Key management
Update keys
When you update keys, DS servers load them and begin using them for new connections. This section covers common rotation operations, such as renewing and replacing keys.
Renew a TLS certificate
-
Choose the appropriate method to renew an expiring certificate:
-
If the certificate depends on a deployment ID and password, renew it with the
dskeymgr
command:$ dskeymgr \ create-tls-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin \ --hostname localhost \ --hostname ds.example.com \ --subjectDn CN=DS,O=ForgeRock
For more command options, refer to dskeymgr. The default validity for the certificate is one year.
-
If you use a CA, renew the CA signature:
-
Create a certificate signing request.
-
Have the request signed by the CA you use.
-
Import the signed certificate from the CA reply.
-
-
If you used a self-signed certificate, sign it again, and distribute the new certificate as appropriate.
Have each server and client application that trusted the old certificate import the renewed certificate.
For details, refer to Trust a server certificate.
-
Replace a TLS key pair
-
Choose the appropriate method to replace or rotate a key pair used for secure communications:
-
If the certificate depends on a deployment ID and password, use the
dskeymgr
command:$ dskeymgr \ create-tls-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin \ --hostname localhost \ --hostname ds.example.com \ --subjectDn CN=DS,O=ForgeRock
The default validity for the certificate is one year.
-
If you provided your own keys in the server keystore, do the following:
-
Generate a new key pair in the server keystore with a new alias.
-
If you use a CA, get the certificate signed by the CA.
-
If you use a self-signed certificate, distribute the certificate for import by all servers and clients that trust your server.
-
Once the old key pair is no longer used anywhere, delete the keys using the
keytool -delete
command with the old alias.
-
-
Retire secret keys
You do not need to retire secret keys for the following, because encryption is only performed once per key:
-
Backup uses a new secret key for each file.
-
Confidential replication changelog backends use a new secret key for each file.
You can retire secret keys for confidential database backends:
-
Change the cipher-key-length property for the backend.
Each time you change the setting, the server generates a new secret key. After you retire the key, DS servers will only use that key for decryption, not for encryption.
The server keeps the retired key in the backend indefinitely for decryption.
Replace deployment IDs
Follow these steps if you must:
-
Renew an expiring deployment ID-based CA.
The default validity period is 10 years.
-
Replace a lost or compromised deployment ID password.
-
Generate a new deployment ID with a new password:
$ dskeymgr \ create-deployment-id \ --outputFile new.deployment.id \ --deploymentIdPassword password
For more command options, refer to dskeymgr. The default validity for the deployment ID is 10 years.
-
On each server, add the new shared master key:
$ dskeymgr \ export-master-key-pair \ --alias new-master-key \ --deploymentId "$(<new.deployment.id)" \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin
Servers continue to use the existing shared master key to decrypt existing symmetric keys. Do not overwrite a shared master key that is already in use.
-
On each server that uses the deployment ID and password for PKI, add the new CA certificate:
$ dskeymgr \ export-ca-cert \ --alias new-ca-cert \ --deploymentId "$(<new.deployment.id)" \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin
Also distribute the new CA certificate to any client applications that rely on the old CA certificate.
-
On each server that uses the deployment ID and password for PKI, renew the key pair used for secure communications.
Before completing this step, make sure you have added the new CA certificate on all servers. Any peer servers missing the new CA certificate will not trust the new keys:
$ dskeymgr \ create-tls-key-pair \ --deploymentId "$(<new.deployment.id)" \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin \ --hostname localhost \ --hostname ds.example.com \ --subjectDn CN=DS,O=ForgeRock
For more command options, refer to dskeymgr. The default validity for the certificate is one year.
Also renew any client application key pairs that were generated using the old deployment ID and password.
-
On each server, update the master key alias to use the new key:
$ dsconfig \ set-crypto-manager-prop \ --set master-key-alias:new-master-key \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
Stop trusting the old CA certificate by removing all references to it.
For example, remove the old CA certificate from all client and server truststores.
