# Key Generation

## Generating Cryptographic Keys

The Jans Server provides the Java `KeyGenerator` utility (shipped in `jans-auth-client-jar-with-dependencies.jar`) to create new cryptographic keys when needed.
### Backup

- Back up the `jansConfWebKeys` attribute data of the `jansAppConf` entity from persistence. The location of this attribute is: `o=jans > ou=configuration > ou=jans-auth`
- Back up `jans-auth-keys.p12` from `/etc/certs/`

[N.B] If the keystore used below is located anywhere other than `/etc/certs/`, this backup is not needed.
### Key Generate

To run KeyGenerator, execute the following command in a terminal. Set the expiration according to your own policy; for testing purposes it is kept at 2 days here.

```shell
/opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp /opt/dist/jans/jans-auth-client-jar-with-dependencies.jar io.jans.as.client.util.KeyGenerator -keystore /etc/certs/jans-auth-keys.p12 -keypasswd <Password> -sig_keys RS256 RS384 -enc_keys RSA1_5 RSA-OAEP -key_ops_type ALL -dnname "CN=jansAuth CA Certificates" -expiration 2 > /etc/certs/jans-auth-keys.json
```
Note

The `-key_ops_type ALL` parameter sets the purpose of the keys generated by KeyGenerator. Possible values are:

- `connect` - connect keys (what we already have)
- `ssa` - SSA keys, whose expiration is set to 50 years (the `-expiration` parameter is ignored)
- `all` - generate both `connect` and `ssa` keys. Usually this should be done during initial setup.
Let's inspect the newly generated crypto keys:

```shell
keytool -list -v -keystore /etc/certs/jans-auth-keys.p12 -storetype pkcs12 -storepass <password>
```
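The `keytool` listing shows the private-key side of the keystore; the command above also redirects the public JWKS to `/etc/certs/jans-auth-keys.json`. A short expiration such as the 2 days used for testing means keys silently stop validating unless they are rotated in time, so it is worth auditing that JSON after generation. The following is an added example (not Janssen project code): it checks that every requested signature and encryption algorithm is covered by an unexpired key and flags keys close to expiry. It assumes each JWKS entry carries `kid`, `kty`, `use`, `alg` and `exp` (epoch milliseconds); the sample key set embedded in it is constructed for the example, not real KeyGenerator output.

```python
"""Audit a JWKS file such as the jans-auth-keys.json written by KeyGenerator.

Added example, not Janssen project code. Assumptions (labelled):
- each key entry has "kid", "kty", "use" ("sig" or "enc"), "alg" and "exp"
  as epoch milliseconds;
- SAMPLE_JWKS below is constructed for this example, not real output
  (the RSA modulus/exponent fields are omitted on purpose).
"""
import json
import time

REQUIRED_FIELDS = ("kid", "kty", "use", "alg", "exp")
MS_PER_DAY = 86_400_000


def load_jwks(path):
    """Load a JWKS document from disk (e.g. /etc/certs/jans-auth-keys.json)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def audit_jwks(jwks, required_sig_algs, required_enc_algs, now_ms=None, warn_days=7):
    """Return a list of findings; an empty list means the key set looks healthy.

    A finding is produced for: malformed entries, expired keys, keys expiring
    within `warn_days`, unknown "use" values, and any requested algorithm that
    has no unexpired key backing it.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    findings = []
    live_sig, live_enc = set(), set()
    warn_ms = warn_days * MS_PER_DAY

    for key in jwks.get("keys", []):
        missing = [f for f in REQUIRED_FIELDS if f not in key]
        if missing:
            findings.append(f"key {key.get('kid', '?')}: missing fields {missing}")
            continue
        kid, use, alg, exp = key["kid"], key["use"], key["alg"], int(key["exp"])

        if exp <= now_ms:
            findings.append(f"key {kid}: expired")
            continue  # an expired key does not count as coverage
        if exp - now_ms < warn_ms:
            days_left = (exp - now_ms) / MS_PER_DAY
            findings.append(f"key {kid}: expires in {days_left:.1f} days, rotate soon")

        if use == "sig":
            live_sig.add(alg)
        elif use == "enc":
            live_enc.add(alg)
        else:
            findings.append(f"key {kid}: unknown use {use!r}")

    for alg in required_sig_algs:
        if alg not in live_sig:
            findings.append(f"no unexpired signature key for {alg}")
    for alg in required_enc_algs:
        if alg not in live_enc:
            findings.append(f"no unexpired encryption key for {alg}")
    return findings


# Constructed sample: a fixed "now" so the result is reproducible.
SAMPLE_NOW_MS = 1_700_000_000_000
SAMPLE_JWKS = {
    "keys": [
        # RS256 key generated with -expiration 2, as in the test command above
        {"kid": "sig_rs256", "kty": "RSA", "use": "sig", "alg": "RS256",
         "exp": SAMPLE_NOW_MS + 2 * MS_PER_DAY},
        {"kid": "sig_rs384", "kty": "RSA", "use": "sig", "alg": "RS384",
         "exp": SAMPLE_NOW_MS + 30 * MS_PER_DAY},
        {"kid": "enc_rsa1_5", "kty": "RSA", "use": "enc", "alg": "RSA1_5",
         "exp": SAMPLE_NOW_MS + 30 * MS_PER_DAY},
        # A leftover RSA-OAEP key that already expired
        {"kid": "enc_old", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
         "exp": SAMPLE_NOW_MS - 1},
    ]
}


def audit_sample():
    """Audit the constructed sample against the algorithms requested above."""
    return audit_jwks(SAMPLE_JWKS, ["RS256", "RS384"], ["RSA1_5", "RSA-OAEP"],
                      now_ms=SAMPLE_NOW_MS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real server, replace `SAMPLE_JWKS` with `load_jwks("/etc/certs/jans-auth-keys.json")` and pass the same `-sig_keys` and `-enc_keys` values you gave KeyGenerator; a non-empty result before the keys are published to `jansConfWebKeys` is the point at which to regenerate rather than after clients start failing token validation.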
The jans implementation of KeyGenerator accepts the following arguments:
| Argument | Description | 
|---|---|
| -dnname | DN of certificate issuer | 
| -key_length | Length of hash key | 
| -enc_keys | Encryption keys to generate (For example: RSA-OAEP, RSA1_5) | 
| -expiration | Expiration in days | 
| -expiration_hours | Expiration in hours | 
| -h | Show help | 
| -key_ops_type | Purpose of the key, possible values: connect, ssa, all | 
| -keypasswd | Key Store password | 
| -keystore | Key Store file (such as /etc/certs/jans-auth-keys.p12) | 
| -sig_keys | Signature keys to generate. (For example: RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512) | 
| _keyId | Key name suffix | 
| -test_prop_file | Test property file used for test purpose only | 
Last update: 2024-09-27

Created: 2022-07-21