Overview
A CryptoToken backed by a keystore: either a PKCS#12 (.p12/.pfx) or legacy Java JKS (.jks) keystore file in the local file system, or a keystore stored in the worker configuration (in the database).
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken.
Available Properties
| Property | Description |
|---|---|
| KEYSTOREPATH | Full path to the keystore file to load. Required. |
| KEYSTOREPASSWORD | Password that unlocks the keystore. Optional. If set, the token is activated automatically at startup; if omitted, the token must be activated manually, which keeps the password out of the worker configuration. |
| KEYSTORETYPE | Type of keystore: PKCS12 for a P12 keystore, JKS for a Java JKS keystore, or INTERNAL to use an in-configuration keystore. Required. |
| DEFAULTKEY | The alias of the key to use. Optional, but required unless the key is selected per signing request by an implementation of the AliasSelector interface. |
| NEXTCERTSIGNKEY | The alias of the next key to use. Optional. For more information, see PKCS11CryptoToken. |
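The properties above are what a crypto worker's configuration ends up carrying. The following shell script is an added example (not SignServer's own tooling) that creates a PKCS#12 keystore with the JDK's keytool and writes a worker properties file for a file-based KeystoreCryptoToken. It assumes the WORKERGENID1 prefix and the org.signserver.server.signers.CryptoWorker implementation class used in SignServer's sample configuration files; the worker name, alias and paths are constructed values. KEYSTOREPASSWORD is only written when a password is passed in, so the default output requires manual activation instead of leaving the password in the configuration. INTERNAL keystores are deliberately not handled here, since their content lives in the database rather than in a file.

```shell
#!/bin/sh
# Added example, not part of SignServer. Generates a CRYPTO_WORKER
# configuration backed by KeystoreCryptoToken for a file-based keystore.
# Assumptions (not stated on the page): the WORKERGENID1 prefix and the
# org.signserver.server.signers.CryptoWorker class follow SignServer's
# sample property files; names, aliases and paths below are constructed.
set -eu

# Create a self-signed RSA key pair in a PKCS#12 file that only the
# service account can read. Requires keytool from a JDK on PATH.
create_p12_keystore() {
    path=$1; alias=$2; password=$3
    umask 077
    keytool -genkeypair -keyalg RSA -keysize 3072 -validity 365 \
        -storetype PKCS12 -keystore "$path" -storepass "$password" \
        -alias "$alias" -dname "CN=$alias" >/dev/null
    chmod 600 "$path"
}

# Write the worker properties file.
# Usage: write_crypto_worker_properties OUT NAME TYPE PATH ALIAS [PASSWORD]
# TYPE must be PKCS12 or JKS. KEYSTOREPASSWORD is emitted only when a
# password is given: omitting it keeps the secret out of the worker
# configuration (and out of dumpproperties output) at the cost of having
# to activate the token manually after each restart.
write_crypto_worker_properties() {
    out=$1; name=$2; type=$3; path=$4; alias=$5; password=${6:-}
    case "$type" in
        PKCS12|JKS) ;;
        *) echo "unsupported file-based KEYSTORETYPE: $type" >&2; return 1 ;;
    esac
    {
        echo "WORKERGENID1.TYPE=CRYPTO_WORKER"
        echo "WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker"
        echo "WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken"
        echo "WORKERGENID1.NAME=$name"
        echo "WORKERGENID1.KEYSTORETYPE=$type"
        echo "WORKERGENID1.KEYSTOREPATH=$path"
        if [ -n "$password" ]; then
            echo "WORKERGENID1.KEYSTOREPASSWORD=$password"
        fi
        echo "WORKERGENID1.DEFAULTKEY=$alias"
    } > "$out"
}

# Example run (constructed values; keystore creation needs keytool):
# create_p12_keystore /opt/signserver/p12/signer.p12 signer00001 "$P12_PASS"
# write_crypto_worker_properties crypto.properties CryptoTokenP12 PKCS12 \
#     /opt/signserver/p12/signer.p12 signer00001
# bin/signserver setproperties crypto.properties
# bin/signserver reload all
# bin/signserver activatecryptotoken CryptoTokenP12 "$P12_PASS"
```

Applying the generated file with setproperties and then activating the token manually, as in the commented run, is the variant where the keystore password never enters the database; passing the password as the sixth argument instead produces the automatic-activation configuration described in the table.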
When Using an Internal Keystore
The content of the keystore is not part of the regular worker properties, so it is not included in the output of the dump properties command. It is also removed when the crypto worker is removed (or the regular worker, when using the legacy method of configuring the crypto token directly on the worker). To back up the content of the crypto token, make a database backup. The password supplied when activating the token for the first time becomes the keystore password, so choose it deliberately: it is what unlocks the key from then on.
Special Case Type-specific Implementations
As a convenience, three type-specific implementations are available:
P12CryptoToken
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.P12CryptoToken
JKSCryptoToken
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.JKSCryptoToken
KeystoreInConfigCryptoToken
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreInConfigCryptoToken
These implementations work the same way as using a KeystoreCryptoToken with KEYSTORETYPE set to PKCS12, JKS, or INTERNAL respectively; the remaining properties are identical.