Tuesday, April 30, 2019

We continue discussing keys and certificates. A key pair secures data: the public key encrypts and the private key decrypts. The certificate serves as a stamp of authority. Certificates can include the public key, and a certificate that does becomes usable for securing the ends of a channel such as HTTPS. Keys and certificates may be bundled as keystores and truststores.

A keystore is a combination of key and certificate. It is made available as a file with a .pfx or .p12 extension. Many applications prefer accepting a keystore rather than keys and certificates separately. The keystore is essentially a header and a collection of bags: one bag may contain the private key while another may contain the certificate. There can be more than one certificate in a bag.
A truststore is merely a collection of certificates to be trusted. It can include a certificate chain if the certificates are signed.

The keystore and truststore can be one and the same if the connections are internal. In this case, the client and the server share the same key-certificate pair. Mutual authentication, on the other hand, is where the server and the client present different certificates. In this sequence of message exchanges for mutual authentication between the server and the client, the server initiates the messages. First, the server sends a hello message. Next it sends its certificate, followed by a request for the client's certificate, and lastly the server-side hello done message. The client responds first with its certificate. Then it sends the session key with the client key exchange message. Then it sends the certificate verify message and changes the cipher spec. Lastly it sends the client-side finished message. The server closes the mutual authentication with its own change cipher spec message and the server-side finished message.
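To make the keystore/truststore split and the mutual-authentication exchange above concrete, here is an added example (my code, not from this post or from any project it links). It uses only Go's standard library: a `tls.Certificate` plays the role of the keystore (private key plus certificate, the two items a .p12 file would carry in its bags) and an `x509.CertPool` plays the role of the truststore. The two sides then run a TLS 1.2 handshake with client-certificate authentication over an in-memory pipe, and the server reports whose certificate it verified. Host names such as `server.example.test` are constructed placeholders, and the 2-second deadline is my own choice. The standard library has no PKCS#12 decoder, so turning an actual .pfx/.p12 into these pieces is the job of a PKCS#12 library such as the one the post links to; this example starts from freshly generated self-signed identities instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// handshakeDeadline bounds every handshake so that a rejected certificate can
// never leave either end of the synchronous in-memory pipe blocked forever.
const handshakeDeadline = 2 * time.Second

// newIdentity creates a self-signed certificate plus its private key: the same
// two items an application would otherwise load from a .pfx/.p12 keystore.
// The name is a constructed placeholder, not a real host.
func newIdentity(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// truststore builds the "collection of certificates to be trusted" from the
// leaf certificates of the given identities.
func truststore(ids ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, id := range ids {
		pool.AddCert(id.Leaf)
	}
	return pool
}

// mutualHandshake runs a TLS 1.2 handshake with client certificate
// authentication over an in-memory pipe. Each side gets its own keystore
// (identity) and truststore (pool). It returns the CommonName the server saw
// on the client's verified certificate, or the first handshake error.
func mutualHandshake(serverID, clientID tls.Certificate, serverTrust, clientTrust *x509.CertPool) (string, error) {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverID},
		ClientAuth:   tls.RequireAndVerifyClientCert, // makes the server send CertificateRequest
		ClientCAs:    serverTrust,                     // server-side truststore
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // keep the flights strictly alternating, as in the post's sequence
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{clientID},
		RootCAs:      clientTrust, // client-side truststore
		ServerName:   serverID.Leaf.Subject.CommonName,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}

	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	deadline := time.Now().Add(handshakeDeadline)
	_ = cConn.SetDeadline(deadline)
	_ = sConn.SetDeadline(deadline)

	server := tls.Server(sConn, serverCfg)
	client := tls.Client(cConn, clientCfg)

	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		_ = cConn.Close() // unblock the server side promptly
		<-serverErr
		return "", fmt.Errorf("client handshake: %w", err)
	}
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	peers := server.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return "", fmt.Errorf("server saw no client certificate")
	}
	return peers[0].Subject.CommonName, nil
}

func main() {
	serverID, err := newIdentity("server.example.test") // constructed names
	if err != nil {
		panic(err)
	}
	clientID, err := newIdentity("client.example.test")
	if err != nil {
		panic(err)
	}
	// Distinct keystores, each side trusting only the other.
	cn, err := mutualHandshake(serverID, clientID, truststore(clientID), truststore(serverID))
	fmt.Println("mutual:", cn, err)
	// Internal service: keystore and truststore are one and the same on both ends.
	cn, err = mutualHandshake(serverID, serverID, truststore(serverID), truststore(serverID))
	fmt.Println("shared identity:", cn, err)
	// The server's truststore lacks the client's certificate, so the handshake fails.
	_, err = mutualHandshake(serverID, clientID, truststore(serverID), truststore(serverID))
	fmt.Println("untrusted client rejected:", err != nil)
}
```

The third call in `main` is the check a practitioner most wants to see: with `RequireAndVerifyClientCert`, a client whose certificate is absent from the server's truststore is refused during the handshake, not merely logged afterwards. Swapping the third and fourth arguments around (server trusts itself, client trusts the server) is the only change between the "shared identity" case the post mentions and the fully mutual one.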

Common issues encountered when generating these bundles are mentioned here: https://github.com/ravibeta/go-pkcs12/commit/db4cf640b9698ad37d9d170a9a75bf49d7425b71 (line 427).
