Keystore and Truststore are both important and essential for communication with an SSL Certificate. Both are very similar in terms of construct and structure as both are managed by a key tool command.
Truststore is used for the storage of certificates from the trusted Certificate Authority (CA) which is used in the verification of the certificate provided by to the server in an SSL connection. On the other-hand keystore is used to store the private key and own identity certificate to be identified for verification.
In an SSL handshake the work of truststore is to verify the credentials whereas the work of keystore is to provide those credentials. These are the most important differences between truststore and keystore but not the only ones. These differences vary in Java and they are as follows –
1. Truststore is used by Trust Manager and keystore is used by Key Manager, they both perform different functions.
2. Keystore contain private keys and are required only when a server is running on an SSL connection whereas truststore store public keys and the certificates issued form the certificate authority.
3. To specify the path of a keystore or truststore we need different extensions in Java.
-Djavax.net.ssl.keyStore for keystore and -Djavax.net.ssl.trustStore for truststore.
4. There is also a difference in the password of the two i.e. for keystore it is given by the following extension Djavax.net.ssl.keyStorePassword and for truststore is given by Djavax.net.ssl.trustStorePassword.
5. Keystore contains 1 private key for the host while truststore contains 0 private keys.
The listing, removal and addition of certificates can be done from the Java Keystore by using the keytool utility. Almost all of the SSL clients have an access to the truststore.
Security Considerations for Keystore & Truststore –
Keystores contain private keys whereas truststore do not, hence security for keystores is strict and exacting. In particular –
- Hadoop SSL (Secure Sockets Layer) has a requirement that truststores and the truststore password have to be stored in plaintext, in a configuration file that can be read easily by everyone.
- Keystore and key passwords are stored in plaintext, in a file that is readable only by members of the appropriate group.
- Since truststore does not contain any private and sensitive information, hence only a single truststore for an entire cluster is sufficient.
- But it is an essential information that the passwords for both truststore and keystore should not be the same because the password for truststore is stored in clear files and is visible to all and if the same password is used for keystore also the security will be vulnerable and can be attacked by malicious parties and hackers.
Creating Trusutstores –
If one is using the default truststore, he/she needs to add Certificate Authority (CA) to the truststore or delete them from truststore and if one is creating custom truststore the one must built the truststore by importing trusted certificates into new truststores. While creating a truststore a password has to be created/selected and they should be same for a given service.
The purpose of a keystore is to protect the privacy, integrity by the use of a password based algorithm. The keys are kept secret to keep them safe and protected from the unwanted third parties and can only be accessed by the someone having the password.
More Resources
