3

I know the cacerts file that ships with the JRE is the truststore where Root CA certificates are stored; many people refer to this file as a keystore as well. However, my understanding of the keystore file is that it is another file where private keys are kept for the server to authenticate itself.

Then, where does Java store the private keys? Or where exactly is the keystore file located; is it the same file as cacerts?

Moreover, the following command lists all Root CA certificates:

> keytool -list -storepass changeit -keystore "C:\Program Files\Java\jre1.8.0_191\lib\security\cacerts"

Why can't keytool list the Root CA certificates without the -keystore & -storepass flags?

mkhayata

1 Answer

5

Why can't keytool list the Root CA certificates without the -keystore & -storepass flags?

It can, starting with Java 9:

keytool -list -cacerts

Just press Enter at the password prompt.


where does Java store the private keys?

Java doesn't store them anywhere.

You store them in a keystore file, anywhere you want on the file system. Then you tell the "server" where it is.

Exactly how you do that depends on what the "server" is, e.g. for Tomcat you give the path to the keystore file in the server.xml file.

Andreas
  • 1
    Prior to Java 9, why did keytool not have this option? Is it because the cacerts file was considered both a truststore and a keystore? For private keys, yes, of course Java doesn't store/provide private keys, but what I meant is whether Java has some default location/file to look for private keys added by users, which I believe is the equivalent of the **javax.net.ssl.keyStore** JVM property? – mkhayata Jan 20 '19 at 01:43
  • *"why the keytool did not have this option?"* Because they hadn't thought to add it, and it wasn't really necessary, since you can do it with the `-keystore` argument. – Andreas Jan 20 '19 at 02:43
  • OK, but it is still not clear. Does this mean the cacerts file is considered both a truststore and a keystore? Can this file contain private keys, used for example by the server to decrypt? – mkhayata Jan 20 '19 at 20:05
  • @mkhayata Why would it? The `cacerts` file stores **CA certificates**, i.e. root and intermediate public certificates issued by Certificate Authorities, and public certificates never have private keys. `cacerts` is a plain keystore file, dedicated to storing CA certificates, so you can use HTTPS out-of-the-box. --- A server certificate, and its associated private key, is *not* a CA certificate, and should *not* be stored in `cacerts`. It should be stored elsewhere, and referenced by the server configuration, as already mentioned in the answer. – Andreas Jan 20 '19 at 20:47
  • You just said `cacerts` is a plain keystore file, and this is the starting point of confusion for me: why are you calling it a keystore file? Isn't it a truststore file? – mkhayata Jan 20 '19 at 21:57
  • 1
    @mkhayata I'm sorry, you're right, I misspoke, it's a truststore. This answer has a good description of the difference: [Trust Store vs Key Store - creating with keytool](https://stackoverflow.com/a/6341566/5221149) – Andreas Jan 21 '19 at 02:33
  • OK, thanks for the link. Then can we say that the `cacerts` file is to store CA Root certificates, but can also have private keys added by the user with keytool? So the same file can be both a keystore and a truststore? And the fact that keytool always needs the **-keystore** & **-storepass** flags (prior to Java 9) is because keytool was designed to create/manipulate private keys in the first place? – mkhayata Jan 21 '19 at 03:42
  • 1
    *"can we say that cacerts file is to store CA Root certificates"* Yes, of course, look at the name of the file. --- *"but can also have private keys added"* Can? Probably, but that would be a total misuse of the file. **Don't do it!** --- Read the description of [`keytool`](https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html): *"Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates."* It was designed to do **all** of that. – Andreas Jan 21 '19 at 04:03
  • OK, now it all makes sense. I am accepting your answer for your great collaboration. – mkhayata Jan 23 '19 at 01:10
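The two points of the accepted answer, shown in code rather than with keytool. This is an added example and is not part of the question, the answer or the comments above. It opens `cacerts` at the location the JVM itself uses when `javax.net.ssl.trustStore` is unset, counts private-key entries against trusted-certificate entries (the same `PrivateKeyEntry` / `trustedCertEntry` split that `keytool -list -v` prints), and then does the same for a server keystore whose path and password are assumed to arrive via the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties, a hypothetical convention for this example; the JVM has no built-in default for a private-key store. Finally it wires each file into the TLS role it is meant for: the keystore into a `KeyManagerFactory` (our identity), the truststore into a `TrustManagerFactory` (which peers we accept).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): inspects the JRE truststore
 * and a separately created server keystore, then gives each its proper TLS role.
 * Assumed inputs (hypothetical convention for this example):
 *   -Djavax.net.ssl.keyStore=<path>  -Djavax.net.ssl.keyStorePassword=<pw>
 */
public class KeystoreVsTruststore {

    /** Loads a store file. A null password skips the integrity check, which is what pressing Enter at keytool's prompt does. */
    static KeyStore load(Path file, char[] password) throws Exception {
        // Default type is JKS on Java 8 and PKCS12 on 9+; since Java 9 either type can read the other's format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns {private-key entries, trusted-certificate entries}, the distinction keytool -list prints per alias. */
    static int[] countEntries(KeyStore ks) throws Exception {
        int keyEntries = 0, certEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) keyEntries++;
            else if (ks.isCertificateEntry(alias)) certEntries++;
        }
        return new int[] { keyEntries, certEntries };
    }

    public static void main(String[] args) throws Exception {
        // 1. The truststore: the JVM's default location when javax.net.ssl.trustStore is unset.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trust = load(cacerts, null);
        int[] t = countEntries(trust);
        System.out.printf("%s: %d private-key entries, %d trusted-cert entries%n", cacerts, t[0], t[1]);
        // cacerts holds only CA certificates, so the first number is 0 on a stock JRE.

        // 2. The keystore: there is no default. You create it and tell the server where it is.
        String keyStorePath = System.getProperty("javax.net.ssl.keyStore");   // assumed property
        if (keyStorePath == null) {
            System.out.println("javax.net.ssl.keyStore not set: the JVM has no default file for private keys.");
            return;
        }
        char[] keyPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore identity = load(Paths.get(keyStorePath), keyPass);
        int[] k = countEntries(identity);
        System.out.printf("%s: %d private-key entries, %d trusted-cert entries%n", keyStorePath, k[0], k[1]);

        // 3. Each store feeds a different half of the TLS handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);        // proves OUR identity: needs the private key, so it reads the keystore
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                    // decides which PEER certificates we accept: reads the truststore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready with separate identity and trust stores: " + ctx.getProtocol());
    }
}
```

To try it, create the server keystore the way the answer describes, as its own file rather than inside `cacerts`: `keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname "CN=localhost" -validity 365 -storetype PKCS12 -keystore server.p12 -storepass changeit -keypass changeit`, then compile and run with `java -Djavax.net.ssl.keyStore=server.p12 -Djavax.net.ssl.keyStorePassword=changeit KeystoreVsTruststore`. The second line of output shows one private-key entry and zero trusted-cert entries, the mirror image of `cacerts`. A real server does the same wiring from its configuration instead of system properties; in Tomcat that is the `certificateKeystoreFile` attribute of the `<Certificate>` element under `<SSLHostConfig>` in server.xml.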