
Keystores contain private keys (credentials).

Truststores contain certificate chains or individual certificates that are said to be trusted (verified).

When you visit an HTTPS website, it sends you a certificate that identifies it. The certificate must be signed by a trusted authority, which is called a CA (certificate authority). CAs may also include intermediate certificates forming a chain.

Not all CAs are trusted by Java - in those cases, you need to add your untrusted CA to a truststore.

You need a truststore if Java doesn't trust the CA signing the certificate for the HTTPS URL out of the box. For most public CAs this is not needed.

A keystore is needed only if the HTTPS URL requires client certificate authentication (authentication where the client [nsdc] must identify itself as well).

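The two roles described above, wired into a Java `SSLContext`. This is an added example, not part of the original post. The class name, the file arguments and the `TRUST_PASS`/`KEY_PASS` environment variables are assumptions for illustration, and both stores are assumed to be PKCS12 files.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsContextExample {
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // trustStore: CA certificates used to verify the server's chain. Only these
    //   CAs are trusted by the returned context (JRE defaults are not merged in).
    // keyStore: client private key and certificate, or null if the server does
    //   not require client certificate authentication.
    static SSLContext build(Path trustStore, char[] trustPass,
                            Path keyStore, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));
        KeyManager[] keyManagers = null; // null: no client certificate is offered
        if (keyStore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
            // Assumes the key entry uses the same password as the store.
            kmf.init(load(keyStore, keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: TRUST_PASS=... [KEY_PASS=...] java TlsContextExample.java <truststore.p12> [<keystore.p12>]
    public static void main(String[] args) throws Exception {
        Path ks = args.length > 1 ? Path.of(args[1]) : null;
        char[] kp = ks != null ? System.getenv("KEY_PASS").toCharArray() : null;
        SSLContext ctx = build(Path.of(args[0]),
            System.getenv("TRUST_PASS").toCharArray(), ks, kp);
        System.out.println(ctx.getProtocol() + " context ready, client certificate: " + (ks != null));
    }
}
```

Pass the returned context to the HTTPS client in use, for example `HttpClient.newBuilder().sslContext(ctx)`.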