Keystore type: which one to use?

In the java.security file of my JRE, I see that the type of keystore that will be used by default is set to JKS. Here there is a list of types of key stores that you can use.

Is there a recommended type of keystore? What are the pros and cons of different types of keystores?

java security ssl jsse
Jul 18
2 answers

There are several types besides those listed in the list of standard names that you linked to. Further information can be found in the documentation for cryptographic providers. The most common are, of course, JKS (by default) and PKCS12 (for PKCS#12 files, often with the extension .p12 or sometimes .pfx).

JKS is the most common if you stay in the Java world. PKCS#12 is not specific to Java; it is especially convenient to use certificates (with private keys) exported from a browser or coming from OpenSSL-based tools (keytool could not convert the key store and import its private keys before Java 6, so you had to use other tools).

If you already have a PKCS#12 file, it is often easier to use the PKCS12 type. Format conversion is possible, but this is rarely necessary if you can directly select the type of keystore.

In Java 7, PKCS12 was mostly useful as a key store, but less for a trust store (see the difference between a keystore and a trust store), because you couldn't store certificate entries without a private key. In contrast, JKS does not require that each entry be a private key, so you can have entries containing only certificates, which is useful for trust stores, where you store a list of trusted certificates (but you don't have a private key for them).

This has changed in Java 8, so now you can store certificate-only entries in PKCS12. (More information on these changes and future plans can be found in JEP 229: Create PKCS12 Keystores by Default.)

There are several other types of keystores, perhaps less commonly used (depending on context), including:

  • PKCS11, for PKCS#11 libraries, usually for access to hardware cryptographic tokens, but the Sun provider implementation also supports NSS stores (from Mozilla) through this.
  • BKS using the BouncyCastle provider (commonly used for Android).
  • Windows-MY / Windows-ROOT if you want to access the Windows certificate store directly.
  • KeychainStore if you want to use the OSX keychain directly.
Jul 18 '12 at 11:15

Here's a post that introduces the different types of keystores in Java and the differences between the different types of keystores. http://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

Below are descriptions of the different keystores from that post:

JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific; it usually has a jks extension. This type of keystore may contain private keys and certificates, but it cannot be used to store secret keys. Since this is a Java-specific keystore, it cannot be used in other programming languages.

JCEKS, JCE Key Store. You can find this file at com.sun.crypto.provider.JceKeyStore. This keystore has the jceks extension. The entries that can be placed in the JCEKS keystore are private keys, secret keys, and certificates.

PKCS12 is a standard type of keystore that can be used in Java and other languages. You can find this keystore implementation in sun.security.pkcs12.PKCS12KeyStore. It usually has the extension p12 or pfx. You can store private keys, secret keys and certificates in this type.

PKCS11 is a hardware type of keystore. It serves as an interface for the Java library to connect to hardware keystores such as Luna and nCipher. You can find this implementation in sun.security.pkcs11.P11KeyStore. When you load the keystore, you do not need to create a specific provider with a specific configuration. This keystore can store private keys, secret keys and certificates. When loading the keystore, the entries will be retrieved from the keystore and then converted to software entries.

Aug 21 '14 at 9:27
