Difference between keystore & truststore

========================================
1. A keystore contains a private key (together with its certificate chain). You only need
one if you are a server, or if you are a client and the server requires client authentication.

2. A truststore contains the CA certificates to trust. If your server's
certificate is signed by a recognized CA, the default truststore
that ships with the JRE will already trust it (because it already
trusts the well-known CAs), so you don't need to build your own,
or to add anything to the one from the JRE.

========================================
SSL provides you with privacy, integrity, and authentication. That is,
the messages are encrypted, tamper-evident, and come from an authenticated
identity. Whether that's the identity you want to talk to is another
question. So the application has to perform the authorization step, i.e.
check the authenticated identity against the one it expects. You do this by getting the
peer certificates out of the SSLSession, usually in a HandshakeCompletedListener,
and checking that the identity of the server is the one you expect. SSL can't
do this for you, as only the application knows who it expects to talk to.
Another way around this is to ship a custom truststore that contains only
the certificate of the correct server, so the client won't trust anybody else.
========================================
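Putting both points together, as an added example that is not code from the original post: a Java client that trusts only a custom truststore (the second approach) and then performs the application-level identity check on the SSLSession after the handshake (the first approach). The truststore path and password, the host, and the expected subject DN are assumed values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

// Added example, not from the original post. Truststore path, password,
// host and expected subject DN are assumed values.
public class PinnedClient {
    static final String TRUSTSTORE_PATH = "client-truststore.jks";
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();
    static final String HOST = "server.example.com";
    static final X500Principal EXPECTED_SUBJECT =
            new X500Principal("CN=server.example.com,O=Example Org");

    // Trust manager that consults only our truststore; no key manager is set,
    // since a plain client needs no keystore (private key) of its own.
    static SSLContext contextFromTruststore() throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            ts.load(in, TRUSTSTORE_PW);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Authorization step: SSL proved the peer holds the key of some trusted
    // certificate; only the application knows which identity it actually wants.
    static void requireExpectedPeer(SSLSession s) throws SSLPeerUnverifiedException {
        X509Certificate leaf = (X509Certificate) s.getPeerCertificates()[0];
        if (!leaf.getSubjectX500Principal().equals(EXPECTED_SUBJECT)) {
            throw new SSLPeerUnverifiedException("unexpected peer: " + leaf.getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory sf = contextFromTruststore().getSocketFactory();
        try (SSLSocket sock = (SSLSocket) sf.createSocket(HOST, 443)) {
            SSLParameters p = sock.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // JSSE hostname check against SAN/CN
            sock.setSSLParameters(p);
            // The listener only observes (it runs on another thread after the
            // handshake), so the decisive check is made on the session below.
            sock.addHandshakeCompletedListener(ev -> System.out.println("peer " + ev.getSession().getPeerHost()));
            sock.startHandshake();
            requireExpectedPeer(sock.getSession());
        }
    }
}
```

If `requireExpectedPeer` throws, the try-with-resources closes the socket before any application data is exchanged.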

One thought on “Difference between keystore & truststore”

  1. Is it possible for you to provide commands for generating a self-signed keystore and truststore cert so I can test SSL in WebLogic 10.3, please?

    Thanks,
    Neha
