Undestanding tls keystores (docker setup)

[srmo]

Hello,

I'm having a hard time understanding how a custom keystore for the TLS Server certificate is supposed to work with the ejbca-ce:9.0.0 image

Please bear with me, I'm feeling pretty noobish.

I've created a jks with the (unencrypted) private key, a signed certificate and the certificate of the signing ca.

I then bind-mounted a directory, containing this jks into the container.
I.e. /var/docker/stuff/tls/ contains the jks in a 'ks' subfolder and I've bind mounted per directive in the docker compose file
/var/docker/stuff/tls:/opt/keyfactor/secrets/external/tls

I've provided the APPSERVER_KEYSTORE_SECRET variable with the password of the jks

The log says, its trying to import the keystore but then gets stuck with an error:

2025-04-03 15:13:02,880+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Setting up in-bound connectivity...
2025-04-03 15:14:07,892+0000 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2025-04-03 15:14:07+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1936615394
2025-04-03 15:14:08,623+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Use provided secret for the keystore
2025-04-03 15:14:08,629+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) No key password file were detected at '/opt/keyfactor/secrets/external/tls/ks/server.keypasswd'. Keystore password will also be used to access private key.
2025-04-03 15:14:08,636+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Importing keystore /opt/keyfactor/secrets/external/tls/ks/server.jks to /opt/keyfactor/tmp/tmp.c66Lh8EQNk/keystore.jks...
2025-04-03 15:14:08,636+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enter key password for <alias>Enter key password for <alias>Enter key password for <alias>keytool error: java.lang.Exception: Too many failures - try later
2025-04-03 15:14:09,566+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) keytool error: java.lang.Exception: Keystore file does not exist: /opt/keyfactor/tmp/tmp.c66Lh8EQNk/keystore.jks
2025-04-03 15:14:09,926+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Will use externally provided server side TLS keystore.
2025-04-03 15:14:21,393+0000 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2025-04-03 15:14:21+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1936615394
2025-04-03 15:14:21,462+0000 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2025-04-03 15:14:21+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1936615394
2025-04-03 15:14:21,818+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) No truststore and/or password file were detected at '/opt/keyfactor/secrets/external/tls/ts/truststore.[jks|storepasswd]'. Check mount points and file permissions if this is not what you expected.

Now:

• is this even the right way? Am I using the correct env variable for the jks password?
• does this even work with an unencrypted password, given that the logs suggest the key has to be encrypted?
• my Java-Keystore-Foo is pretty rusty, so, what do I have to do about the Truststore? Should I bother?

Scenario:

An EJBCA docker instance, with TLS_SETUP_ENABLED=later, the Management CA will be exported from an external CA.
The EJBCA docker instance should present a custom TLS Server certificate.
Client certificates will be signed by the same CA that signed the TLS Server certificate.

I hope that makes sense and you can bring me up to speed. I know, this is a bit of a hoshposh and I'm not even sure I've asked the right questions.

Hope you can help me get this sorted, cheers! :)

[srmo]

I've played a bit more and now also created a storepasswd with the password for the jks and a keypasswd file with the password for the key. Still no luck and the "keytool error: java.lang.Exception: Too many failures" still freaks me out.
Am I missing something in the docs about the many different parameters and their usage? Trying to understand the start.sh including its "source" files just confuses me more, like, some parameters are for the keystore to be imported, some for the target keystore, some are the same..

