Trust Store vs KeyStore

Definitions:

  • KeyStore: It contains one or more private keys together with the certificate (chain) that belongs to each key. A party uses it to prove its own identity in the TLS handshake, so a TLS server always needs one; a client needs one only for mutual TLS, where it must present a client certificate.
  • TrustStore: It contains only public certificates (self-signed peer certificates or CA certificates) that the owner is willing to accept as proof of a peer's identity; it holds no private keys. A client uses it to verify the server, and a server uses one as well when it verifies client certificates. Both are ordinary keystore files; the difference is what you put in them and which side of the connection they are wired into.

Create a keypair and keystore

keytool -genkeypair -alias <name> -keyalg <algorithm> -keysize <size> -dname <subject> -validity <days> -storetype PKCS12 -keystore <path to keystore> -storepass <password> -keypass <same password>
-alias <name>
Any value, for example the hostname of the server or a descriptive name such as nginx node 1. Quote the value if it contains spaces.

-keyalg <algorithm>
The key algorithm is normally RSA. EC (with -keysize 256, the P-256 curve) is also supported by current TLS stacks and gives much smaller keys and certificates.

-keysize <size>
Use a key size of at least 2048 for RSA; choose 3072 or 4096 if the certificate is going to live for years (see -validity).

-dname <subject>
The subject is an X.500 Distinguished Name (DN) with a CN (common name), and optionally O (organization), OU (organizational unit), L (locality), ST (state or province), C (country), and other tokens. An example DN is "CN=nginx node 1, OU=Datacenter 1, OU=QA, O=IBM" (quote it, because of the spaces). Note that modern TLS clients match the hostname against the Subject Alternative Name extension rather than the CN; keytool can add one with -ext SAN=dns:<hostname>.

-validity <days>
The validity specifies the number of days until the personal certificate expires. Self-signed certificates for internal client/server communications are often given a long life such as ten years (3650) because nothing renews them automatically. The trade-off is that a compromised key stays valid, and trusted, until every truststore that contains the certificate has been updated, so decide how you will rotate the certificate before choosing a long period.

-keystore <path to keystore>
The path to the keystore file can be anywhere, but it would normally be in the nginx conf directory (for example: /etc/nginx/conf/keystore.p12). -storetype PKCS12 makes sure the file really is PKCS#12: Java 9 and later default to PKCS12, but Java 8 keytool writes the legacy JKS format regardless of the .p12 extension.

-storepass <password>
The keystore password can be any value. For a PKCS#12 keystore it derives the key that encrypts the private key entries and the MAC that protects the file's integrity. Anyone who can read the file and knows this password has the server's private key, so restrict the file's permissions (for example mode 0600, owned by the user nginx runs as) and do not leave the password in shell history or world-readable scripts.

-keypass <same password>
The key password must be the same as the storepass password: keytool does not support a separate key password for PKCS#12 keystores and ignores a different -keypass value with a warning. A distinct key password is only meaningful for the legacy JKS format.

Export a certificate from keystore

keytool -exportcert -alias <name> -keystore <path to keystore> -file <path to cert file> -storepass <password>
-exportcert
The keytool command for exporting a certificate.
-keystore <path to keystore>
The path to the keystore file can be anywhere (for example:/etc/nginx/conf/keystore.p12).
-alias <name>
Any value. For example, the hostname of the server, or a descriptive name like nginx node 1.
-file <path to the file to which the certificate is exported>
The path to the file that receives the exported certificate (for example: /etc/nginx/conf/nginx.crt). By default the file is DER-encoded; add -rfc to get the PEM (Base64) form that nginx and openssl read directly. Only the public certificate leaves the keystore, never the private key. It is recommended that the name of the certificate file is different for each nginx node so they can be told apart.
-storepass <password>
The keystore password that was chosen when the keystore was created in step 1.

Create a truststore

keytool -importcert -alias <name> -file <path to cert file>.crt -keystore <path to truststore> -storepass <password>
-importcert 
The keytool command for importing a certificate.
-alias <name>
Any value. For example, the hostname of the server, or a descriptive name like nginx node 1.
-file <path to cert file>.crt
The certificate that was exported from keystore.p12 in the previous step. It contains the public key and the subject only; importing it adds a trusted-certificate entry, not a key entry.
-keystore <path to truststore>
The path to the truststore file can be anywhere (for example:/etc/nginx/conf/truststore.ts).
-storepass <password>
The truststore password. If the truststore file does not exist yet, keytool creates it and this becomes its password. Because a truststore holds only public certificates, the password protects the file's integrity (nobody can silently add a trusted certificate), not secrecy.

Example

Creating a keystore

keytool -genkeypair -alias node1 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12
# -genkey is the older spelling of -genkeypair. keytool prompts for the DN fields and the passwords in the terminal.

Creating a keystore with non-interactive terminal

keytool -genkeypair -alias node1 -keyalg RSA -keysize 2048 -storetype PKCS12 -dname "CN=nginx node1, OU=Unit, O=Organization, L=City, ST=State, C=IN" -validity 3650 -keypass password -keystore keystore.p12 -storepass password
# ST is the standard keyword for state or province. "password" is a placeholder; passing a real password on the command line exposes it in shell history and the process list, so prefer the interactive prompt or -storepass:file <file> for production stores.

Export a public certificate from the store

keytool -exportcert -alias node1 -file certificate.cer -keystore keystore.p12
# -export is the older spelling of -exportcert. keytool prompts for the store password and writes the DER-encoded certificate (add -rfc for PEM).

Importing a certificate into the truststore

keytool -importcert -v -trustcacerts -alias node1 -file certificate.cer -keystore truststore.ts
# -import is the older spelling of -importcert. keytool prints the certificate's subject and fingerprints and asks "Trust this certificate?"; check the fingerprint against the one shown by keytool -list on the source keystore before answering yes, since whatever goes into the truststore is accepted without further question.
# -trustcacerts makes keytool also consult the JDK's cacerts file when it tries to build a chain for the imported certificate; for a self-signed certificate this changes nothing.
# If there is no truststore.ts then it will create a new truststore.ts

Importing a certificate into the truststore with non interactive terminal

keytool -importcert -alias node1 -file certificate.cer -keystore truststore.ts -storepass password -noprompt
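
To show which side actually consumes which store, here is an added example that is not part of the original post: a small Java program that wires keystore.p12 into the server side of a TLS connection and truststore.ts into the client side, then runs two handshakes over loopback. It assumes both files were produced by the example commands above with the password "password" and that it runs on JDK 9 or later; the class name StoreRolesDemo and the helper method names are my own.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

// Added example (not part of the original post): which side consumes which store.
public class StoreRolesDemo {

    // Assumed to match the example keytool commands above.
    static final String KEYSTORE = "keystore.p12";
    static final String TRUSTSTORE = "truststore.ts";
    static final char[] PASSWORD = "password".toCharArray();

    static KeyStore load(String path, char[] password) throws Exception {
        // "PKCS12" also reads a legacy JKS file on JDK 9+ (keystore.type.compat).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Server side: the KeyStore supplies the private key and certificate the server presents.
    static SSLContext serverContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE, PASSWORD), PASSWORD); // second argument is the key password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // no TrustManagers: this server does not verify clients
        return ctx;
    }

    // Client side: the TrustStore decides which server certificates are accepted.
    // Passing null makes Java fall back to the JDK's own cacerts file.
    static SSLContext clientContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no KeyManagers: the client has no identity (no mTLS)
        return ctx;
    }

    // Runs one handshake over loopback; true if the client accepted the server's certificate.
    static boolean handshake(SSLContext server, SSLContext client) throws Exception {
        try (SSLServerSocket ss = (SSLServerSocket) server.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread acceptor = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();
                    s.getOutputStream().write("hello\n".getBytes(StandardCharsets.US_ASCII));
                } catch (IOException e) {
                    // A rejected certificate arrives here as a TLS alert from the client; it is reported below.
                }
            });
            acceptor.start();
            try (SSLSocket c = (SSLSocket) client.getSocketFactory()
                    .createSocket(ss.getInetAddress(), ss.getLocalPort())) {
                c.startHandshake();
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(c.getInputStream(), StandardCharsets.US_ASCII));
                return "hello".equals(in.readLine());
            } catch (SSLException e) {
                System.out.println("  rejected: " + e.getMessage());
                return false;
            } finally {
                acceptor.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext server = serverContext();
        // truststore.ts holds node1's certificate, so this client accepts the server.
        System.out.println("client with truststore.ts: "
                + handshake(server, clientContext(load(TRUSTSTORE, PASSWORD))));
        // The JDK's default cacerts does not know the self-signed certificate, so this client
        // aborts with "PKIX path building failed ... unable to find valid certification path".
        System.out.println("client with default cacerts: " + handshake(server, clientContext(null)));
    }
}
```

Run it from the directory that contains the two stores. The first handshake succeeds and the second fails, which is exactly the difference between the two files: the same server, with the same KeyStore, is trusted or not depending only on what the client's TrustStore contains. Note that a raw SSLSocket does no hostname check; an HttpsURLConnection, or an SSLSocket whose SSLParameters set the endpoint identification algorithm to "HTTPS", would additionally require the certificate's SAN to match the host you connected to.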