AEM uses public/private key pairs to securely communicate with Adobe I/O and other web services. This short tutorial illustrates how compatible keys and keystores can be generated using the openssl command line tool that works with both AEM and Adobe I/O.
This guide creates self-signed keys useful for development and use in lower environments. In production scenarios, keys are typically generated and managed by an organization’s IT security team.
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
To complete the openssl generate command, provide the certificate information when requested. Adobe I/O and AEM do not care what these values are, however they should align with, and describe your key.
Generating a 2048 bit RSA private key ...........................................................+++ ...+++ writing new private key to 'private.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) :US State or Province Name (full name) :CA Locality Name (eg, city) :San Jose Organization Name (eg, company) :Example Co Organizational Unit Name (eg, section) :Digital Marketing Common Name (eg, fully qualified host name) :com.example Email Address :firstname.lastname@example.org
Key pairs can be added to a new PKCS12 keystore. As part of openssl’s pcks12 command, the name of the keystore (via
- caname), the name of the key (via
-name) and the keystore’s password (via
- passout) are defined.
These values are required to load the keystore and keys into AEM.
$ openssl pkcs12 -export -caname my-keystore -in certificate.crt -name my-key -inkey private.key -out keystore.p12 -passout pass:my-password
The output of this command is a
The parameter values of my-keystore, my-key and my-password are to be replaced by your own values.
The Java keytool command line tool provides visibility into a keystore to ensure the keys are successfully loaded in the keystore file (keystore.p12).
$ keytool -keystore keystore.p12 -list Enter keystore password: my-password Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry my-key, Feb 5, 2019, PrivateKeyEntry, Certificate fingerprint (SHA1): 7C:6C:25:BD:52:D3:3B:29:83:FD:A2:93:A8:53:91:6A:25:1F:2D:52
AEM uses the generated private key to securely communicate with Adobe I/O and other web services. In order for the private key to be accessible to AEM, it must be installed into an AEM user’s keystore.
Navigate to AEM > Tools > Security > Users and edit the user the private key is to be associated with.
AEM > Tools > Security > Users > Edit user
If prompted to create a keystore, do so. This keystore will exist only in AEM and is NOT the keystore created via openssl. The password can be anything and does not have to be the same as the password used in the openssl command.
User > Keystore > Add private key from keystore
In the user’s keystore console, click Add Private Key form KeyStore file and add the following information:
New Alias: the key’s alias in AEM. This can be anything and does not have to correspond with the name of the keystore created with the openssl command.
Keystore File: the output of the openssl pkcs12 command (keystore.p12)
Private Key Alias: The password set in the openssl pkcs12 command via
- passout argument.
Private Key Password: The password set in the openssl pkcs12 command via
- passout argument.
User > Keystore
When the private key is successfully loaded from the provided keystore into the AEM keystore, the private key’s metadata displays in the user’s keystore console.
The matching public key must be uploaded to Adobe I/O to allow the AEM service user, who has the public key’s corresponding private to securely communicate.
Create Adobe I/O Integration > New Integration
Creating a new integration in Adobe I/O requires uploading a public certificate. Upload the certificate.crt generated by the
openssl req command.
The installed public keys and their expiry dates are listed in the Integrations console on Adobe I/O. Multiple public keys can be added via the Add a public key button.
Now AEM hold the private key and the Adobe I/O integration holds the corresponding public key, allowing AEM to securely communicate with Adobe I/O.