Difference between trustStore and keyStore in Java - SSL

 
trustStore vs keyStore in Java
trustStore and keyStore are used in context of setting up SSL connection in Java application between client and server. TrustStore and keyStore are very much similar in terms of construct and structure as both are managed by keytoolcommand and represented by KeyStore programatically but they often confused Java programmer both beginners and intermediate alike. Only difference between trustStore and keyStore is what they store and there purpose. In SSL handshake purpose of trustStore is to verify credentials and purpose of keyStore is to provide credential. keyStore in Java stores private key and certificates corresponding to there public keys and require if you are SSL Server or SSL requires client authentication. TrustStore stores certificates from third party, your Java application communicate or certificates signed by CA(certificate authorities like Verisign, Thawte, Geotrust or GoDaddy) which can be used to identify third party. This is second article on setting up SSL on Java program, In last post we have seen How to import SSL certificates into trustStore and keyStore and In this Java article we will some differences between keystore and truststore in Java, which will help to understand this concept better.
 
 

Difference between trustStore and keyStore in Java

Here is the list of most common difference between keyStore and trustStore. I have already mentioned key difference in first paragraph which is related to purpose of keyStore and trustStore, which we will see here is little more detail.
 
1)First and major difference between trustStore and keyStore is that trustStore is used by TrustManager and keyStore is used by KeyManager class in Java. KeyManager and TrustManager performs different job in Java, TrustManager determines whether remote connection should be trusted or not i.e. whether remote party is who it claims to and KeyManager decides which authentication credentials should be sent to the remote host for authentication during SSL handshake. if you are an SSL Server you will use private key during key exchange algorithm and send certificates corresponding to your public keys to client, this certificate is acquired from keyStore. On SSL client side, if its written in Java, it will use certificates stored in trustStore to verify identity of Server. SSL certificates are most commonly comes as .cer file which is added into keyStore or trustStore by using any key management utility e.g. keytool. See my post How to add certificates into trustStore for step by step guide on adding certificates into keyStore or trustStore in Java.
 
2) Another difference between trustStore and keyStore in rather simple terms is that keyStore contains private keys and required only if you are running a Server in SSL connection or you have enabled client authentication on server side. On the other hand trustStore stores public key or certificates from CA (Certificate Authorities) which is used to trust remote party or SSL connection.
 
3)One more difference between trustStore vs KeyStore is that we use -Djavax.net.ssl.keyStore to specify path for keyStore and -Djavax.net.ssl.trustStore to specify path for trustStore in Java.
 
4) Another difference between trustStore and keyStore is that, If you store your personal certificate along with signer certificate in trustStore,  you can use same file as both trustStore and keyStore. By the way its good idea to separate personal certificate and signer certificates in keyStore and trustStore for better management.
 
5) One more API level difference between keyStore and trustStore is that  password of keyStore is provided using -Djavax.net.ssl.keyStorePassword and password of trustStore is provided using -Djavax.net.ssl.trustStorePassword.
 
That’s all on difference between trustStore and keyStore in Java. You can still use same file as trustStore and keyStore in Java to avoid maintaining two separate files, but its good idea to segregate public keys and private keys in two different files, its more verbose and self explanatory that which one holds CA certificates to trust server and which contains client's private keys.
 
总之,keyStore是用于存放自己keytool产生的key(public/private) (浏览器是否相信server, public key经过CA签名用于商业SSL), truststore用于存放第三方提供的经过CA认证的public key(用于server是否相信第三方连接)

Read more: https://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html#ixzz5i1OTp1X1

Difference between trustStore and keyStore in Java - SSL的更多相关文章

  1. java ssl https 连接详解 生成证书

    我们先来了解一下什么理HTTPS 1. HTTPS概念 1)简介 HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全 ...

  2. java ssl https 连接详解 生成证书 tomcat keystone

    java ssl https 连接详解 生成证书 我们先来了解一下什么理HTTPS 1. HTTPS概念 1)简介 HTTPS(全称:Hypertext Transfer Protocol over ...

  3. Different types of keystore in Java Overview

    Different types of keystore in Java JKS DKS JCEKS PKCS12 PKCS11 http://www.pixelstech.net/article/14 ...

  4. Java SSL/TLS Socket实现

    通信端无需向对方证明自己的身份,则称该端处于"客户模式",否则称其处于"服务器模式",无论是客户端还是服务器端,都可处于"客户模式"或者&q ...

