Keystore and Truststore in Java

Posted on September 9, 2021 by Adrian Wyssmann ‐ 3 min read

Working with java applications in you might know what is a keystore and what is a truststore. For the ones not aware, here a quick intro.

What are Java Key- and Truststores in Java

Let’s have a look at the documentation:

A keystore is a *database of key material. Key material is used for a variety of purposes, including authentication and data integrity. Various types of keystores are available, including PKCS12 and Oracle’s JKS.

Generally speaking, keystore information can be grouped into two categories: key entries and trusted certificate entries. A key entry consists of an entity’s identity and its private key, and can be used for a variety of cryptographic purposes. In contrast, a trusted certificate entry contains only a public key in addition to the entity’s identity. Thus, a trusted certificate entry can’t be used where a private key is required, such as in a In the JDK implementation of JKS, a keystore may contain both key entries and trusted certificate entries.


A truststore is a keystore that is used when making decisions about what to trust. If you receive data from an entity that you already trust, and if you can verify that the entity is the one that it claims to be, then you can assume that the data really came from that entity.

Java comes with a default truststore, which already contains trusted entries for known trusted entities. You may add additional trusted entries by either generating a key pair or by importing a certificate, the user gives trust to that entry. This may be useful if you have for example an internal CA, which you have to be trusted.

The default format until Java 8 was JKS, for later Java versions it’s PKCS12.

How to create key-/truststore?

You can use keytool, a key and certificate management utility coming with Java JSE/SDK. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication.

Creating a Java Keystore is actually quite easy:

keytool -importkeystore -srckeystore internal.p12  -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype jks

Alternatively you may import the certificate to your existing keystore:

keytool -importcert -file internal.crt -keystore keystore.jks -alias internal

Verify it afterwards:

keytool -v -list -keystore ./keystore.jks -alias internal

What about Key-Pairs?

You also can import key-pairs using keytool. First create a pkcs12 file as follows:

openssl pkcs12 --export -in internal.pem -inkey internal.key -out keypair.p12

Then as above, import the key-pair with alias keypair:

keytool -importcert -file keypair.12 -keystore keystore.jks -alias keypair


cacerts is a collection of trusted certificate authority (CA) certificates which is included in the JDK. It uses Oracles JKS format and contains certificate references for well-known Certificate authorities.

The default password of the cacerts is changeit

As mentioned above, you can extend the content of if by importing new certificates:

keytool -import -keystore ./cacerts -trustcacerts -file cacert.pem -storepass changeit