keystore : Java Glossary

keystore

In Java version 1.2 or later, the .keystore file contains your public and private keys. The peculiar leading dot makes the file hidden in Unix.

By default, .keystore has no password, though you normally assign it one with keytool.exe. Don’t lose the password. There is no way to recover it. You would have to start over and create a new empty .keystore with keytool.exe.

.keystore is stored in a binary jks format JKS (Java Key Store) similar to PKCS #12 containing both public and private keys, protected by a passphrase. The first four signature bytes of a Sun .keystore file in hex are FEEDFEED.

Location

Since Java does not automatically create .keystore, The sysadmin might put it wherever he pleases. Likely places to look include:

Unix:
${user.home}/.java/deployment/security/.keystore
Windows 7
C:\Users\username\.keystore
C:\Users\.keystore
Vista:
C:\Users\username\Roaming\Sun\Java\Deployment\security\.keystore
C:\Users\username\.keystore
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\.keystore
C:\Program Files\java\jre7\lib\security\.keystore
XP:
C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\security\.keystore
C:\Documents and Settings\username\.keystore
Win2K:
C:\WINNT\Profiles\Administrator\.keystore

It is supposed to be in:

Unix : ${user.home}/.java/deployment/security
Windows : ${deployment.user.home}\security

Where user.home and deployment.user.home are system properties. C:\Program Files (x86)\Java\jre6\lib\security.

Make sure you back up your .keystore files especially when upgrading your OS (Operating System) or Java. Otherwise you will lose your code signing certificates.

Usually the .keystore file is stored in Sun JKS format, but keytool.exe is capable of dealing with other formats as well. Here is how to find out what other formats

Browser Keystores

It is possible for Java to get at the keystores of the various Mozilla family brewers using a tool called JSS (Network Security Services for Java). Java automatically accesses the Windows/Internet Explorer keystores when validating code-signing certificates for Applets and Java Web Start.

Learning More

Oracle’s Technote Guide on Browser keystores : available:

on the web at Oracle.com
in the current JDK 1.7.0_17 on your local Windows J: drive.

Oracle’s Javadoc on KeyStore class : available:

on the web at Oracle.com
in the current JDK 1.7.0_17 or in the old JDK 1.6.0_45 on your local Windows J: drive.

cacerts
certificate
jar
jarsigner.exe
keyman: a more user-friendly .keystore manipulator
KeyTool IUI: third party GUI version of keytool
keytool.exe
PKCS
RSA cipher: sample code to extract cert from .keystore

	available on the web at:	http://mindprod.com/jgloss/keystore.html
	optional Replicator mirror of mindprod.com on local hard disk J:	J:\mindprod\jgloss\keystore.html
	Please email your feedback for publication, letters to the editor, errors, omissions, typos, formatting errors, ambiguities, unclear wording, broken/redirected link reports, suggestions to improve this page or comments to Roedy Green : . If you want your message, your name or email kept confidential, not considered for public posting, please explicitly specify that. Unless you state otherwise, I will treat your message as a letter to the editor that I may or may not publish in the feedback section. After that, it will be too late to retract it. If you disagree with something I said, especially when sending an ad-hominem attack, a rant composed mainly of obscenities or a death threat, please quote the offending passage and cite the web page where you found it, tell me why you think it is wrong, and, if possible, provide some supporting evidence. I can’t very well fix erroneous or ambiguous text if I can’t find it.
Blog	Canadian Mind Products IP:[65.110.21.43] Your face IP:[184.72.91.94]
Feedback	You are visitor number 53,321.