
Difference between SSL/TLS Truststore/Keystore and when you need it.

  • February 17, 2022

AkshayJadhav
StreamSets Employee

Keystores contain private keys (credentials).

 

Truststores contain certificate chains or individual certificates that are said to be trusted (verified).

When you visit an https website it sends you a certificate which identifies it. The certificate must be signed by a trusted authority, which is called a CA (certificate authority). CAs may also include intermediate certificates forming a chain.

Not all CAs are trusted by Java - in those cases, you need to add your untrusted CA to a truststore.

You need a truststore if Java doesn't trust the CA signing the certificate for the https URL out of the box. For most public CAs this is not needed.

A keystore is needed only if the https URL requires client certificate authentication (authentication where the client [sdc] must identify itself as well).
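The two roles described above, shown as an added example (not StreamSets code and not part of the original post): a truststore feeds the `TrustManagerFactory` that verifies the server, and a keystore feeds the `KeyManagerFactory` only when client certificate authentication is required. The class name `TlsStores`, the environment variable names, and the assumption that the key password equals the store password are illustrative.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsStores {
    // Both store kinds are java.security.KeyStore files; only their contents and role differ.
    static KeyStore load(Path file, char[] password) throws GeneralSecurityException, IOException {
        return KeyStore.getInstance(file.toFile(), password); // detects JKS/PKCS12 (Java 9+)
    }

    // truststore: CA certificates used to verify the server; null = JRE default trust anchors.
    // keystore: client private key and certificate; null = no client certificate authentication.
    static SSLContext build(Path truststore, char[] trustPass, Path keystore, char[] keyPass)
            throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore == null ? null : load(truststore, trustPass));

        KeyManager[] keyManagers = null;
        if (keystore != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Assumption: the private key entry uses the same password as the store.
            kmf.init(load(keystore, keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    static char[] env(String name) {
        String v = System.getenv(name);
        return v == null ? null : v.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TlsStores [truststore-file [keystore-file]]
        // TRUSTSTORE_PASS and KEYSTORE_PASS are hypothetical environment variable names.
        Path ts = args.length > 0 ? Path.of(args[0]) : null;
        Path ks = args.length > 1 ? Path.of(args[1]) : null;
        SSLContext ctx = build(ts, env("TRUSTSTORE_PASS"), ks, env("KEYSTORE_PASS"));
        System.out.println("SSLContext ready: " + ctx.getProtocol()
                + ", client certificate " + (ks != null ? "configured" : "not configured"));
    }
}
```

A context built from a custom truststore trusts only the CAs in that file, not the JRE defaults, so a private CA file used this way will reject public sites unless their CAs are added to it as well.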
