
Understanding the difference between a Java keystore and a truststore

Date: 2024-09-25 14:24:55  Views: 1
Tags: keystore Java certificate private server key Understanding public

A truststore is a file that contains one or more public certificates, but no private keys.

A keystore is a file that contains one or more public certificates and one or more private keys. Typically the certificates form a "chain": the keystore holds the root certificate authority (CA) certificate, the intermediate CA certificate (issued by the root CA), and one or more server certificates (issued by the intermediate CA).

Let's say you have a web server that serves web pages over HTTPS, such as https://www.example.com. When a client submits a request to get a web page from your web server, a TLS handshake occurs, so that the packets exchanged between the client and the server are encrypted. In this scenario, the server uses a keystore. The keystore on the server contains the public certificate and the private key that will be used. A keystore is a file such as foo.p12 or bar.jks.

A keystore contains both public certificates and private keys

The TLS handshake looks like this.

  1. The client sends a "Client Hello" message to the server.
  2. The server sends a "Server Hello" message to the client, which includes the public certificate from the keystore file (not the private key).
  3. The client validates the public certificate against its list of known, trusted certificate authorities, and then sends the server a premaster secret (a random string of data). The premaster secret is encrypted with the public key in the certificate. The server decrypts the premaster secret with the private key in the keystore.
  4. The client generates a session key and sends the server a Finished (FIN) message.
  5. The server generates a session key and sends the client a Finished (FIN) message.

Let's say you know you are going to be requesting a resource from a server often over a secured channel, such as HTTPS. Instead of going through the SSL handshake negotiation process to have the server provide you with the public certificate, you can store the server's public certificate in a truststore. Then, when you need to request a resource from the server, you will already have the certificate, so you can present the certificate to the server and get on with the request. A truststore is a file such as trust.p12.

A truststore contains public certificates. A truststore does not contain private keys.
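The following program is an added example (not code from the original article) that shows where each file is used in the handshake described above: the server's SSLContext is built from the keystore, because only the keystore holds the private key that decrypts the premaster secret, while the client's SSLContext is built from the truststore, which holds nothing but public certificates. It then runs a loopback TLS connection so the certificate the server presents can be printed. The file names key.p12 and trust.p12 and the password "changeit" are taken from the keytool examples in the article; everything else (class and method names, the echo message) is an assumption of this example.

```java
// Added example, not from the original article. The server side loads key.p12
// (private key + certificate chain); the client side loads trust.p12 (public
// certificates only) and uses it to validate what the server presents.
import javax.net.ssl.*;
import java.io.*;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class KeystoreTruststoreDemo {

    // Server side: the keystore supplies the private key and certificate chain
    // that are presented to the client during the handshake.
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);            // the key password unlocks the private key
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: the truststore supplies only public certificates; the trust
    // manager validates the server's certificate against them. No private key
    // is needed here, which is why a truststore never has to contain one.
    static SSLContext clientContext(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // password from the article's examples
        SSLContext server = serverContext(args.length > 0 ? args[0] : "key.p12", password);
        SSLContext client = clientContext(args.length > 1 ? args[1] : "trust.p12", password);

        SSLServerSocket listener = (SSLServerSocket) server.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        int port = listener.getLocalPort();

        // Server thread: accept one connection, complete the handshake, send one line.
        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept();
                 PrintWriter w = new PrintWriter(s.getOutputStream(), true)) {
                w.println("hello over " + s.getSession().getProtocol());
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) client.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), port)) {
            // Plain SSLSocket does not check the hostname against the certificate,
            // which lets this loopback test work with a certificate issued for
            // example.com. A real client should enable endpoint identification
            // (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")) and connect by name.
            c.startHandshake();   // throws SSLHandshakeException if trust.p12 lacks the server's certificate
            X509Certificate presented = (X509Certificate) c.getSession().getPeerCertificates()[0];
            System.out.println("server presented: " + presented.getSubjectX500Principal());
            BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream()));
            System.out.println("server said: " + r.readLine());
        } finally {
            listener.close();     // unblocks accept() if the client side failed early
            serverThread.join();
        }
    }
}
```

Run it as `java KeystoreTruststoreDemo /path/to/key.p12 /path/to/trust.p12`. Removing the server certificate from trust.p12 makes the client's handshake fail, which is the practical meaning of step 3 above: the truststore decides which certificates the client accepts, and the keystore decides which certificate and private key the server uses.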

The Java keytool command can be used to view, import, add, and remove public certificates and private keys from a keystore or truststore. In this example, the key.p12 keystore contains a public certificate called "default". A private key doesn't carry user-specific data such as an "alias" or "expiration date", so the user-specific data in the keystore describes the public certificates, not the private key.

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/key.p12
. . .
Alias: default

In this example, the trust.p12 truststore contains a public certificate called "example.com".

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/trust.p12
. . .
Alias: example.com
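The program below is an added example, not code from the original article, doing with the java.security.KeyStore API what the two keytool listings above do: it loads a PKCS12 file, prints each alias together with whether the entry carries a private key (a keystore entry) or only a trusted certificate (a truststore entry), and then derives a truststore from the keystore by copying only the public certificates, so that the private keys never leave key.p12. The path key.p12 and the password "changeit" come from the article; the output file name trust-derived.p12 and the alias suffixes for chain certificates are assumptions of this example.

```java
// Added example, not from the original article: KeyStore API equivalent of
// "keytool -list", plus building a truststore (certificates only) from a keystore.
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class ListAndExport {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print every alias, its entry type, and the certificate details that
    // keytool shows (subject and expiry come from the certificate, as the
    // article notes, never from the private key).
    static void list(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            boolean hasKey = ks.isKeyEntry(alias);
            System.out.printf("Alias: %s (%s)%n", alias, hasKey ? "PrivateKeyEntry" : "trustedCertEntry");
            Certificate cert = ks.getCertificate(alias);   // leaf certificate of a key entry
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.printf("  Subject: %s%n  Expires: %s%n", x.getSubjectX500Principal(), x.getNotAfter());
            }
            if (hasKey) {
                System.out.printf("  Chain length: %d%n", ks.getCertificateChain(alias).length);
            }
        }
    }

    // Copy only certificates into a fresh PKCS12. For a key entry the whole
    // chain (server, intermediate, root) is copied under derived aliases
    // (assumed naming: "<alias>", "<alias>-ca1", ...); the private key is not.
    static KeyStore toTruststore(KeyStore source) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);                               // start with an empty store
        for (String alias : Collections.list(source.aliases())) {
            if (source.isKeyEntry(alias)) {
                Certificate[] chain = source.getCertificateChain(alias);
                for (int i = 0; i < chain.length; i++) {
                    ts.setCertificateEntry(i == 0 ? alias : alias + "-ca" + i, chain[i]);
                }
            } else {
                ts.setCertificateEntry(alias, source.getCertificate(alias));
            }
        }
        return ts;
    }

    // Sanity check used after the export: a truststore must hold no key entries.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();               // password from the article's examples
        KeyStore ks = load(args.length > 0 ? args[0] : "key.p12", pw);
        System.out.println("== keystore ==");
        list(ks);

        KeyStore ts = toTruststore(ks);
        try (OutputStream out = new FileOutputStream("trust-derived.p12")) {   // assumed output name
            ts.store(out, pw);
        }
        System.out.println("== derived truststore ==");
        list(ts);
        System.out.println("entries: " + ts.size() + ", private keys: " + countKeyEntries(ts));
    }
}
```

The derived file can be checked with the same command the article uses, `keytool -list -v -storetype PKCS12 -storepass changeit -keystore trust-derived.p12`: every alias should now show as trustedCertEntry, and the private key remains only in key.p12.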

From: https://www.freekb.net/Article?id=1797

From: https://www.cnblogs.com/rusking/p/18431279
