Overview
Java KeyStore (JKS) is a Trust Anchor Store holding either authorization certificates or Public Key certificates. A Java KeyStore by default uses the filename extension .jks and is managed by Keytool.
Java KeyStore manages different types of certificate entries. There are three basic types of Java KeyStore entries:
- KeyStore.PrivateKeyEntry - This type of entry holds a cryptographic Private Key, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a Certificate Chain for the corresponding Public Key. Private keys and certificate chains are used by a given entity for self-authentication. Applications for this authentication include software distribution organizations which sign JAR files as part of releasing and/or licensing software.
- KeyStore.SecretKeyEntry - This type of entry holds a cryptographic SecretKey, which is optionally stored in a protected format to prevent unauthorized access.
- KeyStore.TrustedCertificateEntry - This type of entry contains a single Public Key Certificate belonging to another party. It is called a Trusted Certificate because the Java KeyStore owner trusts that the Public Key in the certificate indeed belongs to the identity named by the subject (owner) of the certificate. This type of entry can be used to authenticate other parties.
Java typically uses two different Java KeyStores:
- Keystores - a Java KeyStore that contains Private Keys and certificates used by TLS/SSL servers or clients to authenticate themselves to their TLS/SSL peers. By convention, such files are referred to as keystores. (KeyStore.PrivateKeyEntry) There is no published default location that we can determine.
- Truststores - a Java KeyStore that holds certificates of trusted TLS/SSL servers, or of Certificate Authorities trusted to identify others. There are NO Private Keys in the truststore. (default is $JAVA_HOME/jre/lib/security/cacerts)
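The entry types and the keystore/truststore split above can be checked programmatically. The following is an added example, not code from the page or from the JDK documentation: it loads the JDK's default cacerts truststore, classifies every alias as a PrivateKeyEntry, SecretKeyEntry or TrustedCertificateEntry, flags any Private Key that has no business being in a truststore, and separately builds an in-memory PKCS12 keystore holding a SecretKeyEntry (plain JKS cannot store secret keys). The cacerts path lookup (jre/lib/security on Java 8, lib/security on Java 9+), the password "changeit" and the alias "hmac-signing-key" are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreAudit {

    // Assumed location of the JDK truststore: lib/security on Java 9+, jre/lib/security on Java 8.
    static Path defaultCacerts() {
        Path home = Paths.get(System.getProperty("java.home"));
        Path modern = home.resolve("lib").resolve("security").resolve("cacerts");
        Path legacy = home.resolve("jre").resolve("lib").resolve("security").resolve("cacerts");
        return modern.toFile().exists() ? modern : legacy;
    }

    // Load a keystore file; the default type (pkcs12 on Java 9+) also reads legacy JKS files.
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    // Classify every alias by entry type; returns how many Private Keys were found,
    // which for a truststore should always be zero.
    static int auditTruststore(KeyStore ks) throws Exception {
        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                privateKeys++;
                System.out.println("PRIVATE KEY in truststore: " + alias);
            } else if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                System.out.println("secret key (unexpected in a truststore): " + alias);
            } else if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                String state = cert.getNotAfter().before(new Date()) ? "EXPIRED" : "ok";
                System.out.printf("trusted cert %-7s %s (%s)%n",
                        state, alias, cert.getSubjectX500Principal());
            }
        }
        return privateKeys;
    }

    // Build an in-memory PKCS12 keystore containing a SecretKeyEntry under a password.
    static KeyStore keystoreWithSecret(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty keystore
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("hmac-signing-key", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed JDK default cacerts password
        KeyStore trust = load(defaultCacerts(), pw);
        int bad = auditTruststore(trust);
        System.out.println(bad == 0 ? "truststore contains no private keys"
                                    : bad + " private key(s) found in truststore");

        KeyStore ks = keystoreWithSecret(pw);
        System.out.println("secret key entry present: "
                + ks.entryInstanceOf("hmac-signing-key", KeyStore.SecretKeyEntry.class));
    }
}
```

Compile and run with `javac KeyStoreAudit.java && java KeyStoreAudit`. The audit uses `KeyStore.entryInstanceOf` rather than `isKeyEntry`, because `isKeyEntry` is true for both PrivateKeyEntry and SecretKeyEntry and would not tell the two apart.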