How to add jks file and the jks file password to vault - hashicorp-vault

I want to add the dev.jks file to Vault along with the password of the JKS file,
so that when my application tries to use the JKS from Vault it can use the same password to retrieve the cert.

So you want to store a file in Vault plus the password for that file?
You can use a KV value, for example:
vault kv put secret/dev.jks file="$(base64 -w0 < dev.jks)" password=my-pass
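
The one-liner above works, but a practitioner will usually want two more things: a base64 encoding that does not depend on GNU-only flags, and a way to keep the password out of argv and shell history. The script below is an added example and not part of the answer; it assumes a KV v2 mount at secret/ and a reachable Vault (VAULT_ADDR/VAULT_TOKEN set), and the "keystore" bytes in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the answer above: store a JKS file plus its
# password in Vault KV (v2 mount at "secret/" assumed) and restore it later.
set -eu

# Base64-encode a file as a single line. `base64 -w0` is GNU-only; stripping
# newlines with tr gives the same result with BSD/macOS base64 as well.
b64_file() {                                     # $1 = input file
    base64 < "$1" | tr -d '\n'
}

# Reverse of b64_file: decode a single-line base64 string into a file.
b64_to_file() {                                  # $1 = base64 text, $2 = output path
    printf '%s' "$1" | base64 -d > "$2"
}

# Write the keystore and its password. The encoded keystore is passed with
# key=@file and the password is read from stdin (key=-), so neither value
# shows up in `ps` output or shell history, unlike password=my-pass on argv.
vault_put_keystore() {                           # $1 = path to .jks, $2 = Vault path
    payload=$(mktemp)
    b64_file "$1" > "$payload"
    vault kv put "$2" file=@"$payload" password=-
    rm -f "$payload"
}

# Restore the keystore to $2 (readable only by the caller, umask 077) and
# print the password on stdout so the caller can hand it to keytool or the app.
vault_get_keystore() {                           # $1 = Vault path, $2 = output .jks
    ( umask 077; b64_to_file "$(vault kv get -field=file "$1")" "$2" )
    vault kv get -field=password "$1"
}

# Usage, with VAULT_ADDR and VAULT_TOKEN set:
#   printf '%s' 'my-pass' | vault_put_keystore dev.jks secret/dev.jks
#   storepass=$(vault_get_keystore secret/dev.jks ./dev.jks)
#   keytool -list -keystore ./dev.jks -storepass "$storepass"
```

The application side then only needs the two fields: decode `file` to disk (or straight into `KeyStore.load`) and pass `password` as the store password.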

Related

How to use jks file directly in POSTMAN for https REST end-point

I have a .jks certificate; I am able to use this for a request in SoapUI.
In SoapUI, I used the GET REST endpoint and saved it as a project, then added the JKS at project level.
Next I expanded the project and, in the endpoint configuration, selected the JKS file in the properties and added it (refer to the snapshot below).
With this setup I am successfully hitting the REST endpoint and getting a 200 OK response.
I am trying to see if I can use Postman to do the same, but it doesn't accept the JKS file.
It looks for .cer, .pem or .crt files, which I would need to create from the JKS file. Is there any way to use the JKS file directly in Postman?

How to get certificate from Azure KeyVault as .crt and .key files?

I need to export a certificate from Azure Key Vault to a VM as a .crt file, with its key as a .key file.
I found the following article in the MS docs: link, and then convert it to the correct files with openssl.
Unfortunately, there's one restriction for me: I cannot use openssl.
So my question is, is there any way to do it with PowerShell?
When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.
Source: Composition of a Certificate.
You can use the new az module (CLI-based) in PowerShell to download the crt (public part), export the private key from the secret, or export the public key from the key (in case you need only the public key), separately as below.
Note: The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret.
Source: Exportable or Non-exportable key.
# download as crt in DER format
# you can also download in PEM format by changing to -e PEM
az keyvault certificate download --vault-name <keyvault-name> -n <cert-name> -f cert.crt -e DER
# private key is stored in secret, exporting separately
az keyvault secret download --vault-name <keyvault-name> -n <cert-name> -f cert.key
# key is stored in key, exporting public part separately in PEM format
# you can also download in DER format by changing to -e DER
# you cannot retrieve private part from key
az keyvault key download --vault-name <keyvault-name> -n <cert-name> -f public-key.pem -e PEM
Note: If the format was PKCS#12 when you uploaded the certificate, then the second command (private key) would download in p12 format, which would require the passphrase.
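
For a certificate whose content type is application/x-pem-file, the secret that the second command downloads holds the private key and the certificate chain in one PEM file, so they still have to be separated into the .key and .crt the question asks for. The script below is an added example, not from the answer above or from Azure; it does the split with awk only (no openssl) and guards the key file's permissions. The sample bundle it writes is constructed with placeholder base64 bodies, not real key material, and the file names are assumptions. For a PKCS#12 content type the secret is a binary PFX and this split does not apply.

```shell
#!/bin/sh
# Added example (not from the answer above): split the PEM bundle that
# `az keyvault secret download` writes for a PEM-type certificate into a
# private key file and a certificate chain file, without openssl.
set -eu

# Route each "-----BEGIN ...-----" block by its header: private key blocks
# (PKCS#8, RSA, EC, encrypted) to $2, certificate blocks to $3. Anything
# outside a block, e.g. "Bag Attributes" lines, is dropped.
split_pem_bundle() {                             # $1 = bundle.pem, $2 = out.key, $3 = out.crt
    : > "$3"
    ( umask 077; : > "$2" )                      # key file readable only by its owner
    awk -v keyfile="$2" -v crtfile="$3" '
        /^-----BEGIN / {
            if ($0 ~ /PRIVATE KEY-----$/)        out = keyfile
            else if ($0 ~ /CERTIFICATE-----$/)   out = crtfile
            else                                 out = "/dev/null"
        }
        out != "" { print >> out }
        /^-----END / { out = "" }
    ' "$1"
}

# Number of PEM blocks with a given label in a file, e.g. count_blocks f CERTIFICATE
count_blocks() {                                 # $1 = file, $2 = block label
    grep -c "^-----BEGIN $2-----$" "$1" || true  # grep -c exits 1 on zero matches
}

# Constructed sample bundle: key first, then leaf and issuer certificates.
# The base64 bodies are placeholders, not real keys or certificates.
write_sample_bundle() {                          # $1 = output path
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7UExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbmV4dDANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJMRUFG
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbmV4dDANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJJU1M=
-----END CERTIFICATE-----
EOF
}

# Usage after: az keyvault secret download --vault-name <kv> -n <cert> -f bundle.pem
#   split_pem_bundle bundle.pem cert.key cert.crt
```

Because the routing is driven by the BEGIN header only, the same function also handles bundles that carry the chain before the key or include OpenSSL "Bag Attributes" lines.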

Can PEM files be used for Kafka security?

The documentation at http://kafka.apache.org/documentation/#security describes the process of enabling security in Kafka.
It describes the certificates to be in JKS format. Is it possible to use PEM formatted certificates with Kafka?
-Yash
You'll be able to use PEM in Kafka after 2.7.0 is released. Details here. Currently you can also use PKCS12.
Update: since Kafka 2.7, PEM keys and certificates are supported.
You need to set ssl.keystore.type/ssl.certificate.type to PEM and then use ssl.keystore.key, ssl.keystore.certificate.chain and ssl.truststore.certificates to provide your keys and certificates.
Original answer
No you cannot directly use PEM certificates with Kafka.
This is not a Kafka restriction, it's just that all of the "mainstream" JVMs (HotSpot, OpenJDK, J9) use JKS.
See Import .key and .pem file to jks file and use in Java/Spring
for the required steps to import a PEM file into a JKS store.
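
Putting PEM material into the Kafka 2.7+ properties named above means inlining multi-line text as property values, and the default SSL engine factory only accepts PKCS#8 private keys (ssl.key.password is needed if the key is encrypted). The script below is an added example, not from the answer or from the Kafka project: it refuses a PKCS#1 "RSA PRIVATE KEY" file, and emits the properties with the backslash line continuation that Java properties files use. File names are placeholders and the sample PEM bodies are constructed.

```shell
#!/bin/sh
# Added example (not from the answer or from Kafka): build the PEM-based SSL
# properties introduced in Kafka 2.7 from key, chain and CA files.
set -eu

# Kafka's default SSL engine factory accepts only PKCS#8 private keys in PEM:
# "-----BEGIN PRIVATE KEY-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----".
# A PKCS#1 "-----BEGIN RSA PRIVATE KEY-----" file must be converted first
# (openssl pkcs8 -topk8). Returns 1 if the header is anything else.
require_pkcs8() {                                # $1 = key.pem
    head -n 1 "$1" | grep -qE '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----$'
}

# Emit "name=<PEM>" where every line except the last ends in " \" so a Java
# properties parser joins them back into a single value.
pem_property() {                                 # $1 = property name, $2 = PEM file
    printf '%s=' "$1"
    sed '$!s/$/ \\/' "$2"
}

# Print the SSL block for a broker or client. $4 (key password) is only
# needed for an encrypted PKCS#8 key.
kafka_pem_ssl_properties() {                     # $1 = key.pem, $2 = chain.pem, $3 = ca.pem, [$4 = key password]
    require_pkcs8 "$1" || { echo "$1: private key must be PKCS#8 PEM" >&2; return 1; }
    echo "ssl.keystore.type=PEM"
    pem_property ssl.keystore.key "$1"
    pem_property ssl.keystore.certificate.chain "$2"
    echo "ssl.truststore.type=PEM"
    pem_property ssl.truststore.certificates "$3"
    [ -z "${4:-}" ] || echo "ssl.key.password=$4"
}

# Constructed input: a one-line placeholder body, not real key material.
write_sample_pem() {                             # $1 = output path, $2 = block label
    { echo "-----BEGIN $2-----"; echo "UExBQ0VIT0xERVI="; echo "-----END $2-----"; } > "$1"
}

# Usage:
#   kafka_pem_ssl_properties broker.key broker-chain.pem ca.pem >> server.properties
```

If the key, chain and CA certificates are kept on disk instead, the same type settings apply but ssl.keystore.location and ssl.truststore.location point at the PEM files, which avoids the continuation-line formatting entirely.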

Sign XML document with .jks compatible key store

I am signing a SAML Response and Assertion with an X.509 certificate. The response is posted to a Java app, which throws the error "Signature length not correct…". I am asked to make sure that the XML doc is signed with a certificate in JKS format and not PKCS12.
Is there a way to sign an XML document in JKS format in C# and then post the SAML response to the Java app?
There is no such thing as an XML document signed in JKS format. These are apples and oranges.
XML digital signatures are specified in XMLDsig standard (assuming that you use XML digital signatures). http://www.w3.org/TR/xmldsig-core/
When you sign something you use the private key of an asymmetric key pair, probably an RSA key pair. http://en.wikipedia.org/wiki/RSA_%28algorithm%29
When you verify the signature you use the public key, commonly wrapped in an X.509 Certificate. http://en.wikipedia.org/wiki/Public_key_certificate
JKS and PKCS#12 are two different formats for storing the private key and the certificate in a container, encrypted using a password (since the private key is supposed to be private you want to protect it using a password).
When you sign an XML document you open the JKS/P12 keystore and use the private key to sign, and optionally include the certificate for easier verification for the recipient.
The private key and the certificate are identical in both cases, i.e. it does not matter if you use JKS or P12, the XML signature is bit for bit identical.
Probably you are sending both the XML document and the PKCS12 keystore to the recipient, and the recipient is unable to open PKCS12 keystore properly?
Java can open both JKS and PKCS12 with no problems at all, most likely your problem is related to something else than JKS vs PKCS12.
I do not know if C# can read and/or write JKS files (JKS == Java Key Store).

Reading data from a certificate file

I have a local setup of OpenSSL. For every certificate request I create a ...cert.pem and a ...pfx file.
I need to open the cert.pem and the pfx to read the below data:
1) Certificate serial id
2) Expiry date
3) Validity date
Is there some API that can help me do this?
You can read PFX (PKCS#12) certificates using JDK API without BouncyCastle:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
ks.load(new FileInputStream("foo.pfx"), "passwd".toCharArray());
String alias = ks.aliases().nextElement(); // first entry in the PFX
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
System.out.println(cert.getSerialNumber() + " " + cert.getNotBefore() + " " + cert.getNotAfter()); // serial, valid from, expiry
For reading PEM files see this SO answer
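
Since the question starts from a local OpenSSL setup, the same three fields can also be read from both files with the openssl CLI, which is handy in scripts around the certificate-issuing process. The script below is an added example, not from the answer above; file names and the PFX password are placeholders, and the summary text it embeds is constructed in the format `openssl x509 -serial -dates` prints so the field parser can be exercised without a real certificate.

```shell
#!/bin/sh
# Added example (not from the answer above): read serial number and validity
# dates from cert.pem and from the .pfx with the openssl CLI, and check expiry.
set -eu

# "serial=..", "notBefore=..", "notAfter=.." lines for a PEM certificate.
x509_summary_pem() {                             # $1 = cert.pem
    openssl x509 -in "$1" -noout -serial -dates
}

# Same for a PFX: extract only the end-entity certificate (-nokeys -clcerts)
# and feed it to x509. The password is passed through the environment
# (-passin env:), so it does not appear in `ps` output.
x509_summary_pfx() {                             # $1 = bundle.pfx, $2 = PFX password
    PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS \
        | openssl x509 -noout -serial -dates
}

# Pick one field out of summary text on stdin: serial, notBefore or notAfter.
summary_field() {                                # $1 = field name
    sed -n "s/^$1=//p" | head -n 1
}

# Exit 0 if the PEM certificate is still valid $2 seconds from now, 1 otherwise
# (e.g. cert_valid_for cert.pem 2592000 flags certificates expiring within 30 days).
cert_valid_for() {                               # $1 = cert.pem, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed summary text in the exact layout openssl prints; used only to
# exercise summary_field without a real certificate on disk.
SAMPLE_SUMMARY='serial=0A1B2C3D4E5F
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2024 GMT'

# Usage:
#   x509_summary_pem cert.pem | summary_field notAfter
#   x509_summary_pfx bundle.pfx 'passwd' | summary_field serial
```

Note that openssl prints the serial as uppercase hex without a 0x prefix, while the Java snippet's `getSerialNumber()` is a BigInteger printed in decimal; compare them with `toString(16)` on the Java side if you need the two to match.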