Skip to content

Key Generation#

Generating Cryptographic Keys#

The Jans Server is compatible with the Java KeyGenerator to create new cryptographic keys if needed.

Backup#

  • Backup jansConfWebKeys attribute data of jansAppConf entity from persistence. Location of this attribute is: o=jans > ou=configuration > ou=jans-auth
  • Backup jans-auth-keys.p12 from /etc/certs/

[N.B] Below if Keystore location is anywhere except /etc/certs/ no need to backup.

Key Generate#

To get KeyGenerator, run the following command inside the terminal.

You can put expiration according to your own policy. For testing purpose we are keeping it 2 days.

/opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp /opt/dist/jans/jans-auth-client-jar-with-dependencies.jar io.jans.as.client.util.KeyGenerator -keystore /etc/certs/jans-auth-keys.p12 -keypasswd <Password> -sig_keys RS256 RS384 -enc_keys RSA1_5 RSA-OAEP -key_ops_type ALL -dnname "CN=jansAuth CA Certificates" -expiration 2 > /etc/certs/jans-auth-keys.json

Note

-key_ops_type ALL parameter which sets purpose of the keys generated by key generator.

Possible values are:

  • "connect" - connect keys (that is what we already have)
  • "ssa" - ssa keys which has expiration set to 50 years (it ignores "expiration" parameters)
  • "all" - generate both "connect" and "ssa" keys. Usually should be done during initial setup.

Lets see our newly generated crypto keys

keytool -list -v -keystore /etc/certs/jans-auth-keys.p12 -storetype pkcs12 -storepass <password>

The jans implementation of KeyGenerator accepts the following arguments:

Argument Description
-dnname DN of certificate issuer
-key_length Length of hash key
-enc_keys Encryption keys to generate (For example: RSA_OAEP, RSA1_5)
-expiration Expiration in days
-expiration_hours Expiration in hours
-h Show help
-key_ops_type Purpose of the key, possible values: connect, ssa, all
-keypasswd Key Store password
-keystore Key Store file (such as /etc/certs/jans-auth-keys.p12)
-sig_keys Signature keys to generate. (For example: RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512)
_keyId Key name suffix
-test_prop_file Test property file used for test purpose only

Last update: 11 months ago2024-01-30
Created: 2 years ago2022-07-21