137

What's the difference between the two, cacerts and keystore?

If I use the definition found in these links, cacerts and keystore, it seems that they're a collection of certificates, but in context of a (Java) distributed system. Which one is used to authenticate during an SSL connection? Both or just one of them or alternate?

Peter Mortensen
dimas

4 Answers

168

'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.

user207421
  • Hi EJP thanks for the answers, I quoted that before I read any of your answers ;) So just a clarification if I summarize your answers in Francis and Pangea. Cacerts is used to authenticate clients requesting access or connection and for keystore I don't quite get it why you would want to authenticate yourself. :) – dimas Jul 29 '13 at 23:41
  • (score 26) Read what I wrote again. (1) A truststore is used to authenticate *peers.* If you're the client, the server is the peer; if you're the server, *vice versa.* (2) If you're the server, or if you're the client and the server requests client authentication, you have to authenticate yourself *to* the peer, so you need your own certificate and private key, which are in the keystore. (Confusingly, the same file format is used for both and it's called a keystore file.) – user207421 Jul 29 '13 at 23:44
  • OK got it, but just a follow up question. My cacerts contains all the certs stored in keystore and more. Although some certs including my application's private cert have different aliases but they have the same digital signatures. So ideally I can use my cacerts if I connect to the server and requests authentication? – dimas Jul 30 '13 at 00:02
  • I don't understand the part about 'different aliases'. Different from what? Your final question is answerable by experiment. – user207421 Feb 06 '14 at 02:19
  • Are cacerts the same for all the environments or configured based on each environment? Like can I use 'cacerts' from PROD to UAT or SIT? – raja777m Sep 09 '15 at 19:18
  • (score 5) @raja777m `cacerts` is who you trust. I don't see any reason for that to change between environments, unless you commit the mistake of using self-signed certificates for test servers: a mistake because it means you're using different code paths in test and in production. – user207421 Oct 26 '15 at 22:21
  • Is `cacerts` specific to Java or not? – Peter Mortensen Jul 22 '18 at 10:56
  • @PeterMortensen Yes, it is a file distributed with the JRE, in `lib\security\cacerts`. Your point? – user207421 Jul 18 '19 at 10:23
  • @endless You may indeed be looking for that, and if so you should ask your own question, although it seems to me that what you're now asking is already implicitly answered here, but the *question* that is answered here isn't asking for any of that. Don't beat up 6-year-old answers just because they don't appear to meet your current expectations. – user207421 Aug 20 '19 at 10:04
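The split described in this answer (truststore decides which peers you accept, keystore holds the key and certificate you present) is exactly how the JSSE API is wired. The following is an added example, not code from the answer or its author: it builds an `SSLContext` from the JRE's `cacerts` as the truststore and, optionally, a separate keystore file for client or server authentication. The `cacerts` path is derived from `java.home`, the `"changeit"` password is the JDK default, and the keystore path and password passed on the command line are placeholders for a store you created yourself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from two separate stores:
 *  - a truststore (here the JRE's cacerts) that decides which PEERS we accept
 *  - a keystore holding OUR OWN private key + certificate chain, presented when
 *    the peer asks us to authenticate (always for a server, optionally for a client)
 */
public class TwoStoreSslContext {

    // Location of the JRE truststore on JDK 8 (java.home is the jre dir) and on 9+.
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore load(Path file, char[] password) throws Exception {
        // Default type is "jks" on JDK 8 and "pkcs12" on 9+; the latter reads JKS files too.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * @param trustStore file whose TrustedCertificateEntry entries are the CAs accepted for the peer
     * @param keyStore   file holding our PrivateKeyEntry, or null if we never authenticate ourselves
     */
    static SSLContext build(Path trustStore, char[] trustPw, Path keyStore, char[] keyPw) throws Exception {
        // "Who do I trust?" -> TrustManagers built from the truststore only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPw));

        // "Who am I?" -> KeyManagers built from the keystore; the second password unlocks the key entries.
        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStore, keyPw), keyPw);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // A client that only verifies the server needs the truststore and no KeyManagers at all.
        SSLContext clientOnly = build(defaultCacerts(), "changeit".toCharArray(), null, null);
        System.out.println("server-auth-only context: " + clientOnly.getProtocol());

        // A server, or a client that must answer a client-auth request, adds its own keystore.
        // args[0]/args[1] are placeholders: path and password of a store you built with keytool.
        if (args.length == 2) {
            SSLContext mutual = build(defaultCacerts(), "changeit".toCharArray(),
                                      Paths.get(args[0]), args[1].toCharArray());
            System.out.println("mutual-auth context: " + mutual.getProtocol());
        }
    }
}
```

Wiring the two stores explicitly makes the roles visible in code; the same split exists in the standard system properties, where `javax.net.ssl.trustStore` names the store used for peer verification and `javax.net.ssl.keyStore` names the one whose private key you present.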
55

cacerts is where Java stores public certificates of root CAs. Java uses cacerts to authenticate the servers.

Keystore is where Java stores the private keys of the clients so that it can share it with the server when the server requests client authentication.

Peter Mortensen
Aravind Yarram
  • @dimas Evidently, but what he really means is 'requests'. – user207421 Jul 29 '13 at 23:27
  • 1
    @user207421 I believe in this answer the Java App is playing the role of a http client and the http url that our Java App calls is the server application. So KeyStore of our client Java app should have both private key + certificate ( signed public key ) and send only the certificate to the server app, right ? And if the server app is also a Java app it verifies the certificate sent by our client Java app, using its own cacert file, right ? – user104309 Oct 31 '18 at 06:53
  • == One does not simply share private keys ==, but yeah, they can be used for (client) authentication – smido Dec 28 '21 at 08:22
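The comments above turn on what each file actually contains: a truststore should hold only `TrustedCertificateEntry` entries (CA certificates, nothing secret), while a keystore holds `PrivateKeyEntry` entries (a private key plus its certificate chain, of which only the chain is ever sent to the peer). The following is an added example, not code from this answer or its author: it opens a keystore-format file, classifies every alias, and reports whether the file is clean enough to serve as a truststore. With no arguments it inspects the JRE's own `cacerts` (path derived from `java.home`, JDK default password `"changeit"`); a path and password on the command line are placeholders for a store of your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/**
 * Classifies every entry in a keystore-format file so you can see which role the
 * file is really playing: TrustedCertificateEntry = "who I trust" (truststore role),
 * PrivateKeyEntry = "who I am" (keystore role). Both roles use the same file format.
 */
public class StoreAudit {

    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password); // a null password would skip the integrity check but still read entries
        }
        return ks;
    }

    /** One line per alias: entry kind, alias, and the certificate subject where there is one. */
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias); // null for a SecretKeyEntry
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no certificate)";
            String kind;
            if (ks.isCertificateEntry(alias)) {
                kind = "TrustedCertificateEntry"; // a CA we accept for peers: truststore material
            } else if (ks.isKeyEntry(alias)) {
                kind = cert == null ? "SecretKeyEntry" : "PrivateKeyEntry"; // our own identity: keystore material
            } else {
                continue;
            }
            lines.add(String.format("%-24s %-40s %s", kind, alias, subject));
        }
        Collections.sort(lines);
        return lines;
    }

    /** True only if nothing secret is in the file, i.e. it is safe to use (and copy around) as a truststore. */
    static boolean holdsOnlyTrustedCerts(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isKeyEntry(e.nextElement())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Default target: the JRE's cacerts, which is expected to contain TrustedCertificateEntry only.
        Path file = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // "changeit" is the JDK default

        KeyStore ks = load(file, pw);
        for (String line : describe(ks)) {
            System.out.println(line);
        }
        System.out.println(ks.size() + " entries; usable as a pure truststore: " + holdsOnlyTrustedCerts(ks));
    }
}
```

Run against `cacerts` the report should show only `TrustedCertificateEntry` lines and `true`; run against the file you configure as your keystore it should show a `PrivateKeyEntry` for your own certificate. A file that shows both is doing two jobs at once, which is what the question about "cacerts containing everything in the keystore" describes.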
3

Cacerts are the details of trusted signing authorities who can issue certs. This is what most browsers have, due to which certs are determined to be authentic.

Keystore has your service related certs to authenticate clients.

Jeroen Steenbeeke
Jawed
0

Check your JAVA_HOME path, as the system looks for a java.policy file, which is located in JAVA_HOME/jre/lib/security. Your JAVA_HOME should always be ../JAVA/JDK.

Peter Mortensen