Understanding Java Keystore Types

A Java KeyStore (JKS) is a repository (also referred to as database and storage facility) of keys, also known as certificates.

These keys or certificates are most frequently used to establish secure (HTTPS) connection.

Keystores are typically stored in a file system. The default location is JAVA_HOME/jre/lib/security/cacerts. You can protect the keystore with a password and the default password is changeit.

The default format used for these files has been JKS until Java 8. The default keystore format from Java 9 is PKCS12.

The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral format. Note that it is possible to convert formats, but it's rarely necessary if you can choose the keystore type directly.

A KeyStore can hold the following three types of keys:

• Private keys
• Public keys and Certificates
• Secret keys

There is always a pair of unique keys. A SSL Certificate embeds the Public key whereas the Private key is secured using a password and is stored on a file server. A certificate is usually used to verify the identity of a server and sometimes it is also used to identify a client when requested.

When a website visitor fills out information and submits it to the server, the information gets encrypted with the public key. This information is then decrypted on the server by the Private key and passed over for further processing. To ensure that nobody else can decrypt the transmitted message, we must use a unique and unforgeable pair of keys. So in a nutshell, one key without another is useless.

There are a few different types of keystores in Java:

•  JKS
• JCEKS
• PKCS12
• PKCS11
• DKS

Normally, you won't need in-depth knowledge of all these keystores unless you work cryptography or a relevant field. Let us have a look

Next, we will have an overview of these keystore types.

JKS (Java Key Store):
The JKS or Java Keystore is Java specific and usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it's a Java specific keystore, so it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.

JCEKS (JCE key Store or Java Cryptography Extension KeyStore):
JCEKS is a super set of JKS and supports more algorithms. It has an extension of jceks and it provides much stronger protection for stored private keys by using Triple DES encryption. The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates.

PKCS12:

PKCS12, also known as PKCS#12 or PFX is a standard keystore type which can be used in Java and other languages. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type. Unlike JKS, the private keys on PKCS12 keystore can be extracted in Java. This type is portable and can be operated with other libraries written in other languages such as C, C++ or C#.

If you are using Java version 8 or lower, the default keystore type is JKS i.e. the keystore format is JKS if you don't specify the -storetype while creating keystore with keytool With Java 9, the default keystore type is PKCS12.

PKCS11:

PKCS11 is a type of hardware keystore. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or Smart cards.

DKS (Domain KeyStore):

DKS is a keystore of keystore. DKS itself is actually not a keystore but a collection of keystores that are presented as a single logical keystore.

In Java, there are a few choices on how a keystore can be processed. Writing the Java code is apparently a choice. Apart from this, a tool comes along with the JDK can also be used, it is called keytool.

In Java, a command line tool called keytool is used to process keystores i.e. create keystore, generate keys, import and export certificates etc.