JSS KeyStore

From Dogtag
Jump to: navigation, search


Prior to version 4.5 JSS did not support keystore. The org.mozilla.jss.crypto.CryptoStore class might be able to provide some of keystore functionality.

In JSS 4.5 the keystore functionality will be implemented to support the following functionality:

  • running Tomcat with SSL server certificate and key stored in HSM.

See also:


Alias is an identifier for an entry in the PKCS #11 token. An alias has the following format:


The <token> is the token name. It only needs to be specified for external tokens.

The <nickname> is the identifier of the entry within the token, which could be a certificate nickname or a hexadecimal key ID.

For example, in internal token:

  • cert nickname: ca_signing
  • key ID: b9f35690a423c5047b6a37fb15a8a5af5ed33012

In external token (e.g. HSM):

  • cert nickname: HSM:sslserver
  • key ID: HSM:7ec9ebac7a47faa47a9ca74e728abdfa11f14869

Creating a KeyStore

Before creating a keystore, make sure that:

  • the NSS database already exists
  • the CryptoManager instance has been initialized
  • token authentication has been done

then the keystore can be created as follows:

KeyStore ks = KeyStore.getInstance("pkcs11", "Mozilla-JSS");

By default the keystore is not associated with a specific token, so operations such as aliases() will return aliases from all available tokens.

To configure the keystore to use a specific token:

CryptoToken token = ...
ks.load(new JSSLoadStoreParameter(token));

in that case aliases() will return aliases only from the specified token.

Getting Aliases

To get all aliases:

Enumeration<String> aliases = ks.aliases();

while (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();

As mentioned above, by default the keystore is not associated with any specific token, so aliases() will return aliases from all available tokens.

If the keystore is configured using load() to use a specific token, the aliases() will return aliases from that token only.

Checking a Certificate

To check if an alias is a certificate:

boolean result = ks.isCertificateEntry(alias);

Getting a Certificate

To get a certificate:

Certificate cert = ks.getCertificate(alias);

Adding a Certificate

To add a certificate:

Certificate cert = ...;
ks.setCertificateEntry(alias, cert);

Removing a Certificate

To remove a certificate:


Getting a Certificate Chain

To get a certificate chain:

Certificate[] chain = ks.getCertificateChain(alias);

for (Certificate cert : chain) {

Checking a Key

To check if an alias is a key:

boolean result = ks.isKeyEntry(alias);

Getting a Key

To get a key:

Key key = ks.getKey(alias, null);

Removing a Key

To remove a key: