Skip to main content

Manage the keystore

TrustEdge uses a keystore to store certificates, private keys, and Certificate Signing Requests (CSRs).

Default keystore

The default keystore is located at /etc/digicert/Keystore and contains the following subfolders:

Ownership and permissions

To ensure proper functionality, the keystore directory, along with all its subdirectories and files, must be owned by the trustedge user and group. This guarantees that TrustEdge has the necessary permissions to read from and write to the keystore securely.

You can verify and set the ownership using the following command:

sudo chown -R trustedge:trustedge /etc/digicert/Keystore

Warning

Use a custom keystore only in non-production environments, when working with custom trust chains, or if you need a non-standard or customized keystore. Make sure you fully understand and can manage the associated security risks.

Instead of using the default keystore directory, you can specify a custom keystore location for TrustEdge. To successfully use a custom keystore, you must understand the following requirements:

To set up a custom keystore:

  1. Create the custom keystore directory structure.

    mkdir -p /path/to/custom/keystore/{ca,certs,keys,conf,req}
  2. Make sure all sub directories in the custom keystore are owned by the trustedge user and group.

    sudo chown -R trustedge:trustedge /path/to/custom/keystore
  3. You can test the custom keystore by using the --key-store-path option when running TrustEdge certificate tool commands.

    sudo -u trustedge trustedge certificate --key-store-path /path/to/custom/keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem

Notice

The command-line option will always override the keystore path specified in the trustedge.json configuration file. You can update the keystore_dir path in the trustedge.json file to make the custom keystore the new default keystore.