Overview

A CryptoToken using a keystore, either a PKCS#12 (.p12/.pfx), or legacy Java JKS (.jks) keystore in the local file system, or a keystore stored in the configuration (in the database).

CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken.

Available Properties

Property
Description

KEYSTOREPATH

Full path to the keystore file to load. Required.

KEYSTOREPASSWORD

Password that locks the keystore. Used for automatic activation.

KEYSTORETYPE

Type of keystore:

  • PKCS12 for a P12 keystore.
  • JKS for a Java JKS keystore.
  • INTERNAL to use an in-configuration keystore.

Required.

DEFAULTKEY

The key to use. If a key is not derived from each signing request (using an implementation of the AliasSelector interface), this needs to be defined. Optional.

NEXTCERTSIGNKEY

The next key to use. Optional. For more information, see PKCS11CryptoToken.

When Using an Internal Keystore

The content of the keystore is not part of the regular worker properties. Thus, it is not included when running the dump properties command. It is also removed when removing the crypto worker (or regular worker when using the legacy method to set up crypto tokens). To backup the content of the crypto token, a database backup should be made. The password supplied when activating the token the first time will be used as the keystore password.

Special Case Type-specific Implementations

As a convenience, three type-specific implementations are available

P12CryptoToken

CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.P12CryptoToken

JKSCryptoToken

CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.JKSCryptoToken

KeystoreInConfigCryptoToken

CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreInConfigCryptoToken

These implementations work the same way as using a KeyStoreCryptoToken and setting KEYSTORETYPE to PKCS12, JKS, or INTERNAL respectively.