Keystore Crypto Token
The Keystore Crypto Token uses a keystore: either a PKCS#12 (.p12/.pfx) or legacy Java JKS (.jks) keystore file in the local file system, or an internal keystore stored in the worker's configuration in the database.
Fully qualified class name: CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
Overview
To download a sample configuration file for this Worker, see Sample Worker Configurations.
Available Properties
Required Property | Description |
|---|---|
KEYSTOREPATH | Full path to the keystore file to load (PKCS12 and JKS keystores; not applicable to an INTERNAL keystore). From SignServer 7.6, the directory the keystore is loaded from must be on the allowlist of permitted keystore directories, otherwise the token will not load. See Deploy-time Configuration. |
KEYSTORETYPE | Type of keystore: PKCS12 (a PKCS#12 file), JKS (a legacy Java keystore file) or INTERNAL (a keystore stored in the configuration in the database). |

Optional Property | Description |
|---|---|
DEFAULTKEY | The key alias to use. Must be set unless the key is selected per signing request by an implementation of the Alias Selector interface. |
KEYSTOREPASSWORD | Password that unlocks the keystore. When set, the token is activated automatically at startup. Because it is stored as a worker property, the password is readable by anyone who can read or dump the worker configuration; leave it unset to require manual activation. |
NEXTCERTSIGNKEY | The next key to use when renewing the signer certificate. For more information, see PKCS#11 Crypto Token. |
Using an Internal Keystore
The content of an internal keystore is not part of the regular Worker properties, so it is not included in the output of the dump properties command, and it is deleted together with the Crypto Worker (or the regular Worker, when the legacy method of configuring the crypto token directly on the signer is used). To back up the content of the crypto token, back up the database. The password supplied when the token is activated for the first time becomes the keystore password.
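The following worker configuration file is an added example; it is not taken from the SignServer documentation or its sample configurations. It shows the properties from the table above for a file-based PKCS#12 token with automatic activation and, for the internal keystore described in this section, a database-backed INTERNAL token without a stored password. The WORKERGENID prefix and the CryptoWorker implementation class are assumed from SignServer's general worker-configuration conventions; the paths, worker names, password and key alias are placeholders.

```properties
# Added example worker configuration (not SignServer's own sample file).
# Assumed: the WORKERGENID1/WORKERGENID2 prefix and the CryptoWorker
# implementation class follow SignServer's general worker-configuration
# conventions; paths, names, the password and the key alias are placeholders.

## Crypto Worker 1: PKCS#12 keystore on disk, activated automatically.
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID1.NAME=CryptoTokenP12
WORKERGENID1.KEYSTORETYPE=PKCS12
# From SignServer 7.6 the directory /opt/signserver/keystores must be on the
# keystore-directory allowlist (see Deploy-time Configuration), or the token
# will not load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystores/signer.p12
# KEYSTOREPASSWORD enables automatic activation at startup. It is stored as a
# worker property, so anyone who can read or dump the worker configuration
# can read it. Leave it out to require manual activation instead.
WORKERGENID1.KEYSTOREPASSWORD=changeit
WORKERGENID1.DEFAULTKEY=signer-key

## Crypto Worker 2: keystore held in the database (INTERNAL), activated manually.
WORKERGENID2.TYPE=CRYPTO_WORKER
WORKERGENID2.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
WORKERGENID2.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID2.NAME=CryptoTokenInternal
WORKERGENID2.KEYSTORETYPE=INTERNAL
# No KEYSTOREPATH: the keystore lives in the worker configuration in the
# database, and the password supplied at the first activation becomes the
# keystore password. No KEYSTOREPASSWORD, so activation is an explicit step.
WORKERGENID2.DEFAULTKEY=signer-key
```

Load the file with the SignServer admin CLI (`bin/signserver setproperties <file>` followed by `bin/signserver reload all`), then activate the internal token with `bin/signserver activatecryptotoken CryptoTokenInternal <password>`; on the first activation that password is set as the keystore password, and a key still has to be generated into the empty internal keystore before DEFAULTKEY resolves to anything. Those CLI commands are the standard admin CLI commands as understood here, not something this page documents, so check them against your SignServer version.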
Special Case Type-specific Implementations
As a convenience, three type-specific implementations are available, one for each keystore type. They work the same way as the Keystore Crypto Token with KEYSTORETYPE set to PKCS12, JKS or INTERNAL respectively.
Composite Certificates
The Keystore Crypto Token can be used to create a composite key. For more information, see SignServer Composite Certificates.