PaaS Key Management Service

The private key cannot be downloaded: it is encrypted by AWS KMS and can be decrypted by other AWS services only if they are granted access.

No import function

IBM Key Protect

Link

Key Management

Development Stack

Development Guide

Flow

1. Generate a key set with a CA

IBM guide

# admin private key and csr
# (genrsa has no digest option, so the trailing -sha256 from the guide is dropped here;
#  the digest belongs to the CSR and signing steps, where -sha256 is kept)
openssl genrsa -out privateKey.key 2048
openssl req -new -key privateKey.key -out cert.csr -sha256

# CA private key, csr, and cert
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -sha256
openssl x509 -signkey ca.key -days 7300 -req -in ca.csr -out ca.arm -sha256

# CA signing the admin csr
openssl x509 -req -days 7300 -in cert.csr -CA ca.arm -CAkey ca.key -out cert.arm -set_serial 01 -sha256

2. Upload the key set to AWS ACM; the certificate and the CA certificate can then be downloaded from it.

3. Upload the private key to AWS S3, encrypted with AWS KMS.

Self Signed X509 Certificate

Concept

The problem to resolve

  1. How to generate a self-signed X509 certificate

    a) Java keytool; however, the keytool classes live in the JDK's sun.* packages and are not publicly supported.

    b) Use BouncyCastle (BC) to do so.

  2. Java does not provide a native API for converting an X509 certificate to PEM format.

    a) Use Base64 to do the conversion and add the BEGIN and END lines.

    b) BC's PEMWriter class is also a good alternative.

  3. How to convert a String to an InputStream in Java 8? Baeldung - Java String to InputStream

  4. The private key PEM converted above is not parsable in Proxy; the exception is "java.io.IOException: Invalid DER: object is not integer". Janos Pasztor - Private Key format in Java

  5. How to verify Certificate format programmatically?
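Worked example for problems 1b, 2a, 3, 4 and 5 above, added here and not part of the original notes or of BouncyCastle's own documentation: it builds a self-signed certificate with BC, writes PEM by hand with Base64 plus BEGIN/END lines, labels the PKCS#8 private key correctly, and re-parses the certificate PEM from a String to check its format and signature. The class name, subject DN and validity period are assumed values; bcprov and bcpkix must be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedPem {
    // Problem 1b: self-signed X.509 v3 certificate built with BC (issuer == subject).
    static X509Certificate selfSign(KeyPair kp, String dn, int days) throws Exception {
        Date notBefore = new Date(), notAfter = new Date(notBefore.getTime() + days * 86_400_000L);
        X500Name name = new X500Name(dn);
        BigInteger serial = new BigInteger(64, new SecureRandom());   // random serial, not a fixed 01
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, kp.getPublic());
        return new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }
    // Problem 2a: Base64 body plus BEGIN/END lines. PrivateKey.getEncoded() is PKCS#8 DER, so its
    // label must be "PRIVATE KEY"; labelling it "RSA PRIVATE KEY" (PKCS#1) is a common cause of the
    // "Invalid DER" parse failure described in problem 4, because PKCS#1 parsers expect a different structure.
    static String toPem(String label, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + b64 + "\n-----END " + label + "-----\n";
    }
    // Problems 3 and 5: turn the PEM String back into an InputStream, parse it with the JDK
    // CertificateFactory, and check the validity period, the signature and the public key.
    static boolean verifyPem(String certPem, PublicKey expected) throws Exception {
        byte[] bytes = certPem.getBytes(StandardCharsets.US_ASCII);
        X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(bytes));
        c.checkValidity();     // throws CertificateExpiredException / CertificateNotYetValidException
        c.verify(expected);    // throws SignatureException if the signature does not match the key
        return c.getPublicKey().equals(expected);
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        X509Certificate cert = selfSign(kp, "CN=admin-example", 365);          // assumed DN and validity
        String certPem = toPem("CERTIFICATE", cert.getEncoded());
        String keyPem = toPem("PRIVATE KEY", kp.getPrivate().getEncoded());   // PKCS#8 label, see problem 4
        System.out.println("certificate PEM verifies: " + verifyPem(certPem, kp.getPublic()));
        System.out.print(keyPem);
    }
}
```

If a consumer insists on the PKCS#1 "RSA PRIVATE KEY" form, BC's JcaPEMWriter.writeObject(PrivateKey) (problem 2b) produces that label for RSA keys, which is the practical way to satisfy such a parser from Java.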