2025-04-04 14:59:26,060+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Setting up in-bound connectivity...
2025-04-04 15:00:31,455+0000 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2025-04-04 15:00:31+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1936615394
2025-04-04 15:00:32,221+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) ********************************************************************************************
2025-04-04 15:00:32,226+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Keystore password found at /opt/keyfactor/secrets/external/tls/ks/server.storepasswd
2025-04-04 15:00:32,232+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) We recommend using 'APPSERVER_KEYSTORE_SECRET' env variable to set the TLS keystore password.
2025-04-04 15:00:32,238+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) ********************************************************************************************
2025-04-04 15:00:32,244+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Use provided secret for the keystore
2025-04-04 15:00:32,251+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Importing keystore /opt/keyfactor/secrets/external/tls/ks/server.jks to /opt/keyfactor/tmp/tmp.Q5NlkNRJtu/keystore.jks...
2025-04-04 15:00:32,251+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enter key password for <ejbca.ponton.de>Enter key password for <ejbca.ponton.de>Enter key password for <ejbca.ponton.de>keytool error: java.lang.Exception: Too many failures - try later
2025-04-04 15:00:33,193+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) keytool error: java.lang.Exception: Keystore file does not exist: /opt/keyfactor/tmp/tmp.Q5NlkNRJtu/keystore.jks
2025-04-04 15:00:33,562+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Will use externally provided server side TLS keystore.

Output still freaks me out...

[primetomas]

There is an example toward the bottom of the doc page. I tested and added this sample command recently when there was another question here on the forum.
https://hub.docker.com/r/keyfactor/ejbca-ce

[srmo]

Hi, thanks for the answer. And this is basically solved but I'd like to hear your thoughts on my observations.

TL;DR
It works now if I use the same password for jks and key or use a p12 without encrypted key. It looks like the inititialisation scripts do not support a dedicated key password in the initial, external store.
I had to use the same password for key and keystore (jks) or use a bare p12, which has the key unencrypted if I'm not mistaken.
(created via: openssl pkcs12 -export -in <certificate> -inkey <encrypted_private_key> -certfile <ca-certificate> -out ejbca.p12 -name <alias>)

(Addendum: I'm not entirely sure if the key in this p12 is really unencrypted, its just my assumption based on some simple keytests of the resulting store)

The long text

I'm not sure how this is supposed to work. For a password protected keystore (jks) with a password protected key, where the key password is different from the keystore, the start script report

INFO  [/opt/keyfactor/bin/start.sh] (process:1) Importing keystore /opt/keyfactor/secrets/external/tls/ks/server.jks to /opt/keyfactor/tmp/tmp.Q5NlkNRJtu/keystore.jks...
INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enter key password for <alias>Enter key password for <alias>Enter key password for <alias>keytool error: java.lang.Exception: Too many failures - try later
INFO  [/opt/keyfactor/bin/start.sh] (process:1) keytool error: java.lang.Exception: Keystore file does not exist: /opt/keyfactor/tmp/tmp.Q5NlkNRJtu/keystore.jks
INFO  [/opt/keyfactor/bin/start.sh] (process:1) Will use externally provided server side TLS keystore.

When checking the (probable) source of this error message I assume it comes from:
after-deployed.sh and the code:

java_keytool -importkeystore -noprompt \
        -srckeystore "$keyStoreJks" -srcstorepass "$storepasswd" \
        -destkeystore "$targetKeyStore" -deststoretype jks -deststorepass "$targetKeyStoreProtection" \
        | log "INFO"

But this clearly doesn't take a parameter for the keypassword, and at most assumes that the key-password is the same as the jks password (based on keytool behaves)
So, is my assumption to have the key encrypted with its own password wrong?
I already changed all passwords (keystore and key) to bei just alphanumeric, to rule out any special characters.

What am I missing? Did I look in the wrong places and my analysis/interpretation is wrong?
Given, that I'm not importing from a p12 but a jks, maybe I should test that because I stumbled upon the fact that keytool didn't let me create a key with the same password as the store in the jks, which again might have been my mistake.

[primetomas]

The key in PKCS#12 is encrypted, but everything sensitive is encrypted using the same password derived encryption key, typically AES in modern systems.

Actually JKS keystores are a deprecated feature in WildFly, their desire is to move to PKCS#12 as the JKS format is not being updated with more modern cryptography.

[srmo]

Alright, so I document that we need to use p12 and that the secret protecting the key material in the p12 store is basically unlocked by the p12 store. Thanks for sticking with me and clarifying those details!