Java KeyStore


Java KeyStore (JKS) is a Trust Anchor Store either authorization certificates or Public Key certificates

Java KeyStore, by default uses the filename extension of jks and is managed by Keytool

Java KeyStore manages different types of certificate entries. There are three basic types of Java KeyStore entries:

  • KeyStore.PrivateKeyEntry - This type of entry holds a cryptographic Private Key, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a Certificate Chain for the corresponding Public Key. Private keys and certificate chains are used by a given entity for self-authentication. Applications for this authentication include software distribution organizations which sign JAR files as part of releasing and/or licensing software.
  • KeyStore.SecretKeyEntry - This type of entry holds a cryptographic SecretKey, which is optionally stored in a protected format to prevent unauthorized access.
  • KeyStore.TrustedCertificateEntry - This type of entry contains a single Public Key Certificate belonging to another party. It is called a Trusted Certificate because the Java KeyStore owner trusts that the Public Key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate. This type of entry can be used to authenticate other parties.

Java typically uses two different Java KeyStores

  • Keystores - is a Java KeyStore that contains Private Keys and certificates used by TLS/SSL servers to authenticate themselves to TLS/SSL clients. By convention, such files are referred to as keystores. (KeyStore.PrivateKeyEntry) There is no specific location published as we can determine.
  • Truststores - is a Java KeyStore where certificates of trusted TLS/SSL servers, or of Certificate Authorities trusted to identify servers. There are NO Private Keys in the truststore. (default is $JAVA_HOME/jre/lib/security/cacerts)

More Information#

There might be more information for this subject on one of the following: