# Key Generation

## Generating Cryptographic Keys

The Jans Server provides a Java KeyGenerator utility for creating new cryptographic keys when they are needed.
## Backup

- Backup the `jansConfWebKeys` attribute data of the `jansAppConf` entity from persistence. The location of this attribute is: `o=jans > ou=configuration > ou=jans-auth`
- Backup `jans-auth-keys.p12` from `/etc/certs/`

N.B. If the keystore location used in the command below is anywhere other than `/etc/certs/`, this backup is not needed.
## Key Generate

To run KeyGenerator, execute the following command in the terminal. You can set the expiration according to your own policy; for testing purposes we are keeping it at 2 days.

```bash
/opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp /opt/dist/jans/jans-auth-client-jar-with-dependencies.jar io.jans.as.client.util.KeyGenerator -keystore /etc/certs/jans-auth-keys.p12 -keypasswd <Password> -sig_keys RS256 RS384 -enc_keys RSA1_5 RSA-OAEP -key_ops_type ALL -dnname "CN=jansAuth CA Certificates" -expiration 2 > /etc/certs/jans-auth-keys.json
```
Note: the `-key_ops_type ALL` parameter sets the purpose of the keys generated by KeyGenerator. Possible values are:

- `connect` - connect keys (that is what we already have)
- `ssa` - SSA keys, which have their expiration set to 50 years (the `expiration` parameters are ignored)
- `all` - generate both `connect` and `ssa` keys. Usually this should be done during initial setup.
Let's inspect the newly generated crypto keys:

```bash
keytool -list -v -keystore /etc/certs/jans-auth-keys.p12 -storetype pkcs12 -storepass <password>
```
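`keytool` shows the keystore side; clients, however, consume the JWKS that the generation command redirects into `/etc/certs/jans-auth-keys.json`. As an added example (not part of the Janssen documentation or codebase), the following Python script audits that file after a rotation: every key carries the fields a client needs, no two keys share a `kid`, the signing and encryption algorithms you asked for are all present, and nothing has expired or is about to. It assumes each JWKS entry has `kid`, `alg`, `use` and an `exp` in epoch milliseconds (an assumption about the KeyGenerator output format); the embedded JWKS is a constructed sample, deliberately containing one expired key and one duplicate `kid`, so the script runs offline.

```python
"""Audit a JWKS file written by Jans KeyGenerator (e.g. /etc/certs/jans-auth-keys.json).

Added example, not Janssen project code. The field layout assumed here
("exp" as epoch milliseconds, "use" of "sig" or "enc") is an assumption
about the KeyGenerator output.
"""
import json
import time

DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 1_706_600_000_000          # fixed "now" so the sample run is reproducible

# Constructed sample standing in for /etc/certs/jans-auth-keys.json.
# Real "n" values are long base64url strings; these are placeholders.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kid": "rs256-key-1", "kty": "RSA", "use": "sig", "alg": "RS256",
         "exp": NOW_MS + 2 * DAY_MS, "n": "AQAB...", "e": "AQAB"},
        {"kid": "rs384-key-1", "kty": "RSA", "use": "sig", "alg": "RS384",
         "exp": NOW_MS + 2 * DAY_MS, "n": "AQAB...", "e": "AQAB"},
        # already expired one day ago
        {"kid": "rsa15-key-1", "kty": "RSA", "use": "enc", "alg": "RSA1_5",
         "exp": NOW_MS - DAY_MS, "n": "AQAB...", "e": "AQAB"},
        # reuses the kid of the first key: clients cannot tell them apart
        {"kid": "rs256-key-1", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
         "exp": NOW_MS + 2 * DAY_MS, "n": "AQAB...", "e": "AQAB"},
    ]
})

REQUIRED_FIELDS = ("kid", "kty", "use", "alg", "exp")


def audit_jwks(jwks_text, expected_sig, expected_enc, now_ms=None, warn_days=7):
    """Return a list of findings; an empty list means the JWKS passed every check."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    keys = json.loads(jwks_text).get("keys", [])
    findings = []
    seen_kids = set()
    present = {"sig": set(), "enc": set()}   # algorithms found, per key use

    for idx, key in enumerate(keys):
        missing = [f for f in REQUIRED_FIELDS if f not in key]
        if missing:
            findings.append(f"key #{idx}: missing fields {missing}")
            continue
        kid = key["kid"]
        if kid in seen_kids:
            findings.append(f"{kid}: duplicate kid (clients cannot pick the right key)")
        seen_kids.add(kid)
        if key["use"] in present:
            present[key["use"]].add(key["alg"])
        else:
            findings.append(f"{kid}: unknown use {key['use']!r}")
        remaining_days = (key["exp"] - now_ms) / DAY_MS
        if remaining_days <= 0:
            findings.append(f"{kid}: expired {-remaining_days:.1f} days ago")
        elif remaining_days < warn_days:
            findings.append(f"{kid}: expires in {remaining_days:.1f} days, rotate soon")

    # Compare what the rotation produced with what was requested on the command line
    for alg in sorted(set(expected_sig) - present["sig"]):
        findings.append(f"missing signing key for {alg}")
    for alg in sorted(set(expected_enc) - present["enc"]):
        findings.append(f"missing encryption key for {alg}")
    return findings


def load_and_audit(path, expected_sig, expected_enc, warn_days=7):
    """Audit a JWKS file on disk, e.g. the file the KeyGenerator command writes."""
    with open(path, encoding="utf-8") as fh:
        return audit_jwks(fh.read(), expected_sig, expected_enc, warn_days=warn_days)


if __name__ == "__main__":
    # Algorithms requested above: -sig_keys RS256 RS384 -enc_keys RSA1_5 RSA-OAEP
    for finding in audit_jwks(SAMPLE_JWKS, {"RS256", "RS384"},
                              {"RSA1_5", "RSA-OAEP"}, now_ms=NOW_MS):
        print(finding)
```

Against the real file, call `load_and_audit("/etc/certs/jans-auth-keys.json", {"RS256", "RS384"}, {"RSA1_5", "RSA-OAEP"})`; an empty result means the rotation produced exactly the keys requested and none of them is close to the expiration you chose. With the 2-day testing expiration from the command above, the default 7-day warning threshold will flag every key, which is the intended reminder that such keys are for testing only.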
The Jans implementation of KeyGenerator accepts the following arguments:

| Argument | Description |
|---|---|
| `-dnname` | DN of the certificate issuer |
| `-key_length` | Length of the key |
| `-enc_keys` | Encryption keys to generate (for example: RSA-OAEP, RSA1_5) |
| `-expiration` | Expiration in days |
| `-expiration_hours` | Expiration in hours |
| `-h` | Show help |
| `-key_ops_type` | Purpose of the key; possible values: connect, ssa, all |
| `-keypasswd` | Key Store password |
| `-keystore` | Key Store file (such as /etc/certs/jans-auth-keys.p12) |
| `-sig_keys` | Signature keys to generate (for example: RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512) |
| `_keyId` | Key name suffix |
| `-test_prop_file` | Test property file, used for test purposes only |
Last update: 2024-01-30

Created: 2022-07-21