  5. Difference between LinkedList vs ArrayList in Java

    source-url LinkedList implements it with a doubly-linked list. ArrayList implements it with a dynami ...

  6. 配置Java SSL 访问网站证书

    最近在开发 Java 访问 Azure ServiceBus 时遇到SSL证书问题,导致JAVA报错,不能正常访问,报错信息如下: javax.net.ssl.SSLException: Connec ...

  7. java ssl 连接AD域

    1.安装证书服务和IIS服务,不需要启动asp.(其会在c盘生成一个crt文件)2.获取crt证书文件 windows 2003:文件位于系统盘根目录 windows 2008: 文件位于C:\Win ...

  8. https Java SSL Exception protocol_version

    在java代码中,使用HttpClient爬取https页面时,遇到了这个bug:javax.net.ssl.SSLException: Received fatal alert: protocol_ ...

  9. Java ssl认证记录

    听到有人在用,所以自己随便搜了搜试了下,这里就是简单记录 就是操作了一遍这篇博文 https://blog.csdn.net/a495614205/article/details/12648939 i ...

随机推荐

  1. P4293 [WC2010]能量场

    P4293 [WC2010]能量场 题意 给你 \(n\) 个粒子,每个粒子有两个权值 \(m_i,c_i\) 每个相邻有序对 \((a,b)\) 会产生 \(m_am_b(c_a-c_b)\) 的贡 ...

  2. python2 与 python3 依赖包冲突问题

    原文链接   https://www.2cto.com/database/201805/749294.html 执行pip的时候取的是/usr/bin这里的pip,查看这里是否存在pip3,没有的话需 ...

  3. 【动画消消乐 】HTML+CSS 吃豆豆动画 073

    前言 Hello!小伙伴! 非常感谢您阅读海轰的文章,倘若文中有错误的地方,欢迎您指出-   自我介绍 ଘ(੭ˊᵕˋ)੭ 昵称:海轰 标签:程序猿|C++选手|学生 简介:因C语言结识编程,随后转入计 ...

  4. java标识符,关键字,注释及生成Doc文档

    # java语法基础 ## 标识符,关键字与注释 ### 标识符 1.类名,变量名,方法名都称为标识符. 2.命名规则:(1):所有的标识符都应该以字母(AZ,或者az)美元符($)或者下划线(_)开 ...

  5. Linux[Manjaro] 小新15笔记本AMD ryzen锐龙4800U,在安装系统后出现的随即死机冻屏问题

    Linux[Manjaro] 小新15AMD ryzen锐龙4800U,在安装系统后出现的随即死机冻屏问题解决办法 年初尝试将manjaro安装在我的笔记本上就存在这个问题,也一度将我劝退.系统安装在 ...

  6. 媒体应用视频超分AI神器!360P视频一键转换HD

    作为多媒体应用的开发者,你是否想为媒体播放器快速开发创新AI功能?例如: 在播放低画质视频过程中对其进行逐帧超分 让满屏飘飞的弹幕自动绕过画面的主体人物 HMS Core 6.0.0开放的多媒体管线服 ...

  7. Linux下的Vim文本编辑器(入门)

    引言 vim filename:打开名为filename的文件,如果不存在就会创建一个filename文件 Vim的三种使用模式 1. 命令模式 启动Vim时,就进入了命令模式 在该模式下: i:切换 ...

  8. Feign实战技巧篇

    介绍Feign在项目中的正确打开方式 看了上一期Feign远程调用的小伙伴可能会问:阿鉴,你不是说上一期讲的是Feign的99%常用方式吗?怎么今天还有正确打开方式一说呀? 阿鉴:是99%的常用方式, ...

  9. Android开发音视频方向学习路线及资源分享,学完还怕什么互联网寒冬?

    接触Android音视频这一块已经有一段时间了,跟普通的应用层开发相比,的确更花费精力.期间为了学习音视频的录制,编码,处理也看过大大小小的几十个项目.总体感觉就是知识比较零散,对刚入门的朋友比较不友 ...

  10. Socket通信-服务端

    WSADATA wsd; SOCKET sClient; SOCKET sServer; SOCKADDR_IN addrServ; char chRcvBuf[RECV_BUF_SIZE]; if ...