-
When installing a new server after replacing deployment IDs:
-
Use the new deployment ID and password to set up the server, and do not start the server at setup time.
-
Copy the keystore and PIN from an existing server, overwriting the existing keystore and PIN.
This adds the older shared master key to the new server’s keystore.
-
Renew the local key pair used for secure communications using the new deployment ID and password.
-
Start the server.
-
Use new keys
Generate a key pair (wildcard certificate)
A wildcard certificate uses a *
to replace the leading subdomain.
The wildcard hostname appears in the certificate’s list of subject alternative names:
-
Generate a key pair with a wildcard certificate:
$ dskeymgr \ create-tls-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --hostname localhost \ --hostname "*.example.com" \ --subjectDn CN=DS,CN=Example,CN=com \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin
For more command options, refer to dskeymgr. The default validity for the certificate is one year.
Generate a key pair (CA-signed certificate)
-
Generate a server key pair in the existing server keystore.
Many client applications will check that the server’s DNS name in the certificate matches the server hostname.
Find the hostname for the server in the
status
command output. When creating the key pair, set it as aDNSName
in the certificate’sSubjectAlternativeName
list. If the server can respond on multiple FQDNs, use multiple subject alternative names. -
Create a certificate signing request
.csr
file for the generated certificate. -
Have the CA sign the request in the
.csr
file.Refer to the instructions from your CA on how to provide the request.
The CA returns the signed certificate, for example, in a
.crt
file. -
If you have set up your own CA and signed the certificate, or are using a CA whose certificate is not included in the Java runtime environment, import the CA certificate into the DS keystore and truststore so that it can be trusted.
For an example command, refer to Trust a CA certificate.
-
Import the signed certificate, such as the
.crt
file, from the CA reply into the keystore where you generated the key pair. -
If you use a CA certificate that is not known to clients, such as a CA that you set up yourself rather than a well-known CA, import the CA certificate into the client application truststore. For an example command, refer to Trust a CA certificate.
Otherwise, the client application cannot trust the signature on the server certificate.
Generate a key pair (self-signed certificate)
-
Generate a server key pair in the existing server keystore.
The certificate is considered self-signed, because the issuer DN and subject DN are the same.
Many client applications will check that the server’s DNS name in the certificate matches the server hostname.
Find the hostname for the server in the
status
command output. When creating the key pair, set it as aDNSName
in the certificate’sSubjectAlternativeName
list.
Use an alternative keystore type
To use an alternative keystore implementation, start with a different keystore type when generating the keypair.
When generating a key pair for TLS with the The |
-
Use one of the keystore types supported by the Java runtime environment:
- Java Keystore
-
The basic Java keystore type is
JKS
:$ keytool \ -genkeypair \ -keyalg EC \ -alias new-keys \ -ext "san=dns:ds.example.com" \ -dname "CN=ds.example.com,O=Example Corp,C=FR" \ -keystore /path/to/new-keystore.jks \ -storetype JKS \ -storepass:env KEYSTORE_PASSWORD \ -keypass:env KEYSTORE_PASSWORD
This is the keystore type if you do not specify a
-storetype
option. - Java Cryptography Extension Keystore
-
The
JCEKS
type implements additional Java cryptography extensions and stronger protection for private keys:$ keytool \ -genkeypair \ -keyalg EC \ -alias new-keys \ -ext "san=dns:ds.example.com" \ -dname "CN=ds.example.com,O=Example Corp,C=FR" \ -keystore /path/to/new-keystore.jceks \ -storetype JCEKS \ -storepass:env KEYSTORE_PASSWORD \ -keypass:env KEYSTORE_PASSWORD
- PKCS#11 device
-
A PKCS#11 device, such as an HSM, can be used as a keystore.
For details, refer to PKCS#11 hardware security module.
