PaaS Key Management Service
Key Management Link
ACM - AWS Certificate Manager Link
No download of the private key, which is encrypted by
AWS KMS and can be decrypted by other AWS services, if
Key Vault Link
No import function
- Spring Boot 2
- Spring 5 Flux / Netty
- AWS SDK for
1. Generate Key set with CA
# admin private key and csr
# (genrsa takes no digest option; the signing digest belongs on req/x509)
openssl genrsa -out privateKey.key 2048
openssl req -new -key privateKey.key -out cert.csr -sha256
# CA private key, csr, and cert
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -sha256
openssl x509 -signkey ca.key -days 7300 -req -in ca.csr -out ca.arm -sha256
# CA signing the admin csr
openssl x509 -req -days 7300 -in cert.csr -CA ca.arm -CAkey ca.key -out cert.arm -set_serial 01 -sha256
2. Upload the key set to AWS ACM; the CA can then be downloaded from it.
3. Upload the private key to AWS S3, encrypted with AWS
Self Signed X509 Certificate
- Self-signed vs CA-signed
- JCA (Java Cryptography Architecture) vs. BC (Bouncy Castle)
IDR - differences between JCA and BC
Oracle - Sun package no public support
The problem to resolve
The way to generate self-signed X509 certificate
a) Java keytool; however, keytool lives in the JDK's sun.* package, which is not publicly supported.
b) Use BC to do so.
Java does not natively provide an API for converting an X509 certificate to PEM format.
a) Use Base64 to do the conversion, and add the BEGIN and END markers.
b) Using BC's PEMWriter class is also a good alternative.
Convert String to InputStream in Java 8? Baeldung - Java String to InputStream
The private key PEM converted above is not parsable in Proxy; exception: "java.io.IOException: Invalid DER: object is not integer". Janos Pasztor - Private Key format in Java
How to verify Certificate format programmatically?
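As an added example (not code from the original page), the three points above carried through in Java: a self-signed certificate built with Bouncy Castle (option b for generation), converted to PEM with java.util.Base64 plus BEGIN/END markers (option a for conversion), and checked programmatically by parsing it back through the JCA CertificateFactory. It assumes bcpkix is on the classpath; the class, method names and the sample DN are mine.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedPem {
    // Option b): build the self-signed certificate with BC rather than the unsupported sun.* classes.
    static X509Certificate selfSigned(KeyPair kp, String dn, int days) throws Exception {
        X500Name name = new X500Name(dn); // issuer == subject for a self-signed certificate
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + days * 86_400_000L);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, kp.getPublic());
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }
    // Option a): PEM is the DER Base64-encoded in 64-character lines between BEGIN/END markers.
    static String toPem(String type, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + b64 + "\n-----END " + type + "-----\n";
    }
    // Format check: parse the PEM back through the JCA CertificateFactory, then check dates and self-signature.
    static boolean isValidPemCertificate(String pem) {
        try {
            X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new java.io.ByteArrayInputStream(pem.getBytes()));
            c.checkValidity();
            c.verify(c.getPublicKey()); // the signature must verify with the certificate's own public key
            return true;
        } catch (Exception e) {
            return false; // not a certificate, malformed PEM/DER, expired, or signature mismatch
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        String certPem = toPem("CERTIFICATE", selfSigned(kp, "CN=example-admin, O=Example", 365).getEncoded());
        // PrivateKey.getEncoded() is PKCS#8 DER, so its PEM label is PRIVATE KEY (RSA PRIVATE KEY means PKCS#1)
        String keyPem = toPem("PRIVATE KEY", kp.getPrivate().getEncoded());
        System.out.println(isValidPemCertificate(certPem)); // the certificate PEM parses and verifies
        System.out.println(isValidPemCertificate(keyPem));  // the key PEM is rejected: it is not a certificate
    }
}
```

Mislabelling the PKCS#8 key output as RSA PRIVATE KEY is one way a PKCS#1-expecting parser ends up reporting a DER error of the kind quoted above.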