What is a keystore?

A keystore is a database (usually a file) that can contain trusted certificates and combinations of private keys with their corresponding certificates.

- trusted certificates: these are certificates from the entities you trust, for example a certificate from Thawte. Trusted certificates are used to validate other certificates. For example, suppose you have a certificate A signed by Thawte and you want to check it for trustworthiness. Certificate A contains: a public key, some identification information about the certificate (name, etc.), a digital signature (calculated by the one that is vouching for the certificate, in this case Thawte), and some identification information about the voucher. Now you can extract the digital signature from A and decrypt it with Thawte's public key (stored in the keystore as a trusted certificate) to check the validity of the public key of A.

- private keys/certificates: each entry is a public key certificate together with its corresponding private key.

To create a keystore containing a self-signed certificate:

C:\>c:\jdk1.3\bin\keytool -genkey -alias mykey -keyalg RSA
Enter keystore password:  esuspass
What is your first and last name?
  [Unknown]:  Joris Van den Bogaert
What is the name of your organizational unit?
  [Unknown]:  ESUS Team
What is the name of your organization?
  [Unknown]:  Esus, Inc
What is the name of your City or Locality?
  [Unknown]:  Meerbeek
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  BE
Is <CN=Joris Van den Bogaert, OU=ESUS Team, O="Esus, Inc", L=Meerbeek, ST=Unknown, C=BE> correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):
 
C:\> c:\jdk1.3\bin\keytool -list
Enter keystore password:  esuspass

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

mykey, Mon Aug 06 13:29:28 CEST 2001, keyEntry,
Certificate fingerprint (MD5): 0E:8F:ED:F3:E3:07:25:9C:1D:15:65:43:7C:4F:86:32

The keystore containing the trusted certificates is located at JRE_HOME/lib/security/cacerts. You
can list its contents:

C:\> c:\jdk1.3\bin\keytool -list -keystore c:\jdk1.3\jre\lib\security\cacerts
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: jks
Keystore provider: SUN

Your keystore contains 10 entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
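
The check described under "trusted certificates" above, written against the standard java.security.KeyStore API. This is an added example, not code from the original page: the class name TrustCheck and its two file arguments are assumptions supplied by the reader. It prints a SHA-256 fingerprint rather than the MD5 one shown in the listings.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example. Usage: java TrustCheck <keystore-file> <certificate-file>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (con == null) throw new IllegalStateException("run from an interactive terminal");
        char[] password = con.readPassword("Enter keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            // With a password, load() also verifies the keystore's integrity;
            // with null that check is skipped (the WARNING in the listing above).
            ks.load(in, password);
        }
        X509Certificate a;
        try (InputStream in = new FileInputStream(args[1])) {
            a = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Checking " + a.getSubjectX500Principal() + ", SHA-256 " + fingerprint(a));
        boolean vouched = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;            // only trustedCertEntry items
            X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
            if (!ca.getSubjectX500Principal().equals(a.getIssuerX500Principal())) continue;
            try {
                a.verify(ca.getPublicKey());                        // throws on a bad signature
                System.out.println("Signature verified with trusted entry: " + alias);
                vouched = true;
            } catch (GeneralSecurityException e) {
                System.out.println("Issuer name matches " + alias + " but the signature does not verify");
            }
        }
        if (!vouched) System.out.println("No trusted entry vouches for this certificate");
    }
    static String fingerprint(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }
}
```

This performs only the single signature check the paragraph describes. It does not check validity dates or follow a chain of issuers, which java.security.cert.CertPathValidator does.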