March 28, 2020

How to manage certificates in AEM Truststore

In this post, we will look at what a Truststore is, how to manage certificates in the AEM Truststore, and the challenges of managing those certificates on publish servers.

What is a Truststore:
A TrustStore is used when setting up an SSL connection between a client and a server in a Java application. During the SSL handshake, the purpose of the TrustStore is to verify the remote party's credentials.
The public key certificates issued by Certificate Authorities (CAs) that are used to encrypt the content are also stored in the TrustStore.
In short, a TrustStore holds the public keys or certificates from CAs that are used to decide whether a remote party or SSL connection is trusted.

How to manage these certificates in AEM and how to fetch the public key of a certificate in your AEM code:
1. Go to AEM -> Tools -> Security -> TrustStore.
2. Go to the "Add Certificates from CER File" section, select the certificate file to upload, and click Submit.

Fig1: AEM Truststore Console to Upload Certificates

3. Every certificate gets a unique alias name (certalias___1577961678433 for the certificate above).
The uploaded certificates are stored under "/etc/truststore" in CRX:


Fig2: Certificates get Stored in CRX

How to fetch the public key from a certificate using its alias name:
import com.adobe.granite.keystore.KeyStoreService;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

/**
 * Service that reads a certificate from the AEM Truststore by alias and
 * returns its public key.
 */
@Component(name = "Public Key Certificate Service", service = PublicKeyCertificate.class, immediate = true)
public class PublicKeyCertificate {

    private static final Logger LOG = LoggerFactory.getLogger(PublicKeyCertificate.class);

    @Reference
    private KeyStoreService keyStoreService;

    /**
     * @param resourceResolver a resolver with read access to /etc/truststore
     *                         (use a system user, not the anonymous resolver)
     * @param certAlias        the alias generated when the certificate was uploaded
     * @return the certificate's public key, or null if the alias is unknown or an error occurs
     */
    public PublicKey getPublicKeyFromAlias(ResourceResolver resourceResolver, String certAlias) {
        PublicKey publicKey = null;
        try {
            KeyStore trustStore = this.keyStoreService.getTrustStore(resourceResolver);
            if (trustStore != null) {
                // getCertificate() returns null when no entry exists for the alias
                X509Certificate crt = (X509Certificate) trustStore.getCertificate(certAlias);
                if (crt != null) {
                    publicKey = crt.getPublicKey();
                } else {
                    LOG.warn("No certificate found in the truststore for alias {}", certAlias);
                }
            }
        } catch (Exception ex) {
            LOG.error("Exception in getting the public key from certificate: {}", ExceptionUtils.getStackTrace(ex));
        }
        return publicKey;
    }
}


Note: To fetch a certificate's public key by alias, the alias must be stored in an OSGi configuration. Ideally, you should upload all certificates on the author instance and replicate the /etc/truststore path to all publishers, so that every server in the same environment uses the same alias.

If you upload certificates directly on the publishers instead of replicating, each publisher may generate a different alias ID, and if two publishers in the same environment end up with different aliases, it is not possible to maintain separate OSGi configurations for each of them. So always upload on author and replicate to all publishers.

Note: If you have several certificates on author and do not want some of them on the publish servers, AEM offers no way to replicate one certificate but not another. If you really do not want certain certificates on publish, replicate all of them first, then go to the publish server and delete the unwanted ones.

Note: Never pass the anonymous resourceResolver to the KeyStoreService API. Reading the certificates on publish with the anonymous resolver would require granting anonymous access to /etc/truststore, and you should be very careful about anonymous access on publish servers. Always obtain the resourceResolver from a system user. There is an OOTB service user named "truststore-reader-service" available for reading Truststore values on the publish servers.
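Putting the code sample and the notes above together, here is an added example (not code from the original post) of a service that opens a service-user resolver instead of an anonymous one, reads the certificate by its alias, checks that it is still valid, and uses its public key to verify a signature. The sub-service name "truststore-reader" and the SHA256withRSA algorithm are assumptions; the sub-service must be mapped to the OOTB "truststore-reader-service" system user in the Apache Sling Service User Mapper configuration.

```java
import com.adobe.granite.keystore.KeyStoreService;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;

// Added example, not the original post's code: fetches a Truststore certificate through a
// service user (never the anonymous resolver) and verifies a detached signature with its key.
@Component(service = TrustedSignatureVerifier.class)
public class TrustedSignatureVerifier {

    // Assumed sub-service name; map it to the OOTB system user "truststore-reader-service"
    // in the Apache Sling Service User Mapper configuration.
    private static final String SUBSERVICE = "truststore-reader";

    @Reference
    private KeyStoreService keyStoreService;
    @Reference
    private ResourceResolverFactory resolverFactory;

    // certAlias: the Truststore alias (normally injected from an OSGi config);
    // signature: detached SHA256withRSA signature over data.
    public boolean verify(String certAlias, byte[] data, byte[] signature)
            throws LoginException, GeneralSecurityException {
        Map<String, Object> auth =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // try-with-resources closes the service resolver after use
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            KeyStore trustStore = keyStoreService.getTrustStore(resolver);
            X509Certificate cert = trustStore == null
                    ? null : (X509Certificate) trustStore.getCertificate(certAlias);
            if (cert == null) {
                throw new GeneralSecurityException("No certificate for alias " + certAlias);
            }
            cert.checkValidity(); // rejects expired or not-yet-valid certificates
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(cert.getPublicKey());
            sig.update(data);
            return sig.verify(signature);
        }
    }
}
```

Because the alias comes from configuration and the resolver from a mapped service user, the same code works unchanged on author and on every replicated publisher.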


By aem4beginner
