I have a file, ote.truststore, that I've set with a custom password using Keystore Explorer 5.1, and I'm using it for an API servlet running under Tomcat 7/Java 1.7. What I can't understand is how the servlet is managing to open the file even though I've not specified the password anywhere in code, configuration or ssl.properties.
I know that the servlet is opening the right file because I have javax.net.debug.all enabled, and I can see in the log the trusted CA certificate that it finds ("CN=GeoTrust Primary Certification Authority - G3").
I verified that I can change the password to any random string, and the servlet still opens the truststore. I also verified that if I remove the file and restart the servlet, I get "trustStore is: No File Available, using empty keystore." in the log.
Is there something in the JKS format that says passwords don't apply to truststore files? That would seem odd to me. When I try to open the file in Keystore Explorer without specifying the correct password, it dutifully fails to decrypt.
A password is not required to read a trust store. No private key is involved.
You still need a password to modify a trust store. Also, when reading a trust store, if the password is provided, it can be used to verify the integrity of the trust store.
ref - http://bayou.io/release/0.9/javadoc/bayou/ssl/SslConf.html#trustStorePass-java.lang.String-
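To make the answer concrete, here is an added example (not from the question, the answer or the JDK) that writes and reads a minimal JKS trust store in Python, following the JKS v2 layout that the JDK's JavaKeyStore class uses: the entries are stored in the clear, and the password only keys the SHA-1 integrity digest appended at the end of the file. Reading with no password skips the digest check, which is what `KeyStore.load(stream, null)` does in Java; reading with a password recomputes the digest and rejects a mismatch. The certificate bytes and the alias are constructed placeholders, not a real CA certificate.

```python
import hashlib
import struct
import time

# Constants of the JKS format as implemented by the JDK's JavaKeyStore class.
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
# The JDK mixes this fixed string into the integrity digest right after the password.
JKS_DIGEST_SALT = b"Mighty Aphrodite"


def _keyed_sha1(password):
    """SHA-1 pre-keyed with the password (as UTF-16BE) and the JKS salt string."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_DIGEST_SALT)
    return md


def _java_utf(s):
    """DataOutputStream.writeUTF layout: 2-byte big-endian length, then the bytes
    (modified UTF-8 in Java; identical to UTF-8 for the ASCII strings used here)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def write_jks_truststore(certs, password):
    """Build a JKS file holding only trusted-certificate entries.

    `certs` maps alias -> DER certificate bytes. Nothing is encrypted; the
    password is used solely to compute the trailing 20-byte integrity digest.
    """
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs.items():
        body += struct.pack(">I", TAG_TRUSTED_CERT)
        body += _java_utf(alias)
        body += struct.pack(">Q", int(time.time() * 1000))  # creation date in millis
        body += _java_utf("X.509")
        body += struct.pack(">I", len(der)) + der
    md = _keyed_sha1(password)
    md.update(body)  # the digest covers every byte that precedes it
    return body + md.digest()


def read_jks_truststore(data, password=None):
    """Parse a JKS file and return alias -> certificate DER.

    password=None: entries are returned without any digest check (KeyStore.load
    with a null password). Otherwise the digest is recomputed and a mismatch
    raises ValueError, mirroring the JDK's "Keystore was tampered with, or
    password was incorrect" IOException.
    """
    body, stored_digest = data[:-20], data[-20:]
    magic, version, count = struct.unpack(">III", body[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos = 12
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        if tag != TAG_TRUSTED_CERT:
            raise ValueError("only trusted-certificate entries are handled here")
        (alen,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        alias = body[pos:pos + alen].decode("utf-8"); pos += alen
        pos += 8  # skip the creation date
        (tlen,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        pos += tlen  # skip the certificate type string ("X.509")
        (clen,) = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        entries[alias] = body[pos:pos + clen]; pos += clen
    if password is not None:
        md = _keyed_sha1(password)
        md.update(body)
        if md.digest() != stored_digest:
            raise ValueError("Keystore was tampered with, or password was incorrect")
    return entries


def demo():
    """Returns (readable without password, wrong password accepted,
    tampered store readable without password, tampered store passes digest)."""
    # Constructed placeholder: a tiny DER SEQUENCE { INTEGER 1 }, not a real certificate.
    fake_ca_der = b"\x30\x03\x02\x01\x01"
    store = write_jks_truststore({"example-root-ca": fake_ca_der}, "s3cret")
    no_pw = read_jks_truststore(store) == {"example-root-ca": fake_ca_der}
    try:
        read_jks_truststore(store, "wrong")
        wrong_pw_ok = True
    except ValueError:
        wrong_pw_ok = False
    # Flip one byte inside the certificate: still readable without a password,
    # but the keyed digest no longer verifies with the correct password.
    tampered = bytearray(store)
    tampered[-21] ^= 0x01  # last certificate byte sits just before the digest
    tampered = bytes(tampered)
    tampered_no_pw = "example-root-ca" in read_jks_truststore(tampered)
    try:
        read_jks_truststore(tampered, "s3cret")
        tampered_verifies = True
    except ValueError:
        tampered_verifies = False
    return (no_pw, wrong_pw_ok, tampered_no_pw, tampered_verifies)


if __name__ == "__main__":
    print(demo())
```

The same asymmetry explains the servlet's behaviour: when `javax.net.ssl.trustStorePassword` is not set, JSSE loads the trust store with a null password, so the trusted certificates are read and the digest is simply never checked. Supplying the password buys tamper detection on the file, not confidentiality of its contents.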