7.3. Java Keystores

Overview

Java keystores provide a convenient mechanism for storing and deploying X.509 certificates and private keys. Red Hat JBoss A-MQ uses Java keystore files as the standard format for deploying certificates

Prerequisites

The Java keystore is a feature of the Java platform Standard Edition (SE) from Oracle. To perform the tasks described in this section, you will need to install a recent version of the Java Development Kit (JDK) and ensure that the JDK bin directory is on your path. See Java SE.

Default keystore provider

Oracle's JDK provides a standard file-based implementation of the keystore. The instructions in this section presume you are using the standard keystore. If there is any doubt about the kind of keystore you are configured to use, check the following line in your java.security file (located either in JavaInstallDir/lib/security or JavaInstallDir/jre/lib/security): 
keystore.type=jks
The jks (or JKS) keystore type represents the standard keystore.

Customizing the keystore provider

Java also allows you to provide a custom implementation of the keystore, by implementing the java.security.KeystoreSpi class. For details of how to do this see the following references:
If you use a custom keystore provider, you should consult the third-party provider documentation for details of how to manage certificates and private keys with this provider.

Store password

The keystore repository is protected by a store password, which is defined at the same time the keystore is created. Every time you attempt to access or modify the keystore, you must provide the store password.
Note
The store password can also be referred to as a keystore password or a truststore password, depending on what kind of entries are stored in the keystore file. The function of the password in both cases is the same: that is, to unlock the keystore file.

Keystore entries

The keystore provides two distinct kinds of entry for storing certificates and private keys, as follows:
  • Key entries—each key entry contains the following components:
    • A private key.
    • An X.509 certificate (can be v1, v2, or v3) containing the public key that matches this entry’s private key.
    • Optionally, one or more CA certificates that belong to the preceding certificate’s trust chain.
    Note
    The CA certificates belonging to a certificate’s trust chain can be stored either in its key entry or in trusted certificate entries.
    In addition, each key entry is tagged by an alias and protected by a key password. To access a particular key entry in the keystore, you must provide both the alias and the key password.
  • Trusted certificate entries—each trusted certificate entry contains just a single X.509 certificate.
    Each trusted certificate entry is tagged by an alias. There is no need to protect the entry with a password, however, because the X.509 certificate contains only a public key.

Keystore utilities

The Java platform SE provides two keystore utilities: keytool and jarsigner. Only the keytool utility is needed here.