1
votes

I'm having problems in understanding the concept of keystores and truststores.

I would like to understand in layman terms:

Let's say I have the following applications:

App A -> Client Application

App B -> Server Application.

If App A wants to make an API call by invoking App B's URL over https, then what information (keystore/truststore) would App A require from App B?

Which application keeps the keystore and which application keeps the truststore?

I couldn't find any good resource on the net. I would really appreciate it if somebody could clearly depict the difference between a truststore and a keystore.

1
If you are creating a Self Signed Certificate for your Server, a .keystore file will be created on your Server and a Certificate will be generated. You will need to add that Certificate to the Java Key Store of your Client application to invoke Server APIs over the HTTPS protocol. - N00b Pr0grammer
Thanks, but in this case, who holds the truststore? - Sandy
If your Server and Client are different machines then the certificate gets added to your Client's Java trust store. - N00b Pr0grammer
So as I understand it, the client truststore will keep an entry of the certificate just for validation purposes. But additionally, if I want to connect to the server over https, then I also need to add that certificate to the keystore as well. - Sandy
Yeah, this holds good in the case of Self Signed Certificates that we create ourselves for the Server! - N00b Pr0grammer

1 Answer

1
votes

App B (Server) will store the identity certificate (let's call it C) in its keystore. When App A tries to connect to App B, App B will present C to A.

App A (Client) will verify the certificate offered by B (i.e. C) against the certificates present in its trust store. (These certificates are from CAs, i.e. certificate authorities.)
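As an added example (not part of the question or answer above), here are the two roles in Go rather than Java, because Go's standard library can generate the certificate and run the handshake offline: `serverIdentity` builds the certificate-plus-private-key entry that App B's keystore holds, and the `x509.CertPool` passed to `handshake` plays the part of App A's truststore. The name `handshake`, the loopback address and all certificate values are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// serverIdentity builds App B's self-signed certificate plus its private key: the
// entry a server keystore holds. Every value here is constructed for the example.
func serverIdentity() tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parse our own DER; cannot fail here
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs App B on loopback with serverID and has App A connect, trusting
// only what is in trust (A's truststore); nil means A accepted B's certificate.
func handshake(serverID tls.Certificate, trust *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverID}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // App B: answer one handshake, presenting its keystore identity
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trust})
	if err != nil {
		return err // e.g. "x509: certificate signed by unknown authority"
	}
	return conn.Close()
}
```

Calling `handshake` with an empty pool reproduces the client-side rejection; adding `id.Leaf` to the pool is the Go equivalent of importing the server certificate into the client truststore, after which the same handshake succeeds.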