Storing and retrieving a JKS from Azure Key Vault

I would like to refer to a Java keystore from Azure Key Vault instead of packaging it with my Spring Boot application, which is deployed as a Docker image into a Kubernetes cluster.

As per the Azure documentation, only .PFX files are allowed to be imported into the Key Vault. Currently I am successful in packaging and retrieving the JKS from within the Spring Boot application, but I am looking for a more secure approach and want to have my certificates outside the codebase.

Any pointers and code snippets would be helpful.

mack asked Feb 20 '18 18:02


2 Answers

I know this is old, but answering this because I had the exact same issue and had to read a lot to figure it out.

Tutorial from Microsoft

This article will give you a pretty good overview.

To summarize, if you want to enable SSL for your application using a self-signed certificate stored in Azure Key Vault, below are the steps:

  1. Add the azure-spring-boot-starter-keyvault-certificates dependency to your pom.

  2. Add the SSL configuration and the Key Vault configuration as follows:

    server:
      port: 8443
      ssl:
        key-alias: <keystore name>
        key-store-password: <password>
        keyStoreType: AzureKeyVault
        key-store-type: AzureKeyVault

    azure:
      keyvault:
        uri: <keystore uri>
        client-id: <client-id>
        client-secret: <secret>
        enabled: true
        tenant-id: <tenant-id>

This will enable SSL on your application and use the key store from Azure for HTTPS.

If you only need to load a trust store for outbound TLS, things are a bit simpler. You only need to configure Key Vault as below:

    azure:
      keyvault:
        uri: <keystore uri>
        client-id: <client-id>
        client-secret: <secret>
        enabled: true
        tenant-id: <tenant-id>

And then initialize your SSLContext using the Key Vault:

    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import com.azure.security.keyvault.jca.KeyVaultLoadStoreParameter;
    import org.apache.http.ssl.SSLContexts;

    // The "AzureKeyVault" KeyStore type is served by the Key Vault JCA provider, which the
    // azure-spring-boot-starter-keyvault-certificates starter registers; without the starter,
    // register it yourself with Security.addProvider(new KeyVaultJcaProvider()).
    KeyStore azureKeyVaultKeyStore = KeyStore.getInstance("AzureKeyVault");
    KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
            System.getProperty("azure.keyvault.uri"),
            System.getProperty("azure.keyvault.tenant-id"),
            System.getProperty("azure.keyvault.client-id"),
            System.getProperty("azure.keyvault.client-secret"));
    azureKeyVaultKeyStore.load(parameter);

    // Every certificate in the vault becomes trust material for outbound TLS
    // (SSLContexts is Apache HttpClient's SSLContext builder).
    SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(azureKeyVaultKeyStore, null)
            .build();

This will load all the certificates available in the Key Vault into the trust store. I am not sure if this is needed if you only need the certificates for outbound TLS, since Azure Key Vault can only store certificates which contain both private and public key pairs.

Halley answered Nov 24 '22 03:11


One solution is to store the key as a base64-encoded string as a key/value pair in Azure Key Vault, set it to an environment variable, and decode it into a file on the server in the build.

Encode:

    openssl base64 -A -in keystore.jks

Set to environment variable from Azure Key Vault.

Decode:

    echo $KEYSTORE_BASE64 | base64 --decode > keystore.jks

Maxim Ellison answered Nov 24 '22 04:11
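The encode / set-env / decode sequence from the answer above, as an added example in POSIX sh that is not part of either answer. It adds two safeguards the one-liners skip: the decoded keystore is created readable only by its owner, and a failed decode leaves no partial file behind. The names KEYSTORE_BASE64 and keystore.jks are taken from the answer; the keystore bytes are constructed sample data, not a real JKS.

```shell
#!/bin/sh
# Added example (not from the answers above): round-trip a keystore through the
# base64-in-a-secret approach and write it back with owner-only permissions.
# KEYSTORE_BASE64 is the environment variable name used in the answer; the
# keystore bytes below are constructed sample data, not a real JKS.

# Encode a keystore file as a single-line base64 string (portable: needs no -w/-A flag).
encode_keystore() {
    base64 < "$1" | tr -d '\n'
}

# Decode the base64 held in $KEYSTORE_BASE64 into the target path.
# - umask 077 so the file is created readable only by the owner
# - printf instead of echo, so the value is passed through unchanged
# - the decoded file is written to a temp path and renamed, so a failed decode
#   never leaves a truncated keystore behind
decode_keystore_to() {
    target="$1"
    [ -n "${KEYSTORE_BASE64:-}" ] || { echo "KEYSTORE_BASE64 is not set" >&2; return 1; }
    old_umask=$(umask)
    umask 077
    tmp="$target.tmp.$$"
    if printf '%s' "$KEYSTORE_BASE64" | base64 -d > "$tmp" 2>/dev/null; then
        mv "$tmp" "$target"
        rc=0
    else
        rm -f "$tmp"
        echo "KEYSTORE_BASE64 is not valid base64" >&2
        rc=1
    fi
    umask "$old_umask"
    return $rc
}

# Verify that a decoded keystore is byte-identical to the original.
keystore_matches() {
    cmp -s "$1" "$2"
}

# Demonstration with constructed bytes standing in for keystore.jks.
workdir=$(mktemp -d)
printf '\376\355\376\355\001\002constructed-keystore-bytes' > "$workdir/keystore.jks"
KEYSTORE_BASE64=$(encode_keystore "$workdir/keystore.jks")
export KEYSTORE_BASE64
decode_keystore_to "$workdir/restored.jks"
```

In a real pipeline the export step is replaced by whatever fetches the secret from Key Vault into the environment; the decode side stays the same.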