How to use the AEM Key Store

assorted keys laid on a surface
Photo by Nikita Belokhonov on

AEM has built-in user key stores where you can upload your private and public keys and use them in your Java code. This is useful because, if you need to use a key in your Java code, ideally you don’t want to add it to the OSGI configuration, or include it as a resource in your OSGI bundle, as it will be available for anyone to see in your version repository and when using CRX/DE.

Preparing the Key Store

You can access the trust store by going to Tools -> Security -> Users

AEM security tab
AEM security tab

Select the user and access, click on properties and select the key store tab. The first time you access it, you’ll be asked to create a key store and supply a password. This password will be used to access it in the future.

Preparing the keys

You need to convert your keys to a format supported by AEM. AEM support uploading a DER private key or a from a key store file. We will focus on the latter.

If you only have a RSA private key, you’ll need to generate a X509 certificate.

openssl req -new -x509 -key pivate.key -out mycertificate.pem 

After filling in the details it will generate the mycertificate.pem.

cat private.key mycertificate.pem | openssl pkcs12 -export -out mycertificate.pfx -name mycertificate

You will need to enter a password – this is mandatory. It will generate the mycertificate.pfx file that can be uploaded to AEM.

Upload the certificate

AEM User Keystore
AEM User Keystore

In the key store select “Add private key from keystore file”. Select the pfx file.

  • Enter the new key store alias. e.g. admin-key
  • Enter the key store password and the private key passwords. These should be the same and were defined on the previous step.
  • Enter the Private Key Alias – this should be the same specified on the -name parameter when generating the pfx file
  • Submit

Using the certificate in Java

We use the KeyStoreService to retrieve the keys. More details about this service here.

Here’s how to get the private and public keys we just uploaded:

 private KeyStoreService keyStoreService;

public PrivateKey getPrivateKey(ResourceResolver resourceResolver){
    KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
    return keyPair.getPrivate();

public PublicKey getPublicKey(ResourceResolver resourceResolver){
    KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
    return keyPair.getPublic();

If you want to get the private key string you could do the following:

public String getPrivateKeyString(ResourceResolver resourceResolver){
    KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
    return DatatypeConverter.printBase64Binary(keyPair.getPrivate().getEncoded());


The examples below are adding keys to the admin user. In production code it would be added to a service user that you could easily get their resource resolver.

Bear in mind that these certificates have expiration date and they need to be renewed before they expire.

Leave a Reply