Difference between trustStore vs keyStore in Java SSL

The main difference between trustStore and keyStore is that a trustStore (as the name suggests) is used to store certificates from trusted Certificate Authorities (CAs), which are used to verify the certificate presented by the server in an SSL connection, while a keyStore is used to store the private key and own identity certificate that a program presents to other parties (server or client) to prove its identity. That is the one-line difference between trustStore and keyStore in Java, but these two terms are a source of confusion not just for anyone setting up an SSL connection in Java for the first time but also for many intermediate and senior programmers. One reason for this could be that SSL setup is a one-time job, so not many programmers get the opportunity to do it. In this Java article, we will explore both keystores and truststores and understand the key differences between them. By the way, you can use the keytool command to view the certificates in a truststore or keystore. keytool comes with the Java installation and is available in the bin directory of JAVA_HOME.

KeyStore vs TrustStore

In order to understand the difference between keyStore and trustStore you need to understand how an SSL conversation happens between client and server, because this is the starting point of the confusion: many Java programmers don't pay attention to whether they are implementing the server side or the client side of an SSL connection.

For example, setting up SSL for Tomcat is the server side of SSL, while setting up JDBC over SSL is the client side of the SSL connection. If you are implementing SSL on the server side, you need a keyStore to store your server certificate and private key.

Whenever a client connects to the server, the server presents the certificate stored in its keyStore, and the client verifies that certificate against the certificates stored in its trustStore.

Let's see the difference between truststore and keystore in point form, which is clearer and easier to understand:

1) A keystore is used to store your own credentials (server or client), while a truststore is used to store other parties' credentials (certificates from CAs).

2) A keystore is needed when you are setting up the server side of SSL; it is used to store the server's identity certificate, which the server presents to a client on connection, while the truststore set up on the client side must contain the certificate of the CA that signed it (or the server certificate itself, if self-signed) for the connection to work. When your browser connects to any website over SSL, it verifies the certificate presented by the server against its truststore.

3) Though I omitted this in the last section to reduce confusion, you can have both a keystore and a truststore on the client and the server side if the client also needs to authenticate itself to the server. In this case, the client stores its private key and identity certificate in its keystore, and the server authenticates the client against the certificates stored in the server's truststore.

4) In Java, the javax.net.ssl.keyStore system property (passed as -Djavax.net.ssl.keyStore=...) is used to specify the keystore, while javax.net.ssl.trustStore (-Djavax.net.ssl.trustStore=...) is used to specify the truststore.

5) In Java, one file can serve as both keystore and truststore, but it is better to keep private and public credentials in separate files, for both security and maintenance reasons.

6) When you install a JDK or JRE on your machine, Java comes with its own truststore (a collection of certificates from well-known CAs like Verisign, GoDaddy, Thawte, etc.). You can find this file at JAVA_HOME/JRE/Security/cacerts, where JAVA_HOME is your JDK installation directory.

7) The keytool command (a binary that comes with the JDK installation, in JAVA_HOME/bin) can be used to create and view both keystores and truststores.

If you are still not clear about what a truststore and a keystore are in Java, or about the difference between them, just remember one line: a keystore is used to store the server's own certificate, while a truststore is used to store the certificates of other parties, issued by a CA like Verisign or GoDaddy, or even self-signed certificates.
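As an added illustration (not code from the original article), here is how points 2 through 4 map onto the JSSE API: the keystore feeds a KeyManager on the server side and the truststore feeds a TrustManager on the client side. The file names and the password are placeholders.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

public class KeyStoreVsTrustStore {

    // The same KeyStore API reads both files: a truststore is just a keystore
    // file holding trusted certificates and no private keys (point 5).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Server side (point 2): the keystore feeds a KeyManager with the server's
    // private key and identity certificate. A truststore is only needed here when
    // the server must verify client certificates (point 3); null keeps the JDK default.
    static SSLContext serverContext(KeyStore keyStore, char[] keyPassword,
                                    KeyStore clientTrustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientTrustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Client side: only a truststore is required; the server's presented
    // certificate is checked against the CA (or self-signed) certs in it.
    static SSLContext clientContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no KeyManager: client sends no identity
        return ctx;
    }

    // Explicit equivalent of -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore (point 4).
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password, not a real secret
        SSLContext server = serverContext(load("server-keystore.p12", pw), pw, null);
        SSLContext client = clientContext(load("client-truststore.p12", pw));
        System.out.println(server.getProtocol() + " / " + client.getProtocol());
    }
}
```

For mutual authentication (point 3) the client side would additionally initialise a KeyManagerFactory from its own keystore, exactly as the server side does here.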


  1. Hi

    Still I'm confused with point 3.

    That is, we can configure both keystore and truststore in Tomcat.

    Meaning, is configuring the truststore in server.xml equivalent to configuring the system property java.net.ssl.truststore, or is it different?

    And also, can you suggest a test scenario on how to verify whether it is working fine after configuring?

  2. To explain it better: a truststore basically contains the certificates of CAs, which actually contain the public keys (RSA) of the CAs.
    One publishes its public key but not its private key. A truststore contains the public keys of well-known CAs. These public keys are used to verify if the server you are trying to connect to is legitimate.

    Keystore and truststore are actually the same. To be precise, a truststore is a keystore. Keystore is the more generic term. No one stops you from storing a private key in a truststore. The name truststore is given to a keystore which only contains public keys. So the name truststore is because of the content.


  3. Can anybody explain, line by line, how these keystores/truststores work in SSL, or give some reference?

  4. As you said, "keystore is used to store server's own certificate while truststore is used to store the certificate of other parties issued by CA"

    Now, the server has its own keystore. When a client comes to the server having any other truststore, then as they will have different keys they will never authenticate themselves.
    How can they authenticate with the correct key when the server has its own key and the client has a truststore from a CA?

    1. The server's certificate (signed by a CA's private key) is presented to the client during the SSL handshake. The client browser validates this certificate by using the corresponding CA's public key stored in the client's trustStore. Since the CA's public and private keys are a matched pair, a successful decryption indicates to the browser/client that the certificate issuer (CA) has indeed issued this certificate to the server. This allows the client to 'trust' the server's identity.