PEM is a well know file format when it comes to certificates. And when using Kubernetes (or OpenShift in my case) it is so easy to re-use the internal CA for some tasks.
Except when it comes to Java. As Java does only use JKS (its Java-only, binary keystore) or PKCS12 for keys and certificates. Google offers you a bunch of tutorials, on how to convert PEM encoded certificates to JKS or PKCS12, so that Java can consume that. But that may be ugly in a lot of situations. Doing that manually once if fine. But adding this to e.g. a pod, becomes a lengthy YAML init container setup, which seems unnecessary to me.
But Java does allow the use of security providers, which may extend the security system. However searching the net, I couldn’t find anything which would provider a PEM based KeyStore. Maybe that was simply due to the fact that the over “convert PEM to …” tutorials spammed the search results.
So I went along and simply created my own provider. For my own use case, which is using the OpenShift service CA certificate. It only took a few minutes to do the actual implementation as reading a PEM file is no mystery.
In case you need to use a PEM encoded X.509 certificate in Java, you now can either re-encode that with
openssl on the command line or simply drop on this provider and use
PEM as the KeyStore type:
<dependency> <groupId>de.dentrassi.crypto</groupId> <artifactId>pem-keystore</artifactId> <version>2.0.0</version> </dependency>
KeyStore keyStore = KeyStore.getInstance("PEM");
For more information see: ctron/pem-keystore at GitHub
If you know some other provider which supports this, please let me know and I would be happy to switch as this is only a scratch to my itch :) On the other hand if this is useful to you, then please let me know. There are still a few things missing, like
keys and Java 9+ support. But maybe you want to submit a pull request for that :D
Update: I did release an update of this provider. Version 2.0 has support for keys and CA bundles.