Cacerts vs Keystore in Java

MD Aminul Islam Sep 16, 2022
This tutorial compares cacerts and the KeyStore and highlights the differences between them.

cacerts vs KeyStore in Java

cacerts is a TrustStore used to authenticate peers, while a KeyStore is used to authenticate yourself.

Both the KeyStore and the TrustStore are mainly used by applications that need to communicate over SSL/TLS. These files are password protected.

The default KeyStore format is PKCS12 from Java 9 onward; JKS was the default until Java 8. Let's discuss the KeyStore and the TrustStore individually below.

KeyStore in Java

The KeyStore stores private key entries, public keys, and certificates, mainly for cryptographic purposes. A program uses the KeyStore when it acts as a server and wants to serve HTTPS.

During the SSL handshake, a server program looks up its private key in the KeyStore. Client programs use the KeyStore too.

When a client program tries to connect to a server, it needs to authenticate itself. During authentication, the client program also looks up the public keys and certificates in the KeyStore.

In short, a KeyStore is the place that holds all the necessary security files.

TrustStore in Java

The TrustStore is the opposite of the KeyStore. The KeyStore holds the files that identify us, whereas the TrustStore holds the files that identify others.

Java ships with a bundled TrustStore called cacerts, located in the directory $JAVA_HOME/jre/lib/security.

Demonstration of the Keystore and TrustStore (cacerts)

Below is an example command that lists the entries of a store, here the cacerts TrustStore:

keytool -list -keystore cacerts

Now, after running the above command, you will get the following output:

[Screenshot: output of the keytool -list command on cacerts]

Please note that the command shared above mainly focuses on Java.
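
In Java's TLS code, the same split appears as key managers (our identity) versus trust managers (the peers we accept). The program below is an added example, not code from the original article: it loads the bundled cacerts, counts private-key and trusted-certificate entries, and builds an SSLContext from both stores. The class name StoreRoles and the optional keystore-path argument are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StoreRoles {
    // Load a store file using the default type (JKS until Java 8, PKCS12 from Java 9).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Count entries by role: private keys identify us, trusted certificates identify peers.
    static void summarize(String label, KeyStore ks) throws Exception {
        int keys = 0, trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keys++;
            else if (ks.isCertificateEntry(alias)) trusted++;
        }
        System.out.printf("%s: %d key entries, %d trusted certificates%n", label, keys, trusted);
    }

    public static void main(String[] args) throws Exception {
        // TrustStore: bundled cacerts, default password "changeit"; java.home is $JAVA_HOME/jre on Java 8.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore trustStore = load(cacerts, "changeit".toCharArray());
        summarize("cacerts", trustStore);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // KeyStore: optional path to our identity store (assumed argument; key password == store password).
        KeyManagerFactory kmf = null;
        if (args.length == 1 && System.console() != null) {
            char[] pw = System.console().readPassword("Password for %s: ", args[0]);
            KeyStore identity = load(args[0], pw);
            summarize(args[0], identity);
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, pw);
        }
        // Key managers present our identity; trust managers verify the peer's certificate.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Run without arguments, it reports zero key entries for cacerts, since a TrustStore carries only certificates of others. The password is read from the console rather than the command line so it does not appear in the process list.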
