PaaS Key Management Service
AWS ACM
- AWS Certificate Manager: the private key cannot be downloaded. ACM stores it encrypted with AWS KMS, and other AWS services can decrypt it only if they have been granted access (a KMS grant).
Azure Key Vault
GCP KMS
- No key import function (at the time these notes were written; Cloud KMS has since added key import).
IBM Key Protect
Development Stack
- Spring Boot 2
- Spring 5 WebFlux on Netty
- AWS SDK for Java (ACM API calls)
Development Guide
Flow
1. Generate the key set (CA key and certificate, admin key and CA-signed certificate) with openssl
# admin private key and CSR (genrsa takes no digest option; the digest is chosen when signing)
openssl genrsa -out privateKey.key 2048
openssl req -new -key privateKey.key -out cert.csr -sha256
# CA private key, CSR and self-signed CA certificate (-nodes leaves the key unencrypted, which ACM requires on import)
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -sha256
openssl x509 -req -in ca.csr -signkey ca.key -days 7300 -out ca.arm -sha256
# CA signs the admin CSR
openssl x509 -req -in cert.csr -CA ca.arm -CAkey ca.key -set_serial 01 -days 7300 -out cert.arm -sha256
2. Import the key set (certificate cert.arm, private key privateKey.key, CA chain ca.arm) into AWS ACM. The certificate and the CA chain can be read back from ACM afterwards; the private key cannot.
3. Upload the private key to AWS S3, server-side encrypted with AWS KMS (SSE-KMS), so that a copy remains recoverable (ACM will not hand it back). That S3 object is then the only exportable copy of the key: restrict it with a bucket policy, block public access, and limit the KMS key policy to the principals that actually need to decrypt it.
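Steps 2 and 3 as code in the page's own stack, added here as an example; it is not the project's code. It assumes the AWS SDK for Java v2 (the page does not say which SDK version is used), the file names produced in step 1, and placeholder values for the bucket, object key and KMS key alias.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.acm.AcmClient;
import software.amazon.awssdk.services.acm.model.ImportCertificateRequest;
import software.amazon.awssdk.services.acm.model.ImportCertificateResponse;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

/** Example (not the project's code): steps 2 and 3 of the flow with the AWS SDK for Java v2. */
public final class KeySetUploader {

    private final AcmClient acm;
    private final S3Client s3;

    public KeySetUploader(AcmClient acm, S3Client s3) {
        this.acm = acm;
        this.s3 = s3;
    }

    /**
     * Step 2: import certificate, private key and CA chain into ACM.
     * All three must be PEM and the key must be unencrypted; ACM returns the certificate ARN.
     * After this call ACM will serve the certificate and chain but never the key.
     */
    public String importToAcm(Path certPem, Path keyPem, Path chainPem) throws IOException {
        ImportCertificateRequest request = ImportCertificateRequest.builder()
                .certificate(SdkBytes.fromByteArray(Files.readAllBytes(certPem)))
                .privateKey(SdkBytes.fromByteArray(Files.readAllBytes(keyPem)))
                .certificateChain(SdkBytes.fromByteArray(Files.readAllBytes(chainPem)))
                .build();
        ImportCertificateResponse response = acm.importCertificate(request);
        return response.certificateArn();
    }

    /**
     * Step 3: keep a recoverable copy of the private key in S3, encrypted server-side
     * with the given KMS key (SSE-KMS). Reading it back then requires both s3:GetObject
     * on the bucket and kms:Decrypt on that key.
     */
    public void storePrivateKey(Path keyPem, String bucket, String objectKey, String kmsKeyId) {
        PutObjectRequest request = PutObjectRequest.builder()
                .bucket(bucket)
                .key(objectKey)
                .serverSideEncryption(ServerSideEncryption.AWS_KMS)
                .ssekmsKeyId(kmsKeyId)
                .build();
        s3.putObject(request, RequestBody.fromFile(keyPem));
    }

    public static void main(String[] args) throws IOException {
        // Region and credentials come from the SDK's default provider chain (env, profile, instance role).
        try (AcmClient acm = AcmClient.create(); S3Client s3 = S3Client.create()) {
            KeySetUploader uploader = new KeySetUploader(acm, s3);
            // File names from step 1; bucket name, object key and KMS alias are placeholders (assumptions).
            String arn = uploader.importToAcm(
                    Paths.get("cert.arm"), Paths.get("privateKey.key"), Paths.get("ca.arm"));
            System.out.println("Imported certificate: " + arn);
            uploader.storePrivateKey(
                    Paths.get("privateKey.key"), "my-key-bucket", "admin/privateKey.key", "alias/admin-key");
        }
    }
}
```

The calling principal needs acm:ImportCertificate, s3:PutObject on the bucket and kms:GenerateDataKey on the KMS key; the bucket itself should deny unencrypted puts so the key can never land there in the clear.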
Self-Signed X509 Certificate
Concept
- X.509
- Self-signed vs. CA-signed
- JCA (Java Cryptography Architecture) vs. BC (Bouncy Castle): IDR - differences between JCA and BC; the JDK's sun.* packages are internal and not publicly supported (Oracle - Sun packages have no public support)
The problems to resolve
- How to generate a self-signed X.509 certificate:
  a) Java keytool can do it from the command line, but the classes behind it live in the JDK's sun.* packages and are not a publicly supported API.
  b) Use BC to build the certificate (X509v3CertificateBuilder signed with a JCA ContentSigner).
- Java has no public API for converting an X509Certificate to PEM format:
  a) Base64-encode the DER from getEncoded() and add the BEGIN and END lines.
  b) BC's PEMWriter (JcaPEMWriter) is also a good alternative.
- Converting a String to an InputStream in Java 8 (to feed the PEM text back into CertificateFactory): Baeldung - Java String to InputStream
- The private key PEM produced the same way is not parsable by the proxy: exception "java.io.IOException: Invalid DER: object is not integer". Cause: PrivateKey.getEncoded() returns PKCS#8 DER, while an "RSA PRIVATE KEY" header promises PKCS#1, so the parser meets the AlgorithmIdentifier SEQUENCE where it expects the modulus INTEGER. Either label the PKCS#8 bytes "PRIVATE KEY" or unwrap them to PKCS#1 RSAPrivateKey (BC's PEMWriter does the latter for RSA keys). Janos Pasztor - Private Key format in Java
- How to verify the certificate format programmatically? Parse the PEM back with CertificateFactory.getInstance("X.509") and call verify() and checkValidity() on the result.
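The points above worked through in one program, added here as an example (not the page's or project's code): self-signing with BC, PEM conversion both by plain Base64 and by JcaPEMWriter, String to InputStream for CertificateFactory, the PKCS#8 vs. PKCS#1 private key issue, and parsing the certificate back to verify it. It assumes bcprov and bcpkix on the classpath and a fresh 2048-bit RSA key pair generated in main; the subject name is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Example (not the page's code): self-signed X.509 with BC, PEM output, and the PKCS#8/PKCS#1 pitfall. */
public final class SelfSignedPem {

    static { Security.addProvider(new BouncyCastleProvider()); }

    /** Build a self-signed certificate (issuer == subject) for the key pair, valid for the given days. */
    public static X509Certificate selfSign(KeyPair kp, String dn, int days) throws Exception {
        X500Name name = new X500Name(dn);
        long now = System.currentTimeMillis();
        BigInteger serial = new BigInteger(64, new SecureRandom());   // random serial, never a fixed one
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, new Date(now), new Date(now + days * 86_400_000L), name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** (a) Plain JDK: Base64 the DER in 64-column lines and add the BEGIN/END lines. */
    public static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** (b) BC: JcaPEMWriter picks the label itself and, for RSA private keys, emits PKCS#1. */
    public static String toPemWithBc(Object obj) throws IOException {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter pw = new JcaPEMWriter(sw)) { pw.writeObject(obj); }
        return sw.toString();
    }

    /** PrivateKey.getEncoded() is PKCS#8 (PrivateKeyInfo); unwrap it to the PKCS#1 RSAPrivateKey DER. */
    public static byte[] pkcs1Der(PrivateKey key) throws IOException {
        return PrivateKeyInfo.getInstance(key.getEncoded()).parsePrivateKey().toASN1Primitive().getEncoded();
    }

    /** Verify the PEM is well-formed by parsing it back (String -> InputStream -> CertificateFactory). */
    public static X509Certificate parsePem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = selfSign(kp, "CN=example.test, O=Example", 365);   // placeholder DN

        String certPem = toPem("CERTIFICATE", cert.getEncoded());
        X509Certificate back = parsePem(certPem);
        back.verify(kp.getPublic());   // throws if the self-signature does not check out
        back.checkValidity();          // throws if outside notBefore/notAfter
        System.out.print(certPem);

        // Wrong: PKCS#8 bytes under a PKCS#1 header -> "Invalid DER: object is not integer" in PKCS#1 parsers
        String wrongKeyPem = toPem("RSA PRIVATE KEY", kp.getPrivate().getEncoded());
        // Right, option 1: keep the PKCS#8 bytes and use the matching header
        String pkcs8Pem = toPem("PRIVATE KEY", kp.getPrivate().getEncoded());
        // Right, option 2: unwrap to PKCS#1, the form openssl genrsa produces and most proxies expect
        String pkcs1Pem = toPem("RSA PRIVATE KEY", pkcs1Der(kp.getPrivate()));
        // Option 3: let BC choose; for an RSA key it writes the same PKCS#1 "RSA PRIVATE KEY" block
        String bcPem = toPemWithBc(kp.getPrivate());
        System.out.print(pkcs1Pem);
        System.out.print(bcPem);
    }
}
```

The first line after BEGIN tells the two apart at a glance: PKCS#8 RSA keys start with MIIEvQIBADANBgkqhkiG9w0BAQEFAASC (version 0 followed by the rsaEncryption AlgorithmIdentifier), PKCS#1 keys with MIIEpAIBAAKCAQEA (version 0 followed directly by the modulus INTEGER).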