# Importing or exporting the Lowkey Vault Self-Signed certificate
When you are using Lowkey Vault through HTTPS with the default self-signed certificate it ships with, you may need to create a custom key store you can use in your tests or whenever you are launching your application locally.
In these situations, you can find the latest key store here.
> [!TIP]
> The certificates are valid for multiple years, so no need to worry about frequent renewal effort!

> [!NOTE]
> The aforementioned key store uses the default password `changeit` as store pass.
## Exporting the certificate from the key store

1. List the certificates first:

```shell
keytool -list -keystore keystore.p12 -storepass changeit
```

Displaying:

```text
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

lowkey-vault.local, Aug 26, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
```

2. Export the certificate:

```shell
keytool -exportcert -alias lowkey-vault.local -file exportedcert.pem -rfc -keystore keystore.p12 -storepass changeit
```

Displaying:

```text
Certificate stored in file <exportedcert.pem>
```
## Importing the exported certificate into your key store

1. Create a copy of the default Java trust store (normally located under `$JAVA_HOME/lib/security/cacerts`):

> [!CAUTION]
> Importing a publicly available self-signed certificate into your default trust store may introduce security risks. You should prefer to use at least an application specific copy of the key store to reduce the risk.

```shell
cp $JAVA_HOME/lib/security/cacerts mycacerts
```

Providing no output when successful.

2. Import the Lowkey Vault certs into the copy of the cacerts:

```shell
keytool -import -alias lowkey-vault.local -file exportedcert.pem -keystore mycacerts -storepass changeit
```
Which will display the certificate details and ask you whether you trust the certificate or not:
```text
Owner: CN=lowkey-vault.local
Issuer: CN=lowkey-vault.local
Serial number: 43bece907703d128
Valid from: Fri Aug 26 22:49:56 CEST 2022 until: Mon Aug 23 22:49:56 CEST 2032
Certificate fingerprints:
	 SHA1: 62:9D:34:CA:20:AB:26:78:44:15:5B:39:A3:68:3F:40:CC:43:15:DC
	 SHA256: C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: lowkey-vault.local
  DNSName: lowkey-vault
  DNSName: *.localhost
  DNSName: *.lowkey-vault
  DNSName: *.lowkey-vault.local
  DNSName: *.default.svc.cluster.local
  DNSName: localhost
  IPAddress: 127.0.0.1
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 B8 A5 7A F3 0A 33 55   D2 79 7F D8 25 EA 25 63  ...z..3U.y..%.%c
0010: ED 17 06 7C                                        ....
]
]

Trust this certificate? [no]:
```
Answer `yes` if you want to trust it. The response should be:

```text
Certificate was added to keystore
```
3. Verify that the import was successful:

```shell
keytool -list -keystore mycacerts -storepass changeit
```

Look for an entry similar to these lines in the output:

```text
lowkey-vault.local, Jul 12, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:A4:FD:20:3A:8F:CC:93:89:67:0E:C2:8F:E0:B7:62:62:4D:A9:05:90:A0:4A:37:73:B6:92:5B:96:75:F1:48
```
## Use your new key store

1. Add the necessary system properties

When you intend to use the new key store, you can set it with the following system properties on your Java process:

```shell
-Djavax.net.ssl.trustStore=mycacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS
```
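The system properties above switch the trust store for the whole JVM. If you would rather scope the trust to the one client that talks to Lowkey Vault (and keep the rest of the process on the default `cacerts`), you can load `mycacerts` into an `SSLContext` yourself. The following is an added example, not code from the Lowkey Vault project; the host, port and `/ping` path in `main` are assumptions for illustration only, and the file name, password and store type match the steps above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class LowkeyVaultTrust {

    /**
     * Builds an SSLContext that trusts only the certificates found in the given
     * trust store. The JVM-wide default trust store is left untouched, so the
     * self-signed Lowkey Vault certificate is trusted by this client alone.
     */
    static SSLContext sslContextFor(String trustStorePath, char[] password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // Use the platform default trust manager algorithm (PKIX) over our store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        // No client key material (null key managers), default SecureRandom.
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Same values as the -Djavax.net.ssl.* properties in the wiki page.
        SSLContext context = sslContextFor("mycacerts", "changeit".toCharArray(), "JKS");
        HttpClient client = HttpClient.newBuilder().sslContext(context).build();
        // Assumed endpoint: adjust host, port and path to your Lowkey Vault instance.
        HttpRequest request = HttpRequest.newBuilder(
                URI.create("https://localhost:8443/ping")).build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
    }
}
```

If the certificate was not imported, the request fails with a `javax.net.ssl.SSLHandshakeException` (PKIX path building failed), which is the expected behaviour and a quick way to confirm the client is not silently falling back to the default trust store.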