shibboleth-dev - RE: extkeytool / IdP guide suggestion

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: "'David Champion'" <>
  • Subject: RE: extkeytool / IdP guide suggestion
  • Date: Thu, 11 Aug 2005 00:59:00 -0400
  • Organization: The Ohio State University

> Extkeytool won't create a new Java keystore -- it requires that your
> named keystore already exist. This is important if you're creating a
> new, independent keystore for signing bilateral trust metadata, for
> example.

Well, that's not really what it's for. It was originally intended as a way
of getting Apache-style PEM keys into a JKS file so that a Shib deployer
could use a single keypair for SSL and signing.

> Looking over the 1.3 IdP checklist, in the section on extkeytool (IdP
> Deployment Guide > Configuration > PKI & Credentials; infocreds.html), I
> notice that all the scenarios assume that you already have a keystore.
> I think it would be helpful for those users unfamiliar with Java and/or
> JSSE to give some basics on creating a new JKS.

Actually, I don't think we expect anybody to use them anymore, with the
unfortunate exception of metadatatool. The real bug here is that
metadatatool hasn't been redone so that it can read and use PEM keys like
the IdP can. This was just due to time/interest.

> You might find that some different approach suits the needs of the
> community better -- or, alternatively, extkeytool could be extended to
> create a nonexistent keystore.

I guess I'd say the former, we don't really advocate using JKS files and
trapping your keys in their silly format. Keystores are of more use as an
API to get at hardware tokens, for example, but seem pretty worthless as
file stores.

-- Scott
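The conversion Scott describes as extkeytool's original purpose, getting a PEM private key and certificate into a JKS file as a single key entry, written out as an added example. This is not the page's code, not Shibboleth's extkeytool, and not how extkeytool was implemented; it only uses the JDK's standard KeyStore, KeyFactory and CertificateFactory APIs. It assumes the key is an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY"); the traditional Apache/OpenSSL PKCS#1 form ("BEGIN RSA PRIVATE KEY") cannot be parsed by the stock JDK and must be converted first with `openssl pkcs8 -topk8 -nocrypt`. The file names, alias and password on the command line are whatever the deployer supplies. It also creates the keystore when the named file does not exist, the gap David raised, and checks that the key actually matches the certificate before storing anything.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

/*
 * PemToJks: added example, not the Shibboleth extkeytool. Imports a PKCS#8 PEM
 * private key plus a PEM certificate chain into a JKS keystore under one alias,
 * creating the keystore file if it does not exist. Stock JDK providers only.
 *
 * Usage: java PemToJks key-pkcs8.pem cert.pem keystore.jks alias password
 */
public final class PemToJks {

    /** Strip the PEM armour of the first block with the given label and decode its body. */
    static byte[] derFromPem(String pem, String label) {
        String begin = "-----BEGIN " + label + "-----";
        String end = "-----END " + label + "-----";
        int start = pem.indexOf(begin);
        int stop = pem.indexOf(end);
        if (start < 0 || stop < 0) {
            throw new IllegalArgumentException("no " + label + " block found");
        }
        String body = pem.substring(start + begin.length(), stop).replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    /** Load an unencrypted PKCS#8 key; reject the encodings the JDK cannot read. */
    static PrivateKey loadPkcs8Key(Path path) throws Exception {
        String pem = new String(Files.readAllBytes(path), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("BEGIN EC PRIVATE KEY")) {
            throw new IllegalArgumentException(
                "PKCS#1/SEC1 key; convert with 'openssl pkcs8 -topk8 -nocrypt' first");
        }
        if (pem.contains("BEGIN ENCRYPTED PRIVATE KEY")) {
            throw new IllegalArgumentException("encrypted PKCS#8 key; decrypt with openssl pkcs8 first");
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(derFromPem(pem, "PRIVATE KEY"));
        // PKCS#8 carries the algorithm OID, but KeyFactory must be asked by name, so try each.
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm; try the next one
            }
        }
        throw new IllegalArgumentException("unsupported private key algorithm");
    }

    /** Read every PEM certificate in the file, in order (end-entity first). */
    static Certificate[] loadCertChain(Path path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path.toFile())) {
            return cf.generateCertificates(in).toArray(new Certificate[0]);
        }
    }

    /** Sign a random nonce with the key and verify with the cert's public key. */
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) throws Exception {
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(key);
        s.update(nonce);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey());
        s.update(nonce);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PemToJks key-pkcs8.pem cert.pem keystore.jks alias password");
            System.exit(2);
        }
        Path keyPem = Paths.get(args[0]);
        Path certPem = Paths.get(args[1]);
        Path jksPath = Paths.get(args[2]);
        String alias = args[3];
        char[] password = args[4].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(jksPath)) {
            try (InputStream in = new FileInputStream(jksPath.toFile())) {
                ks.load(in, password);            // add to an existing keystore
            }
        } else {
            ks.load(null, null);                  // start a fresh, empty keystore
        }

        PrivateKey key = loadPkcs8Key(keyPem);
        Certificate[] chain = loadCertChain(certPem);
        if (chain.length == 0 || !keyMatchesCert(key, chain[0])) {
            throw new IllegalArgumentException("private key does not match the first certificate");
        }
        ks.setKeyEntry(alias, key, password, chain);
        try (FileOutputStream out = new FileOutputStream(jksPath.toFile())) {
            ks.store(out, password);
        }
        System.out.println("stored " + alias + " (" + key.getAlgorithm() + ") in " + jksPath);
    }
}
```

The sign/verify round trip is the check worth keeping even if nothing else is: a keystore entry whose certificate does not correspond to its private key stores without complaint and only fails later, at the peer, when a signature or TLS handshake does not verify. Using the same password for the keystore and the key entry mirrors what keytool expects by default; JKS protects the entry with a weak proprietary scheme, which is one reason the thread treats JKS as a poor long-term home for keys.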
