Ceptor - Get a Free Trial

Keystore configuration

Owned by Kim Rasmussen
Last updated: Oct 14, 2023

This section describes the various possibilities for configuring a Keystore containing one or more private or public keys used for signing or verification of tickets and tokens.

JSON Configuration

A keystore configuration in general con contain a lot of different entries, ranging from a keystore loaded from disk at each Ceptor server instance, to keys and certificates being configured solely within the configuration.

In general, the first private key is used for signing, unless a specific key is pointed to by setting alias.privkey  in which case only this key is loaded.


Below is an illustrative example;

Example Keystore JSON Object
{
  "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx",
  "provider": "BC",
  "type": "PKCS12",
  "password": "{encoded}96E1FAF9F9578720",
  "alias.privkey": "abc",
  "alias.cert": "public",
  "password.per.alias": [],
  "privatekey": "-----BEGIN PRIVATE KEY-----\nxxxxxxxx\n-----END PRIVATE KEY-----",
  "certificate": "-----BEGIN CERTIFICATE----\nxxxxxxxxxxxxxx\n-----END CERTIFICATE----",
  "publickey": "-----BEGIN RSA PUBLIC KEY----\nxxxxxxxxxxxxxx\n-----END RSA PUBLIC KEY----",
  "password.per.alias": [
    "public=anotherpassword",
    "supersecret=passw0rd"
  ],
  "certificates": [
    "${ceptor.home}/config/extra.cer",
    "${ceptor.home}/config/other.cer",
    "-----BEGIN CERTIFICATE----\nxxxxxxxxxyyyyyyyyxxxxx\n-----END CERTIFICATE----"
  ],
  "entries": [
    {
      "name": "Name used as alias",
      "privatekey": "PEM encoded RSA private key - possibly encrypted/obfusciated using password encryption - used to specify keys/certs only via configuration instead of requiring them to be loaded from external files",
      "certificates": [
        "PEM encoded certificate, or filename to load certificate from",
        "additional PEM encoded certificate or filename",
        ".... all certificates are combined into a single entry within the keystore - so one certificate chain"
      ]
      "certificate": "Ignored if 'certificates' is present - can otherwise contain a certificate if present, can either be PEM encoded, or filename (or semicolon separated filenames) of files to load certificates from",
      "publickey": "Can contain a public key if present, can either be PEM encoded, or filename (or semicolon separated filenames) of files to load certificates from"
    }
  ]
}


User interface configuration

Here is examples of the user interface for prompting for keystore information - note that depending on individual screens, not all might contain all the fields that the JSON has -e.g. if a screen is prompting for certificates only needed for validation, the fields with private keys are not shown.

Also note, that for Identity Providers, often you do not need to define they keys at all - instead you simply configure the URL to where to find the Federation Metadata, and the required certificates will be read periodically from the metadata URL.

If online access to the URL is not possible, e.g. due to firewall restrictions, you can also paste the federation metadata in to the configuration manually.


The keystore is configured in a JSON object called keystore within the service provider's JSON object.

Key or certificate configuration

JCE Provider

Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.

Default: None
JSON key is provider

Keystore type

Keystore type, usually PKCS12 or JKS

Default: PKCS12
JSON key is type

Filename

Name of file to load keystore from - note that some keystores, e.g. Luna does not have a file

Default: None
JSON key is file

Password

Password for the keystore - can be encrypted, see Encrypting or Obfuscating Passwords

Default: None
JSON key is password

Password per alias

This is only needed if you have specific aliases in your keystore which have passwords that differ from the main keystore password - it allows you to specify a password for each alias specifically.

Default: None
JSON key is password.per.alias - this is a JSON Array with the format alias=password

Alias of private key

If provided, only the private key with the specified alias will be loaded.

Default: None
JSON key is alias.privkey

Alias of certificate

If provided, only the certificate with the specified alias will be loaded

Default: None
JSON key is alias.cert

Private key

Allows you to provide the private key as an RSA key in PKCS#8 format by pasting it directly.

Default: None
JSON key is privatekey

Certificate

Allows you to provide the certificate as Base64 encoded DER by pasting it directly instead of loading it from a keystore.

Default: None
JSON key is certificate

Public key

Allows you to provide the public key directly - this is only available for keystores used within OpenID Connect / JWT token configurations.

Note: Requires Ceptor v6.5.11+

Default: None
JSON key is publickey

Certificates

Provide a list of filenames or certificates directly within the configuration.

Default: None
JSON key is certificates - which is a JSON Array of strings, each containing a filename of a certificate in .cer (binary or base64 encoded), .der or .p7b format or the certificate itself, if starting with -----BEGIN CERTIFICATE-----


© Ceptor ApS. All Rights Reserved.