Monday, November 17, 2014

JKS: protecting your Private Key with a password

Strangely, Puppet java_ks module doesn't cater for protecting the Private Key with a password. This feature seems to be available only through the Oracle proprietary ImportPrivateKey tool , through the "-keyfilepass" option.

Another tool providing the same functionality is ExtKeyTool, available here .

If you don't need a scripting interface, but are happy with a UI, you can use Keystore Explorer, it' really cool. It allows you very simply to export the Private Key in PKCS#8, PVK or OpenSSL formats. All these formats can be encrypted and protected with a password, to avoid that the PK is stolen. Not necessarily your .key file is protected. Incidentally if your .key file begins with "-----BEGIN RSA PRIVATE KEY-----", it's most likely a OpenSSL file.

Traditionally in the WebLogic world people use the utils.ImportPrivateKey utility; as you see, it supports all: a password-protected key file (-keyfilepass), a password-protected JKS store (-storepass), a password-protected key entry in the JKS Store (-keypass):

. ./
java utils.ImportPrivateKey

Usage: java utils.ImportPrivateKey
        -certfile  -keyfile 
        [-keyfilepass ]
        -keystore  -storepass  [-storetype ]
        -alias  [-keypass ]

-certfile, -keyfile, -keyfilepass
        certificate and private key files, and the private key password

-keystore, -storepass, -storetype
        keystore file name, password, and type. The default type is JKS.

-alias -keypass
        alias and password of the keystore key entry where the private key
        and the public certificate will be imported. When the key entry
        password is not specified, the private key password will be used
        instead, or when it is not specified either, the keystore password.

In fact, you MUST protect your key with a password in the JKS file, but the .key file needs not to be protected (-keyfilepass can be omitted). The -keypass parameter is the same you provide for "Private Key Passphrase" in the "SSL" configuration of the WebLogic Server. The -storepass corresponds to the "Custom Identity Keystore Passphrase" in the "Keystore" tab of the WLConsole.

Another workaroundish way of doing it is using keytool and going through a pkcs12 keystore:
-importkeystore [-v]
             [-srckeystore ] [-destkeystore ]
             [-srcstoretype ] [-deststoretype ]
             [-srcstorepass ] [-deststorepass ]
             [-srcprotected] [-destprotected]
             [-srcprovidername ]
             [-destprovidername ]
             [-srcalias  [-destalias ]
               [-srckeypass ] [-destkeypass ]]
             [-providerclass  [-providerarg ]] ...
             [-providerpath ]

Just use the -destkeypass option, and -srcstoretype PKCS12 (see this SO post).

No comments: