Tool to generate PKCS12 key store from ITSG Trust Center certificates.

SECON KeyStore Generator

This tool generates a PKCS12 key store containing the public certificates published by the ITSG Trust Center. The generated key store can, for example, be used by the DiGA API Client or by secon-tool.

Usage

Download the latest generator release (see the project's releases) and download the latest annahme-rsa4096.key file from the ITSG Trust Center website.

Public certificates keystore

Use the following command to generate a key store containing all the public certificates. It will prompt you for a password, which is used to secure the key store.

java -jar secon-keystore-generator-<version>.jar -k <insurance-keys-input-filename> -s <key-store-output-filename>

Public certificates and your private certificate keystore

You can also generate a key store containing all public certificates and additionally embed your own certificate together with its private key.

For example, this could be used as the only certificate file you need for the DiGA API Client. Because such a key store contains your private key, choose a strong password and restrict file permissions on the generated .p12 file.

To do this, you also need these files:

  • Your private key. This must be a PKCS1 .pem file which contains only the private key. It should start with -----BEGIN RSA PRIVATE KEY-----. When you created the key pair for your ITSG certificate application, you saved this file somewhere.
  • The certificate chain you received from ITSG. When ITSG approves your certificate application, they send you some files. There should be a .p7c file among them which contains your certificate chain.

java -jar secon-keystore-generator-<version>.jar \
    -k <insurance-keys-input-filename> \
    -s <key-store-output-filename> \
    -p <private-key-filename> \
    -c <private-certificate-chain-filename>

For example,

java -jar secon-keystore-generator.jar -k annahme-rsa4096.key -p my.prv.key.pem -c my.chain.p7c

will prompt you for a password and generate a file called certificates.p12 (the default output name when -s is omitted) which contains all public certificates as well as your own certificate and private key under the alias private.

Alternative private key format

In case you have problems loading the private key, it might help to convert your my.prv.key.pem into PKCS8 format before using this tool. Note that -nocrypt writes the PKCS8 key unencrypted, so delete my.prv.key.der once the key store has been generated:

# Convert key
openssl pkcs8 -topk8 -inform PEM -outform DER -in my.prv.key.pem -out my.prv.key.der -nocrypt

# Use pkcs8 key to create the certificates.p12 file
java -jar secon-keystore-generator.jar -k annahme-rsa4096.key -p my.prv.key.der -c my.chain.p7c
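The two private key formats this tool accepts (a PKCS1 PEM file starting with -----BEGIN RSA PRIVATE KEY-----, or an unencrypted PKCS8 DER file produced by the openssl command above) are easy to confuse with PKCS8 PEM, encrypted PKCS8, EC keys, or a mislabeled PEM body. The following added example, which is not part of this project and uses only the Python standard library, inspects a key file and reports which format it actually is. It distinguishes PKCS1 from PKCS8 at the DER level (both start with an INTEGER version, but PKCS8 is followed by an AlgorithmIdentifier SEQUENCE while PKCS1 is followed by the modulus INTEGER) and cross-checks a PEM label against its decoded body. The sample DER structures embedded in it are constructed stubs with dummy integers, not real keys.

```python
import base64
import binascii
import re
import sys

# Matches a PEM block and captures its label and base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_tlv(buf, pos):
    """Minimal DER tag/length decoder: returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def classify_der(der):
    """Return 'pkcs1-der', 'pkcs8-der' or 'unknown' for a DER-encoded key."""
    try:
        tag, start, _ = _der_tlv(der, 0)
        if tag != 0x30:                     # outer SEQUENCE
            return "unknown"
        t1, _, e1 = _der_tlv(der, start)    # INTEGER version (both formats)
        if t1 != 0x02:
            return "unknown"
        t2, _, _ = _der_tlv(der, e1)        # what follows the version?
    except (IndexError, ValueError):
        return "unknown"
    if t2 == 0x30:                          # AlgorithmIdentifier -> PrivateKeyInfo
        return "pkcs8-der"
    if t2 == 0x02:                          # modulus n -> RSAPrivateKey
        return "pkcs1-der"
    return "unknown"


def classify_key(data):
    """Classify raw key file bytes (PEM or DER), flagging mislabeled PEM bodies."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        if label == "ENCRYPTED PRIVATE KEY":   # password-protected PKCS8; -nocrypt was not used
            return "pkcs8-encrypted-pem"
        if label == "EC PRIVATE KEY":          # SEC1 EC key; ITSG keys are RSA
            return "sec1-ec-pem"
        expected = {"RSA PRIVATE KEY": "pkcs1-der", "PRIVATE KEY": "pkcs8-der"}.get(label)
        if expected is None:
            return "unknown"
        try:
            body = base64.b64decode(m.group(2))
        except (binascii.Error, ValueError):
            return "unknown"
        container = "pkcs1-pem" if label == "RSA PRIVATE KEY" else "pkcs8-pem"
        inner = classify_der(body)
        if inner != expected:
            return f"mislabeled {container} (body is {inner})"
        return container
    if data[:1] == b"\x30":                 # bare DER SEQUENCE
        return classify_der(data)
    return "unknown"


def pem(label, der):
    """Wrap DER bytes in a PEM block with the given label (bytes)."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")


# Constructed sample structures (assumed, not real keys): a PKCS1 RSAPrivateKey
# stub SEQUENCE { INTEGER 0, INTEGER 0x0BAD, INTEGER 3 } and a PKCS8 PrivateKeyInfo
# wrapping it with the rsaEncryption AlgorithmIdentifier.
PKCS1_DER = b"\x30\x0a" + b"\x02\x01\x00" + b"\x02\x02\x0b\xad" + b"\x02\x01\x03"
RSA_ALGID = b"\x30\x0d" + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" + b"\x05\x00"
PKCS8_DER = b"\x30\x20" + b"\x02\x01\x00" + RSA_ALGID + b"\x04\x0c" + PKCS1_DER

if __name__ == "__main__":
    # Usage: python keycheck.py my.prv.key.pem
    with open(sys.argv[1], "rb") as f:
        print(classify_key(f.read()))
```

A result of pkcs1-pem or pkcs8-der is what this README expects; pkcs8-encrypted-pem means the key is still password-protected, and a mislabeled result means the PEM header does not match its contents and the file should be re-exported.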

License

MIT