AEM has built-in user key stores where you can upload your private and public keys and use them in your Java code. This is useful because, if you need to use a key in your Java code, ideally you don’t want to add it to the OSGI configuration, or include it as a resource in your OSGI bundle, as it will be available for anyone to see in your version repository and when using CRX/DE.
Preparing the Key Store
You can access the trust store by going to Tools -> Security -> Users
Select the user and access, click on properties and select the key store tab. The first time you access it, you’ll be asked to create a key store and supply a password. This password will be used to access it in the future.
Preparing the keys
You need to convert your keys to a format supported by AEM. AEM support uploading a DER private key or a from a key store file. We will focus on the latter.
If you only have a RSA private key, you’ll need to generate a X509 certificate.
openssl req -new -x509 -key pivate.key -out mycertificate.pem After filling in the details it will generate the mycertificate.pem.
cat private.key mycertificate.pem | openssl pkcs12 -export -out mycertificate.pfx -name mycertificateYou will need to enter a password – this is mandatory. It will generate the mycertificate.pfx file that can be uploaded to AEM.
Upload the certificate
In the key store select “Add private key from keystore file”. Select the pfx file.
- Enter the new key store alias. e.g.
admin-key - Enter the key store password and the private key passwords. These should be the same and were defined on the previous step.
- Enter the Private Key Alias – this should be the same specified on the
-nameparameter when generating the pfx file - Submit
Using the certificate in Java
We use the KeyStoreService to retrieve the keys. More details about this service here.
Here’s how to get the private and public keys we just uploaded:
@Reference
private KeyStoreService keyStoreService;
public PrivateKey getPrivateKey(ResourceResolver resourceResolver){
KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
return keyPair.getPrivate();
}
public PublicKey getPublicKey(ResourceResolver resourceResolver){
KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
return keyPair.getPublic();
}
If you want to get the private key string you could do the following:
public String getPrivateKeyString(ResourceResolver resourceResolver){
KeyPair keyPair = keyStoreService.getKeyStoreKeyPair(resourceResolver,"admin", "admin-key");
return DatatypeConverter.printBase64Binary(keyPair.getPrivate().getEncoded());
}Notes
The examples below are adding keys to the admin user. In production code it would be added to a service user that you could easily get their resource resolver.
Bear in mind that these certificates have expiration date and they need to be renewed before they expire.