
I have created a Java JKS keystore:

keytool -genkey -alias mydomain -keyalg RSA -keystore mytest.jks -keysize 2048

After that I created a P12 file from the server's CRT and key with OpenSSL:

openssl pkcs12 -export -in server.crt -inkey server.key > server.p12

Now I imported the P12 file into my previously created JKS keystore:

keytool -importkeystore -srckeystore server.p12 -destkeystore mytest.jks -srcstoretype pkcs12

It works; I can use this JKS to initialize an SSL connection to the server:

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public static SSLContext initSSLContext(String keystoreLocation, String keystorePwd, String truststorePwd, String serverCrtPwd)
        throws GeneralSecurityException, IOException {
    SSLContext context = SSLContext.getInstance("TLS");
    KeyStore ks = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(keystoreLocation)) {
        ks.load(in, keystorePwd.toCharArray());
    }
    // KeyManagerFactory.init() takes a single key password: every key entry in ks must be protected with serverCrtPwd
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, serverCrtPwd.toCharArray());
    // The same file doubles as the trust store here
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(keystoreLocation)) {
        trustStore.load(in, truststorePwd.toCharArray());
    }
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(trustStore);
    context.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
    return context;
}

Passing the keystore location, its password and the password of the imported CRT as parameters, it works.

Now I have to convert and import multiple P12 files into the same JKS keystore. Running the import part multiple times works; I have multiple keys imported with different alias names and, of course, with different passwords. My problem is that now every imported key has its own password. I would like to initialize the SSL connection only once, with every available alias from the given keystore, because more servers will send data to my application over SSL. They have different passwords and are imported into my keystore, but I cannot initialize my keystore with multiple passwords; it accepts only one. How can I init my keystore with multiple imported P12s with different aliases and different passwords? The init method accepts only one parameter for the "keys recovery from keystore".

Thanks!

user1552747
  • You will have to use the `keytool` or an OpenSSL command (if there is one) to change all the passwords to be the same. – user207421 Feb 29 '16 at 22:47
  • Are there any solutions, if the passwords must be different because of strong security reasons? – user1552747 Mar 01 '16 at 08:23
  • If I have imported multiple keys into the keystore with the same password, can I accept connections from all clients? What I exactly need: one keystore with the keys (done), create a server socket which can accept connections from all clients that I already imported (they have different aliases in the store). Is it doable? – user1552747 Mar 02 '16 at 22:30

1 Answer


Recently I had the same challenge to achieve this. When searching for a solution I came across your question. Maybe I am 5 years too late, but after finding out the solution I wanted to share it with you.

So what I have discovered is that you have a couple of options:

  • All the keys should have the same password, or
  • Instantiate for each key a separate SSLContext with its own KeyManager.

Obviously you already knew these options and didn't want to take these actions. An alternative would be to still have a keystore with different keys and passwords. Let's assume you have a keystore containing keys with the following aliases and passwords:

  • foo -> foo-password
  • bar -> bar-password
  • lorum-ipsum -> lorum-ipsum-password

The following setup would do the trick for you:

var sslContext = SSLContext.getInstance("TLS");
var keyStore = ... // your custom KeyStore, already loaded with the store password

var keyManager = KeyManagerUtils.createKeyManager(keyStore, Map.of(
        "foo","foo-password".toCharArray(),
        "bar","bar-password".toCharArray(),
        "lorum-ipsum","lorum-ipsum-password".toCharArray()
));

sslContext.init(new KeyManager[]{keyManager}, trustManagers, null); // trustManagers: whatever TrustManager[] you already use

What this KeyManagerUtils is doing behind the scenes is creating a KeyManager for each key/password pair and merging them into a base KeyManager which can hold multiple KeyManagers and hand them out as a single one, so you can use it within your SSLContext. See here for the details and usage: Github - SSLContext-Kickstart

Hakan54
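The merging the answer describes can also be done with the JDK alone. The class below is an added example written for this page; it is not the asker's code and not the SSLContext-Kickstart library. It unlocks each alias with its own password, copies the entry into a single-entry in-memory keystore, builds one KeyManager from that, and fronts all of them with one X509ExtendedKeyManager. The class name, the helper methods and the command-line usage are my own; the alias/password pairs are the answer's example values and `mytest.jks` is the keystore name from the question, not real credentials. Note for the follow-up comment about accepting connections from every imported client: that is decided by the TrustManager, not by the KeyManager built here.

```java
import java.io.*;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.function.Function;
import javax.net.ssl.*;

/** One X509ExtendedKeyManager fronting a per-alias key manager for each key password. */
public final class CompositeKeyManager extends X509ExtendedKeyManager {
    private final List<X509ExtendedKeyManager> delegates;
    private CompositeKeyManager(List<X509ExtendedKeyManager> delegates) {
        this.delegates = List.copyOf(delegates);
    }

    /**
     * Unlocks each alias with its own password, copies the entry into a single-entry in-memory
     * keystore and builds one KeyManager from it, so every KeyManagerFactory.init() call sees
     * exactly one key and one password. A wrong password fails for that alias only.
     */
    public static CompositeKeyManager from(KeyStore keyStore, Map<String, char[]> aliasPasswords)
            throws GeneralSecurityException, IOException {
        List<X509ExtendedKeyManager> managers = new ArrayList<>();
        for (Map.Entry<String, char[]> e : aliasPasswords.entrySet()) {
            String alias = e.getKey();
            char[] password = e.getValue();
            KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
            KeyStore.Entry entry = keyStore.getEntry(alias, prot); // UnrecoverableEntryException on bad password
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new IllegalArgumentException("alias '" + alias + "' is not a private key entry");
            }
            KeyStore single = KeyStore.getInstance(KeyStore.getDefaultType());
            single.load(null, null);             // fresh, empty in-memory store
            single.setEntry(alias, entry, prot); // same alias, same password
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(single, password);
            for (KeyManager km : kmf.getKeyManagers()) {
                if (km instanceof X509ExtendedKeyManager) managers.add((X509ExtendedKeyManager) km);
            }
        }
        if (managers.isEmpty()) throw new IllegalArgumentException("no usable private key entries");
        return new CompositeKeyManager(managers);
    }

    // First delegate with a non-null answer wins. Aliases are unique because they all come from one
    // source keystore, so an alias chosen here resolves to the same delegate in getPrivateKey().
    private <T> T first(Function<X509ExtendedKeyManager, T> f) {
        for (X509ExtendedKeyManager km : delegates) {
            T v = f.apply(km);
            if (v != null) return v;
        }
        return null;
    }

    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return first(km -> km.chooseClientAlias(kt, is, s)); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return first(km -> km.chooseServerAlias(kt, is, s)); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return first(km -> km.chooseEngineClientAlias(kt, is, e)); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return first(km -> km.chooseEngineServerAlias(kt, is, e)); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return first(km -> km.getCertificateChain(alias)); }
    @Override public PrivateKey getPrivateKey(String alias) { return first(km -> km.getPrivateKey(alias)); }

    // Alias listings are the union over all delegates.
    private String[] all(Function<X509ExtendedKeyManager, String[]> f) {
        List<String> out = new ArrayList<>();
        for (X509ExtendedKeyManager km : delegates) {
            String[] a = f.apply(km);
            if (a != null) out.addAll(Arrays.asList(a));
        }
        return out.isEmpty() ? null : out.toArray(new String[0]);
    }

    @Override public String[] getClientAliases(String kt, Principal[] is) { return all(km -> km.getClientAliases(kt, is)); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return all(km -> km.getServerAliases(kt, is)); }

    /** Server-side SSLContext over an already loaded keystore; the same store doubles as trust store, as in the question. */
    public static SSLContext serverContext(KeyStore ks, Map<String, char[]> aliasPasswords)
            throws GeneralSecurityException, IOException {
        // The key manager decides which of our keys is presented; which client certificates are
        // accepted is the trust manager's job.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[]{from(ks, aliasPasswords)}, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    // Usage: java CompositeKeyManager mytest.jks <keystore password>
    // The alias/password pairs are the answer's example values (hypothetical), not real credentials.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Map<String, char[]> pwds = Map.of(
                "foo", "foo-password".toCharArray(),
                "bar", "bar-password".toCharArray(),
                "lorum-ipsum", "lorum-ipsum-password".toCharArray());
        CompositeKeyManager km = from(ks, pwds);
        System.out.println("RSA server aliases: " + Arrays.toString(km.getServerAliases("RSA", null)));
        System.out.println("Protocol: " + serverContext(ks, pwds).getProtocol());
    }
}
```

Each per-alias KeyManagerFactory is initialised with exactly one key password, which is why the single-password limitation of `KeyManagerFactory.init()` no longer matters. Building the composite still requires knowing every alias and its password up front; an alias missing from the map is simply not offered in the handshake, and a wrong password for an alias surfaces as an UnrecoverableEntryException at startup rather than as a failed handshake later.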