Java SSL Basics

What is a Java Keystore?

Key Stores are used in Java for two different purposes:

1) To store private keys and certificates

To represent the identity of a Web server, an application or a user, the certificates and key pair should be stored in a keystore.

2) To store the certificates of trusted Certificate Authorities (CAs).

Keystore files that contain the certificates of trusted CAs are referred to in Java as Truststores.

Keystore Formats Supported by Java

So a key store is a container that is used to store keys and certificates. Java supports two different key store types:

  • JKS (Java Key Store) – this is a Java format

  • PKCS12 – this is an industry standard

The default keystore type is specified in the Java security properties file by the "keystore.type" property. If an application references a key store file without specifying the type, the JKS format is assumed. This Java security properties file is located in the file named <JAVA_HOME>/lib/security/

While JKS files are supported by Java they have a number of disadvantages:

  • They do not easily allow the private key to be exported
  • The format is not an open standard supported by other software

Creating a Keystore

The process of generating a keystore (JKS or PKCS12) involves generating a key pair (public / private key) and then getting a Certificate Authority (CA) to sign the public key and associated identity information. This occurs when the CA issues a certificate with these details included.

According to Wikipedia, a CA issues a certificate binding a public key to a particular Distinguished Name (this could be a hostname, the name of a user or an application name). The steps to create a keystore that represents a user, application or hostname are as follows:

1) Generate a key pair (public / private key)

2) Generate a Certificate Signing Request (CSR) from the key pair

3) Get the CSR signed by the trusted CA (output of this is a certificate)

4) Import the certificate produced by the CA that bears your details (CA's response to your signing request) into the key store

5) Import the CA's own certificate into your keystore as a trusted certificate


To facilitate the creation and management of keystore files Java comes with the Keytool utility to create JKS files. Keytool is a management tool that allows public/private key pairs and certificates to be managed.

Creating a Keystore in JKS format

Guide to Basic Keytool Commands covers:
  • Creating a basic java key store
  • Generating a Certificate Signing Request (CSR)
  • Importing the signed certificate into the key store
  • Listing the contents of a key store

Creating a Truststore in JKS format

Guide to Creating a Truststore covers:
  • Downloading CA certificates
  • Create keystore
  • Add trusted certificates

Java's Default Keystore

A Web server or application can instruct Java to use a specific keystore file by setting the property with the keystore's file location. If the application does not specify a keystore property then the default keystore is loaded and used. The default keystore is stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property.

Java's Default Truststore

A Web server or application can instruct Java to use a specific truststore file by setting the property with the truststore's file location. If the application does not specify a truststore property then the default truststore is loaded and used. The default Java truststore file is located at <JAVA_HOME>/lib/security/cacerts and its default password is ‘changeit’. Truststore files are simply keystore files that contain one or more trusted CA certificates.
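
To check which of the two roles a given keystore file plays, the following added example (not part of the original guide) lists every entry as either an identity (key entry) or a trusted certificate, and flags expired certificates. The class name KeystoreAudit and its command-line arguments are assumptions; with no arguments it opens the default truststore with the default password described above. It requires Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example (hypothetical class name): reports how each keystore entry is used.
// Usage: java KeystoreAudit.java [keystore-file] [password]
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        // Assumption: with no arguments, inspect the default truststore (cacerts).
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // Java 9+: the file format (JKS or PKCS12) is detected from the file content,
        // so the caller does not need to know the keystore type in advance.
        KeyStore ks = KeyStore.getInstance(new File(path), password);
        System.out.println("file=" + path + " type=" + ks.getType()
                + " defaultType=" + KeyStore.getDefaultType());

        int identities = 0;
        int trusted = 0;
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            // A key entry holds a private (or secret) key, normally with a certificate
            // chain: an identity. A certificate entry holds only a trusted certificate.
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) identities++; else trusted++;

            String detail = "";
            Certificate cert = ks.getCertificate(alias); // null for secret-key entries
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                detail = " subject=\"" + x509.getSubjectX500Principal().getName() + "\""
                        + " notAfter=" + x509.getNotAfter()
                        + (x509.getNotAfter().before(now) ? " EXPIRED" : "");
            }
            System.out.println((isKey ? "[identity] " : "[trusted]  ") + alias + detail);
        }
        System.out.println(identities + " key entries, " + trusted + " trusted certificates");
    }
}
```

A file that reports only trusted certificates is acting as a truststore; one with key entries carries an identity and its private key, so its file permissions and password deserve corresponding care.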

Creating credentials in PKCS12 format


  • Creating a key with OpenSSL
  • Generating a Certificate Signing Request (CSR)
  • Generating a PKCS12 file with the key and signed certificate.

Converting between Key Store Formats

  • Converting a JKS file to PKCS12
  • Converting a PKCS12 file to JKS