Keystore = your passport (proves who you are to someone else, e.g. a server)
- Contains your certificate chain + your private key
Who uses it?
- Servers (always, to present their own certificate)
- Clients (only if mutual TLS is required)
Truststore (e.g. the JDK's cacerts) = a list of trusted embassies (tells you whose passports you believe are valid)
- Contains public root and intermediate CA certificates, no private keys.
- Purpose is to validate the other party's certificate.
General example:
e.g. a Java app is calling https://google.com
- Google presents its certificate chain.
- The client Java app checks whether the chain (passport) leads to a CA in its truststore (the list of embassies whose passports we trust).
- Yes? then the connection succeeds. No -> you get a TLS handshake error.
Example: mutual TLS
Client presents its certificate from its keystore.
Server validates it against its truststore.
Server presents its certificate from its keystore.
Client validates it against its truststore.
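The two flows above (one-way TLS with only a truststore, mutual TLS with a keystore added) on the Java client side, as an added example that is not part of the original notes. It assumes PKCS12 store files named cacerts.p12 and client.p12 with the placeholder passwords shown; the store paths, passwords and the https://google.com target are placeholders you would replace with your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public final class TlsStores {

    // Loads a PKCS12 store (assumption: both stores are PKCS12; JKS would use "JKS").
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Builds an SSLContext. The truststore is always needed (to validate the
    // other side). The keystore is only needed for mutual TLS, so it is optional.
    static SSLContext buildContext(String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword) throws Exception {
        // TrustManager = "list of embassies": decides whose certificate chains we accept.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustStorePassword));
        // Note: tmf.init((KeyStore) null) would fall back to the JDK's default cacerts.

        // KeyManager = "our passport": presents our certificate + signs with our private key.
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadStore(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens the connection and reports whether the server's chain was accepted.
    static String connect(SSLContext ctx, String target) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification (cert name matches the URL host) is on by default here.
        try {
            return "accepted, HTTP " + conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            // Typical message when the chain does not lead to a CA in the truststore:
            // "PKIX path building failed ... unable to find valid certification path"
            return "rejected: " + e.getMessage();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] trustPw = "changeit".toCharArray();   // placeholder password
        char[] keyPw = "secret".toCharArray();       // placeholder password

        // One-way TLS: only the truststore; the client presents nothing.
        SSLContext oneWay = buildContext("cacerts.p12", trustPw, null, null);
        System.out.println("one-way TLS: " + connect(oneWay, "https://google.com"));

        // Mutual TLS: the keystore is added so the client can present its own
        // certificate when the server requests one. The server does the mirror
        // image: its keystore for its certificate, its truststore to check ours.
        SSLContext mutual = buildContext("cacerts.p12", trustPw, "client.p12", keyPw);
        System.out.println("mutual TLS: " + connect(mutual, "https://google.com"));
    }
}
```

The design point worth noticing is the asymmetry: the truststore feeds the TrustManager and is required for every outbound TLS call, while the keystore feeds the KeyManager and is left null unless the peer will actually ask for a client certificate. Keeping the private key out of the truststore file also means the file you copy to many hosts contains nothing secret.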