Nov 21, 2011

Java Interview Q&A on SSL and truststore vs keystore?

Q. What do you understand by the terms truststores and keystores in Java?

A. You generally need a truststore that points to a file containing trusted certificates, no matter whether you are implementing the server or the client side. You may or may not need a keystore. The keystore points to a file containing your private key. You need a keystore if

  • you are implementing the server side of the protocol, or
  • you are implementing the client side and you need to authenticate yourself to the server.
The keystore is used for encrypting/signing something with your private key, while the truststore is used mostly to authenticate remote servers. To create a truststore, follow the steps outlined below.


The first step is to get hold of the certificates. You could export the certificates from Google Chrome or Firefox. If you click the "view site" information in Google Chrome, it is possible to save any cert in the chain to a file. In Firefox, you could try something like

Click on "I Understand the Risks" and then on "Add Exception". You will see a screen like the one shown below.

Click on "Get Certificate" and then "View". On the second tab, named "Details", you will see an export button to export the certificate.

Save the file as shown above to be imported into your truststore as explained below.


A working truststore needs to contain the certs to trust as well as the certs in their parent chain. You can import certificates with the keytool utility that ships with Java.

Import the parent certificate

keytool -importcert -alias myservices -file mydomain.crt -keystore truststore.jks

Import another linked certificate

keytool -importcert -alias coreservices -file mydomain2.crt -keystore truststore.jks

Note: When prompted, enter a password and answer yes to trust this certificate.

To view the certificates

keytool -list -keystore truststore.jks


Use the trust store as shown below.


Q. How do you go about resolving any SSL related installation issues?
A. Several SSL tools are available that can help you diagnose SSL problems and get your servers running SSL properly.

OpenSSL is an open source implementation of the SSL protocol, and by far the most versatile SSL tool.

Q. What is a one-way SSL?
A. One-way SSL means that the server does not validate the identity of the client; only the server is authenticated. The client generates a random key, encrypts it so that only the server can decrypt it, and sends it to the server. The server and client now share a secret that can be used to encrypt and validate the communication in both directions.
