Storing and retrieving a JKS from Azure Key Vault

Q
I would like to refer to a Java KeyStore from Azure Key Vault instead of packaging it with my Spring Boot application, which is deployed as a Docker image into a Kubernetes cluster.

As per the Azure documentation, only .PFX files are allowed to be imported into the Key Vault. Currently I am successful in packaging and retrieving the JKS from within Spring Boot, but I am looking for a more secure approach and want to have my certificates outside the codebase.

Any pointers and code snippets would be helpful.

Quimby answered 20/2, 2018 at 18:44 Comment(0)

I know this is old, but answering this because I had the exact same issue and had to read a lot to figure it out.

Tutorial from Microsoft

This article will give you a pretty good overview.

To summarize, if you want to enable SSL for your application using a self-signed certificate stored in Azure Key Vault, below are the steps:

  1. Add the azure-spring-boot-starter-keyvault-certificates dependency in your pom.

  2. Add the ssl configuration and the keyvault configuration as follows

    server:
      port: 8443
      ssl:
        key-alias: <keystore name>
        key-store-password: <password>
        keyStoreType: AzureKeyVault
        key-store-type: AzureKeyVault
    
    azure:
      keyvault:
        uri: <keystore uri>
        client-id: <client-id>
        client-secret: <secret>
        enabled: true
        tenant-id: <tenant-id>

This will enable SSL on your application and use the key store from Azure for HTTPS.

If you only need to load a trust store for outbound TLS, things are a bit simpler. You only need to configure Key Vault as below.

    azure:
      keyvault:
        uri: <keystore uri>
        client-id: <client-id>
        client-secret: <secret>
        enabled: true
        tenant-id: <tenant-id>

And then, initialize your SSLContext using the key vault.

    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import org.apache.http.ssl.SSLContexts;   // Apache HttpClient's builder (assumed from the SSLContexts.custom() call)
    import com.azure.security.keyvault.jca.KeyVaultLoadStoreParameter;

    // The "AzureKeyVault" KeyStore type is registered by the
    // azure-spring-boot-starter-keyvault-certificates dependency added in step 1.
    KeyStore azureKeyVaultKeyStore = KeyStore.getInstance("AzureKeyVault");
    KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
            System.getProperty("azure.keyvault.uri"),
            System.getProperty("azure.keyvault.tenant-id"),
            System.getProperty("azure.keyvault.client-id"),
            System.getProperty("azure.keyvault.client-secret"));
    azureKeyVaultKeyStore.load(parameter);

    // Use the Key Vault backed KeyStore as trust material only (no client key).
    SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(azureKeyVaultKeyStore, null)
            .build();

This will load all the certificates available in the key vault into the trust store. I am not sure if this is needed if you only need the certificates for outbound TLS, since Azure Key Vault can only store certificates which contain both private and public key pairs.

Winni answered 20/10, 2021 at 2:47 Comment(1)
Thanks for the detailed explanation. But I want to do similar steps for Kafka consumer validation through an Azure Key Vault certificate within a Spring Boot application. Any help would be appreciated. - Kendricks


One solution is to store the key as a base64-encoded string as a key/value pair in Azure Key Vault, set it to an environment variable, and decode it into a file on the server in the build.

Encode:

    openssl base64 -A -in keystore.jks

Set the output as an environment variable from Azure Key Vault.

Decode:

    echo "$KEYSTORE_BASE64" | base64 --decode > keystore.jks

Ujiji answered 9/5, 2019 at 20:23 Comment(1)
@Riddle Sort of. I ended up saving the keys as environment variables in my CI pipeline, but I have stored the base64 encrypted strings in Azure Key Vault as well as a backup. - Ujiji
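The decode step from the answer above, with the checks a deployment should make before trusting the restored file: it is written with owner-only permissions, checked for the JKS magic number, and compared against a SHA-256 recorded when the secret was stored. This is an added example, not code from the answer; the sample keystore is a constructed file carrying only the JKS magic bytes, not a keystore produced by keytool.

```shell
#!/bin/sh
# Round-trip a JKS through base64 as in the answer above, then decode it with
# permission, magic-number and integrity checks before it is used.
set -eu

# Constructed stand-in for keystore.jks: JKS magic 0xFEEDFEED plus filler.
# (Not a real keystore; a real one would come from keytool.)
make_sample_keystore() {
    printf '\376\355\376\355' > "$1"
    printf 'constructed sample, not a real keystore' >> "$1"
}

# Encode a keystore file as a single base64 line (what the answer stores).
encode_keystore() {
    openssl base64 -A -in "$1"
}

# Hex SHA-256 of a file; record this next to the base64 secret when storing.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Decode base64 text $1 into file $2, created fresh with mode 0600 so the
# private key is never readable by other users on the host.
decode_keystore() {
    ( umask 077; rm -f "$2"; printf '%s' "$1" | base64 --decode > "$2" )
}

# True if the file starts with the JKS magic number 0xFEEDFEED.
is_jks() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "feedfeed" ]
}

# Decode $1 into $2 and accept the file only if it is a JKS whose SHA-256
# equals $3 (the hash recorded at store time). Returns non-zero otherwise.
restore_and_verify() {
    decode_keystore "$1" "$2" || return 1
    is_jks "$2" || return 1
    [ "$(sha256_of "$2")" = "$3" ]
}
```

In a pipeline, `$KEYSTORE_BASE64` and the recorded hash are the two values pulled from Key Vault, and `restore_and_verify "$KEYSTORE_BASE64" keystore.jks "$KEYSTORE_SHA256"` replaces the bare decode.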