Key Stores are used in Java for two different purposes:
1) To store private keys and certificates
To represent the identity of a Web server (www.hostname.com), an application or a user, the certificates and key pair should be stored in a keystore.
2) To store the certificates of trusted Certificate Authorities (CAs)
Keystore files that contain the certificates of trusted CAs are referred to in Java as Truststores.
So a key store is a container that is used to store keys and certificates. Java supports two different key store types:
· JKS (Java Key Store) – this is a Java-specific format
· PKCS12 – this is an industry standard
The default keystore type is specified in the Java security properties file by the "keystore.type" property. If an application references a key store file without specifying the type, the JKS format is assumed. This Java security properties file is located at <JAVA_HOME>/lib/security/java.security.
While JKS files are supported by Java, they have a number of disadvantages:
The process of generating a keystore (JKS or PKCS12) involves generating a key pair (public / private key) and then getting a Certificate Authority (CA) to sign the public key and the associated identity information. This occurs when the CA issues a certificate with these details included.
According to Wikipedia, a CA issues a certificate binding a public key to a particular Distinguished Name (this could be a hostname, the name of a user or an application name). The steps to create a keystore that represents a user, application or hostname are as follows:
1) Generate a key pair (public / private key)
2) Generate a Certificate Signing Request (CSR) from the key pair
3) Get the CSR signed by the trusted CA (output of this is a certificate)
4) Import the certificate produced by the CA that bears your details (CA's response to your signing request) into the key store
5) Import the CA's own certificate into your keystore as a trusted certificate
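The five steps above, and the truststore described under purpose 2, carried out with keytool as an added example (this is not code from the original page). It assumes a JDK keytool on the PATH and uses PKCS12 throughout. Because a real CA is not available offline, step 3 is performed by a constructed stand-in CA ("Example Corp CA") created with keytool -gencert; in practice the CSR file is sent to the trusted CA and the signed certificate comes back. The password, host name and organisation are constructed demo values. Note that the CA certificate is imported before the CA reply: keytool validates a reply against the trusted certificates already in the keystore, so importing in the order 5 then 4 is what works in practice.

```shell
#!/bin/sh
# Added example of the keystore procedure described in the text; not the page's own code.
# Assumes: keytool (JDK 8 or later) on PATH. "Example Corp CA" is a constructed stand-in
# for a real trusted CA so the example runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # constructed demo password; use a real secret in practice

# Stand-in for the real CA: a self-signed CA key pair used only to sign the CSR below.
make_toy_ca() {
    keytool -genkeypair -keystore "$WORK/ca.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Corp CA, O=Example Corp" \
        -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign
    # Export the CA certificate; this is what gets distributed as a trusted cert.
    keytool -exportcert -keystore "$WORK/ca.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -rfc -file "$WORK/ca.pem"
}

# Steps 1-5 for a server identity keystore. Step 3 is done by the toy CA here.
build_server_keystore() {
    host="$1"
    # Step 1: generate the key pair under alias "server".
    keytool -genkeypair -keystore "$WORK/server.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, O=Example Corp"
    # Step 2: generate a CSR from that key pair.
    keytool -certreq -keystore "$WORK/server.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias server -file "$WORK/server.csr"
    # Step 3: the CA signs the CSR and returns a certificate (toy CA stands in here).
    keytool -gencert -keystore "$WORK/ca.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -infile "$WORK/server.csr" -outfile "$WORK/server.pem" -rfc \
        -validity 365 -ext "san=dns:$host" -ext eku=serverAuth
    # Step 5 first: import the CA certificate as a trusted certificate, so that ...
    keytool -importcert -keystore "$WORK/server.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -file "$WORK/ca.pem" -noprompt
    # ... step 4, importing the CA reply under the key alias, can verify its chain.
    keytool -importcert -keystore "$WORK/server.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias server -file "$WORK/server.pem"
}

# Purpose 2 from the text: a truststore holds only CA certificates, never private keys.
build_truststore() {
    keytool -importcert -keystore "$WORK/truststore.p12" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -file "$WORK/ca.pem" -noprompt
}

# Count entries of a given kind ("PrivateKeyEntry" or "trustedCertEntry") in a keystore.
count_entries() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$PASS" | grep -c "$2" || true
}
```

Every command passes -storetype explicitly rather than relying on the keystore.type default in java.security, which has changed between Java releases; that habit avoids "Invalid keystore format" surprises when a file moves between JDK versions. After running make_toy_ca, build_server_keystore www.hostname.com and build_truststore, server.p12 contains one PrivateKeyEntry and one trustedCertEntry, while truststore.p12 contains only the trustedCertEntry.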
To facilitate the creation and management of keystore files, Java ships with the keytool utility. Keytool is a command-line management tool that allows public/private key pairs and certificates to be created, imported, exported and listed.
Converting between Key Store Formats