Difference between keystore and truststore
Security has become a vital concern in most online transactions nowadays. Many of the world's most popular websites have adopted security protocols to transfer data, especially sensitive data. These security protocols include SSL/TLS, which uses a private/public key exchange mechanism to establish secure connections.
Private/public key cryptography is a really important invention: it allows data to be transferred securely and at the same time solves the big problem of transferring a symmetric key securely over the Internet. Because of this characteristic, private/public key cryptography is the ideal candidate for online secure key distribution.
SSL/TLS is a family of secure transmission protocols that defines how a security key can be distributed on the Internet and how application data is transferred securely. It consists of two major processes: the handshake and application data transmission. The handshake is the process of establishing the secure connection between two parties. During this process, the server will use its private key to encrypt the key material which will be used to generate the symmetric key, and the client will decrypt it using the corresponding public key from the server. In addition, the server will present its certificate to the client so that it can be validated, proving that the server is the trusted target server rather than a fake one.
The private key and the certificate used in this process have to be stored somewhere. The places for storing them are the keystore and the truststore respectively.
A keystore is a storage facility for cryptographic keys and certificates. Keystores are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. There are three kinds of entries that can be stored in a keystore: private keys, secret keys and certificates. This means it can store not only keys but also certificates, hence a keystore can in some way be used as both a keystore and a truststore. A keystore will often be password protected.
A truststore is another kind of storage which is mainly used for storing certificates or certificate chains. It is not used for storing keys. These certificates and certificate chains are used for validating whether a certificate from some party is trusted or not. The certificates stored in a truststore are usually ones signed by trusted CAs such as VeriSign.
In a normal server/client model, the keystore and truststore play different roles. The server will have a keystore set up, and the keystore serves different types of private keys which meet different security strength requirements. These keys are generated using different cryptographic algorithms such as RSA, DSA, DH, ECDH etc.
The client will usually have a truststore which contains a set of trusted certificates. So when a server presents its certificate to the client, the certificates in the truststore are searched through to verify that the certificate is trusted. Basically, this validation process checks whether there is a certificate whose subject name is the same as the issuer name of the certificate sent from the server; the certificate is trusted if there is such a certificate in the truststore. And if the certificate sent from the server is a certificate chain, then the last certificate is checked against the truststore.
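The server/client roles described above, as an added Java example (not code from the original article): the server's keystore feeds a KeyManagerFactory, the client's truststore feeds a TrustManagerFactory, and a small check refuses a truststore that carries a private key entry. It assumes two PKCS12 files, server.p12 (private key plus certificate) and truststore.p12 (CA certificates only), both protected by a placeholder password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KeystoreTruststoreRoles {
    // Open a PKCS12 store file; the same API reads both keystores and truststores.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Server side: the keystore supplies the private key and certificate presented in the handshake.
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystorePath, password), password); // second argument is the key entry password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers: JDK default truststore
        return ctx;
    }
    // Client side: the truststore supplies only the CA certificates used to validate the server's chain.
    static SSLContext clientContext(String truststorePath, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, password)); // no key password: there are no key entries to unlock
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: the client presents no certificate
        return ctx;
    }
    // A truststore should hold certificate entries only; refuse one that carries a private key.
    static void requireNoKeyEntries(KeyStore trustStore) throws Exception {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (trustStore.isKeyEntry(alias)) {
                throw new IllegalStateException("private key entry in truststore: " + alias);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password for the assumed files
        requireNoKeyEntries(load("truststore.p12", pw));
        SSLContext server = serverContext("server.p12", pw);
        SSLContext client = clientContext("truststore.p12", pw);
        System.out.println("server " + server.getProtocol() + ", client " + client.getProtocol());
    }
}
```

The two files can be created with the JDK's keytool before running; passing null trust managers on the server side falls back to the JDK's default cacerts truststore.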
In addition to the truststore, there are other mechanisms that can be used to check whether a certificate is trusted or not, for example checking a certificate revocation list (CRL) or OCSP. Different from the truststore, these mechanisms are more focused on checking whether a certificate is valid.
After understanding keystores and truststores, how to use them correctly should become an easy question to answer.