PKCS12GeneratorValve
This valve creates a PKCS#12 keystore from either a PEM-encoded PKCS#7 holding a certificate (chain) or a plain set of PEM-encoded X.509 certificate(s), optionally together with the matching private key.
Remarks
Per item
This valve executes once per item, so there must be at least one item in the flow before it runs. Create one if needed, for example with ItemCreateValve or ItemCreateFromRequestValve, placed before this valve in the pipe.
Secrets
This valve reads the private key from a secret and stores the generated PKCS#12 password in a secret, so that neither is leaked accidentally into, for example, logs.
Properties
| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| keyPairSecretId | Id of the secret holding the key pair (private key) for the end-entity certificate. | | Yes, if the private key is to be stored in the PKCS#12 | Yes |
| certificates | The certificate(s) to embed: X.509, PEM-encoded. Several certificates may be appended after each other (a certificate chain). | | One of certificates or pkcs7 | Yes |
| pkcs7 | The certificates to embed: one or more X.509 certificates in a PEM-encoded PKCS#7. | | One of certificates or pkcs7 | |
| pkcs12PropertyName | Name of the item property in which the PKCS#12 is stored, base64-encoded. | | Yes | |
| pkcs12PasswordSecretIdPropertyName | Name of the item property in which the id of the secret holding the randomly generated PKCS#12 password is stored. | | Yes, if a private key is stored in the PKCS#12 | |
Example configuration
{
  "name": "PKCS12GeneratorValve",
  "enabled": "true",
  "config": {
    "keyPairSecretId": "{{item.keyPairSecretId}}",
    "certificates": "{{item.certificate}}",
    "pkcs12PropertyName": "pkcs12",
    "pkcs12PasswordSecretIdPropertyName": "pkcs12PasswordSecretId"
  }
}
In the example above, the assumption is that the item already has these properties:
keyPairSecretId - id of the secret in which the key pair for the certificate is stored
certificate - a PEM-encoded X.509 certificate, or a chain of certificates (simply appended after each other, end-entity certificate first)
After the valve has executed, the item has two additional properties:
pkcs12 - the base64-encoded PKCS#12
pkcs12PasswordSecretId - id of the secret in which the randomly generated password for the PKCS#12 has been stored
Requirements
To create a PKCS#12 containing a private key, that private key must previously have been stored in a secret.
This makes it possible to combine a certificate issued by a CA from a CSR (for example by AdcsRequestCertificateValve) with the private key the CSR was generated from (for example by KeyPairGeneratorValve). The key and the certificate must belong together; a keystore with a mismatched key is only discovered when it is used.
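The following script is an added example and not the valve's or the product's own code. It reproduces, with the `cryptography` package, what the example configuration and the requirements above describe: a PEM private key (what the valve reads from the keyPairSecretId secret) and one or more appended PEM certificates (the certificates property) go in, a base64 PKCS#12 and a random password come out. The valve would store the password in a secret rather than return it, and its real password length and PKCS#12 encryption parameters are not documented on this page, so those choices are assumptions, as are all function names. The CA, key and certificates are generated in-process as constructed test data. The PKCS#7 input path is not covered.

```python
"""Added example, not the valve's own code: does what the PKCS12GeneratorValve
is described to do, with the `cryptography` package. Inputs: the PEM private
key the valve would read from the keyPairSecretId secret and one or more PEM
certificates appended after each other (the `certificates` property). Output:
the PKCS#12 as base64 plus its random password (the valve stores that in a
secret instead). All key/certificate material is constructed test data."""
from __future__ import annotations
import base64, re, secrets
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PEM, DER = ser.Encoding.PEM, ser.Encoding.DER
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def load_pem_chain(chain_pem: bytes) -> list[x509.Certificate]:
    """Parse one or more appended PEM certificates: first = end-entity, rest = chain."""
    certs = [x509.load_pem_x509_certificate(b) for b in _PEM_CERT.findall(chain_pem)]
    if not certs:
        raise ValueError("no PEM certificate found in input")
    return certs

def _spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, so keys of any type can be compared."""
    return public_key.public_bytes(DER, ser.PublicFormat.SubjectPublicKeyInfo)

def build_pkcs12(key_pem: bytes | None, chain_pem: bytes,
                 friendly_name: bytes = b"valve") -> tuple[str, str | None]:
    """Return (base64 PKCS#12, password). With key_pem=None the PKCS#12 holds only
    certificates and no password is generated (password secret only needed with a key)."""
    certs = load_pem_chain(chain_pem)
    leaf, chain = certs[0], certs[1:]
    key = None
    if key_pem is not None:
        key = ser.load_pem_private_key(key_pem, password=None)
        # Refuse a key that does not belong to the end-entity certificate; a
        # silently mismatched keystore only fails later, at TLS handshake time.
        if _spki(key.public_key()) != _spki(leaf.public_key()):
            raise ValueError("private key does not match the end-entity certificate")
    password = secrets.token_urlsafe(32) if key is not None else None  # assumed length
    enc = ser.BestAvailableEncryption(password.encode()) if password else ser.NoEncryption()
    p12 = pkcs12.serialize_key_and_certificates(friendly_name, key, leaf, chain, enc)
    return base64.b64encode(p12).decode("ascii"), password

def open_pkcs12(p12_b64: str, password: str):
    """What a consumer of the `pkcs12` property does: base64-decode, then unlock
    with the password fetched from the secret (wrong password -> ValueError)."""
    return pkcs12.load_key_and_certificates(base64.b64decode(p12_b64), password.encode())

def _issue(cn: str, issuer: x509.Name, issuer_key, public_key, ca: bool) -> x509.Certificate:
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _key_pem(key) -> bytes:
    return key.private_bytes(PEM, ser.PrivateFormat.PKCS8, ser.NoEncryption())

def make_test_material() -> tuple[bytes, bytes]:
    """Constructed test data: a throwaway CA and a leaf certificate it issued.
    Returns (leaf key PEM, leaf cert PEM + CA cert PEM), i.e. a two-cert chain."""
    ca_key = rsa.generate_private_key(65537, 2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = _issue("Example Test CA", ca_name, ca_key, ca_key.public_key(), ca=True)
    leaf_key = rsa.generate_private_key(65537, 2048)
    leaf_cert = _issue("pkcs12-valve-example", ca_name, ca_key, leaf_key.public_key(), ca=False)
    return _key_pem(leaf_key), leaf_cert.public_bytes(PEM) + ca_cert.public_bytes(PEM)

def _raises_value_error(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False

def run_example() -> dict:
    """Generate a PKCS#12 from the test material and check it as a reviewer would:
    opens with its password, carries leaf + chain, rejects a wrong password or a foreign key."""
    key_pem, chain_pem = make_test_material()
    p12_b64, password = build_pkcs12(key_pem, chain_pem)
    key, leaf, chain = open_pkcs12(p12_b64, password)
    other_key_pem = _key_pem(rsa.generate_private_key(65537, 2048))
    cert_only_b64, cert_only_password = build_pkcs12(None, chain_pem)
    return {
        "password_length": len(password),
        "leaf_matches": leaf == load_pem_chain(chain_pem)[0],
        "key_matches": _spki(key.public_key()) == _spki(leaf.public_key()),
        "chain_length": len(chain),
        "wrong_password_rejected": _raises_value_error(lambda: open_pkcs12(p12_b64, "nope")),
        "mismatched_key_rejected": _raises_value_error(lambda: build_pkcs12(other_key_pem, chain_pem)),
        "cert_only_password": cert_only_password,
        "cert_only_bytes": len(base64.b64decode(cert_only_b64)),
    }
```

Running `run_example()` builds the keystore, reopens it with the generated password and confirms that the end-entity certificate, the chain certificate and the private key all came through, that a wrong password is refused, and that a private key belonging to some other certificate is rejected before anything is written. The key/certificate match check is the one worth copying: the page's requirement that the key "corresponding" to the certificate be used is otherwise only enforced by whatever later consumes the keystore.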