The KeyStore class is an engine class; there is a corresponding KeyStoreSpi class that you can use to write your own keystore more about that a little later. As weve seen, the Sun−supplied algorithms for this engine are JKS, JCEKS, and PKCS12. Instances of the KeyStore class are predictably obtained via this method: public static final KeyStore getInstanceString type public static final KeyStore getInstanceString type, String provider Return an instance of the KeyStore class that implements the given algorithm, supplied by the given provider, if applicable. If you do not want to hardwire the name of the keystore algorithm into your application, you may use this method to return the string that should be passed to the getInstance method: public static final String getDefaultType Return the default keystore algorithm for the environment. This value is obtained by looking for a property called keystore.type in the java.security file; Suns version of Java sets the default value of this string to JKS. When the keystore object is created, it is initially empty. Although the getInstance method has constructed the object, it is not expected that the objects constructor will read in a keystore from any particular location. The interaction between the keystore object and the keytool database comes via these two methods: public final void loadInputStream is, char[] password Initialize the keystore from the data provided over the given input stream. The integrity of the keystore is protected by using a message digest: when the keystore is stored, a message digest that represents the data in the keystore is also stored. Before the digest is created, the password is added to the digest data; this means that the digest cannot be recreated from a keystore without knowledge of the password. This allows you to detect whether the keystore has been tampered with. The password for this method can be null , in which case the keystore is loaded and not verified. Its somewhat misleading to call this parameter a password, although thats what the javadoc calls it, and thats the term used by keytool . If you pass null for the password, youll always be able to read the keystore. Remember that a different password is used to decrypt the private keys in the keystore, so this isnt a security hole: if you dont have the password, you will be able to read only public certificates. If you use an incorrect password, an IO exception is thrown. You cannot require a password for the load method to succeed since the Sun implementation of the Policy class calls this method without a password when it constructs the information needed for the access controller. You may, of course, provide your own implementation of the Policy class that requires a password. If the class required to support the underlying message digest is not available, a NoSuchAlgorithmException is thrown. An error in reading the data results in an IOException , and generic format errors in the data result in a CertificateException . public final void storeOutputStream os, char[] password