[
https://issues.apache.org/jira/browse/JAMES-3639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17406834#comment-17406834
]
Matthieu Baechler commented on JAMES-3639:
------------------------------------------
I learnt something funny this summer: starting with JDK 9, the default keystore
is PKCS#12
(https://blogs.oracle.com/jtc/jdk9-keytool-transitions-default-keystore-to-pkcs12)
which is a standard format that anybody can build from openssl or any other
compliant tool.
That being said, PKCS#12 also has the good idea of being able to lock the
private key with a passphrase, making it less vulnerable to secret stealing.
What would you think about making PKCS#12 the default format?
> Allow to configure SSL from PEM keys (without a keystore)
> ---------------------------------------------------------
>
> Key: JAMES-3639
> URL: https://issues.apache.org/jira/browse/JAMES-3639
> Project: James Server
> Issue Type: Improvement
> Components: IMAPServer, JMAP, POP3Server, SMTPServer
> Reporter: Benoit Tellier
> Assignee: Antoine Duprat
> Priority: Major
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> This gives the opportunity to inter-operate directly with OpenSSL formats and
> avoids some potentially tricky configuration steps (importing the keys in a
> keystore).
> Read related thread on the mailing list:
> https://www.mail-archive.com/[email protected]/msg70772.html
> What this looks like:
> {code:java}
> <tls socketTLS="true" startTLS="false">
>   <privateKey>file://conf/private.nopass.key</privateKey>
>   <certificates>file://conf/certs.self-signed.csr</certificates>
> </tls>
> {code}
> Tested manually with self signed certificates:
> {code:java}
> # Generating your private key
> openssl genrsa -des3 -out private.key 2048
> # Creating your certificates
> openssl req -new -key private.key -out certs.csr
> # Signing the certificate yourself
> openssl x509 -req -days 365 -in certs.csr -signkey private.key -out certs.self-signed.csr
> # Removing the password from the private key
> # Not necessary if you supply the secret in the configuration
> openssl rsa -in private.key -out private.nopass.key
> {code}
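Added example, not part of the original message or of the James code base: the PKCS#12 route raised in the comment, done with openssl, with checks that the passphrase really gates the keystore and that it holds the same key and certificate as the PEM files. The file names reuse those in the issue; the throwaway key, the CN, the `james` alias, the `P12_PASS` variable and the passphrase are constructed assumptions.

```shell
#!/bin/sh
# Added example. All names and the passphrase below are constructed sample values.

# make_pem DIR: throwaway unencrypted key and self-signed certificate, standing in
# for private.nopass.key and certs.self-signed.csr from the issue.
make_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=james.example.test" \
        -keyout "$1/private.nopass.key" -out "$1/certs.self-signed.csr" 2>/dev/null
}

# pem_to_p12 DIR: bundle key and certificate into keystore.p12. The passphrase is
# read from $P12_PASS so it does not appear in the process list.
pem_to_p12() {
    openssl pkcs12 -export -name james \
        -inkey "$1/private.nopass.key" -in "$1/certs.self-signed.csr" \
        -out "$1/keystore.p12" -passout env:P12_PASS
}

# p12_opens DIR: succeeds only if $P12_PASS passes the keystore integrity check.
p12_opens() {
    openssl pkcs12 -in "$1/keystore.p12" -noout -passin env:P12_PASS 2>/dev/null
}

# p12_matches_pem DIR: certificate fingerprint and public key inside the keystore
# must equal those of the PEM inputs.
p12_matches_pem() {
    c1=$(openssl x509 -in "$1/certs.self-signed.csr" -noout -fingerprint -sha256)
    c2=$(openssl pkcs12 -in "$1/keystore.p12" -nokeys -passin env:P12_PASS 2>/dev/null |
         openssl x509 -noout -fingerprint -sha256)
    k1=$(openssl pkey -in "$1/private.nopass.key" -pubout 2>/dev/null)
    k2=$(openssl pkcs12 -in "$1/keystore.p12" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
         openssl pkey -pubout 2>/dev/null)
    [ -n "$c1" ] && [ "$c1" = "$c2" ] && [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d)
export P12_PASS='constructed-sample-passphrase'
make_pem "$work" && pem_to_p12 "$work" && p12_opens "$work" &&
    p12_matches_pem "$work" && echo "keystore.p12 verified in $work"
```

The unencrypted PEM key remains on disk after the bundle is built, so the passphrase only protects the key once that file is removed or locked down.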