Where is the location of Keystore file in JAVA?


Why can't the keytool list the Root CA without the -keystore & -storepass flags?

It can, starting with Java 9:

keytool -list -cacerts

Just press Enter at the password prompt.

Where does JAVA store the private keys?

Java doesn't store them anywhere.

You store them in a keystore file, anywhere you want on the file system. Then you tell the "server" where it is.

Exactly how you do that depends on what the "server" is, e.g. for Tomcat you give the path to the keystore file in the server.xml file.
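To make the answer concrete, here is a small added example (not from the thread or the JDK) that locates the bundled cacerts via java.home, shows which javax.net.ssl.* properties the JVM would consult, and checks that the truststore contains only trusted-certificate entries and no private keys. It assumes the default cacerts password "changeit" has not been changed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
/** Inspects the JRE's bundled truststore (cacerts) and reports what kinds of entries it holds. */
public class CacertsInspector {

    /** Default cacerts location, ${java.home}/lib/security/cacerts, for JRE 8 and JDK 9+ alike. */
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Loads a keystore file. The default type is "jks" on Java 8 and "pkcs12" on 9+ (which reads JKS too). */
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases holding a key entry (private or secret key). In a truststore this list should be empty. */
    static List<String> keyAliases(KeyStore ks) throws Exception {
        List<String> keys = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) keys.add(alias);
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        // TLS defaults come from these properties; an unset javax.net.ssl.keyStore simply means
        // no server/client identity is configured, the normal state for a cacerts-only JVM.
        String trustStore = System.getProperty("javax.net.ssl.trustStore", defaultCacerts().toString());
        System.out.println("truststore: " + trustStore);
        System.out.println("keystore:   " + System.getProperty("javax.net.ssl.keyStore", "<not set>"));

        // "changeit" is the well-known default password of the bundled cacerts (assumed unchanged here).
        KeyStore ts = load(Paths.get(trustStore), "changeit".toCharArray());
        List<String> keys = keyAliases(ts);
        System.out.println("trusted certificate entries: " + (ts.size() - keys.size()));
        if (!keys.isEmpty()) System.out.println("WARNING: key entries found in the truststore: " + keys);
    }
}
```

Run it with -Djavax.net.ssl.trustStore=/path/to/other.jks to inspect a different truststore; a non-empty warning means someone has stored a private key in a file that should only hold CA certificates.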

Author: mkhayata

Updated on June 05, 2022

Comments

  • mkhayata
    mkhayata almost 2 years

    I know the cacerts file that ships with the JRE is the truststore where Root CA certificates are stored; many people refer to this file as a keystore as well. However, my understanding of the keystore file is that it is another file where private keys are kept for the server to authenticate itself.

    Then, where does JAVA store the private keys? Or where exactly is the location of the keystore file? Is it the same file as cacerts?

    Moreover, the following command lists all Root CA certificates:

    > keytool -list -storepass changeit -keystore "C:\Program Files\Java\jre1.8.0_191\lib\security\cacerts"
    

    Why can't the keytool list the Root CA without the -keystore & -storepass flags?

  • mkhayata
    mkhayata over 5 years
    Prior to Java 9, why did the keytool not have this option? Is it because the cacerts file was considered both a truststore and a keystore? As for private keys, yes, of course Java doesn't store/provide private keys, but what I meant is whether JAVA has some default location/file to look for private keys added by users, which I believe is the equivalent of the javax.net.ssl.keyStore JVM property?
  • Andreas
    Andreas over 5 years
    "why the keytool did not have this option?" Because they hadn't thought to add it, and it wasn't really necessary, since you can do it with the -keystore argument.
  • mkhayata
    mkhayata over 5 years
    OK, but it is still not clear. Does this mean the cacerts file is considered both a truststore and a keystore? Can this file contain private keys, used for example by the server to decrypt?
  • Andreas
    Andreas over 5 years
    @mkhayata Why would it? The cacerts file stores CA certificates, i.e. root and intermediate public certificates issued by Certificate Authorities, and public certificates never have private keys. cacerts is a plain keystore file, dedicated to storing CA certificates, so you can use HTTPS out-of-the-box. --- A server certificate, and its associated private key, is not a CA certificate, and should not be stored in cacerts. It should be stored elsewhere, and referenced by the server configuration, as already mentioned in the answer.
  • mkhayata
    mkhayata over 5 years
    You just said cacerts is a plain keystore file, and this is the starting point of the confusion for me. Why are you calling it a keystore file? Isn't it a truststore file?
  • Andreas
    Andreas over 5 years
    @mkhayata I'm sorry, you're right, I misspoke, it's a truststore. This answer has a good description of the difference: Trust Store vs Key Store - creating with keytool
  • mkhayata
    mkhayata over 5 years
    OK, thanks for the link. Then can we say that the cacerts file is there to store CA Root certificates, but can also have private keys added by the user with the keytool? So the same file can be both a keystore and a truststore? And is the fact that the keytool always needs the -keystore & -storepass flags (prior to JAVA 9) because the keytool was designed to create/manipulate private keys in the first place?
  • Andreas
    Andreas over 5 years
    "can we say that cacerts file is to store CA Root certificates" Yes, of course, look at the name of the file. --- "but can also have private keys added" Can? Probably, but that would be a total misuse of the file. Don't do it! --- Read the description of keytool: "Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates." It was designed to do all of that.
  • mkhayata
    mkhayata over 5 years
    OK, now it all makes sense. I am accepting your answer for your great collaboration.