Hello Raphael, Duc,

This weekend I put together a proof of concept regarding alternative PEM key usage.

This looks something like this:

    <tls socketTLS="true" startTLS="false">
        <privateKey>file://conf/private.nopass.key</privateKey>
        <certificates>file://conf/certs.self-signed.csr</certificates>
    </tls>

You can find a proof of concept PR there: https://github.com/apache/james-project/pull/626

I also created a dedicated ticket: https://issues.apache.org/jira/browse/JAMES-3639

@rouazana @duc does it answer your concerns?

I mentioned this ticket in the most related ticket: https://issues.apache.org/jira/browse/JAMES-3215 (https://issues.apache.org/jira/browse/JAMES-3209 is IMO barely related as it discusses setting up NGinx as an encryption proxy...).

We had some discussion on this topic, but sadly inside Linagora. (#1549) As it is very relevant to the ongoing discussion, I am going to disclose its content (credits go mostly to Raphael Ouazana and Matthieu Baechler, I merely relay their sayings...)

We discussed PKCS12 support (ASCII armored so that it can be passed as environment variables / k8s secrets), Java enforcing keystore being an implementation detail - and thus PEM key support. Some key concepts were expressed as well, like removing all cryptographic keys from default configuration, including demo images. What is very interesting was a proposal to have an auto-generation configuration option to ensure both convenient and secure set-up for demo images - we likely should consider implementing this too.

Regards,

Benoit

On 27/08/2021 21:42, Raphaël Ouazana-Sustowski wrote:
> Hello,
>
> On 27/08/2021 at 06:37, Duc Nguyen wrote:
>
>> Conclusion:
>>
>> With Kubernetes and containers having become virtually synonymous with
>> cloud-native development, Apache James needs to adapt quickly and catch up
>> with others.
>>
>> JKS keystore is an old topic but I'm bringing this back because the change
>> is necessary.
>
> I agree, we need to review the way we manage keys in James. See for
> example this ticket which mentions also the issue:
> https://issues.apache.org/jira/browse/JAMES-3209
>
> I'm in favor of getting rid of keystore in favor of PEM format (or at
> least allowing both).
>
> Regards,
> Raphaël.
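The proof of concept above points `<privateKey>` and `<certificates>` at PEM files; what the thread leaves implicit is how a Java server consumes them without any keystore on disk. The following is an added example written for this discussion, not code from the James PR or project: it assumes a hypothetical helper class `PemTlsContext` and its method names, takes an unencrypted PKCS#8 key plus a PEM certificate chain, checks that the two belong together, and builds an `SSLContext` through a throwaway in-memory store (the JDK KeyManager API takes a `KeyStore` object, which need not correspond to any file or operator-managed password).

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import java.util.regex.*;
import javax.net.ssl.*;

/** Hypothetical helper, not James code: build an SSLContext from PEM files with no keystore file. */
public final class PemTlsContext {

    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\r\\n]+?)\\s*-----END \\1-----");

    public static SSLContext fromPem(Path privateKeyPem, Path certificatesPem) throws Exception {
        PrivateKey key = readPkcs8PrivateKey(Files.readString(privateKeyPem, StandardCharsets.US_ASCII));
        Certificate[] chain = readCertificateChain(Files.readString(certificatesPem, StandardCharsets.US_ASCII));
        if (!keyMatchesCertificate(key, chain[0])) {
            throw new IllegalArgumentException("private key does not match the first certificate in the chain");
        }
        // The KeyManager API wants a KeyStore object, but that is an in-memory abstraction: no
        // JKS/PKCS12 file is needed. A random, process-local password guards the entry for the
        // lifetime of this store only, so nothing secret has to appear in configuration.
        char[] ephemeralPassword = new BigInteger(130, new SecureRandom()).toString(32).toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        keyStore.setKeyEntry("tls", key, ephemeralPassword, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, ephemeralPassword);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);
        return context;
    }

    /** Accepts only an unencrypted PKCS#8 "PRIVATE KEY" block, which is what a *.nopass.key file implies. */
    static PrivateKey readPkcs8PrivateKey(String pem) throws GeneralSecurityException {
        Matcher m = PEM_BLOCK.matcher(pem);
        while (m.find()) {
            String label = m.group(1);
            if (label.equals("ENCRYPTED PRIVATE KEY") || label.equals("RSA PRIVATE KEY") || label.equals("EC PRIVATE KEY")) {
                throw new IllegalArgumentException(label + " is not accepted; convert with:"
                        + " openssl pkcs8 -topk8 -nocrypt -in key.pem -out private.nopass.key");
            }
            if (!label.equals("PRIVATE KEY")) {
                continue; // e.g. the "EC PARAMETERS" block openssl emits in front of an EC key
            }
            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode(m.group(2)));
            GeneralSecurityException last = null;
            // PKCS#8 embeds the algorithm OID, but the JCA still has to be asked per algorithm.
            for (String algorithm : new String[] {"RSA", "EC", "EdDSA"}) {
                try {
                    return KeyFactory.getInstance(algorithm).generatePrivate(spec);
                } catch (GeneralSecurityException e) {
                    last = e;
                }
            }
            throw new GeneralSecurityException("unsupported private key algorithm", last);
        }
        throw new IllegalArgumentException("no PRIVATE KEY block found");
    }

    /** Reads a concatenated PEM chain, leaf first. A .csr (signing request) is rejected here. */
    static Certificate[] readCertificateChain(String pem) throws GeneralSecurityException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>(factory.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))));
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no CERTIFICATE block found");
        }
        return chain.toArray(new Certificate[0]);
    }

    /** Sign-and-verify round trip: catches a key/cert mix-up at startup instead of at the first handshake. */
    static boolean keyMatchesCertificate(PrivateKey key, Certificate leaf) throws GeneralSecurityException {
        String sigAlg = key.getAlgorithm().equals("RSA") ? "SHA256withRSA"
                : key.getAlgorithm().equals("EC") ? "SHA256withECDSA" : key.getAlgorithm(); // EdDSA
        byte[] probe = "key/certificate consistency probe".getBytes(StandardCharsets.US_ASCII);
        try {
            Signature signer = Signature.getInstance(sigAlg);
            signer.initSign(key);
            signer.update(probe);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(sigAlg);
            verifier.initVerify(leaf.getPublicKey());
            verifier.update(probe);
            return verifier.verify(sig);
        } catch (InvalidKeyException | SignatureException e) {
            return false; // wrong key type or size for this certificate
        }
    }

    // Usage: java PemTlsContext conf/private.nopass.key conf/certs.pem
    // Constructed test material: openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    //     -subj /CN=localhost -keyout private.nopass.key -out certs.pem
    public static void main(String[] args) throws Exception {
        SSLContext ctx = fromPem(Path.of(args[0]), Path.of(args[1]));
        System.out.println("loaded " + ctx.getProtocol() + " context from PEM; no keystore file touched");
    }
}
```

Two caveats worth keeping in mind when wiring this up. The configuration in the message names a `.csr` file under `<certificates>`: a certificate signing request is not a certificate and `CertificateFactory` will not parse it, so that file should hold the `BEGIN CERTIFICATE` chain, leaf first. The sign/verify check makes a key that belongs to a different certificate fail at startup rather than as an opaque handshake failure. The code needs Java 11+ (`Files.readString`, `Path.of`); Ed25519 keys additionally need Java 15+.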