This guide creates self-signed keys useful for development and use in lower environments. In production scenarios, keys are typically generated and managed by an organization's IT security team.
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
To complete the openssl generate command, provide the certificate information when requested. Adobe I/O and AEM do not care what these values are, however they should align with, and describe your key.
Generating a 2048 bit RSA private key ...........................................................+++ ...+++ writing new private key to 'private.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) :US State or Province Name (full name) :CA Locality Name (eg, city) :San Jose Organization Name (eg, company) :Adobe Organizational Unit Name (eg, section) :Adobe Experience Manager Common Name (eg, fully qualified host name) :com.adobe Email Address :firstname.lastname@example.org
Key pairs can be added to a new PKCS12 keystore. As part of openssl's pcks12 command, the name of the keystore (via -
These values are required to load the keystore and keys into AEM.
$ openssl pkcs12 -export -caname my-keystore -in certificate.crt -name my-key -inkey private.key -out keystore.p12 -passout pass:my-password
The parameter values of my-keystore, my-key and my-password are to be replaced by your own values.
The Java keytool command line tool provides visibility into a keystore to ensure the keys are successfully loaded in the keystore file (keystore.p12).
$ keytool -keystore keystore.p12 -list
Enter keystore password: my-password Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry my-key, Feb 5, 2019, PrivateKeyEntry, Certificate fingerprint (SHA1): 7C:6C:25:BD:52:D3:3B:29:83:FD:A2:93:A8:53:91:6A:25:1F:2D:52
AEM uses the generated private key to securely communicate with Adobe I/O and other web services. In order for the private key to be accessible to AEM, it must be installed into an AEM user's keystore.
Navigate to AEM > Tools > Security > Users and edit the user the private key is to be associated with.
If prompted to Create KeyStore, do so. This Keystore will exist only in AEM and is NOT the keystore created via openssl. The password can be anything and does not have to be the same as the password used in the openssl command.
In the user's keystore console, click Add Private Key form KeyStore file and add the following information:
- New Alias: the key's alias in AEM. This can be anything and does not have to correspond with the name of the keystore created with the openssl command.
- Keystore File: the output of the openssl pkcs12 command (keystore.p12)
- Private Key Alias: The password set in the openssl pkcs12 command via -
- Private Key Password: The password set in the openssl pkcs12 command via -
When the private key is successfully loaded from the provided keystore into the AEM keystore, the private key's metadata displays in the User's Keystore console.
The matching public key must be uploaded to Adobe I/O to allow the AEM service user, who has the public key's corresponding private to securely communicate.
Creating a new Integration in Adobe I/O requires uploading a public certficate. Upload the certificate.crt generated by the openssl req command.
The installed public keys and their Expiry dates are listed in the Integrations console on Adobe I/O. Mutiple public keys can be added via the Add a public key button.
Now AEM hold the private key and the Adobe I/O integration holds the corresponding public key, allowing AEM to securely communicate with Adobe I/O.