Create/Manage KeyStore and TrustStore

This tutorial will discuss how create and manage the keystore and truststore. We will be using openSSL (open source tool), and the java keytool (existing with any jvm installation).

If you are not familiar with the security certificates and how it works,It is strongly recommended to review our last articles ‘creating security certificate tutorial’, here is the link:

We will discuss the following points :

  1. What is key store and trust store?
  2. Why using the key store and trust store?
  3. Create the keystore.
  4. Manage the store with the java keytool.


1. What is key store and trust store?

It is a password protected file which is used to store security certificates, private keys, and root security certificates. The most common types are JKS (Java ket store), and PKCS12. The key store and trust store have the same format and capabilities, the difference is in how you use them in your application.

Key store is used when your server is offering a secured connection (ex. https) to clients or servers, and it stores pair of private key, and security certificate.

Trust store is used when you receive secured calls (ex. https), it stores the following:

  1. Root security certificate (Certification authority certificate) : which is used to trust all the certificate issued by specific entity. Ex. Verisign certificate.
  2. The partner’s self-signed certificate : add the security certificate of the server calling you if you in the development or test servers and you use self-signed certificate, or if you have a partner who you trust and who uses self-signed certificate.

2. Why using keystore and truststore?

‘Security in depth’ is a concept which promotes the idea of creating layers of security, and more layers = more security. So by protecting your private key, and the certificate you trust in case of the trust store by putting them in a password protected file will add a layer of security.

To make it easier imagine the following situations :

  • Your private key file is stored in a location in your application/server (in some cases without encryption), so anyone can access your server can take a copy from it and use it to decrypt your messages, or pretend that the message is coming from you.
  • You use a specific folder to store the root security certificates, or partner security certificates you trust. So if someone copied a fake certificate in this folder your server will accept requests from untrusted server.

The two above situations can be avoided by using the keystore and truststore.

3. Create the keystore

For the keyStore you need to store your private key file, and your server certificate. You have two ways to do it:

  1. Use the openSSL to generate the keystore with the private key and the certificate in the PKCS12 fromat (and you can convert it to JKS format with the java keytool).
  2. Use the KeyTool to create the the JKS keystore, this option is not valid if you already have the certificate and private key. The only way to do it is by creating the private key, and generate the CSR (certificate signing request). This is not always practical specially in the case of the self-signed certificate. (we will not cover this way in the tutorial).

So follow these steps to create your keystore:

1. Create the key store in the PKCS12 format. by executing this command in the openSSL:

openssl pkcs12 -export -name myAlias -in myServer.crt -inkey myServer.key -out myKeyStore.p12

myServer.key : is the server’s private key
myServer.crt : is the server’s security certificate
myAlias : is the alias you will be using in your code to access the private key. The alias must be unique in each keystore, the alias is unique in this case as we are creating a new store.
myKeyStore.p12:  is the name of the new keystore generated from the command.

Note : the new keystore ‘myKeyStore.p12’ will be in the bin directory of the openSSL.

2. Converting the keystore from the PKCS12 to JKS

We will use the java keytool which is a part from the installation of the JVM, you should find it in the following bin folder :’\jvm\jvm\bin’

keytool -importkeystore -srckeystore myKeyStore.p12 -srcstoretype pkcs12 -destkeystore myKeyStore.jks -deststoretype jks

4. Manage the store with the java keytool.

Creating the truststore

The following command can be used to import the root certificate of the self-signed certificate.

keytool -import -file server.crt -alias myCertAlias -keystore myTrustStore.jks

server.crt: The security certificate you want to import to the truststore.

myCertAlias: The unique alias you will be using to access the certificate from the store

myTrustStore.jks: The name of the truststore file. If the file doesn’t exist the keytool will create a new file, and if it was existing the certificate will be added to it.

Delete certificate from the truststore

To delete a certificate from an existing truststore.

keytool -delete -alias myCertAlias -keystore myTrustStore.jks

myCertAlias: the alias of the certificate to be deleted.

myTrustStore.jks: the name of the keystore which contain the certificate ti be deleted.

List the certificates in the Store

List the items in the store, usually we use it to see what is in the truststore as it might contains more than a certificate, however you can use it to see the contents of keystore.

Keytool -list -keystore mytruststore.jks

mytruststore.jks: is the name of the store file (keystore or truststore)

Change Alias in Trust Store or key store

To change the alias of an existing entry in the store use the following command:

keytool -changealias -alias oldAlias -destalias newAlias -keystore myStore.jks

oldAlias: is the old alias name to be changed.

newAlias: is the new alias name.

myStore.jks: the JKS file name which contain the alias to be changed.


Thank you for visiting our website. We are looking forward reading your comments and questions.

Follow us:

on twitter: @WM_Expert

Group on LinkedIn:

(C) 2014 Hossam Elsharkawy. All rights reserved.

3 thoughts on “Create/Manage KeyStore and TrustStore

  1. umesh says:

    with respect to Webmethod. DO we keep all leaf,inter,root certificates in RG trustore Or its only a root and inter.

    • Hello Umesh,
      Adding the root certificate to the trust store should be enough, and all the leafs(certificates signed by the root certificates) will be trusted. If you add both certificate in the trust store it will work also without any problems.


  2. seda says:

    Hi Hossam

    I folloy the tutorial but i have two errors when i use the keytool.

    Error number one : C:\Program Files (x86)\Java\jre1.8.0_111\bin>keytool -importkeystore -srckeystore C:\OpenSSL-Win64\bin\sfcKeyStoreAlias.p12 -srcstoretype pkcs12 -destkeystore sfcKeyStoreAlias.jks -deststoretype jks
    Entrez le mot de passe du fichier de clés de destination :
    Ressaisissez le nouveau mot de passe :
    Entrez le mot de passe du fichier de clés source :
    L’entrée de l’alias sfckeystorealias a été importée.
    Commande d’import exécutée : 1 entrées importées, échec ou annulation de 0 entrées
    erreur keytool : sfcKeyStoreAlias.jks (Accès refusé)

    Error number 2 : C:\Program Files (x86)\Java\jre1.8.0_111\bin>keytool -import -file C:\OpenSSL-Win64\bin\sfc_server.crt -alias sfcMyCertAlias -keystore sfcMyTrustStore.jks
    Entrez le mot de passe du fichier de clés :
    Ressaisissez le nouveau mot de passe :
    Propriétaire :, CN=seda, OU=informatique, O=sfconsulting, L=Paris, ST=France, C=fr
    Emetteur :, CN=seda, OU=informatique, O=sfconsulting, L=Paris, ST=France, C=fr
    Numéro de série : a39f55b9ae09ce92
    Valide du : Tue Dec 20 22:23:59 CET 2016 au : Wed Dec 20 22:23:59 CET 2017
    Empreintes du certificat :
    MD5: A1:1E:2A:E6:2D:84:CF:F3:F9:EC:6A:7A:9B:63:CC:E4
    SHA1 : 02:06:FF:51:8A:BD:28:73:F5:27:82:D0:6F:18:71:06:A6:84:88:BB
    SHA256 : B3:BA:01:32:9A:7C:BD:CB:4A:EB:90:02:17:5B:7B:8F:9C:CC:57:3C:E0:8C:B2:28:08:B6:3E:28:B5:D4:D4:88
    Nom de l’algorithme de signature : SHA256withRSA
    Version : 1
    Faire confiance à ce certificat ? [non] : oui
    Certificat ajouté au fichier de clés
    erreur keytool : sfcMyTrustStore.jks (Accès refusé)

    So the two files sfcKeyStoreAlias.jks and sfcMyTrustStore.jks are not created

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s