IBM developerWorks : Java : Education - Tutorials
Java security, Part 1: Crypto basics
7. Proving you are who you are
  


Understanding keytool and keystore page 3 of 5


The Java platform uses a keystore as a repository for keys and certificates. Physically, the keystore is a file (there is an option to make it an encrypted one) with a default name of .keystore. Keys and certificates can have names, called aliases, and each alias can be protected by a unique password. The keystore itself is also protected by a password; you can choose to have each alias password match the master keystore password.

The Java platform uses the keytool to manipulate the keystore. This tool offers many options; the following example (keytool example) shows the basics of generating a public/private key pair and a corresponding certificate, then viewing the result by querying the keystore.

The keytool can be used to export a key into a file, in X.509 format, that can be signed by a certificate authority and then re-imported into the keystore.

There is also a special keystore that is used to hold the certificate authority (or any other trusted) certificates, which in turn contain the public keys for verifying the validity of other certificates. This keystore is called the truststore. The Java language comes with a default truststore in a file called cacerts. If you search for this filename, you will find at least two of these files. You can display the contents with the following command:


keytool -list -keystore cacerts
Use a password of "changeit"
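
The keystore and truststore roles described above, as a shell script: it generates a key pair in a keystore, exports the certificate, imports only that certificate into a separate truststore, and queries both. This is an added example, not part of the original tutorial; the file names, aliases, distinguished name and passwords are constructed for the demo, and a JDK keytool is assumed to be on the PATH.

```sh
#!/bin/sh
# Added example: keystore vs. truststore, built with keytool.
# File names, aliases, the DN and both passwords are constructed for this demo.
KT="keytool -J-Duser.language=en"   # force English output so grep matches
ST="-storetype PKCS12"              # state the store format explicitly

# make_stores DIR: create a key pair in DIR/demo.p12, export its certificate
# to DIR/demo.cer, and import only that certificate into DIR/trust.p12.
make_stores() {
    $KT -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Demo, O=Example, C=US" $ST \
        -keystore "$1/demo.p12" -storepass demo-store-pass \
        >/dev/null 2>&1 || return 1
    $KT -exportcert -rfc -alias demo -file "$1/demo.cer" $ST \
        -keystore "$1/demo.p12" -storepass demo-store-pass \
        >/dev/null 2>&1 || return 1
    # -noprompt: accept the self-signed certificate without the yes/no question
    $KT -importcert -noprompt -alias demo-trusted -file "$1/demo.cer" $ST \
        -keystore "$1/trust.p12" -storepass demo-trust-pass \
        >/dev/null 2>&1 || return 1
}

# entry_type STORE PASS ALIAS: print the entry type keytool reports.
entry_type() {
    $KT -list $ST -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep -o -e PrivateKeyEntry -e trustedCertEntry | head -n 1
}

# has_private_key STORE PASS: succeed if any entry holds a private key.
has_private_key() {
    $KT -list $ST -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -q PrivateKeyEntry
}

# Demo run in a throwaway directory; skipped when no JDK keytool is on PATH.
if command -v keytool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    if make_stores "$tmp"; then
        echo "keystore alias demo:           $(entry_type "$tmp/demo.p12" demo-store-pass demo)"
        echo "truststore alias demo-trusted: $(entry_type "$tmp/trust.p12" demo-trust-pass demo-trusted)"
        has_private_key "$tmp/trust.p12" demo-trust-pass ||
            echo "truststore holds no private key"
    fi
    rm -rf "$tmp"
fi
```

The same alias material shows up as a PrivateKeyEntry in the keystore and as a trustedCertEntry in the truststore, because only the certificate crosses over.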
