On 2/3/2013 2:14 PM, redpath wrote:
> I store my cert and private key in PKCS12 files;
> I then add these PKCS12 files to Java Key Store.
>
> If I need to perform some security functions I extract the PKCS12 from
> the Java Key Store by alias and perform all sorts of openssl commands.
>
> And so why do I want to use a Java Key Store other than for a bag for
> my PKCS12s (as a repository of security certificates)? The alias is nice
> to access which ones I need and have to replace; also it's one
> file (JKS file) that can be backed up; that's all I see.
>
> Is there a standard well accepted measure to manage your sec certs,
> in other words is it wrong to just have PKCS12 files?
>
> I imagine the process which is performing all sorts of signing of documents
> would simply load the security certs in memory for quick usage be it from the
> Keystore or just the raw PKCS12s and periodically check for updates.
>
> Any comments on this.


The common methods are either:

- Trust some (semi-)closed source vendor (Oracle or Google binary Java
or Microsoft binary cryptoapi) to safely store things in their choice
of private storage pool.  JKS is easy to back up, MS storage has gone
overboard in preventing backups (because they cannot detect the
difference between backups and someone stealing your keys).

- Use a perfectly ordinary file storage mechanism (file system, tar.gz
file, signed jar file etc.) to store one PEM file per certificate and
one encrypted PEM key file (.key) per private key.  Use your chosen
nickname as the file name and use subdirectories for certificate types
(e.g. cacerts/, incerts/, contacts/, owncerts/).



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
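One way to realise the second layout Jakob describes, as an added example that is not from the thread or from OpenSSL itself: a small POSIX shell helper (hypothetical names p12_to_pem_store, pem_key_matches_cert, cert_fingerprint) that splits a PKCS#12 bundle into one PEM certificate and one AES-encrypted PEM key file named after a nickname under owncerts/, checks that the stored key really belongs to the stored certificate, and gives a fingerprint a signing process can poll to notice a replaced certificate. It assumes an openssl binary on PATH and passphrases supplied in the P12_PASS and KEY_PASS environment variables.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): one PEM certificate and one
# encrypted PEM private key per identity, named after a nickname, under
# <store>/owncerts/.  Passphrases come from the environment (P12_PASS for the
# input bundle, KEY_PASS for the re-encrypted key) so they never appear in the
# process list.  Body runs in a subshell so the umask change stays local.
#
# usage: p12_to_pem_store <bundle.p12> <nickname> <store_dir>
p12_to_pem_store() (
  bundle=$1; nick=$2; store=$3
  [ -n "$P12_PASS" ] && [ -n "$KEY_PASS" ] || exit 1
  umask 077                              # new files are owner-only
  mkdir -p "$store/owncerts" || exit 1
  # End-entity certificate only, as plain PEM (public data).
  openssl pkcs12 -in "$bundle" -passin env:P12_PASS -clcerts -nokeys \
      -out "$store/owncerts/$nick.pem" || exit 1
  # Private key only, re-wrapped as PKCS#8 encrypted with AES-256 under KEY_PASS.
  openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nocerts -aes256 \
      -passout env:KEY_PASS -out "$store/owncerts/$nick.key" || exit 1
)

# Integrity check for the store: does the encrypted key belong to the
# certificate?  Compares the SubjectPublicKeyInfo derived from each side.
# usage: pem_key_matches_cert <cert.pem> <key.key>   (KEY_PASS in environment)
pem_key_matches_cert() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  keypub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# SHA-256 fingerprint of a stored certificate.  A process that caches the
# store in memory can poll this to detect that a certificate was replaced.
# usage: cert_fingerprint <cert.pem>
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```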