148

What's the difference between the two, cacerts and keystore?

If I use the definition found in these links, cacerts and keystore, it seems that they're a collection of certificates, but in context of a (Java) distributed system. Which one is used to authenticate during an SSL connection? Both or just one of them or alternate?

Peter Mortensen
dimas

5 Answers

187

'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.

user207421
  • Hi EJP, thanks for the answers, I quoted that before I read any of your answers ;) So just a clarification if I summarize your answers in Francis and Pangea. Cacerts is used to authenticate clients requesting access or connection and for keystore I don't quite get it why you would want to authenticate yourself. :) – dimas Jul 29 '13 at 23:41
  • 30
    Read what I wrote again. (1) A truststore is used to authenticate *peers.* If you're the client, the server is the peer; if you're the server, *vice versa.* (2) If you're the server, or if you're the client and the server requests client authentication, you have to authenticate yourself *to* the peer, so you need your own certificate and private key, which are in the keystore. (Confusingly, the same file format is used for both and it's called a keystore file.) – user207421 Jul 29 '13 at 23:44
  • OK got it, but just a follow up question. My cacerts contains all the certs stored in keystore and more. Although some certs including my application's private cert have different aliases but they have the same digital signatures. So ideally I can use my cacerts if I connect to the server and requests authentication? – dimas Jul 30 '13 at 00:02
  • I don't understand the part about 'different aliases'. Different from what? Your final question is answerable by experiment. – user207421 Feb 06 '14 at 02:19
  • Are cacerts the same for all the environments or configured based on each environment? Like, can I use 'cacerts' from PROD to UAT or SIT? – raja777m Sep 09 '15 at 19:18
  • 6
    @raja777m `cacerts` is who you trust. I don't see any reason for that to change between environments, unless you commit the mistake of using self-signed certificates for test servers: a mistake because it means you're using different code paths in test and in production. – user207421 Oct 26 '15 at 22:21
  • Is `cacerts` specific to Java or not? – Peter Mortensen Jul 22 '18 at 10:56
  • @PeterMortensen Yes, it is a file distributed with the JRE, in `lib\security\cacerts`. Your point? – user207421 Jul 18 '19 at 10:23
59

cacerts is where Java stores public certificates of root CAs. Java uses cacerts to authenticate the servers.

Keystore is where Java stores the private keys of the clients so that it can share it to the server when the server requests client authentication.

Peter Mortensen
Aravind Yarram
  • @dimas Evidently, but what he really means is 'requests'. – user207421 Jul 29 '13 at 23:27
  • 1
    @user207421 I believe in this answer the Java App is playing the role of a http client and the http url that our Java App calls is the server application. So KeyStore of our client Java app should have both private key + certificate ( signed public key ) and send only the certificate to the server app, right ? And if the server app is also a Java app it verifies the certificate sent by our client Java app, using its own cacert file, right ? – user104309 Oct 31 '18 at 06:53
  • 1
    == One does not simply share private keys ==, but yeah, they can be used for (client) authentication – smido Dec 28 '21 at 08:22
  • @user104309 Almost. The server must verify the client certificate, if any, regardless of whether it is written in Java or not. RFC 2246 and successors require it. – user207421 Apr 25 '23 at 04:59
4

Cacerts are details of trusted signing authorities who can issue certs. This is what most browsers have, and it is how certs are determined to be authentic.

Keystore has your service related certs to authenticate clients.

Jeroen Steenbeeke
Jawed
0

There are now better articles to explain the difference. This article explains it well: https://www.baeldung.com/java-keystore-truststore-difference

For some additional basics in layman's terms:

  • Terminology:
    • Client: You are considered a client if you are reaching out to someone to get a service. You could even be a server, and you could still be the client from the perspective of a particular connection! For example, if I am a web server, and I reach out to CuteCatPics.com for getting cat pics, then I am a client.
    • Server: You are providing a service to someone.
  • How Secure HTTP connections work:
    • Client reaches out to a server for a service.
    • Eventually the server is going to ask me for credentials to prove myself. So, before sending my password, I want to make sure that I am talking to the right server. I don't want to send my password to a fake server. (This is the common case where the client sends a password or JWT etc.)
    • So, first Client asks the server to send its certificate. Client gets the certificate and checks within its truststore whether it is a valid certificate. Or, if the certificate is in turn signed by a certifying authority, then the certifying authority's certificate should be in my truststore. That's why Java's default trust store is called "ca certs".
    • Based on this, Client has concluded that the Server is genuine. Then the client sends password/JWT to the server to login.
  • How secure HTTP works when client also wants to use certificate to identify itself instead of passwords / JWTs:
    • Once the client has decided that the Server is genuine, the client sends its public certificate (taken from the keystore) to that server.
    • Server will pick a random number, encrypt it with the public certificate, and send it to the client challenging it to decrypt the encrypted random number.
    • Client will use the matching private key (from keystore) to decrypt the encrypted random number, and reply to the server. Server is now confident that the Client indeed has the private key, and client's identity is confirmed. (Note that in this case, the server may also check the client's public certificate in its own truststore. Or, some other method of authorization.)(Answering private key challenge can only prove the identity that the client is in fact "Mr. Mark Twain" or "BlogServerA.com". But, authorization deals with what services Mark Twain is entitled to on the server).
  • Other uses of Keystore:
    • Keystore stores private keys and/or matching public certificates. This can be used to do token signing, document signing, etc.
Teddy
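The split the answers above describe (truststore = who you trust, keystore = who you are) is exactly how Java's JSSE wires an SSLContext: the truststore feeds the TrustManagers and the keystore feeds the KeyManagers. The following is an added example, not code from any of the answers; it assumes the default JRE `cacerts` with its well-known default password `changeit`, and a hypothetical application keystore `client.p12` protected by a made-up password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsContext {

    // cacerts and an application keystore share the same file format, so one loader serves both.
    // Since JDK 9 the "pkcs12" KeyStore type also reads legacy JKS files (keystore.type.compat).
    static KeyStore load(Path path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password); // password is used for the integrity check of the file
        }
        return ks;
    }

    // Truststore -> TrustManagers: the CA certs used to authenticate the PEER.
    // Keystore   -> KeyManagers:   our own private key + certificate chain, used to authenticate OURSELVES.
    // Pass keystore == null for the ordinary case where only the server is authenticated.
    static SSLContext build(Path truststore, char[] trustPass,
                            Path keystore, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, trustPass, KeyStore.getDefaultType()));

        KeyManagerFactory kmf = null;
        if (keystore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystore, keyPass, "PKCS12"), keyPass); // second arg unlocks the private key
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Default truststore shipped with the JRE (JDK 9+ layout; older JDKs used jre/lib/security).
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        // Hypothetical application keystore holding this client's key pair (assumed, not on the page).
        Path clientKeystore = Path.of("client.p12");

        SSLContext serverAuthOnly = build(cacerts, "changeit".toCharArray(), null, null);
        SSLContext mutualTls = build(cacerts, "changeit".toCharArray(),
                                     clientKeystore, "client-secret".toCharArray());
        System.out.println("server-auth context: " + serverAuthOnly.getProtocol()
                + ", mutual-TLS context: " + mutualTls.getProtocol());
    }
}
```

With `serverAuthOnly`, a handshake in which the server requests a client certificate completes without one (and the server may then reject the connection); with `mutualTls`, the KeyManager answers that request with the certificate from `client.p12` and proves possession of its private key during the handshake.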
-1

Check your JAVA_HOME path. Systems look for a java.policy file which is located in JAVA_HOME/jre/lib/security. Your JAVA_HOME should always be ../JAVA/JDK.

Peter Mortensen