Other Tutorials

KeyStore vs TrustStore In Java


The two terms truststore and keystore are often confused and seem daunting to even many senior developers at first. In this tutorial, we’ll cover the differences between a truststore and a keystore.

We also suggest you read our article on How Https Works – SSL/TLS, which will help you understand the basics of Http over SSL.

Back to Basics:

First of all, let’s understand the very basic definition of the two:

Truststore:  It is used to store the certificates from trusted CAs(Certificate Authorities) which is then used to verify the certificate presented by the server in an SSL connection. In brief, these are the remote-party certificates you trust.

Keystore: It stores your own private key and certificates which you present to the server to validate your identity when trying to establish an SSL connection.


Differences Between TrustStore and KeyStore:

  1.  First and the major difference is that the trustStore is used to store certificates from CAs whereas a keyStore holds your own certificate used for authentication.
  2. The TrustManager class uses the trustStore to determines whether the remote connection needs to be trusted or not.
    The keyStore is used by KeyManager class to decide which authentication credentials need to be sent over to the server to verify your server’s identity.
  3. We need a KeyStore only when setting up our own server-side SSL connection as it stores the server’s identity. This keyStore is to be presented over to the client while attempting to make an SSL connection.
    TrustStore holds the public certificates and is used to verify any server’s identity before making an SSL connection.
  4. We can choose to have a single file act both as a trustStore as well as keyStore in Java. However, we recommended you to keep them separate, whenever possible. It helps in achieving easy maintenance and better certificate security.
  5. JDK/JRE itself comes with its own default trustStore file which holds a collection of certificates from popular trusted CAs like VeriSign, Thwarte, etc.
    The file is available at path <JAVA_HOME>/JRE/Security/cacerts.On setting up a new server-side SSL connection, we need to create our own keystore holding our certificates.
  6. In Java, we can specify the path of the keyStore using -javax.net.ssl.keyStore. The path of trustStore is specified using-Djavax.net.ssl.trustStore.Similarly, to specify the password for keyStore, we use -Djavax.net.ssl.keyStorePassword. The password for trustStore is specified using -Djavax.net.ssl.trustStorePassword.


We looked at major differences between a trustStore and a keyStore in Jaba.

At a minimum, all we need to understand is :

1.) A trustStore holds public certificates of trusted CAs. It is used to verify the identity of the server while making an SSL connection, whereas

2.) We need to set up a keyStore when establishing our own server-side SSL connection for the first time. It stores our server’s private key and certificates. We need to present it to the client while establishing an SSL connection.

Be the First to comment.

Leave a Comment

Your email address will not be published. Required fields are marked *