truststore vs keystore in layman terms
I am trying to understand the difference between truststores and keystores in layman's terms. How are they related to cacerts in Java? I have gone through a lot of threads but still cannot understand when to use a keystore and when to use a truststore.
When I try to make an API call to a web service via HTTPS, I keep getting an SSL certificate issue. The HTTPS service is using a self-signed certificate, and I imported the certificate into my cacerts, but the issue persists. Where do I have to import this server certificate? If the import solves the issue, do I need to import the certificate in other environments when I deploy the application?
Our application uses a JKS file; what is it needed for? When I view the JKS file, I see there are 2 certificates in it. Why do we use it?
For truststores, I see people saying "trusting ourselves". What are we trusting ourselves with? Does the truststore use any certificates? When should I be using a keystore versus a truststore?
Any help in understanding this would be really helpful to me.
java keystore truststore
A truststore stores the certificates (public part of a key pair) that you trust. This is used for client certificate authentication: if the client submits a key that is signed by a trusted certificate, then they successfully authenticate. A truststore is optional. A keystore stores the key (private part of a key pair) that the server uses to prove it is who it says it is. A keystore is required for SSL.
– Boris the Spider
Jan 13 '18 at 16:25
If I understand, I need to store the certificate in the keystore when making an SSL call; then what is the use of cacerts in Java? Importing the certificate into cacerts doesn't solve the problem?
– Praveen
Jan 13 '18 at 16:39
This might help to understand: stackoverflow.com/questions/318441/…
– user152468
Dec 28 '18 at 9:26
Technically they are the same thing. The logical separation is done to avoid putting private keys and public certificates in the same file. Such a truststore can then be safely redistributed, while sharing a private key is quite the opposite.
– Antoniossss
Dec 28 '18 at 10:26
edited Dec 28 '18 at 10:20 by user152468
asked Jan 13 '18 at 16:18 by Praveen
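The comments above say that a keystore and a truststore are the same file format holding different kinds of entries. The program below is an added example, not code from the question or from any commenter. It opens a JKS file named on the command line (the path and password are its two arguments; `StoreInspector` is a hypothetical class name), reports whether each entry is a private key (the keystore role) or a trusted certificate (the truststore role), and shows that the two roles feed different factories: `KeyManagerFactory` for the identity a server presents, `TrustManagerFactory` for the trust decisions a client makes. It assumes, as keytool does by default, that the key password equals the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the question or its comments): opens a JKS file,
 * reports which role each entry plays, and shows which factory each role feeds.
 * Usage: java StoreInspector <store-file> <store-password>
 */
public class StoreInspector {

    /** Loads a JKS file. On JDK 9+ the JKS loader also accepts PKCS12 files (compatibility mode). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static String subject(Certificate c) {
        return c instanceof X509Certificate
                ? ((X509Certificate) c).getSubjectX500Principal().getName()
                : c.getType();
    }

    /**
     * Prints one line per alias and returns the file's overall role:
     * "TRUSTSTORE" (only trusted certificates), "KEYSTORE" (only private keys),
     * "MIXED" (both, i.e. a file that must not be handed out) or "EMPTY".
     */
    static String classify(KeyStore ks) throws Exception {
        int keys = 0, anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keys++;
                Certificate[] chain = ks.getCertificateChain(alias); // null for a symmetric SecretKeyEntry
                String leaf = chain == null ? "(secret key, no certificate)" : subject(chain[0]);
                System.out.printf("%-16s PrivateKeyEntry          identity: %s%n", alias, leaf);
            } else if (ks.isCertificateEntry(alias)) {
                anchors++;
                System.out.printf("%-16s TrustedCertificateEntry  anchor:   %s%n",
                        alias, subject(ks.getCertificate(alias)));
            }
        }
        if (keys > 0 && anchors > 0) return "MIXED";
        if (keys > 0) return "KEYSTORE";
        if (anchors > 0) return "TRUSTSTORE";
        return "EMPTY";
    }

    /** Server side: the private-key entries become the identity the server presents. */
    static SSLContext serverContext(KeyStore identity, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);   // assumption: key password == store password (keytool's default)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers: JVM default truststore is used
        return ctx;
    }

    /** Client side: the trusted-certificate entries decide which servers are accepted. */
    static SSLContext clientContext(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: the client presents no certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java StoreInspector <store-file> <store-password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = load(args[0], password);
        String role = classify(ks);
        System.out.println("Role of " + args[0] + ": " + role);
        switch (role) {
            case "TRUSTSTORE":
                clientContext(ks);
                System.out.println("Usable as a client truststore; safe to copy to other environments.");
                break;
            case "KEYSTORE":
                serverContext(ks, password);
                System.out.println("Usable as a server keystore; it holds private keys, keep it on the server only.");
                break;
            case "MIXED":
                System.out.println("Private keys and trust anchors share one file; split them before distributing.");
                break;
            default:
                System.out.println("No usable entries.");
        }
    }
}
```

Running this on the JKS file from the question shows whether its 2 certificates are `TrustedCertificateEntry` rows (the file is a truststore and can travel with the application) or the chain of a `PrivateKeyEntry` (the file is the server's keystore and must stay where the private key belongs).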
1 Answer
Truststore - a container that holds certificates that should be accepted, aka trusted, by the application. This can be e.g. a self-signed certificate or a certificate signed by a CA that is not on the global list of CAs. For example, a company can have its own CA to allow the use of its own certificates. Adding such a CA to your truststore (the app's, or installing it in the system) will validate all other certificates signed by that CA.
Keystore - a container that holds private keys. This allows the application to accept communication initiated using the corresponding public key.
In Java, they can both be in JKS format, and they are "technically" the same thing. For security reasons, you separate them logically into 2 containers.
What it seems you might not know is that PKI works in a way that you always have a pair of a unique public key and private key. The public key is used to ENCRYPT communication while the private key is used to DECRYPT it. When a client connects via an SSL channel, it uses the public key to establish the key exchange. If the server's identity is legit, it will have the private key and will be able to proceed with the exchange.
Now to your questions:
"Where do I have to import this server certificate? If the import solves the issues, do I need to import the certificate in other environments when I deploy the application?"
The server must have the private key in order to do a successful SSL handshake. It also introduces itself with the corresponding public key (which is in the certificate). If that certificate is signed by a worldwide trusted CA, nothing has to be done; the certificate will be trusted. If it is not (self-signed, private CA), then it must be added to the client's truststore to tell the application that this particular certificate should be trusted despite having no public authority's assurance.
"If the import solves the issues, do I need to import the certificate in other environments when I deploy the application?"
Every system must be informed that it should trust that particular certificate. If the client application is proprietary to you, you can distribute the truststore along with it.
"For truststore, I see people saying trusting ourselves. What are we trusting ourselves with?"
By adding a given certificate to the "trust list", the truststore. It literally says that it is OK to connect to a server that introduces itself with that particular certificate (it still has to have the private key to authenticate itself).
"Does the truststore use any certificates?"
The truststore is just a container.
"When should I be using a keystore versus a truststore?"
Already answered, but: use a truststore to say that connecting using some public key is secure despite the fact that it is not signed by a global CA. Use a keystore on the server side to allow a proper handshake.
edited Dec 28 '18 at 10:59
answered Dec 28 '18 at 10:42 by Antoniossss
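The answer says the self-signed certificate has to go into the client's truststore. The diagnostic below is an added example, not code from the answer; it reproduces the two checks the JVM makes on a server certificate, against the truststore the JVM will actually use. It resolves the effective truststore the way JSSE does (the `javax.net.ssl.trustStore` system property, else `jssecacerts`, else `cacerts` under `java.home`), runs PKIX path validation against it, and compares the hostname with the certificate's dNSName subject alternative names. `TrustCheck` and its two arguments (a PEM file holding the server's certificate chain, leaf first, and the hostname being connected to) are assumptions of the example. Run under the same JVM and with the same system properties as the failing application, it shows which of the usual causes applies: the certificate was imported into a different JVM's cacerts, the application points at another truststore through the property, or the certificate is trusted but does not name the host.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/**
 * Added diagnostic (not from the question or the answer): checks a server certificate
 * chain against the truststore this JVM would really use, then checks the hostname.
 * Usage: java TrustCheck <server-chain.pem> <hostname>
 */
public class TrustCheck {

    /** JSSE's lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts. */
    static Path effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) return Paths.get(configured);
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Loads the truststore as JSSE does: type and password from system properties, password may be absent. */
    static KeyStore loadTrustStore(Path path) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray()); // null: read entries without the integrity check
        }
        return ks;
    }

    /** Reads one or more concatenated PEM certificates, leaf first. */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    /**
     * Returns null if the chain is trusted, otherwise the PKIX failure reason.
     * Like the JDK's own validator, it cuts the chain at the first certificate that is
     * already a trust anchor, so a self-signed server certificate imported directly
     * passes without any path building.
     */
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        List<X509Certificate> path = chain;
        for (int i = 0; i < chain.size(); i++) {
            String alias = trust.getCertificateAlias(chain.get(i));
            if (alias != null && trust.isCertificateEntry(alias)) {
                if (i == 0) return null;      // the leaf itself is pinned in the truststore
                path = chain.subList(0, i);   // validate only the part below the anchor
                break;
            }
        }
        PKIXParameters params = new PKIXParameters(trust); // anchors = every TrustedCertificateEntry
        params.setRevocationEnabled(false);                // offline check; keep revocation on in production
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    /** True if a dNSName SAN covers host (exact or single-label wildcard). Java also accepts the CN when no dNSName SAN exists. */
    static boolean hostnameMatches(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // GeneralName type 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.") && dot > 0 && name.substring(1).equals(h.substring(dot))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustCheck <server-chain.pem> <hostname>");
            System.exit(2);
        }
        Path storePath = effectiveTrustStore();
        KeyStore trust = loadTrustStore(storePath);
        List<X509Certificate> chain = readPemChain(Paths.get(args[0]));
        X509Certificate leaf = chain.get(0);
        System.out.println("Truststore in use : " + storePath
                + " (" + Collections.list(trust.aliases()).size() + " entries)");
        System.out.println("Leaf certificate  : " + leaf.getSubjectX500Principal());
        String problem = validate(chain, trust);
        System.out.println("Chain trusted     : " + (problem == null ? "yes" : "NO - " + problem));
        System.out.println("Hostname matches  : " + (hostnameMatches(leaf, args[1])
                ? "yes" : "NO - the handshake fails even with a trusted chain"));
    }
}
```

Save the server's certificate as PEM (for instance from the output of `openssl s_client -showcerts`) and run `java TrustCheck server.pem api.example.internal` with the application's JVM; the hostname here is a constructed placeholder. A `NO` on the chain line means the import did not land in the truststore this JVM reads, so importing again into the path printed on the first line is the fix. A `NO` on the hostname line means the certificate has to be reissued for the right name, because no truststore import changes which host it is valid for.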