Reference:
http://one-size-doesnt-fit-all.blogspot.ca/2009/09/weblogic-server-identity-vs-trust.html
http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/identity_trust.htm#i1170342
http://mynotes.wordpress.com/2009/08/04/difference-between-keystore-truststore/
In short:
Identity keystore contains private keys.
Trust keystore contains CA public keys (certificates).
Sometimes people refer to the identity keystore simply as the "keystore",
and to the trust keystore as the "truststore".
SSL provides you with encryption, integrity, and authentication. That is,
the messages are encrypted, cannot be tampered with undetected, and come from an authenticated identity.
"The public key is embedded in a digital certificate with additional
information describing the owner of the public key, such as name, street
address, and e-mail address *as well as the hostname*. *Along with this
the digital certificate containing the public key, and the separate
related private key, provide identity for the server*."
...ultimately to identify the server, i.e. to assert that the server is who it says it is.
The digital certificate containing the public key is also referred to as the "server certificate".
Thus the "identity" of the server is established by what's stored in the
"identity" keystore, and the server certificate from it (not the private key, which
never leaves the server) is what is sent to clients establishing secure
connections with the server. The client then verifies the supplied digital
certificate's CA against its own list of trusted CAs. The "identity keystore"
is also referred to as the "server keystore", because it establishes the
server's identity (i.e. I am who I say I am).
The trust keystore is typically used for storing CA digital
certificates, essentially the CAs that will be used to verify any digital
certificates presented to the server at runtime (just as the client did above).
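To make the split concrete, here is an added example (not from the original post or from Oracle's documentation) that wires the two keystores into a Java SSLContext the way the roles above describe: the identity keystore feeds the KeyManager, the trust keystore feeds the TrustManager. The file paths, passwords and the JKS format are assumptions; the checkRoles step rejects a truststore that accidentally holds a private key, a common packaging mistake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class IdentityAndTrust {
    // Load a JKS keystore from disk; the paths are supplied by the caller (assumed, not WebLogic's own).
    static KeyStore load(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    // Check that each keystore holds only what its role calls for.
    static void checkRoles(KeyStore identity, KeyStore trust) throws Exception {
        boolean hasPrivateKey = false;
        for (String alias : Collections.list(identity.aliases())) {
            hasPrivateKey |= identity.isKeyEntry(alias); // private key + certificate chain
        }
        if (!hasPrivateKey) {
            throw new IllegalStateException("identity keystore has no private key entry");
        }
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isKeyEntry(alias)) { // a truststore should hold CA certificates only
                throw new IllegalStateException("trust keystore holds a private key: " + alias);
            }
        }
    }
    public static SSLContext build(String identityPath, char[] storePw, char[] keyPw,
                                   String trustPath, char[] trustPw) throws Exception {
        KeyStore identity = load(identityPath, storePw);
        KeyStore trust = load(trustPath, trustPw);
        checkRoles(identity, trust);
        // Identity keystore -> KeyManager: presents the server certificate and uses the private key.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);
        // Trust keystore -> TrustManager: verifies certificates presented to us against the CA list.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Passing the same file as both identityPath and trustPath is what the checkRoles guard is meant to catch: a single keystore doing both jobs would expose the private key wherever the truststore is copied.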