Setting Up TLS Keystores for Aerospike Connect
To use TLS, an Aerospike Connect connector requires a public/private key pair and corresponding certificate, which needs to be provided in a keystore file.
The connector supports both the proprietary Java Keystore format ("JKS") and the "PKCS12" format, based on the RSA PKCS #12 Personal Information Exchange Syntax Standard. Up to Java 8, the default keystore format is JKS; in JDK 9 and later, the default is PKCS12. One difference between the two formats is that JKS protects each private key with its own password while also protecting the integrity of the entire keystore with a (possibly different) password, whereas a PKCS12 keystore uses a single password for the entire keystore. For the JMS Connector, we recommend using the PKCS12 keystore format.
For development and testing, you can generate a new key pair and certificate using the JDK's keytool command line utility. The following command creates a new keystore file and key/cert pair:
keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
The keytool will prompt for a new password for the keystore file as well as some additional information about the certificate.
keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
If you have an existing private key and certificate (chain) as separate PEM files, such as a key pair generated by OpenSSL and a cert issued by a CA, then you can combine these two files into a PKCS12 keystore using the OpenSSL tools:
openssl pkcs12 -inkey ./key.pem -in ./cert.pem -export -out resources/keystore
If you have a chain of certificates, because your certificate was issued by an intermediate CA, build the PKCS12 file as follows (the connector's own certificate must come first, followed by the intermediate and root CA certificates):
cat ./cert.pem intermediate.pem rootCA.pem > cert-chain.pem
openssl pkcs12 -inkey ./key.pem -in ./cert-chain.pem -export -out resources/keystore
The command prompts for an export password, which becomes the keystore password of the newly created keystore file. Update the tls configuration section as described above so that it points at the test keystore.
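As an added example that is not part of the Aerospike documentation, the following shell functions wrap the OpenSSL steps above: they build the PKCS12 keystore with the chain in leaf-first order and then check that the resulting keystore really contains the private key and the expected number of certificates, which is the check to run before pointing the connector at it. It assumes openssl is on PATH; the file names, alias and password are placeholders.

```shell
# Added example, not from the Aerospike docs. Assumes openssl on PATH.

# build_pkcs12 KEY LEAF OUT PASSWORD [INTERMEDIATE...] [ROOT]
# Concatenates the connector's own certificate first, then any intermediate
# and root CA certificates. Order matters: openssl pkcs12 pairs -inkey with
# the first certificate in the -in file.
# NOTE: "pass:" puts the password in the process list; for real deployments
# prefer the interactive prompt (omit -passout) or -passout file:<path>.
build_pkcs12() {
  key=$1; leaf=$2; out=$3; pass=$4; shift 4
  chain=$(mktemp)
  cat "$leaf" "$@" > "$chain"
  openssl pkcs12 -export -inkey "$key" -in "$chain" -out "$out" \
      -name connector -passout "pass:$pass"
  rm -f "$chain"
}

# count_certs KEYSTORE PASSWORD
# Prints the number of certificates stored in the keystore (a complete chain
# shows leaf + intermediates + root; a missing intermediate shows up here).
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# has_private_key KEYSTORE PASSWORD
# Exit status 0 if the keystore holds a private key, 1 otherwise.
has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Usage (placeholder paths, mirrors the chain case in the text):
#   build_pkcs12 ./key.pem ./cert.pem resources/keystore 'changeit' \
#       ./intermediate.pem ./rootCA.pem
#   count_certs resources/keystore 'changeit'     # expect 3
#   has_private_key resources/keystore 'changeit' && echo "key present"
```

The same keystore can be inspected from the Java side with `keytool -list -v -keystore resources/keystore -storetype PKCS12`, which shows the alias given by `-name` and the full chain.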