Keystore and Truststore are both important and essential for communication with an SSL Certificate. Both are very similar in terms of construct and structure, as both are managed by a key tool command.
Truststore is used for the storage of certificates from the trusted Certificate Authority (CA), which is used in the verification of the certificate provided by the server in an SSL connection. On the other hand, a Keystore is used to store the private key and own identity certificate to be identified for verification.
You may also like: How to Generate a Keystore and CSR Using the Keytool Command.
In an SSL handshake, the work of Truststore is to verify the credentials, whereas the work of Keystore is to provide those credentials. These are the most important differences between Truststore and Keystore but not the only ones. These differences vary in Java and they are as follows –
Truststore is used by Trust Manager and Keystore is used by Key Manager; they both perform different functions.
Keystore contains private keys and is required only when a server is running on an SSL connection, whereas Truststore store public keys and the certificates issued form the certificate authority.
To specify the path of a Keystore or Truststore, we need different extensions in Java. (Djavax.net.ssl.keyStore for Keystore and -Djavax.net.ssl.trustStore for Truststore.)
There is also a difference in the password of the two (i.e. for Keystore it is given by the following extension Djavax.net.ssl.keyStorePassword and for truststore is given by Djavax.net.ssl.trustStorePassword).
Keystore contains one private key for the host, while truststore contains zero private keys.
The listing, removal, and addition of certificates can be done from the Java Keystore by using the keytool utility. Almost all of the SSL clients have access to the Truststore.
Security Considerations for Keystore and Truststore
Keystores contain private keys, whereas Truststore do not. Security for Keystores is strict and exacting. In particular –
- Hadoop SSL (Secure Sockets Layer) has a requirement that Truststores and the Truststore password have to be stored in plaintext, in a configuration file that can be read easily by everyone.
- Keystore and key passwords are stored in plaintext, in a file that is readable only by members of the appropriate group.
- Since Truststore does not contain any private and sensitive information, only a single Truststore for an entire cluster is sufficient.
- But it is essential information that the passwords for both Truststore and Keystore should not be the same because the password for Truststore is stored in clear files and is visible to all. If the same password is used for a Keystore, the security will be vulnerable and can be attacked by malicious parties and hackers.
If one is using the default Truststore, he/she needs to add Certificate Authority (CA) to the Truststore or delete them from Truststore. If you are creating a custom Truststore, you must build the Truststore by importing trusted certificates into new Truststores. While creating a Truststore, a password has to be created/selected, and they should be the same for a given service.
The purpose of a Keystore is to protect privacy and integrity with the use of a password-based algorithm. The keys are kept secret to keep them safe and protected from unwanted third parties and can only be accessed by someone having the password.