Differences between Keystore & Truststore

Keystore and Truststore are both important and essential for communication with an SSL Certificate. Both are very similar in terms of construct and structure as both are managed by a key tool command.

 

Truststore is used for the storage of certificates from the trusted Certificate Authority (CA) which is used in the verification of the certificate provided by to the server in an SSL connection. On the other-hand keystore is used to store the private key and own identity certificate to be identified for verification.

 

In an SSL handshake the work of truststore is to verify the credentials whereas the work of keystore is to provide those credentials. These are the most important differences between truststore and keystore but not the only ones. These differences vary in Java and they are as follows – 

1. Truststore is used by Trust Manager and keystore is used by Key Manager, they both perform different functions. 

2. Keystore contain private keys and are required only when a server is running on an SSL connection whereas truststore store public keys and the certificates issued form the certificate authority.

 

3. To specify the path of a keystore or truststore we need different extensions in Java. 

-Djavax.net.ssl.keyStore for keystore and -Djavax.net.ssl.trustStore for truststore. 

4. There is also a difference in the password of the two i.e. for keystore it is given by the following extension Djavax.net.ssl.keyStorePassword and for truststore is given by Djavax.net.ssl.trustStorePassword.  

5. Keystore contains 1 private key for the host while truststore contains 0 private keys. 

The listing, removal and addition of certificates can be done from the Java Keystore by using the keytool utility. Almost all of the SSL clients have an access to the truststore. 

Source