Difference between keystore & truststore
1. A keystore contains a private key. You only need this if you are
a server, or if the server requires client authentication.
2. A truststore contains CA certificates to trust. If your server's
certificate is signed by a recognized CA, the default truststore
that ships with the JRE will already trust it (because it already
trusts trustworthy CAs), so you don't need to build your own,
or to add anything to the one from the JRE.
SSL provides you with privacy, integrity, and authentication. That is,
the messages are encrypted, tamper-evident, and come from an authenticated
identity. Whether that’s the identity you want to talk to is another
question. So the application has to perform the authorization step, i.e.
check the identity against what is expected. You do this by getting the
peer certificates out of the SSLSession, usually in a HandshakeCompletedListener,
and checking that the identity of the server is what you expect. SSL can't
do this for you, as only the application knows who it expects to talk to.
Another way around this is to ship a custom truststore that only contains
the server certificate for the correct server, so it won’t trust anybody else.
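The following is an added example, not code from the original text, showing both approaches together in a Java client: it builds an SSLContext from a custom truststore (assumed to hold only the expected server's certificate, no private key, so no KeyManager is configured) and, after the handshake, pulls the peer chain out of the SSLSession and checks the leaf certificate's DNS subject alternative names against the host it expects. The host name, truststore path and password are placeholders. The identity check is done synchronously right after startHandshake() rather than inside a HandshakeCompletedListener, because JSSE fires that listener on a separate thread and the I/O code would otherwise proceed before the check finishes; the standard endpoint-identification setting is enabled as well so the JSSE hostname check runs in addition to the application's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTlsClient {
    // Placeholder values: replace with the host you expect and your own truststore.
    static final String EXPECTED_HOST = "server.example.test";
    static final String TRUSTSTORE_PATH = "client-truststore.p12"; // assumed to contain only the server cert
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    /** Build an SSLContext whose only trust anchors come from the given truststore. */
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument (KeyManagers) is null: this client has no private key,
        // so it does not need a keystore. Supply a KeyManagerFactory here only if
        // the server requires client authentication.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** True if the leaf certificate carries a dNSName SAN equal to the expected host. */
    static boolean identityMatches(X509Certificate leaf, String expectedHost) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            Integer type = (Integer) san.get(0);      // GeneralName tag; 2 == dNSName
            if (type == 2 && expectedHost.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /** Open a connection, verify the peer is who we expect, and return the connected socket. */
    static SSLSocket connectToExpectedServer(String host, int port) throws Exception {
        SSLContext ctx = contextFromTruststore(TRUSTSTORE_PATH, TRUSTSTORE_PASS);
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Also enable JSSE's built-in hostname check (Java 7+) alongside the manual one.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();
        SSLSession session = socket.getSession();

        // Application-level authorization step: the peer is authenticated by TLS,
        // but only the application knows which identity it intended to reach.
        Certificate[] chain = session.getPeerCertificates(); // throws SSLPeerUnverifiedException if none
        X509Certificate leaf = (X509Certificate) chain[0];
        if (!identityMatches(leaf, host)) {
            socket.close();
            throw new SSLPeerUnverifiedException(
                    "Peer identity " + leaf.getSubjectX500Principal() + " is not " + host);
        }
        return socket;
    }

    public static void main(String[] args) throws Exception {
        try (SSLSocket socket = connectToExpectedServer(EXPECTED_HOST, 443)) {
            System.out.println("Connected to verified peer: "
                    + ((X509Certificate) socket.getSession().getPeerCertificates()[0])
                            .getSubjectX500Principal());
        }
    }
}
```

Because the truststore holds only the one server certificate, the TrustManager rejects every other peer during the handshake; the explicit SAN check on top of that guards against the case where the same truststore is later broadened to a CA and the application still needs to confirm it reached the intended host rather than any host that CA has signed.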