Trust Management in the JDK Libraries
Keystores and Truststores
Keystores and truststores are protected databases that contain key entries and trusted certificate entries. A key entry consists of an entity's identity and its private key, which is sensitive data. A trusted certificate entry consists of an entity's identity and a public key. Keystores also contain secret keys, generally for use in the local system, and supply public keys to others.
A truststore is a type of keystore used to establish trust. Truststores are essential to TLS connections because they are used to verify the identity of a server when the TLS connection is opened. They are also used to verify the identity of a client in more secure connections that authenticate the client as well.
Truststores should only contain entries relating to entities that the user trusts. In the JDK, the default truststore is cacerts, and it can be found in <JDK_HOME>/lib/security/.
JDK Keystore Types
PKCS#12
PKCS#12 has been the default keystore type since JDK 9. It was originally defined by RSA, and has been supported by every implementation of the JDK platform since JDK 7. It has been widely adopted and is the main format provided by certificate authorities when issuing certificates.
Other Types
Other types of keystores are available in the JDK, including:
- JKS (proprietary format)
- JCEKS (proprietary format)
- Windows-MY (Windows-specific)
Configuration
The keystore type is configurable via the keystore.type security property in <JDK_HOME>/conf/security/java.security. The keystore type can also be specified when calling the KeyStore.getInstance API. More details on keystore types are available in the Java security documentation.
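As an added example (not code from this page), the following Java program loads the default cacerts truststore using the configured default keystore type, flags entries that break the rule above (private key entries in a truststore, expired certificates), and then uses the audited truststore as the trust anchors for a TLS client. It assumes the JDK's documented default cacerts password "changeit" and the JDK 9+ file location.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreAudit {
    public static void main(String[] args) throws Exception {
        // Since JDK 9 the default truststore lives at <JDK_HOME>/lib/security/cacerts.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // "changeit" is the documented default password for cacerts; pass another as args[0] if it was changed.
        char[] password = (args.length > 0 ? args[0] : "changeit").toCharArray();
        // getDefaultType() returns the keystore.type security property ("pkcs12" since JDK 9).
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            truststore.load(in, password);
        }
        int trusted = 0, keyEntries = 0, expired = 0;
        Date now = new Date();
        for (Enumeration<String> aliases = truststore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (truststore.isKeyEntry(alias)) {
                // A truststore should hold trusted certificate entries only; a private key here is a finding.
                keyEntries++;
                System.out.println("KEY ENTRY (does not belong in a truststore): " + alias);
                continue;
            }
            trusted++;
            // Entries in cacerts are X.509 certificates, so the cast is safe for this file.
            X509Certificate cert = (X509Certificate) truststore.getCertificate(alias);
            if (cert.getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED: " + alias + " -> " + cert.getSubjectX500Principal());
            }
        }
        System.out.printf("%d trusted certificate entries, %d key entries, %d expired%n",
                trusted, keyEntries, expired);
        // Use the audited truststore as the only source of trust anchors for a TLS client.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: this client presents no certificate
    }
}
```

Point the program at a different file or password to audit an application truststore instead of the JDK default.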
X.509 Certificates
For more information on certificates, see the Managing X.509 Certificates page.