
Service Plan SSL Certificates


In addition to the domain certificate, further SSL certificates can be installed into a Service Plan so that your application can connect securely to external servers. This is particularly useful if you are using self-signed certificates.

Keystores are used when an HTTPS connection is required between a client and a server. During an SSL handshake the server loads its identifying certificate and public key (usually combined into a single certificate) from its keystore and sends it to the client. The client must then decide whether it trusts the server, and to do so it looks up the expected certificate in its truststore. If the certificate given by the server is present in the truststore, the client can accept the SSL handshake.

Both truststores and keystores use the same technique to store certificates and keys in a KeyStore.

Truststore

The Truststore stores certificates from third parties or certificates signed by CAs (Certificate Authorities), for example Verisign, Thawte, Geotrust and GoDaddy. These are used to verify the client’s certificate.

Every Service Plan comes with a truststore that contains all the current CA certificates.

To add extra certificates, a truststore can be added to the keystore directory of the application's filesystem. The truststore must be in the JKS KeyStore format, its filename must be truststore, and its password must be changeit. You may find this page about creating truststores useful.
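The following is an added example, not code from the original page or from the service provider: one way to build a truststore that meets the three requirements above (JKS format, file name truststore, password changeit) and to check the result before uploading it. The class name ServicePlanTruststore, the "extra-" alias prefix, the temporary staging directory and the stand-in sample certificate taken from the JDK's default CA set are assumptions made for illustration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class ServicePlanTruststore {   // hypothetical class name
    // Required by the page: JKS format, file name "truststore", password "changeit".
    static final char[] PASSWORD = "changeit".toCharArray();
    // Writes <dir>/truststore with the given certificates as trusted entries.
    static Path build(Path dir, Collection<? extends Certificate> certs) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS"); // explicit type: recent JDK tools default to PKCS12
        ts.load(null, PASSWORD);                   // start from an empty store
        for (Certificate c : certs) ts.setCertificateEntry("extra-" + ts.size(), c);
        Path out = dir.resolve("truststore");
        try (OutputStream os = Files.newOutputStream(out)) { ts.store(os, PASSWORD); }
        return out;
    }
    // Confirms the file is really JKS and opens with the expected password, then lists its entries.
    static int check(Path file) throws Exception {
        byte[] raw = Files.readAllBytes(file);
        if (raw.length < 4 || ByteBuffer.wrap(raw).getInt() != 0xFEEDFEED) // JKS magic number
            throw new IllegalStateException(file + " is not in JKS format");
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new ByteArrayInputStream(raw), PASSWORD); // throws IOException on a wrong password
        for (String alias : Collections.list(ts.aliases())) {
            X509Certificate x = (X509Certificate) ts.getCertificate(alias);
            byte[] fp = MessageDigest.getInstance("SHA-256").digest(x.getEncoded());
            System.out.printf("%s  %s  expires %s  sha256=%064x%n", alias,
                    x.getSubjectX500Principal().getName(), x.getNotAfter(), new java.math.BigInteger(1, fp));
        }
        return ts.size();
    }
    public static void main(String[] args) throws Exception {
        List<Certificate> certs = new ArrayList<>();
        for (String file : args)   // each argument: a PEM or DER certificate file to trust
            try (InputStream in = Files.newInputStream(Paths.get(file))) {
                certs.addAll(CertificateFactory.getInstance("X.509").generateCertificates(in)); }
        if (certs.isEmpty()) {     // no files given: use one JDK default CA as a stand-in sample
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            certs.add(((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0]);
        }
        Path dir = Files.createTempDirectory("keystore"); // assumption: local staging copy of the keystore directory
        System.out.println(check(build(dir, certs)) + " certificate(s) in " + dir.resolve("truststore"));
    }
}
```

Compare each printed SHA-256 fingerprint with the value obtained directly from the owner of the external server before copying the file into the keystore directory.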

Keystore

An empty keystore is provided with every Service Plan, in the keystore directory of the application's filesystem. Identifying keys and certificates can be added to this keystore.

Replacing this keystore is also possible, but the replacement must be in the JKS KeyStore format, its filename must be keystore and its password must be changeit. You may find this page about creating keystores useful.