What is the difference between a keystore and a truststore?


A keystore contains private keys, and the certificates with their corresponding public keys.

A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.


A keystore contains private keys. You only need this if you are a server, or if the server requires client authentication. A truststore contains the CA certificates to trust. If your server's certificate is signed by a recognized CA, the default truststore will already trust it (because it already trusts trustworthy CAs), so you don't need to build your own, or add anything to the one in the JRE.


You may also be interested in Sun's introduction, which is part of the standard JSSE documentation:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Stores

Typically, a truststore is used to store public keys only, for verification purposes, e.g. with X.509 authentication. For manageability purposes, it is quite common for admins or developers to simply merge both into a single store.


In an SSL handshake, the purpose of the trustStore is to verify credentials, and the purpose of the keyStore is to provide credentials.

keyStore

A keyStore in Java stores private keys and the certificates corresponding to their public keys; you need it if you are an SSL server, or if the SSL server requires client authentication.

trustStore

A TrustStore stores certificates from third parties that your Java application communicates with, or certificates signed by a CA (Certificate Authorities such as Verisign, Thawte, Geotrust or GoDaddy) that can be used to identify third parties.

TrustManager

A TrustManager determines whether a remote connection should be trusted, i.e. whether the remote party is who it claims to be; a KeyManager decides which authentication credentials should be sent to the remote host for authentication during the SSL handshake.

If you are an SSL server, you will use the private key during the key exchange algorithm and send the certificate corresponding to your public key to the client; that certificate is taken from the keyStore. On the SSL client side, if it is written in Java, it will use the certificates stored in the trustStore to verify the identity of the server. SSL certificates are most commonly found as .cer files, which are added to the keyStore or trustStore by using any key management utility, e.g. keytool.

Source: http://javarevisited.blogspot.ch


What is the difference between a keystore and a truststore in Java?

Here is the description from the Java documentation in the Java Secure Socket Extension (JSSE) Reference Guide. I don't think it says anything different from what others have said, but it does provide the official reference.

keystore/truststore

A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity. Various types of keystores are available, including PKCS12 and Oracle's JKS.

Generally speaking, keystore information can be grouped into two categories: key entries and trusted certificate entries. A key entry consists of an entity's identity and its private key, and can be used for a variety of cryptographic purposes. In contrast, a trusted certificate entry contains only a public key in addition to the entity's identity. Thus, a trusted certificate entry cannot be used where a private key is required, such as in a javax.net.ssl.KeyManager. In the JDK implementation of JKS, a keystore may contain both key entries and trusted certificate entries.

A truststore is a keystore that is used when making decisions about what to trust. If you receive data from an entity that you already trust, and if you can verify that the entity is the one that it claims to be, then you can assume that the data really came from that entity. An entry should only be added to a truststore if the user trusts that entity. By either generating a key pair or by importing a certificate, the user gives trust to that entry. Any entry in the truststore is considered a trusted entry.

It may be useful to have two different keystore files: one containing just your key entries, and the other containing your trusted certificate entries, including CA certificates. The former contains private information, whereas the latter does not. Using two files instead of a single keystore file provides a cleaner separation of the logical distinction between your own certificates (and corresponding private keys) and others' certificates. To provide more protection for your private keys, store them in a keystore with restricted access, and provide the trusted certificates in a more publicly accessible keystore if needed.


The first and major difference between trustStore and keyStore is that the trustStore is used by the TrustManager to determine whether a remote connection should be trusted, while the keyStore is used by the KeyManager to decide which authentication credentials should be sent to the remote host for authentication during the SSL handshake.

Another difference is that the keyStore theoretically contains private keys, required only if you are running a server in an SSL connection or you have enabled client authentication on the server side; on the other hand, the trustStore stores public keys or certificates from CAs (Certificate Authorities), which are used to trust the remote party or SSL connection.

In fact you can store both private and public keys in the same file, given that the tool to manage those files is the same (keytool), so you could use a single file for both purposes, but you probably should not.

At least on my Mac OSX the default keyStore is ${user.home}/.keystore, and the default trustStore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts. If you want to override them you should add the JVM parameters -Djavax.net.ssl.keyStore=/path/to/keyStore or -Djavax.net.ssl.trustStore=/path/to/trustStore. You might also need to set the keyStore password in case of java.security.UnrecoverableKeyException: Password must not be null, using the parameter -Djavax.net.ssl.keyStorePassword=password or -Djavax.net.ssl.trustStorePassword=password

Main source:

http://javarevisited.blogspot.co.uk/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
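The split the two answers above describe (the keyStore feeding the KeyManager, the trustStore feeding the TrustManager), as an added Java example that is not part of any answer on this page. The file names, passwords and the requireNoPrivateKeys check are assumptions for illustration; it also verifies that the truststore holds no key entries, which is the separation the JSSE guide recommends.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SplitStores {
    // Load a store of the given type ("PKCS12" or "JKS") from disk.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // A truststore should hold only trusted certificate entries; a key entry in it
    // means a private key sits in a file that is meant to be publicly readable.
    static void requireNoPrivateKeys(KeyStore trustStore) throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isKeyEntry(alias)) {
                throw new IllegalStateException("private key found in truststore: " + alias);
            }
        }
    }
    // The keystore feeds the KeyManager (which credentials we present); the
    // truststore feeds the TrustManager (whose certificates we accept).
    static SSLContext build(String keyStorePath, char[] storePass, char[] keyPass,
                            String trustStorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, "PKCS12", storePass), keyPass); // keyPass unlocks the private key
        KeyStore trustStore = load(trustStorePath, "PKCS12", trustPass);
        requireNoPrivateKeys(trustStore);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // no key password: only public certificates are read
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and passwords (not taken from the answers); substitute your own.
        SSLContext ctx = build("server-keystore.p12", "changeit".toCharArray(), "changeit".toCharArray(),
                               "truststore.p12", "changeit".toCharArray());
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The resulting SSLContext serves both roles: a server takes ctx.getServerSocketFactory() and presents the keystore's certificate, a client takes ctx.getSocketFactory() and accepts only peers whose chain leads to a truststore entry.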


A keystore is used to store the private key and identity certificate that a specific program should present to the other party (server or client) for verification.

A Truststore is used to store certificates from Certificate Authorities (CAs), which are used to verify the certificate presented by the server in an SSL connection.

Reference article: https://www.educative.io/edpresso/keystore-vs-truststore