Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ server:
host:
port: 8089
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
Contributor

@GiooDev GiooDev Jan 16, 2026

What are these application-dev files for, and do they work? @mkhediri

Because in any case they do not seem aligned with the configs in the vitamui/ role:
trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks with vitamui_certificate_type: external

If we refer to the application.yml files of the role, it should be truststore_external given the call that is made.

Contributor Author

In application-dev.yml, the configuration is intended for runs in DEV mode, and it points to the keystores/truststores generated for the VitamUI services.
However, I do not understand why, in the case of the Ansible roles, it points to the external truststore.

Contributor

@bbenaissa @lotfivitam Any idea? :)

trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.2,TLSv1.3
Expand All @@ -53,10 +53,10 @@ archive-search:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/archive-search/keystore_archive-search.jks
key-password: changeme
type: JKS
hostname-verification: false
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,10 @@ archive-search:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
key-password: changeme
type: JKS
hostname-verification: false
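Review bot: in this client `ssl-configuration` block the new `keystore.key-path` points to `vitamui-services/server/archive-search/keystore_archive-search.jks`, while the same block in the application-dev.yml hunk above was moved to `vitamui-services/clients/archive-search/`. If this keystore is presented as a client certificate, take it from the `clients/` tree as the dev profile does; if the `server/` path is intentional here, a comment saying why would help.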
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ server:
host:
port: 8090
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_collect.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/collect/keystore_collect.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.2,TLSv1.3
Expand All @@ -51,10 +51,10 @@ collect:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_collect.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/collect/keystore_collect.jks
key-password: changeme
type: JKS
hostname-verification: false
4 changes: 2 additions & 2 deletions api/api-gateway/src/main/resources/application-dev.yml
@@ -1,11 +1,11 @@
server:
port: 8070
ssl:
key-store: ../../dev-deployment/environments/keystores/server/localhost/keystore_api-gateway.jks
key-store: ../../dev-deployment/environments/keystores/vitamui-services/server/api-gateway/keystore_api-gateway.jks
key-store-password: changeme
key-password: changeme
client-auth: need
trust-store: ../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
max-http-request-header-size: 16KB

16 changes: 8 additions & 8 deletions api/api-iam/iam/src/main/resources/application-dev.yml
Expand Up @@ -22,10 +22,10 @@ server:
host:
port: 8083
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/iam/keystore_iam.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.2,TLSv1.3
Expand Down Expand Up @@ -53,10 +53,10 @@ cas-client:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
key-password: changeme
type: JKS
hostname-verification: false
Expand Down Expand Up @@ -112,11 +112,11 @@ provisioning-client:
secure: false
ssl-configuration:
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
key-password: changeme
type: JKS
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
type: JKS
hostname-verification: false
Expand All @@ -126,11 +126,11 @@ provisioning-client:
secure: true
ssl-configuration:
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
key-password: changeme
type: JKS
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
type: JKS
hostname-verification: false
4 changes: 2 additions & 2 deletions api/api-iam/iam/src/test/resources/application.yml
Expand Up @@ -62,10 +62,10 @@ cas-client:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/iam/keystore_iam.jks
key-password: changeme
type: JKS
hostname-verification: false
8 changes: 4 additions & 4 deletions api/api-ingest/ingest/src/main/resources/application-dev.yml
Expand Up @@ -15,10 +15,10 @@ server:
host:
port: 8088
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_ingest.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/ingest/keystore_ingest.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.2,TLSv1.3
Expand All @@ -43,10 +43,10 @@ ingest:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_ingest.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/ingest/keystore_ingest.jks
key-password: changeme
type: JKS
hostname-verification: false
4 changes: 2 additions & 2 deletions api/api-ingest/ingest/src/test/resources/application.yml
Expand Up @@ -24,10 +24,10 @@ ingest:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
key-password: changeme
type: JKS
hostname-verification: false
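Review bot: `keystore.key-path` in the `ingest:` client block still loads `keystore_archive-search.jks`, another service's keystore, and now takes it from the `server/` tree. The old line had the same cross-service reference, so this looks inherited rather than intended. Pointing it at `vitamui-services/clients/ingest/keystore_ingest.jks`, as application-dev.yml for ingest does, would keep the test profile consistent with the per-service layout this change introduces.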
8 changes: 4 additions & 4 deletions api/api-pastis/pastis/src/main/resources/application-dev.yml
Expand Up @@ -35,10 +35,10 @@ server:
host:
port: 8015
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_pastis.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/pastis/keystore_pastis.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.1,TLSv1.2,TLSv1.3
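Review bot: the context line `enabled-protocols: TLSv1.1,TLSv1.2,TLSv1.3` in this `server.ssl` block still enables TLSv1.1, whereas the other services whose `enabled-protocols` line is visible in this diff list `TLSv1.2,TLSv1.3` only. Since the block is being edited anyway, drop TLSv1.1 here so pastis matches the rest.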
Expand All @@ -62,10 +62,10 @@ pastis:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_pastis.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/pastis/keystore_pastis.jks
key-password: changeme
type: JKS
hostname-verification: false
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ server:
port: 8087
tomcat.connection-timeout: 60000
ssl:
key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_referential.jks
key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/referential/keystore_referential.jks
key-store-password: changeme
key-password: changeme
trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
trust-store-password: changeme
client-auth: want
enabled-protocols: TLSv1.2,TLSv1.3
Expand All @@ -49,10 +49,10 @@ referential:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_referential.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/referential/keystore_referential.jks
key-password: changeme
type: JKS
hostname-verification: false
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@ referential:
secure: true
ssl-configuration:
truststore:
key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
key-password: changeme
type: JKS
hostname-verification: false
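Review bot: `keystore.key-path` under `referential:` loads the archive-search server keystore (`.../server/archive-search/keystore_archive-search.jks`) instead of a keystore issued for referential. Suggest `vitamui-services/clients/referential/keystore_referential.jks`, which is the path the dev profile of this service now uses for the same block.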
8 changes: 4 additions & 4 deletions cas/cas-server/src/main/config/cas-server-application-dev.yml
Expand Up @@ -9,12 +9,12 @@ spring:
server:
ssl:
#client-auth: want
key-store: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
key-store: ../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
key-store-password: changeme
key-password: changeme
enabled-protocols: TLSv1.2,TLSv1.3
ciphers: ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
#trust-store: ../../dev-deployment/environments/keystores/server/truststore_server.jks
#trust-store: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
#trust-store-password: changeme
host: dev.vitamui.com
port: 8080
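Review bot: the `#trust-store:` line is updated but stays commented out, next to `#client-auth: want`, so the new `truststore_vitamui.jks` path is never loaded by this `server.ssl` block. Either enable both lines or remove them, so the file does not carry a path that nothing exercises; if client authentication is deliberately off for cas-server in dev, a one-line comment saying so would be enough.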
Expand Down Expand Up @@ -49,11 +49,11 @@ iam-client:
secure: true
ssl-configuration:
keystore:
key-path: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
key-path: ../../dev-deployment/environments/keystores/vitamui-services/clients/cas-server/keystore_cas-server.jks
key-password: changeme
type: JKS
truststore:
key-path: ../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
hostname-verification: false

Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ spring:

server:
ssl:
key-store: ../../../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
key-store: ../../../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
key-store-password: changeme
key-password: changeme
enabled-protocols: TLSv1.2,TLSv1.3
Expand All @@ -29,11 +29,11 @@ iam-client:
secure: true
ssl-configuration:
keystore:
key-path: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
key-path: ../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
key-password: changeme
type: JKS
truststore:
key-path: ../../dev-deployment/environments/keystores/server/truststore_server.jks
key-path: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
key-password: changeme
hostname-verification: false

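Review bot: path depth is inconsistent within this file: `server.ssl.key-store` climbs four levels (`../../../../dev-deployment/...`) while the `iam-client` `keystore.key-path` and `truststore.key-path` climb two (`../../dev-deployment/...`), so they are unlikely to resolve from the same working directory. The `iam-client` keystore is also taken from `server/cas-server/`, where cas-server-application-dev.yml uses `clients/cas-server/` for the same block. Please align both.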
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_api_gateway.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.api_gateway }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_api_gateway }}"
password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
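Review bot: `password_keystore` is removed in favour of `password_keystore_server` and `password_keystore_client`, but `password_truststore` still reads `truststores_client_external` with `vitamui_certificate_type: external`. Two things to confirm: that no template or task in the role still references `password_keystore`, which would now be undefined, and that the external truststore is really what this service should load now that the dev profiles point at `truststore_vitamui.jks`, which is the question raised in the review thread above.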
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_archive_search.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.archive_search }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_archive_search }}"
password_keystore_server: "{{ keystores_server_vitamui_services_archive_search }}"
password_keystore_client: "{{ keystores_client_vitamui_services_archive_search }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_collect.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.collect }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_collect }}"
password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_ingest.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.ingest }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_ingest }}"
password_keystore_server: "{{ keystores_server_vitamui_services_ingest }}"
password_keystore_client: "{{ keystores_client_vitamui_services_ingest }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_pastis.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.pastis }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_pastis }}"
password_keystore_server: "{{ keystores_server_vitamui_services_pastis }}"
password_keystore_client: "{{ keystores_client_vitamui_services_pastis }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
3 changes: 2 additions & 1 deletion deployment/ansible-vitamui/app_referential.yml
Expand Up @@ -7,6 +7,7 @@
vars:
vitamui_struct: "{{ vitamui.referential }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_referential }}"
password_keystore_server: "{{ keystores_server_vitamui_services_referential }}"
password_keystore_client: "{{ keystores_client_vitamui_services_referential }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
10 changes: 6 additions & 4 deletions deployment/ansible-vitamui/vitamui_apps.yml
Expand Up @@ -9,8 +9,8 @@
vars:
vitamui_struct: "{{ vitamui.security }}"
vitamui_certificate_type: server
password_keystore: "{{ keystores_server_security }}"
password_truststore: "{{ truststores_server }}"
password_keystore_server: "{{ keystores_server_vitamui_services_security }}"
password_truststore: "{{ truststores_vitamui }}"
tags: security

# External apps
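Review bot: for the security role, `password_truststore` now uses `truststores_vitamui` while `vitamui_certificate_type` stays `server`. The role template quoted in the review thread builds the file name as `truststore_{{ vitamui_certificate_type }}.jks`, which would resolve to `truststore_server.jks` opened with the vitamui truststore password. Please confirm the template was changed accordingly, or set the type and the password consistently.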
Expand All @@ -22,7 +22,8 @@
vars:
vitamui_struct: "{{ vitamui.iam }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_iam }}"
password_keystore_server: "{{ keystores_server_vitamui_services_iam }}"
password_keystore_client: "{{ keystores_client_vitamui_services_iam }}"
password_truststore: "{{ truststores_client_external }}"
vitam_cert: "{{ vitam_certs.vitamui }}"
tags: iam
Expand All @@ -36,6 +37,7 @@
vars:
vitamui_struct: "{{ vitamui.cas_server }}"
vitamui_certificate_type: external
password_keystore: "{{ keystores_server_cas_server }}"
password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
password_truststore: "{{ truststores_client_external }}"
tags: cas-server
4 changes: 2 additions & 2 deletions deployment/pki/config/crt-config
Expand Up @@ -54,8 +54,8 @@ issuerAltName = issuer:copy
subjectAltName = ${ENV::OPENSSL_SAN}
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = server, client
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server
extendedKeyUsage = serverAuth

[ extension_client ]
nsComment = "Certificat Client SSL"
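Review bot: removing `clientAuth` from `extendedKeyUsage` (and `client` from `nsCertType`) in the section before `[ extension_client ]` means certificates issued from it can no longer be used as TLS client certificates with peers that check the extended key usage. Several test profiles in this change still put a `server/...` keystore in a client `ssl-configuration` block; those should move to a `clients/` keystore, otherwise they may be rejected by endpoints that require client certificates, such as api-gateway with `client-auth: need`. The change only affects newly issued certificates, so the regeneration step for existing environments should be documented.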