Documentation

About keystores

Most cryptographic operations require keys. Keys are usually best kept in a keystore file.

To manipulate keystore files, we suggest the excellent, cross-platform and free Keystore Explorer.

To get a reference to a java.security.KeyStore, use the <crypt:keystore> element:

<crypt:keystore id="fooKeystore" location="classpath:keystore-foo.jks"
    password="password" type="JKS" provider="SUN"/>

type

The type attribute is optional: JKS is the default keystore type if no type attribute is specified.

location

The location attribute follows the Spring resources conventions (see table 5.1 in the Spring reference documentation for an overview).

provider since 1.3.0

The provider attribute is optional.

Since 1.0.1

If you prefer to configure the keystore by defining the java system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, you can get a reference to the keystore simply with:

<crypt:defaultKeystore id="defaultKeystore"/>

A keystore can also be embedded, Base64-encoded, in the XML config file itself:

<crypt:b64Keystore id="keystore" password="password" type="JKS"
                   provider="SUN">
    <crypt:file>
        /u3+7QAAAAIAAAABAAAAAQAEdGVzdAAAASazcnA7AAACvTCCArkwDgYKKwYBBAEq
        AhEBAQUABIICpXWgVfoBjEXhW7TUr4i8npIcnRfWKy8i5Mly28DaiNQIcbUmqVol
        hfjbmoz930cT+puKpVmt+Rv28MEWEHDH3JFixM7aQgjmMsXL4z0AE/cgW0bn5C3P
        LBrvG3Ieq0Kj1ZebLuBtHM92LwrkctTq3dvy6sCQHLtpefInmdjqfAbJnls/y2RX
        PoNwwwu6yIWw6GnXQ41TjhIOcXhmog4e7aH+2Ch+6vFsnNf0hHDdGI/PPvGnIvf9
        kGb1a9894sy1xApi1oV/OzH3ZZ8WKlXZmycke3QtVfREFRv22400tayoFyQzCbNE
        jNpzExRhHd5W1fEaVBXIjw73eB8l31XgIQlBFnUBkBXkQ56nYPRL6ODPNIYEYJSE
        XJnN8POgc+TFEisP4MK4fzr7pb5iVBokbWMS6ixCayaUSksn/U8mtAQSSy3Wx8KS
        0S+HvHCv7g8qflLuQD3TC7dBF4ai8O7U4TXljqugW53UzmcSHbY+3js2R3SYdOxI
        1CZ+Ly59WYHsAwtVhor1QFqmx1GwI/OJFy5cdd0Kcn2IKcQwEuTZcNEL7ZzBSrKQ
        WQ/Vysn2rHr/iWZBg7H/8Ybk3yBoPvn9xi6IFOV74a9EPn3eb8h4yF6yFLieIKXo
        2pM1BFmvkbQYcg8HhWWb8ppJC5He2j6LCmhMBciVY5ltSXe8siyPqGi1uSNeqduv
        O+JGfCgpcAezpGL2KFCbcHyISPlhDERKWdI560OR8ytQXmX996OcM34aRl0D+cgL
        hblZOzXCv9bj9ePWMTytF/YeVebsjU4clxLWnGBU9hbkvdBTf8q795DAcbqnL6QC
        mo+1wq8OZTxRcF2Er97A3QCSrvK5hWrG2rkUcw55TSPeoaobj6YgYOnv1dpuHCXs
        6J8V/b4FGCDn2XAcgEUOAAAAAQAFWC41MDkAAAI5MIICNTCCAZ6gAwIBAgIES3GF
        tjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJJVDELMAkGA1UECBMCUk0xDTAL
        BgNVBAcTBFJvbWUxDTALBgNVBAoTBE5vbmUxDTALBgNVBAsTBE5vbmUxFjAUBgNV
        BAMTDU1pcmtvIENhc2VydGEwHhcNMTAwMjA5MTU1NjM4WhcNMTAwNTEwMTU1NjM4
        WjBfMQswCQYDVQQGEwJJVDELMAkGA1UECBMCUk0xDTALBgNVBAcTBFJvbWUxDTAL
        BgNVBAoTBE5vbmUxDTALBgNVBAsTBE5vbmUxFjAUBgNVBAMTDU1pcmtvIENhc2Vy
        dGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKjtmUJ2Y06oi/e90tgfvNLt
        TadWre36dsKvhrhxaXtcGC54cjaN/r2iAlLnTrqJN9K7cWYHI5Rh1bYZzOSGY2PX
        6DoLis5OsDzP/9rXZRMVfNynLsjTeIkG579qht6j6JAtyvHIdH5hrDjE32xx/X78
        iLTYMAuXb+Uo8VNZTft7AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEApXFvvASzzw4G
        VmbJB1os/PnKAD82WpDDP6pjDOE4ALAzJoP71uqvLffr4qRBmMOMX6IGmLBckYRS
        axQ8OCU6QBU4RU1cY/xxrXgfKditL8SAY4Ll07uwoilBJqxM9clT0AtYwxTgS5KF
        7bw6Q7mk5Ki1d9hpmBBn+HGB9+MCqTCz/VETRUu45lQPtwUuwvOmff2WHg==
    </crypt:file>
</crypt:b64Keystore>

type

The type attribute is optional: JKS is the default keystore type if no type attribute is specified.

provider since 1.3.0

The provider attribute is optional.

The Base64 block above was generated with:

$ openssl enc -base64 -in keystore.jks
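The three elements above all end up producing a java.security.KeyStore. The following plain-Java example, added here and not part of the crypt namespace's own code, shows what each of them has to do: load a keystore from a classpath resource with the doc's defaults (type JKS, no explicit provider), load it from the javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword system properties, and decode a Base64 body such as the one produced by the openssl command above. The class and method names are invented for the illustration; the main method builds an empty JKS in memory so the round-trip runs without any keystore file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Base64;

/** Illustrative loader (hypothetical, not the crypt namespace's code) mirroring the three elements. */
public class KeystoreLoadingExample {

    private static final String DEFAULT_TYPE = "JKS"; // the doc's default when type= is omitted

    // <crypt:keystore location="classpath:keystore-foo.jks" password="..." type="JKS" provider="SUN"/>
    public static KeyStore loadFromClasspath(String resourceName, char[] password,
                                             String type, String provider)
            throws IOException, GeneralSecurityException {
        InputStream in = KeystoreLoadingExample.class.getClassLoader().getResourceAsStream(resourceName);
        if (in == null) {
            throw new IOException("keystore resource not found on classpath: " + resourceName);
        }
        try (InputStream stream = in) {
            return load(stream, password, type, provider);
        }
    }

    // <crypt:defaultKeystore/>: path and password come from the JSSE system properties
    public static KeyStore loadDefault() throws IOException, GeneralSecurityException {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String password = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore system property is not set");
        }
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            // null type/provider: fall back to JKS and the first provider that supports it
            return load(in, password == null ? null : password.toCharArray(), null, null);
        }
    }

    // <crypt:b64Keystore>: the <crypt:file> body is Base64 text with line breaks, as openssl emits it
    public static KeyStore loadFromBase64(String base64Text, char[] password,
                                          String type, String provider)
            throws IOException, GeneralSecurityException {
        // The MIME decoder skips the newlines and indentation inside the element body;
        // Base64.getDecoder() would reject them as illegal characters.
        byte[] raw = Base64.getMimeDecoder().decode(base64Text);
        try (InputStream in = new ByteArrayInputStream(raw)) {
            return load(in, password, type, provider);
        }
    }

    private static KeyStore load(InputStream in, char[] password, String type, String provider)
            throws IOException, GeneralSecurityException {
        String effectiveType = (type == null || type.isEmpty()) ? DEFAULT_TYPE : type;
        KeyStore ks = (provider == null || provider.isEmpty())
                ? KeyStore.getInstance(effectiveType)
                : KeyStore.getInstance(effectiveType, provider);
        // load() verifies the keystore's integrity: a wrong password or a tampered file fails here
        ks.load(in, password);
        return ks;
    }

    // Demo: build an empty JKS in memory, Base64-encode it, and round-trip it through loadFromBase64.
    public static void main(String[] args) throws Exception {
        char[] password = "password".toCharArray(); // constructed demo value
        KeyStore original = KeyStore.getInstance(DEFAULT_TYPE);
        original.load(null, password); // create a fresh, empty keystore
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        original.store(out, password);

        // MIME encoding inserts line breaks, much like the openssl -base64 output shown in the doc
        String base64 = Base64.getMimeEncoder().encodeToString(out.toByteArray());
        KeyStore restored = loadFromBase64(base64, password, null, "SUN");
        System.out.println("type=" + restored.getType() + " entries=" + restored.size());
    }
}
```

Whichever element is used, the password attribute (or the javax.net.ssl.keyStorePassword property) is what KeyStore.load uses to check the file's integrity, so the config file or JVM startup arguments that carry it need the same protection as the keystore file itself.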