Keystore/trustore file of certs loaded in supplemental folder

derrickdvdsn · June 1, 2023, 1:06pm

After placing certificates in "Ignition\data\certificates\supplemental" in which keystore/truststore are they loaded to?

I don't see them in Ignition\lib\runtime\jre-win\lib\security\cacerts nor do I see them in metro-keystore

Thanks in advance.

Kevin.Herron · June 1, 2023, 1:12pm

This should be where they end up.

Did you restart the Ignition Gateway after adding certs to that directory?

derrickdvdsn · June 1, 2023, 3:42pm

Yes, I did restart it.

I have a .pfx file in the folder

But I can't seem to find it in the cacerts

The one highlighted in yellow is another cert that I inserted manually.
so ideally I would have to have 2 certs.

Kevin.Herron · June 1, 2023, 3:43pm

You need to drop a DER-encoded or PEM-encoded certificate file into that directory, not a PFX file.

derrickdvdsn · June 5, 2023, 12:34pm

Does this load into the "cacerts"?

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream(certPath), certPass);

Kevin.Herron · June 5, 2023, 1:25pm

https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html#getInstance-java.lang.String-

A new KeyStore object encapsulating the KeyStoreSpi implementation from the first Provider that supports the specified type is returned.

derrickdvdsn · June 5, 2023, 2:03pm

@Kevin.Herron
can you please help me understand why this piece of code works only when I put the "xyz.pfx" file in the Ignition\data\certificates\supplemental folder?

String certPath = "C:\folder\xyz.pfx";
String pass = "test_password";
char certPass[] = pass.toCharArray();
try {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(new FileInputStream(certPath), certPass);
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, certPass);
    SSLContext ctx = SSLContext.getInstance("TLSv1.3");
    ctx.init(keyManagerFactory.getKeyManagers(), null, null);
    HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();

Without the "xyz.pfx" in the supplemental folder, the code compiles and executes but I get "java.net.ConnectException' error"

Kevin.Herron · June 5, 2023, 2:07pm

Sorry, I have no idea why that makes a difference.

I'd only expect it to work if there was actually a PFX at this path containing the appropriate root for whatever server you're talking to.

derrickdvdsn · June 5, 2023, 2:31pm

There is a PFX file in that directory but even if I put it in another directory like

String certPath = "D:\folder\xyz.pfx";

it seems to work as long as the PFX file is in the supplemental folder.