Importing or exporting the Lowkey Vault Self-Signed certificate
When you are using Lowkey Vault through HTTPS with the default self-signed certificate it ships with, you may need to create a custom key store you can use in your tests or whenever you are launching your application locally.
In these situations, you can find the latest key store here.
Tip
The certificates are valid for multiple years, so no need to worry about frequent renewal effort!
Note
The aforementioned key store uses the default password changeit as store pass.
keytool -list -keystore keystore.p12 -storepass changeit
Displaying:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
lowkey-vault.local, Aug 26, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
keytool -exportcert -alias lowkey-vault.local -file exportedcert.pem -rfc -keystore keystore.p12 -storepass changeit
Displaying:
Certificate stored in file <exportedcert.pem>
1. Create a copy of the default Java trust store (normally located under $JAVA_HOME/lib/security/cacerts)
Caution
Importing a publicly available self-signed certificate into your default trust store may introduce security risks, because the matching private key is distributed in the same publicly available key store with a well-known password. Prefer at least an application-specific copy of the trust store to limit the exposure.
cp $JAVA_HOME/lib/security/cacerts mycacerts
Providing no output when successful.
keytool -import -alias lowkey-vault.local -file exportedcert.pem -keystore mycacerts -storepass changeit
This displays the certificate details and asks whether you trust the certificate:
Owner: CN=lowkey-vault.local
Issuer: CN=lowkey-vault.local
Serial number: 43bece907703d128
Valid from: Fri Aug 26 22:49:56 CEST 2022 until: Mon Aug 23 22:49:56 CEST 2032
Certificate fingerprints:
SHA1: 62:9D:34:CA:20:AB:26:78:44:15:5B:39:A3:68:3F:40:CC:43:15:DC
SHA256: C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: lowkey-vault.local
DNSName: lowkey-vault
DNSName: *.localhost
DNSName: *.lowkey-vault
DNSName: *.lowkey-vault.local
DNSName: *.default.svc.cluster.local
DNSName: localhost
IPAddress: 127.0.0.1
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 B8 A5 7A F3 0A 33 55 D2 79 7F D8 25 EA 25 63 ...z..3U.y..%.%c
0010: ED 17 06 7C ....
]
]
Trust this certificate? [no]:
Answer yes if you want to trust it. The response should be:
Certificate was added to keystore
keytool -list -keystore mycacerts -storepass changeit
Look for an entry similar to these lines in the output:
lowkey-vault.local, Jul 12, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
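As an added example that is not part of the Lowkey Vault project or this page, the steps above as a POSIX shell script that only imports the certificate when the SHA-256 fingerprint reported by keytool -list for the lowkey-vault.local alias equals the value shown on this page. It assumes keytool is on PATH, JAVA_HOME is set, and that keystore.p12 and mycacerts are the file names in use.

```shell
#!/bin/sh
# Added example, not part of the Lowkey Vault project: gate the import from
# this page on the certificate's SHA-256 fingerprint. keytool on PATH,
# JAVA_HOME being set and the file names are assumptions.
set -eu

ALIAS='lowkey-vault.local'
# Fingerprint of the default certificate as shown on this page; used as a pin.
EXPECTED_SHA256='C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48'

# Read `keytool -list` output on stdin and print the SHA-256 fingerprint that
# follows the entry line starting with "<alias>,"; prints nothing if absent.
fingerprint_for_alias() {
  awk -v alias="$1" '
    index($0, alias ",") == 1 { want = 1; next }
    want && index($0, "Certificate fingerprint (SHA-256):") > 0 { print $NF; exit }
    { want = 0 }
  '
}

# Exit status 0 only when the listing on stdin shows alias $1 with fingerprint $2.
fingerprint_matches() {
  actual=$(fingerprint_for_alias "$1")
  if [ -n "$actual" ] && [ "$actual" = "$2" ]; then
    return 0
  fi
  return 1
}

# The page's procedure: verify the pin, export, copy cacerts, import without
# prompting, then confirm the trusted entry landed in the copy.
import_pinned_cert() {
  keystore="${1:-keystore.p12}"
  truststore="${2:-mycacerts}"
  if ! keytool -list -keystore "$keystore" -storepass changeit \
      | fingerprint_matches "$ALIAS" "$EXPECTED_SHA256"; then
    echo "refusing to import: $ALIAS in $keystore does not match the pin" >&2
    return 1
  fi
  keytool -exportcert -alias "$ALIAS" -file exportedcert.pem -rfc \
    -keystore "$keystore" -storepass changeit
  cp "$JAVA_HOME/lib/security/cacerts" "$truststore"
  keytool -importcert -noprompt -alias "$ALIAS" -file exportedcert.pem \
    -keystore "$truststore" -storepass changeit
  keytool -list -keystore "$truststore" -storepass changeit \
    | fingerprint_matches "$ALIAS" "$EXPECTED_SHA256"
}
```

Source the script and call import_pinned_cert; a fingerprint mismatch stops the procedure before anything is written to the trust store copy.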
To make your Java process use the new trust store, pass it the following system properties:
-Djavax.net.ssl.trustStore=mycacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS