A Java KeyStore (JKS) is a repository of cryptographic keys and certificates - used for instance in TLS encryption. It is defined within the Java Cryptography Architecture specification.
The file extension jks commonly refers to a Java keystore as defined in the Java Cryptography Architecture (JCA) specification. This file structure is used to hold bare keys, personal certificates and public certificates for use by Java-based applications.
The Java JDK references two different jks files. One, called the Trust Store holds the trusted certificates, such as the signer certificates issued by a Certificate Authority, or the personal certificates issued by peer nodes. Because all the certificates in the trust store are the public portion of the certificate pairs they represent, the security requirements for this file are significantly lower than those for private certificates and keys. The primary risk is to ensure secure provisioning to prevent insertion of undesired certificates. However, there is little to no risk in the file being world readable.
Separating the keystore and trust store files allows for the trust store to be distributed as part of an application's configuration package. The default location for this file is [jre home]/lib/security/cacerts.
Note that although this file is called a trust store to distinguish it from the keystore that holds the private keys, it uses the jks format and file name extension.
The second file referenced by the JDK is the keystore that contains the application's personal certificate and private keys, if any. Because these elements are private, they are usually generated in place in the local filesystem or hardware security module, and then never moved.
Managing the private keys and personal certificates centrally and then deploying them creates an additional security risk. If the central repository is breached, all certificates are compromised at once. When the certificates are transported improperly, it is possible to leave images of them in temp files, memory, cache and the local filesystems. For these reasons central management of private crypto elements is best performed by a purpose built Public Key Infrastructure (PKI) management system. A well-built PKI uses many additional controls to mitigate risks of breach and of leakage in transit.
JDKs provide a utility named keytool to manipulate the keystore and the cryptographic assets that it contains. The keytool utility includes functions to generate keys, generate certificate signing requests, import and export keys and certificates, and delete keys and certificates from the keystore.
