Manage the keystore

TrustEdge uses a keystore to store certificates, private keys, and Certificate Signing Requests (CSRs).

Default keystore

The default keystore is located at /etc/digicert/keystore and contains the following subfolders:

Table 1. Default keystore directory structure

Directory path	Purpose
`/etc/digicert/keystore/ca`	Stores CA certificates.
`/etc/digicert/keystore/certs`	Stores signed certificates.
`/etc/digicert/keystore/conf`	Stores configuration files for Certificate Signing Requests (CSR).
`/etc/digicert/keystore/keys`	Holds generated private keys.
`/etc/digicert/keystore/req`	Stores certificate requests.

Ownership and permissions

To ensure proper functionality, the keystore directory, along with all its subdirectories and files, must be owned by the trustedge group. This guarantees that TrustEdge and trusted users have the necessary permissions to read from and write to the keystore securely.

Set up a custom keystore

Warning

Use a custom keystore only in non-production environments, when working with custom trust chains, or if you need a non-standard or customized keystore. Make sure you fully understand and can manage the associated security risks.

Instead of using the default keystore directory, you can specify a custom keystore location for TrustEdge. To successfully use a custom keystore, you must understand the following requirements:

Permissions: The custom keystore directory and its subdirectories must be owned by the trustedge group. The user creating and managing these directories must be a member of the trustedge group.
Directory structure: The custom keystore directory must contain specific subdirectories required by TrustEdge. These subdirectories are:
- ca: Stores CA certificates.
- certs: Stores signed certificates.
- keys: Holds generated private keys.
- conf: Contains configuration files.
- req: Stores certificate requests (CSRs).
Custom keystore configuration: To use a custom keystore for individual TrustEdge command line tool commands, specify the path with the --key-store-path option. For permanent use, update the keystore_dir parameter in the trustedge.json file. This allows you to either override the default keystore on a per-command basis or set a global custom keystore for all operations.

To set up a custom keystore:

Start by creating the main directory for the custom keystore. Replace /path/to/custom/keystore/ with the desired path for your keystore.
```
mkdir /path/to/custom/keystore/
```
Set the group ownership of the directory to the trustedge group. This ensures that TrustEdge and group members can manage the keystore.
```
chown -R $(whoami):trustedge /path/to/custom/keystore/
```
Important
The user running the above command must be a member of the trustedge group. Use the groups $(whoami) command to view group membership.
Adjust the permissions of the keystore directory to ensure secure access while maintaining functionality.
```
chmod 2770 /path/to/custom/keystore/
```
Note
Command breakdown:
- chmod: Changes file or directory permissions.
- 2770: 2 Sets the SetGID (Set Group ID) bit, ensuring that all new files and directories created within inherit permissions. 7 Grants read (r), write (w), and execute (x) permissions to the directory owner. 7 Grants the same permissions to the group. 0 Denies all permissions to others.
- /path/to/custom/keystore/: Specifies the target directory.
Create the required subdirectories inside the keystore directory for organizing different types of files, such as root CAs, certificates, keys, and configurations).
```
mkdir -p /path/to/custom/keystore/{ca,certs,keys,conf,req}
```
Verify the directory structure and permissions.
```
ls -l -R /path/to/custom/keystore/
```

You can test the custom keystore by using the --key-store-path option when running TrustEdge certificate tool commands.

 trustedge certificate --key-store-path /path/to/custom/keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem

Notice

The command-line option will always override the keystore path specified in the trustedge.json configuration file. You can update the keystore_dir path in the trustedge.json file to make the custom keystore the new default keystore.

In this section: