Configuring Key Material and Certificates
In nevisAdmin 4, the terms keystore and truststore are defined as described in the following sections.
A keystore contains:
- Exactly 1 private key.
- A certificate that matches the private key.
- The certificate chain - up to and including a certificate authority (CA) trusted by clients.
- A passphrase getter script which can be executed by components to use the keystore.
Keystores are used by Nevis components for the following cases:
- To provide secure endpoints (HTTPs / TLS)
- For outbound connections (2-way TLS)
- For signing tokens
A truststore may contain:
- CA certificate(s) for trust validation (TLS)
- Certificate(s) used to sign tokens
For trust validation during a TLS handshake the truststore must contain the CA (or a parent thereof) which has issued the certificate of the other party.
For signature validation the truststore must contain the signer certificate.
Patterns for Key Management
Patterns that require a keystore or truststore have dedicated references, which allow you to assign a pattern that provides the keystore / truststore.
The standard pattern library provides the following patterns for key management:
- Automatic Key Store/ Automatic Trust Store: See the chapter Automatic Key Management.
- These patterns can be used in classic VM and Kubernetes deployments. nevisAdmin 4 automatically sets up the keystore / truststore during deployment. This is the default behavior when no pattern is assigned.
- nevisKeybox Store: See the chapter nevisKeybox-Based Key Management.
- The nevisKeybox Store pattern can act as keystore or truststore or both. This pattern can be used for classic deployments only. The pattern requires that nevisKeybox is installed and an instance named default has been created on the target hosts. nevisAdmin 4 does not deploy into nevisKeybox. You have to manage the content manually using the neviskeybox command-line interface.
- PEM Key Store/ PEM Trust Store: See the chapter PEM-Based Key Management.
- These patterns can be used in classic and Kubernetes deployments. The key material is uploaded in PEM format in the pattern or via the inventory. Formats for Java-based components (JKS and PKCS12) are generated automatically. The files are deployed by nevisAdmin 4 and will be exposed to NEVIS components.