In software development projects, there are often requirements where we need to call other APIs from our application. In such cases, we might have some headers or data that we don’t want to send in clear text form due to security concerns. This is where the concept of keystores comes into play.
A keystore is a secure storage facility that stores sensitive information such as private keys, certificates, and passwords. It is typically used to manage cryptographic keys and certificates required for secure communication between different systems. Keystores can be used to store keys and certificates for multiple environments, making it easier to manage and deploy applications across different environments.
There are a few different types of keystores in Java:
• JKS (Java Key Store): The JKS or Java Keystore is Java-specific and usually has an extension of .jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys.
• JCEKS: JCEKS is a superset of JKS and supports more algorithms. It is an extension of JCEK and provides much stronger protection for stored private keys by using Triple DES encryption. The entries that can be put in the JCEKS keystore are private keys, secret keys, and certificates.
• PKCS12: PKCS12, also known as PKCS#12 or PFX, is a standard keystore type that can be used in Java and other languages. It usually has an extension of .p12 or .pfx. You can store private keys, secret keys, and certificates of this type.
• PKCS11: PKCS11 is a type of hardware keystore. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet’s Luna, nCipher, or smart cards.
• DKS: DKS is a keystore of keystores. DKS itself is not a keystore but a collection of keystores that are presented as a single logical keystore.
Among the different types of keystores mentioned above, we will be using JKS (Java Key Store). One of the key tools used for creating keystores is the Java Keytool. Java Keytool is a command-line utility used to manage keystores, certificates, and keys. It is included with the Java Development Kit (JDK) and is available on all platforms where Java is installed. The Java Keytool provides a set of commands for creating, managing, and exporting keystores.
To create a keystore, we first need to generate a private key and a certificate. We can then use the Java Keytool to create a keystore and store the private key and certificate in it. We can also add additional certificates to the keystore as required.
Once the keystore has been created, we can configure our application to use it for secure communication with other systems. This involves specifying the location of the keystore, the password for accessing it, and the alias for the private key and certificate.
In our application, we have multiple environments. Instead of creating separate keystores for each environment, we will create a single keystore for all environments.
In this blog, we will go through the commands to create a single keystore for multiple environments (i.e., dev, staging, and prod).
Creating a keystore for a specific environment:
keytool -genkeypair -alias project_name_env_name -keyalg RSA -keypass project_name#2022 -keystore signing_project_name.keystore -storepass project_name#2022 -validity 9999
Listing specific environment public keys and certificates:
keytool -list -rfc –keystore signing_project_name.keystore -alias project_name_env_name | openssl x509 -inform pem –pubkey
Listing all entries in the keystore:
keytool -list -rfc –keystore signing_project_name.keystore
Deleting an entry in the keystore file:
keytool -delete -alias project_name_stg -keystore signing_project_name.keystore -storepass project_name#2022
JWKS Creation:
• We can create JWKS using this link Jwk Creator, which has the parameters mentioned in the given link, which you must collect as mentioned below.
• Public Key Use: Signing (and Algorithm): Leave it as (unspecified).
• Key ID: A random UUID (which can be generated using uuidgenerator)
• PEM encoded key: Enter the public key here, including the “—-BEGIN PUBLIC KEY—-” text as well.
• If you have a public key certificate and want to extract the public key, you can use the following command:
openssl x509 -in project_name_dev_pub.cer -pubkey -noout > project_name_dev_publickey.pem
JWKS Configuration in APIGEE:
• We need to add JWKS configuration to the Apigee key-value map.
• You can find this in APIS → Environment Configuration → Key Value Maps.
• Create a new map, or if one is already created, add an entry with your project name and value, which will be your JWKS object.
• Make sure the right environment is selected before making changes to the Environment configuration.
In summary, keystores are an important tool for managing cryptographic keys and certificates in software development projects. They provide a secure storage facility for sensitive information and help ensure secure communication between different systems. Java Keytool is a key tool for creating and managing keystores, and it provides a set of commands for creating, managing, and exporting keystores. Apigee helps verify encrypted tokens and extract meaningful information from them.
Senior Software Engineer