- PKCS#12 Keystore
-
The
PKCS12
type lets you use a PKCS#12 format file. This is the default for DS servers. It is a standard format and is interoperable with other systems that do not use Java:$ keytool \ -genkeypair \ -keyalg EC \ -alias new-keys \ -ext "san=dns:ds.example.com" \ -dname "CN=ds.example.com,O=Example Corp,C=FR" \ -keystore /path/to/new-keystore \ -storetype PKCS12 \ -storepass:env KEYSTORE_PASSWORD \ -keypass:env KEYSTORE_PASSWORD
-
After setting up an alternate keystore type, make sure that you configure:
-
A key manager provider to open the correct keystore with the correct credentials.
-
Any components using the key manager provider to use the correct certificate alias.
-
Add a new keystore
These steps demonstrate adding a new PKCS#12 keystore with existing server keys. Follow these steps if you have existing keys in a PKCS#12 keystore:
-
Create a Key Manager Provider that references your keystore:
$ dsconfig \ create-key-manager-provider \ --provider-name MyKeystore \ --type file-based \ --set enabled:true \ --set key-store-file:/path/to/keystore \ --set key-store-pin:password \ --set key-store-type:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
For each configuration object that needs to use the keys in the keystore, update the
key-manager-provider
andssl-cert-nickname
properties:$ dsconfig \ set-connection-handler-prop \ --handler-name LDAPS \ --set key-manager-provider:MyKeystore \ --set ssl-cert-nickname:ssl-key-pair \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
Many configuration objects use key manager providers. For a full list, refer to the page of configuration properties that start with K, and review the
key-manager-provider
properties links.Do not update the key manager provider for the Crypto Manager. The Crypto Manager needs access to the shared master key.
Generate a test deployment ID
-
Use the
dskeymgr
command to generate a deployment ID for testing.This example records the deployment ID in a file:
$ dskeymgr \ create-deployment-id \ --deploymentIdPassword password \ --outputFile test.deployment.id
If you do not specify the deployment ID password or file containing the password, the tool prompts you for the password interactively.
Use this deployment ID when setting up test servers. The test servers trust each others' certificates.
Trust certificates
Trust a client certificate
These steps let the DS server trust a self-signed client application certificate:
If you control the application, issue the client a certificate from a private CA instead. For an example, refer to Certificate-based authentication. |
-
Import the self-signed client certificate.
The following example imports the client certificate into the default truststore:
$ keytool \ -import \ -trustcacerts \ -alias myapp-cert \ -file myapp-cert.pem \ -keystore /path/to/opendj/config/keystore \ -storepass:file /path/to/opendj/config/keystore.pin \ -storetype PKCS12 \ -noprompt Certificate was added to keystore
If the truststore was provided during the setup process, specify the truststore and password.
Trust a server certificate
These steps let a client trust the DS server.
If the server certificate was signed by a well-known CA, the client may not have to configure any further trust.
To trust a certificate signed using a deployment ID and password, get the CA certificate. Either:
-
Copy the server’s truststore file and PIN.
-
Export the CA certificate as a PEM format file, as described in PEM format keys.
For an unknown CA or a self-signed server certificate, follow these steps:
-
Export the CA certificate from its truststore or the server certificate from the server keystore.
You can export the certificate in PEM format using the
keytool -exportcert -rfc
command.Some client applications can use the PEM format directly.
-
If the client uses a Java truststore, import the certificate into the client truststore.
You can import the server certificate using the
keytool -import -trustcacerts
command.
Trust a CA certificate
These steps let the DS server trust a CA. If the CA’s certificate is included with Java, you can let the server use the JVM truststore.
If the CA is not well-known, you can import the trusted CA certificate into a truststore:
-
Import the certificate as a CA certificate.
The following example imports the CA certificate into the default truststore:
$ keytool \ -import \ -trustcacerts \ -alias my-ca-cert \ -file ca.pem \ -keystore /path/to/opendj/config/keystore \ -storepass:file /path/to/opendj/config/keystore.pin \ -storetype PKCS12 \ -noprompt Certificate was added to keystore
If the truststore was provided during the setup process, specify the truststore and password.
-
If no trust manager provider is configured to access the truststore, create one.
For reference, refer to create-trust-manager-provider.
Also, configure connection handlers to use the new trust manager provider.
