I read on AWS docs that, when keys are generated using java keytool, the certificates are stored in a local store file and the actual private key material is stored in Cloud HSM.

[Screenshot: Generate keypair with a certificate without store file]

Is there a default location where the default local store file is created?

When I execute the list command using java keytool, I am getting all the keys I added, and somehow it is able to access the default store file.

[Screenshot: Listing all aliases without store file]

If I generate keys passing the keystore option, then the certificate is getting stored in the store file as expected.

[Screenshot: Generate keypair with a certificate with store file]

[Screenshot: Listing all aliases without store file]

But when I execute the list command with the keystore option, it is returning all the aliases from all the keystores. I am expecting keys only from my-cloudhsm.store. Why is this happening?

I downloaded my-cloudhsm.store and opened it in KeyStore Explorer, and I see symmetric keys, trusted certs and public-private key pairs all in that store file. As per the documentation, I should see only certificates corresponding to key pairs and any imported trusted certificates.

I am also able to export the private key from the store file, but as expected the private key is not complete.

[Screenshot: Symmetric keys, trusted certs and public-private key pairs]

[Screenshot: Exporting private key]

[Screenshot: Private key is not complete]

My understanding is, CloudHSM maintains a local store file that has references to all the items added, including asymmetric key pairs and symmetric keys, but the actual key material is stored in Cloud HSM.

If this is correct, then if I have 3 applications running on 3 different machines accessing Cloud HSM, does this local file need to be synced on all 3 machines, or do I copy the store file to an external file system and mount that onto all 3 machines?

Questions

1. Why/how does list return all aliases from all the store files even when a particular file is passed?
2. Java integration with Cloud HSM works only with a store file (some input stream). I cannot have different applications read directly from Cloud HSM without syncing the store file.
3. Is there an inbuilt mechanism to sync the store file on all machines?
4. Is it an idea to have a dedicated machine to manage keys (generate, delete) and sync the store file to all the applications?

I am not sure if this is the right forum.
My apologies for the long post.
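One way to check what a store file actually references, without opening it in a GUI, is to load it through the CloudHSM JCE keystore type and classify each alias. This is an added example, not code from the post or from AWS; the provider class name (Client SDK 3's com.cavium.provider.CaviumProvider) and the "CloudHSM" keystore type are assumptions to check against your SDK version, and the file path and password are taken from the command line and environment.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Classifies every alias in a CloudHSM-backed store file. Only metadata is read:
// no key material is requested, so nothing leaves the HSM.
public class InspectCloudHsmStore {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "my-cloudhsm.store";
        String pw = System.getenv("HSM_STORE_PASSWORD");          // assumed env var
        char[] password = pw == null ? new char[0] : pw.toCharArray();

        // ASSUMPTION: Client SDK 3 provider class; SDK 5 registers a different class.
        Security.addProvider(new com.cavium.provider.CaviumProvider());
        KeyStore ks = KeyStore.getInstance("CloudHSM");            // ASSUMPTION: store type
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        int asymmetric = 0, symmetric = 0, trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            String kind;
            if (ks.isCertificateEntry(alias)) {
                kind = "trusted certificate";
                trusted++;
            } else if (ks.isKeyEntry(alias)) {
                // A key entry with a certificate chain is an asymmetric pair; a key
                // entry without one is a reference to a symmetric (secret) key.
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    kind = "key pair, subject=" + ((X509Certificate) cert).getSubjectX500Principal();
                    asymmetric++;
                } else {
                    kind = "symmetric key reference (no certificate)";
                    symmetric++;
                }
            } else {
                kind = "unknown entry type";
            }
            System.out.println(alias + " -> " + kind);
        }
        System.out.printf("%d key pair(s), %d symmetric key reference(s), %d trusted cert(s)%n",
                asymmetric, symmetric, trusted);
    }
}
```

Run it once against the file passed with -keystore and once against the default store location to see whether the alias lists really differ, which is the first thing to establish before worrying about syncing the file across machines.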