Difference between trustStore vs keyStore in Java SSL

If you are confused between truststore and keystore and want to find out what exactly they mean, then you have come to the right place. Earlier, I shared free Java courses, and today I am going to explain the difference between trustStore and keyStore in Java. Both trustStore and keyStore are important but confusing concepts, and they constantly torment Java developers who connect to servers using SSL. The main difference between trustStore and keyStore is that the trustStore (as the name suggests) is used to store certificates from trusted Certificate Authorities (CAs), which are used to verify the certificate presented by the server in an SSL connection, while the keyStore is used to store the private key and the program's own identity certificate, which it presents to the other party (server or client) to prove its identity.

That was the one-line difference between trustStore and keyStore in Java, but no doubt these two terms are quite confusing, not only for anyone making an SSL connection in Java for the first time but also for many intermediate and senior-level programmers.

One reason for this could be that SSL setup is a one-time job, so not many programmers get the opportunity to do it.

In this Java article, we will explore both keystores and truststores and understand the key differences between them. You can also use the keytool command to view the certificates in a truststore or keystore. The keytool command comes with the Java installation and is available in the bin directory of JAVA_HOME.

By the way, if you are new to the Java world and want to learn more about basic and advanced Java concepts in a structured way then there is no better way than to join an online course like The Complete Java Masterclass by Tim Buchalaka on Udemy. This 80+ hour course is the most up-to-date and comprehensive course to learn Java.

Difference between KeyStore vs TrustStore in Java

In order to understand the difference between keyStore and trustStore, you need to understand how an SSL conversation happens between client and server, because this is the starting point of the confusion: many Java programmers don't pay attention to whether they are implementing the server side or the client side of the SSL connection.

For example, setting up SSL for Tomcat is the server side of SSL, while setting up JDBC over SSL is the client side of the SSL connection. If you are implementing SSL on the server side, you need a KeyStore to store your server certificate and private key.

Any time a client connects to the server, the server presents the certificate stored in its KeyStore, and the client verifies that certificate by checking it against the certificates stored in its trustStore.
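The exchange described above, written out in JSSE, as an added example that is not part of the original article: the server side is built from a KeyManagerFactory over its keystore, the client side from a TrustManagerFactory over its truststore, and each side loads the other kind of store only when client authentication is switched on. The file names (server-keystore.p12, client-truststore.p12, and so on), the password "changeit", the PKCS12 format and port 8443 are all assumptions for this example; the stores have to be created beforehand, for instance with keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Which store each side of a TLS connection needs.
 * Server: keystore (private key + identity certificate); truststore only for client auth.
 * Client: truststore (trusted CA certificates); keystore only when it must present a certificate.
 * File names, passwords, store type and port are assumptions for this example.
 */
public class SslRoles {

    private static final char[] PASSWORD = "changeit".toCharArray(); // assumed password

    /** Load a keystore/truststore file from disk (PKCS12 here, JKS works the same way). */
    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    /** Server side: always a keystore; a truststore only when clients must authenticate. */
    static SSLContext serverContext(boolean requireClientCert) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server-keystore.p12"), PASSWORD);

        TrustManagerFactory tmf = null;
        if (requireClientCert) {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load("server-truststore.p12")); // CA that signed the client certificates
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers fall back to the JDK default; unused unless client auth is on
        ctx.init(kmf.getKeyManagers(), tmf == null ? null : tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Client side: always a truststore; a keystore only when the server demands a client certificate. */
    static SSLContext clientContext(boolean presentClientCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("client-truststore.p12")); // CA that signed the server certificate

        KeyManagerFactory kmf = null;
        if (presentClientCert) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load("client-keystore.p12"), PASSWORD);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        boolean mutual = args.length > 0 && args[0].equals("mutual");

        SSLServerSocket server = (SSLServerSocket) serverContext(mutual)
                .getServerSocketFactory().createServerSocket(8443);
        server.setNeedClientAuth(mutual); // server asks for a client certificate only under mTLS

        Thread acceptor = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                // the peer principal exists only when the client presented a certificate
                System.out.println("server: client = " + (mutual ? s.getSession().getPeerPrincipal() : "anonymous"));
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        acceptor.start();

        try (SSLSocket client = (SSLSocket) clientContext(mutual)
                .getSocketFactory().createSocket("localhost", 8443)) {
            // Raw SSLSocket does not verify the host name by itself; turn it on explicitly.
            SSLParameters params = client.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            client.setSSLParameters(params);
            client.startHandshake(); // fails here if the server cert is not trusted by client-truststore.p12
            System.out.println("client: server = " + client.getSession().getPeerPrincipal());
        }
        acceptor.join();
        server.close();
    }
}
```

Run it with no argument for one-way TLS (the client never touches a keystore) and with `mutual` to see both sides load both stores. The handshake failing with a "PKIX path building failed" message is the symptom of the wrong store on the client side: the server's certificate chain does not end in anything present in client-truststore.p12.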

Difference between trustStore vs keyStore in Java SSL

Let's look at the difference between truststore and keystore in point form, which is clearer and easier to understand:

1. A keystore is used to store your own credentials (server or client), while a truststore is used to store others' credentials (certificates from CAs).

2. A keystore is needed when you are setting up the server side of SSL; it stores the server's identity certificate, which the server presents to the client on connection. On the client side, the truststore must contain a certificate that vouches for that server certificate (the issuing CA's certificate, or the server certificate itself if it is self-signed) for the connection to work. When your browser connects to any website over SSL, it verifies the certificate presented by the server against its truststore.

3. Though I omitted this in the last section to reduce confusion, you can have both a keystore and a truststore on the client and the server side if the client also needs to authenticate itself to the server. In this case, the client stores its private key and identity certificate in its keystore, and the server authenticates the client against the certificates stored in the server's truststore.

4. In Java, the -Djavax.net.ssl.keyStore system property is used to specify the keystore, while -Djavax.net.ssl.trustStore is used to specify the truststore.

5. In Java, one file can serve as both keystore and truststore, but it's better to keep private and public credentials in separate files, both for security and for maintenance reasons.

6. When you install a JDK or JRE on your machine, Java comes with its own truststore (a collection of certificates from well-known CAs like Verisign, GoDaddy, Thawte, etc.). You can find this file at JAVA_HOME/JRE/Security/cacerts, where JAVA_HOME is your JDK installation directory.

7. The keytool command (a binary that comes with the JDK installation, inside JAVA_HOME/bin) can be used to create and view both keystores and truststores.
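Points 5 and 7 together suggest a check worth running on any store file you inherit: which entries in it are identities (private key plus certificate) and which are merely trusted certificates. The following inspector is an added example, not code from the original article; it does in Java what `keytool -list -v` shows on the command line, and additionally flags expired entries and warns when a single file is doing both jobs. The default password "changeit" and the store type argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Lists the entries of a keystore/truststore file and classifies each one:
 *   IDENTITY  - PrivateKeyEntry: this file is acting as a keystore for that alias
 *   TRUSTED   - TrustedCertificateEntry: this file is acting as a truststore for that alias
 * Usage: java StoreInspector <store-file> [password] [type]
 * Password "changeit" and the PKCS12 default type are assumptions for this example.
 */
public class StoreInspector {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: StoreInspector <store-file> [password] [type]");
            return;
        }
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = args.length > 2 ? args[2] : "PKCS12"; // use "JKS" for legacy .jks files

        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, password);
        }

        int identities = 0, trusted = 0;
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias); // first cert of the chain for key entries
            if (!(cert instanceof X509Certificate)) {
                // e.g. a SecretKeyEntry (symmetric key) has no certificate at all
                System.out.printf("OTHER      %-24s (no X.509 certificate)%n", alias);
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            String kind;
            if (store.isKeyEntry(alias)) {
                kind = "IDENTITY";
                identities++;
            } else {
                kind = "TRUSTED";
                trusted++;
            }
            System.out.printf("%-10s %-24s subject=%s issuer=%s expires=%s%s%n",
                    kind, alias,
                    x509.getSubjectX500Principal().getName(),
                    x509.getIssuerX500Principal().getName(),
                    x509.getNotAfter(),
                    validity(x509));
        }

        System.out.printf("%n%d identity entr%s, %d trusted certificate%s%n",
                identities, identities == 1 ? "y" : "ies", trusted, trusted == 1 ? "" : "s");
        if (identities > 0 && trusted > 0) {
            System.out.println("NOTE: this one file holds both private keys and trusted CA certificates;"
                    + " consider splitting it into a separate keystore and truststore.");
        }
    }

    /** Marks certificates that are already expired or not yet valid. */
    static String validity(X509Certificate cert) {
        try {
            cert.checkValidity();
            return "";
        } catch (CertificateException e) {
            return "  <-- " + e.getClass().getSimpleName();
        }
    }
}
```

Running it against the JDK's own cacerts file should show only TRUSTED entries, while a server keystore should show one IDENTITY entry per hostname it serves; anything that shows both is what point 5 recommends against.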

That's all about the difference between truststore and keystore in Java. If you are still not clear about what a truststore and a keystore are in Java, or about the difference between them, just remember one line: a keystore is used to store the server's own certificate, while a truststore is used to store the certificates of other parties, issued by a CA like Verisign or GoDaddy, or even self-signed certificates.


Thanks for reading this article so far. If you like this explanation of the difference between keystore and truststore in Java, then please share it with your friends and colleagues. If you have any questions or feedback, please drop a note.

P. S. - If you are new to Java and looking for a free Java training course to start your programming career then you should join this Java Tutorial for Complete Beginners(FREE) course on Udemy. It's completely free and more than 1.4 million programmers have already joined this course.