Add a new truststore
These steps demonstrate adding a new PKCS#12 truststore with existing trusted certificates. Follow these steps if you have existing certificates in a PKCS#12 truststore:
-
Create a Trust Manager Provider that references your truststore:
$ dsconfig \ create-trust-manager-provider \ --provider-name MyTruststore \ --type file-based \ --set enabled:true \ --set trust-store-file:/path/to/truststore \ --set trust-store-pin:password \ --set trust-store-type:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
For each configuration object that needs to trust the certificates in the truststore, update the
trust-manager-provider
property:$ dsconfig \ set-connection-handler-prop \ --handler-name LDAPS \ --set trust-manager-provider:MyTruststore \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
Many configuration objects use trust manager providers. For a full list, refer to the page of configuration properties that start with T, and review the
trust-manager-provider
properties links.
Show deployment ID information
The dskeymgr show-deployment-id
command displays key information about a given deployment ID,
such as the expiration date for the derived CA certificate:
$ dskeymgr show-deployment-id ASIQ8nH5BypHIB7AmmmJZ5VfCVKZXg5CBVN1bkVDAIT3myJF1rRsipI
Not before: 2024-03-15T06:42:38Z
Not after: 2034-03-13T06:42:38Z
Version: 1
Serial number: 84F79B2245D6B46C8A92
Provider name: SunEC
If you depend on an expiring deployment ID CA, refer to Replace deployment IDs.
PEM format keys
DS servers can read keys and trusted certificates from files that contain keys in Privacy-Enhanced Mail (PEM) format:
-
Choose or create a directory for PEM format keys.
This example uses
/path/to/opendj/pem
:$ mkdir -p /path/to/opendj/pem
-
Use the
dskeymgr
command to generate PEM format keys.-
Add a master key using the deployment ID and password, even if you have your own CA and server keys:
$ dskeymgr \ export-master-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile /path/to/opendj/pem/master-key.pem
-
Add a trusted CA certificate.
This example exports a deployment ID CA certificate:
$ dskeymgr \ export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile /path/to/opendj/pem/ca-cert.pem
-
Add server keys.
This example exports a server key pair based on a deployment ID:
$ dskeymgr \ create-tls-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --hostname localhost \ --hostname ds.example.com \ --subjectDn CN=DS,O=ForgeRock \ --outputFile /path/to/opendj/pem/ssl-key-pair.pem
For more command options, refer to dskeymgr. The default validity for the certificate is one year.
-
-
Allow only the user running the server to read any PEM files that contain private keys.
The keys are not encrypted, so you must protect the PEM files. For example, if the server runs with user ID
opendj
, restrict access to that user:$ sudo chown opendj /path/to/opendj/pem/*.pem && \ sudo chmod 600 /path/to/opendj/pem/master-key.pem && \ sudo chmod 600 /path/to/opendj/pem/ssl-key-pair.pem
-
Configure a PEM key manager provider for the master key and server keys:
$ dsconfig \ create-key-manager-provider \ --provider-name PEM \ --type pem \ --set enabled:true \ --set pem-directory:/path/to/opendj/pem \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
Configure a PEM trust manager provider for trusted certificates, such as CA certificates:
$ dsconfig \ create-trust-manager-provider \ --provider-name PEM \ --type pem \ --set enabled:true \ --set pem-directory:/path/to/opendj/pem \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
Configure other components to use the new providers by setting their
key-manager-provider
andtrust-manager-provider
properties.When using PEM keys, the alias or
ssl-cert-nickname
property is filename of the key. In this example:-
The master key alias is
master-key.pem
. -
The CA certificate alias is
ca-cert.pem
. -
The TLS keys alias is
ssl-key-pair.pem
.
-
Notice that the PEM key manager provider, and the PEM trust manager provider share the same pem-directory
.
This works because the key manager provider loads key pairs, and the trust manager provider loads trusted certificates.
When the PEM files change, the server regularly reloads the files.
For details, refer to Pem Key Manager Provider
and Pem Trust Manager Provider.