Java Truststores and Keystores

Computer Security

Senthil Nayagan
3 min read · Sep 14, 2019

What is Keystore in General?

A keystore, as the name implies, is a storage container for keys. It can be a file or a hardware device (an HSM or smart card, reached from Java through a PKCS#11 provider). The keystore file formats most commonly used by Java programs are JKS, JCEKS and PKCS#12.

Keystore Format

The default format for both keystore and truststore files is JKS up to and including Java 8. Starting with Java 9, the default keystore type is PKCS12 (Java 9 and later can still read and write JKS, and keytool -importkeystore converts between the two). The key difference is that JKS is a proprietary, Java-specific format, while PKCS#12 is a standard, language-neutral format for storing password-protected private keys together with their certificates, so a PKCS#12 file can also be used by OpenSSL, browsers and other non-Java software. JKS additionally protects private keys with a weak proprietary cipher, which is why newer keytool releases warn that JKS should be migrated to PKCS12.

Contents of Keystore

A keystore can hold three kinds of entries: private-key entries (a private key together with the certificate chain for its public key), trusted-certificate entries (a certificate, and therefore a public key, that the owner of the keystore has decided to trust) and secret-key entries (symmetric keys, supported by JCEKS and PKCS12 but not by JKS).

Java Truststores

TLS requires the client to obtain the server's certificate (and with it the server's public key) and to decide whether to trust it. The standard Oracle JDK distribution includes a default truststore (cacerts) that contains root certificates for many well-known public CAs. Every client of a TLS-enabled server needs access to a truststore in order to check the validity of the certificate chain presented during the TLS handshake.

Note: a truststore holds no private keys, because certificates are public and there is nothing in them to keep secret. The store password (changeit by default for cacerts) only protects the integrity of the file. What does need protecting is write access to the truststore: anyone who can add a certificate to it can make every client that uses it trust an attacker-controlled CA.

Truststores — How Do They Work?

Each time a TLS connection is made to a remote server, the certificate chain the server presents is validated against the client's truststore. The truststore holds the certificates of the certification authorities (CAs) the client trusts, and possibly individual self-signed certificates it trusts directly. During the handshake the server sends its own certificate plus any intermediate CA certificates; the client builds a chain from the server certificate up to one of the anchors in its truststore, checks every signature and validity period along the way, and only then accepts the server's identity. Chain validation establishes that a trusted CA vouched for the certificate, not that the certificate belongs to the host being contacted; that is hostname verification, a separate check which HttpsURLConnection performs by default but a raw SSLSocket does not unless endpoint identification is enabled.
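The check described above, as an added example that is not part of the original post: the code loads the JVM's default truststore, confirms it holds only trusted-certificate entries, and then runs the same trust decision JSSE makes during a handshake on a certificate chain read from a PEM file (the file name on the command line is an assumption). The chain is validated with checkServerTrusted, which builds a path to a trust anchor and verifies signatures and validity periods but deliberately says nothing about hostnames.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not code from the original post.
public class TrustStoreCheck {

    // java.home points at the JRE on Java 8 and at the JDK root on Java 9+, so
    // lib/security/cacerts is right on both, unless javax.net.ssl.trustStore
    // has been set to point somewhere else.
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return Paths.get(override);
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // The default type (jks on Java 8, pkcs12 on Java 9+) reads cacerts on every
    // release because the two implementations accept each other's files.
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password); // the password only verifies the integrity MAC
        }
        return ks;
    }

    // Counts trust anchors and refuses a "truststore" that also carries private
    // keys: those belong in a keystore, not in a file shared with every client.
    static int countTrustAnchors(KeyStore ts) throws Exception {
        int anchors = 0, keys = 0;
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) anchors++;
            if (ts.isKeyEntry(alias)) keys++;
        }
        if (keys != 0) throw new IllegalStateException(keys + " private-key entries found in truststore");
        return anchors;
    }

    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Reads every PEM certificate in the file, leaf first, in the order a server sends them.
    static X509Certificate[] readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain.toArray(new X509Certificate[0]);
    }

    // checkServerTrusted builds a path from chain[0] up to an anchor in the
    // truststore and verifies every signature and validity period on the way.
    // It does NOT check that the certificate names the host we are talking to.
    static boolean isTrusted(X509TrustManager tm, X509Certificate[] chain) {
        if (chain.length == 0) return false;
        // authType names the key exchange the trust manager should assume; the ECDHE_*
        // values check the digitalSignature key usage that every TLS 1.3 certificate needs.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Usage: java TrustStoreCheck [server-chain.pem]   (the file name is an assumption)
    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore(defaultTrustStorePath(), "changeit".toCharArray());
        System.out.println("trust anchors in default truststore: " + countTrustAnchors(ts));
        if (args.length == 1) {
            X509Certificate[] chain = readPemChain(Paths.get(args[0]));
            System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
            System.out.println("chains to a trusted anchor: " + isTrusted(trustManagerFor(ts), chain));
        }
    }
}
```

Running it against a chain exported from a public site should report true; against a self-signed or internally issued chain it reports false with the reason JSSE gives ("unable to find valid certification path to requested target"), which is exactly the error applications hit before the issuing CA has been added to the truststore. Since JDK 18 cacerts ships as a password-less PKCS12 file, so the changeit password is simply not checked there.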

Java Keystores

Keystores are used by both servers and clients. A TLS server always needs a keystore, because that is where its own private key and certificate chain live. Optionally, the server can require the client to authenticate itself with a certificate (mutual TLS); in that case the client also needs a keystore holding its private key and the certificate it presents on request. By default the Java keystore is implemented as a file, protected by a store password and, for each key entry, a key password.
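Wiring both stores into a connection, as an added example that is not code from the original post: each side gets a KeyManager from its keystore (its own identity) and a TrustManager from its truststore (the anchors it accepts), the server demands a client certificate, and the client turns on hostname verification, which a raw SSLSocket does not do on its own. The file names, passwords and port are assumptions; for the handshake in main to succeed the server certificate must name localhost and each side's CA must be in the other side's truststore.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the original post.
public class MutualTlsSetup {

    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // KeyManager: the private key + certificate chain we present to the peer.
    // TrustManager: the anchors we validate the peer's chain against.
    // The two are separate files so the truststore can be world-readable
    // while the keystore is not.
    static SSLContext build(Path keyStore, char[] storePassword, char[] keyPassword,
                            Path trustStore, char[] trustPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, storePassword), keyPassword); // keyPassword unlocks the key entry
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPassword));           // only certificate entries are used
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static SSLParameters hardened(SSLParameters p) {
        p.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return p;
    }

    // Server side: require, not merely request, a client certificate. With
    // setNeedClientAuth(true) a handshake without a client certificate fails;
    // setWantClientAuth(true) would let certificate-less clients through.
    static SSLServerSocket serverSocket(SSLContext ctx, int port) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        SSLParameters p = hardened(ss.getSSLParameters());
        p.setNeedClientAuth(true);
        ss.setSSLParameters(p);
        return ss;
    }

    // Client side: chain validation against the truststore is automatic, but a
    // raw SSLSocket does no hostname verification unless endpoint identification
    // is switched on. Without it, any certificate from a trusted CA, issued for
    // any host, would be accepted.
    static SSLSocket clientSocket(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = hardened(s.getSSLParameters());
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        return s;
    }

    // Assumed files: server.p12 / client.p12 hold each side's key entry,
    // clients.p12 / servers.p12 hold the CA that issued the other side's certificate.
    public static void main(String[] args) throws Exception {
        SSLContext server = build(Paths.get("server.p12"), "s3rver".toCharArray(), "s3rver".toCharArray(),
                                  Paths.get("clients.p12"), "changeit".toCharArray());
        SSLContext client = build(Paths.get("client.p12"), "cl1ent".toCharArray(), "cl1ent".toCharArray(),
                                  Paths.get("servers.p12"), "changeit".toCharArray());
        try (SSLServerSocket ss = serverSocket(server, 8443)) {
            Thread t = new Thread(() -> {
                try (SSLSocket peer = (SSLSocket) ss.accept()) {
                    peer.startHandshake();
                    System.out.println("server saw client: " + peer.getSession().getPeerPrincipal());
                } catch (Exception e) {
                    System.err.println("server: " + e);
                }
            });
            t.start();
            try (SSLSocket s = clientSocket(client, "localhost", 8443)) {
                s.startHandshake();
                System.out.println("client saw server: " + s.getSession().getPeerPrincipal());
            }
            t.join();
        }
    }
}
```

Both getPeerPrincipal calls only succeed because the peer was authenticated: remove setNeedClientAuth(true) and the server-side call throws SSLPeerUnverifiedException for a client that sent no certificate, which is the quickest way to confirm that mutual authentication is actually being enforced.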

JVM’s Default Truststores

The JVM ships with a default truststore containing well-known CA certificates. Its location depends on the Java release:

$JAVA_HOME/jre/lib/security/cacerts (Java 8 and earlier)
$JAVA_HOME/lib/security/cacerts (Java 9 and later)

An application can point the JVM at a different truststore with -Djavax.net.ssl.trustStore=<path> (and -Djavax.net.ssl.trustStorePassword), which is how a private CA is usually introduced without editing the JDK's own cacerts file.

Import Certificates into Java Keystores

The Java JDK comes with a key and certificate management utility, the keytool command-line tool, which among other things can:

  • Generate public/private key pairs (with a self-signed certificate) and certificate signing requests
  • Import a certificate or certificate chain into an existing Java keystore, or create the keystore on first import
  • List, export and convert keystore entries (for example from JKS to PKCS12)

Keytool Commands

C:\Program Files\Java\jdk1.8.0_111\bin>keytool
Key and Certificate Management Tool

Commands:

-certreq Generates a certificate request
-changealias Changes an entry's alias
-delete Deletes an entry
-exportcert Exports certificate
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate req.
-importcert Imports a certificate or a certificate chain
-importpass Imports a password
-importkeystore Imports entries from another keystore
-keypasswd Changes the key password of an entry
-list Lists entries in a keystore
-printcert Prints the content of a certificate
-printcertreq Prints the content of a certificate request
-printcrl Prints the content of a CRL file
-storepasswd Changes the store password of a keystore

Import a Certificate using Java’s Keytool

Suppose we have been given a certificate file named "certfile.cer" (DER or PEM encoded). A certificate file has no alias of its own; the alias is the name under which the entry will be stored in the keystore and is chosen at import time. To import the certificate as a trusted-certificate entry under the alias "foo" into a truststore file named "publicKey.jks", run the following keytool import command (-import is the older spelling of -importcert; both work):

keytool -import -alias foo -file certfile.cer -keystore publicKey.jks -storepass changeit -noprompt

This import command does the following:

  • Reads the certificate from the file certfile.cer.
  • Stores it in the keystore publicKey.jks as a trusted-certificate entry named foo.
  • Because of -noprompt, skips the interactive "Trust this certificate?" question in which keytool displays the certificate's owner, issuer and fingerprints.

Only use -noprompt when the certificate's fingerprint has already been checked against a value obtained through a separate channel (keytool -printcert -file certfile.cer shows the SHA-256 fingerprint of the file you received). A certificate imported into a truststore is trusted unconditionally by every application that uses that truststore, so importing an unverified one is equivalent to trusting whoever handed it to you.

Notes:

If publicKey.jks already exists, the certificate is added to it under the alias foo (keytool refuses to replace an existing trusted-certificate entry with the same alias); otherwise publicKey.jks is created.

The alias used here (foo) does not have to match the alias used when the private key and certfile.cer were originally generated; aliases are local to each keystore.

The password shown above (changeit) is the store password of publicKey.jks. It is also the default password of the JDK's cacerts, which is why it appears in so many examples; change it for truststores you ship, and never reuse it for a keystore that holds private keys.
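The same import done programmatically, as an added example that is not code from the original post: this is the equivalent of the -noprompt command above, except that the import is refused unless the certificate's SHA-256 fingerprint matches one supplied out of band, which is the check -noprompt skips. It writes a PKCS12 file (the Java 9+ default), so the assumed store name is publicKey.p12 rather than publicKey.jks; the command-line arguments and the changeit password follow the post's example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not code from the original post.
public class SafeCertImport {

    // Same value keytool -printcert reports as the SHA256 fingerprint:
    // a digest over the DER encoding of the certificate, printed as AA:BB:...
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // CertificateFactory accepts both DER and PEM ("-----BEGIN CERTIFICATE-----") input.
    static X509Certificate readCert(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Mirrors keytool: reuse the keystore if it exists, otherwise start an empty one.
    static KeyStore openOrCreate(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, null); // fresh, empty keystore
        }
        return ks;
    }

    // Tolerates the colon-separated and bare-hex spellings of a fingerprint.
    static boolean fingerprintMatches(String expected, String actual) {
        String e = expected.replace(":", "").replace(" ", "");
        return e.equalsIgnoreCase(actual.replace(":", ""));
    }

    static void importTrusted(Path certFile, String alias, Path store, char[] password,
                              String expectedFingerprint) throws Exception {
        X509Certificate cert = readCert(certFile);
        String actual = sha256Fingerprint(cert);
        if (!fingerprintMatches(expectedFingerprint, actual)) {
            throw new SecurityException("fingerprint mismatch for " + cert.getSubjectX500Principal()
                    + ": got " + actual);
        }
        KeyStore ks = openOrCreate(store, password);
        // keytool likewise refuses to silently replace an entry that already uses the alias.
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already present: " + alias);
        }
        ks.setCertificateEntry(alias, cert); // trusted-certificate entry, no private key involved
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, password);
        }
    }

    // Usage: java SafeCertImport certfile.cer foo publicKey.p12 <expected SHA-256 fingerprint>
    // The expected fingerprint must come from the certificate's owner through a
    // separate channel; "keytool -printcert -file certfile.cer" shows the one in
    // the file you received, so the two can be compared.
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SafeCertImport <cert file> <alias> <keystore> <sha256 fingerprint>");
            System.exit(2);
        }
        importTrusted(Paths.get(args[0]), args[1], Paths.get(args[2]), "changeit".toCharArray(), args[3]);
        System.out.println("imported " + args[1] + " into " + args[2]);
    }
}
```

Because the fingerprint is computed over the DER bytes, the check works the same whether certfile.cer arrived as DER or PEM, and a tampered or substituted certificate fails before anything is written to the store.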

Written by Senthil Nayagan

I am a Data Engineer by profession, a Rustacean by interest, and an avid Content Creator.
