Manage the keystore
TrustEdge uses a keystore to store certificates, private keys, and Certificate Signing Requests (CSRs).
Default keystore
The default keystore is located at /etc/digicert/Keystore and contains the following subfolders:
Ownership and permissions
The keystore directory, together with all of its subdirectories and files, must be owned by the trustedge user and group. This is what allows the TrustEdge service to read from and write to the keystore under its own account. Set the ownership recursively with:
sudo chown -R trustedge:trustedge /etc/digicert/Keystore
Afterwards, confirm that every entry reports trustedge as both owner and group, for example with ls -lR /etc/digicert/Keystore. Any file created in the keystore by another account (for example, a certificate copied in as root) will break this rule until the chown is repeated.
Custom keystore
Warning
Use a custom keystore only in non-production environments, when working with custom trust chains, or when you need a non-standard or customized keystore. Make sure you fully understand and can manage the associated security risks.
Instead of the default keystore directory, you can point TrustEdge at a custom keystore location. A custom keystore must meet two requirements: it must use the same subfolder layout as the default keystore, and the whole directory tree must be owned by the trustedge user and group.
To set up a custom keystore:
1. Create the custom keystore directory structure, mirroring the subfolders of the default keystore (the brace expansion below requires bash or a comparable shell; in plain sh, create each subfolder separately):
mkdir -p /path/to/custom/keystore/{ca,certs,keys,conf,req}
2. Make sure the custom keystore and all of its subdirectories are owned by the trustedge user and group:
sudo chown -R trustedge:trustedge /path/to/custom/keystore
3. Test the custom keystore by passing the --key-store-path option to a TrustEdge certificate tool command, for example:
sudo -u trustedge trustedge certificate --key-store-path /path/to/custom/keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem
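The procedure above, together with the ownership check from the default-keystore section, as an added shell example (this is not TrustEdge's own tooling): it creates the five subfolders the page lists, applies the same recursive chown, and then verifies that every entry under the keystore is owned by the expected user and group. The owner and group are parameters so the functions can be exercised as any account; the world-readable check on the keys subfolder is an added hardening step that the page does not require, and the expectation that private keys are mode 0600 is an assumption.

```shell
#!/bin/sh
# Added example, not part of TrustEdge. Creates and verifies a keystore tree
# with the subfolders the page lists (ca, certs, keys, conf, req).
# Assumption: the service account is trustedge:trustedge as the page states;
# OWNER and GROUP are parameters so the functions can be run by any user.

KEYSTORE_SUBDIRS="ca certs keys conf req"

# create_keystore DIR OWNER GROUP
# Builds DIR/{ca,certs,keys,conf,req} and hands the whole tree to OWNER:GROUP,
# which is the same recursive chown the page prescribes for the default keystore.
create_keystore() {
    dir=$1; owner=$2; group=$3
    for sub in $KEYSTORE_SUBDIRS; do
        mkdir -p "$dir/$sub" || return 1
    done
    chown -R "$owner:$group" "$dir" || return 1
}

# list_foreign_entries DIR OWNER GROUP
# Prints every path under DIR that is not owned by OWNER:GROUP, one per line.
# Empty output means the ownership requirement is satisfied.
list_foreign_entries() {
    dir=$1; owner=$2; group=$3
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print
}

# list_world_readable_keys DIR
# Added hardening check (assumption, not a page requirement): private keys in
# DIR/keys should not be readable by "other", so list regular files that are.
list_world_readable_keys() {
    dir=$1
    [ -d "$dir/keys" ] || return 0
    find "$dir/keys" -type f -perm -004 -print
}

# verify_keystore DIR OWNER GROUP
# Returns 0 when all subfolders exist and the tree is wholly owned by
# OWNER:GROUP; otherwise reports the problem on stderr and returns 1.
verify_keystore() {
    dir=$1; owner=$2; group=$3
    for sub in $KEYSTORE_SUBDIRS; do
        if [ ! -d "$dir/$sub" ]; then
            echo "missing subfolder: $dir/$sub" >&2
            return 1
        fi
    done
    foreign=$(list_foreign_entries "$dir" "$owner" "$group")
    if [ -n "$foreign" ]; then
        echo "entries not owned by $owner:$group:" >&2
        echo "$foreign" >&2
        return 1
    fi
    exposed=$(list_world_readable_keys "$dir")
    if [ -n "$exposed" ]; then
        # Reported as a warning only; the page mandates ownership, not mode.
        echo "warning: world-readable files under $dir/keys:" >&2
        echo "$exposed" >&2
    fi
    return 0
}

# Typical use on a host (run as root):
#   create_keystore /path/to/custom/keystore trustedge trustedge
#   verify_keystore /path/to/custom/keystore trustedge trustedge
#   verify_keystore /etc/digicert/Keystore trustedge trustedge
```

verify_keystore deliberately treats a missing subfolder or a foreign owner as a hard failure, because both break TrustEdge's access to the keystore, while loose modes on key files only produce a warning, since the page does not state a mode requirement.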
Notice
The --key-store-path command-line option always overrides the keystore path specified in the trustedge.json configuration file. To make the custom keystore the new default, update the keystore_dir path in trustedge.json.