My apologies for the long post.
I read in the AWS docs that, when keys are generated using the Java keytool, the certificates are stored in a local store file and the actual private key material is stored in Cloud HSM.
Generate keypair with a certificate without store file
keytool -genkeypair -alias alias1 -dname "CN=alias1.example.com, OU=Research, O=Acme, L=XYZ, ST=CA, C=US" -storepass password -keyalg rsa -keysize 2048 -sigalg sha512withrsa -validity 360 -storetype CLOUDHSM -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib
Is there a default location where the default local store file is created?
When I execute the list command using the Java keytool, I get all the keys I added, and somehow it is able to access the default store file.
Listing all aliases without a store file
keytool -list -v -storetype CLOUDHSM -storepass password -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib/
If I generate keys passing the keystore option, then the certificate is stored in the store file as expected.
Generate keypair with a certificate with store file
keytool -genkeypair -alias alias1 -keystore /home/user/my_cloudhsm/my-cloudhsm.store -dname "CN=alias1.example.com, OU=Research, O=Acme, L=XYZ, ST=CA, C=US" -storetype CLOUDHSM -storepass password -keyalg rsa -keysize 2048 -sigalg sha512withrsa -validity 360 -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib
Listing all aliases without a store file
keytool -list -keystore /home/user/akana_cloudhsm/eap-cloudhsm.store -v -storetype CLOUDHSM -storepass password -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib/
But when I execute the list command with the keystore option, it returns all the aliases from all the keystores. I am expecting keys only from my-cloudhsm.store.
Why is this happening?
I downloaded my-cloudhsm.store and opened it in KeyStore Explorer, and I see symmetric keys, trusted certs, and public-private key pairs all in that store file. As per the documentation, I should see only certificates corresponding to key pairs and any imported trusted certificates.
I am also able to export the private key from the store file, but, as expected, the private key is not complete.
[Screenshots: symmetric keys, trusted certs and public-private key pairs shown in the store file; exporting the private key; the exported private key is not complete]
My understanding is that CloudHSM maintains a local store file that has references to all the items added, including asymmetric key pairs and symmetric keys, but the actual key material is stored in Cloud HSM.
If this is correct, then if I have 3 applications running on 3 different machines accessing Cloud HSM, does this local file need to be synced on all 3 machines, or should I copy the store file to an external file system and mount that onto all 3 machines?
Questions
- Why/how does list return all aliases from all the store files even when a particular file is passed?
- Does the Java integration with Cloud HSM work only with a store file (some input stream)? I cannot have different applications read directly from Cloud HSM without syncing the store file.
- Is there an inbuilt mechanism to sync the store file on all machines?
- Is it a good idea to have a dedicated machine to manage keys (generate, delete) and sync the store file to all the applications?
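A way to check the first two questions directly from the JCA API rather than through keytool, as an added example that is not part of the original post and not AWS code: it loads the CLOUDHSM keystore once with no input stream and once from the store file named on the command line, lists the aliases each load reports, and shows what the JCA object for every entry actually exposes (entry type, whether a certificate chain is present, and whether the key object carries any encoded bytes, which for an HSM-backed key is a handle rather than the private key material). It assumes the CloudHSM JCE provider is registered in java.security so that the keystore type "CLOUDHSM" resolves, that the provider's login credentials are configured the way its documentation describes, and that it is run with the same -classpath and -Djava.library.path values used for keytool above; the class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.TreeSet;

/*
 * Added example (not AWS code). Assumes the CloudHSM JCE provider is
 * registered in java.security and its login credentials are configured
 * per the provider documentation.
 */
public class CloudHsmStoreCompare {

    // Load the CLOUDHSM keystore either with no store file (null stream,
    // the keytool "no -keystore" case) or from the given store file.
    static KeyStore load(String storeFile, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("CLOUDHSM");
        if (storeFile == null) {
            ks.load(null, password);
        } else {
            try (InputStream in = new FileInputStream(storeFile)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    // Sorted alias set so the two loads can be compared as sets.
    static TreeSet<String> aliases(KeyStore ks) throws Exception {
        return new TreeSet<>(Collections.list(ks.aliases()));
    }

    // Report what the JCA objects for one alias actually expose.
    static String describe(KeyStore ks, String alias, char[] password) throws Exception {
        StringBuilder sb = new StringBuilder(alias).append(": ");
        if (ks.isCertificateEntry(alias)) {
            Certificate c = ks.getCertificate(alias);
            sb.append("trusted certificate entry (").append(c.getType()).append(")");
        } else if (ks.isKeyEntry(alias)) {
            Key k = ks.getKey(alias, password);
            sb.append("key entry, algorithm=").append(k.getAlgorithm());
            sb.append(", format=").append(k.getFormat());
            // Some HSM providers return null or throw for non-extractable keys;
            // treat both as "no key material available here".
            String enc;
            try {
                byte[] b = k.getEncoded();
                enc = (b == null) ? "none" : b.length + " bytes (handle/reference, not key material)";
            } catch (RuntimeException e) {
                enc = "not exportable (" + e.getClass().getSimpleName() + ")";
            }
            sb.append(", encoded=").append(enc);
            Certificate[] chain = ks.getCertificateChain(alias);
            sb.append(", certificate chain=").append(chain == null ? "absent (likely a symmetric key)" : chain.length + " cert(s)");
        } else {
            sb.append("unknown entry type");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: CloudHsmStoreCompare <storepass> [store-file]");
            System.exit(2);
        }
        char[] pw = args[0].toCharArray();
        KeyStore noFile = load(null, pw);
        TreeSet<String> fromHsm = aliases(noFile);
        System.out.println("Aliases with no store file: " + fromHsm);
        for (String a : fromHsm) System.out.println("  " + describe(noFile, a, pw));

        if (args.length > 1) {
            KeyStore withFile = load(args[1], pw);
            TreeSet<String> fromFile = aliases(withFile);
            System.out.println("Aliases from " + args[1] + ": " + fromFile);
            for (String a : fromFile) System.out.println("  " + describe(withFile, a, pw));

            TreeSet<String> onlyInFile = new TreeSet<>(fromFile);
            onlyInFile.removeAll(fromHsm);
            TreeSet<String> onlyWithoutFile = new TreeSet<>(fromHsm);
            onlyWithoutFile.removeAll(fromFile);
            // If both sets are empty, the store file did not narrow the listing,
            // which is the behaviour the question describes.
            System.out.println("Only when loading the file: " + onlyInFile);
            System.out.println("Only when loading without a file: " + onlyWithoutFile);
        }
    }
}
```

Run it with the same JVM settings as the keytool commands above, for example `java -cp '/opt/cloudhsm/java/*:.' -Djava.library.path=/opt/cloudhsm/lib CloudHsmStoreCompare password /home/user/my_cloudhsm/my-cloudhsm.store`. If the two alias sets come out identical, the store file is not what scopes the listing; what a key entry's `getEncoded()` returns (nothing, or a short handle) is the programmatic counterpart of the "private key is not complete" export seen in KeyStore Explorer.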