
Downloading a keystore

You can only download a keystore if the certificate was previously issued using Automated Secure Keypair (ASK). Downloading a keystore involves the exchange of passphrases and private keys with a VSatellite. For greater security, Venafi as a Service has been designed to prevent exposure of that sensitive data in the cloud by leveraging the NaCl libsodium library and its SealedBox component.

Since requesting a certificate using ASK and downloading a keystore involves multiple steps and a third-party library, it is easiest to illustrate with a code sample. You can also greatly simplify this task by using one of the VCert SDKs.

The flow in the code samples is:

  • Create a certificate using ASK.

  • Use the id in the response to call the certificates/{id} function and get the data encryption key (DEK) hash.

  • Call the edgeencryptionkeys/{DEK} function to get the public key hash.

  • Use the DEK hash, the password, and a nonce to encrypt the passphrase. Encryption uses a NaCl/libsodium library.

  • Call the keystore function to download the keystore as a zip.

To run the sample

Make these preliminary function calls to get the data that seeds the sample.

  1. If you have not already done so, obtain an API key.

    GET https://api.venafi.cloud/v1/certificateissuingtemplates
    tppl-api-key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    

  2. Get and save the application identifier of a Business Application. The value is also known as the Application id. For example:

    {
       "applications": [
          {
             "id": "785a6260-28f5-11eb-804b-6769144073a1",
             ...
    

  3. Get and save the identifier of a certificate Issuing Template. The value is also known as the Certificate Issuing Template (CIT) id. For example:

    {
       "certificateIssuingTemplates": [
          {
             "id": "7f3ff940-bcdf-11eb-9af9-c947417e28d0",
             ...
    

  4. Get and save the keystore type for an Application Server Type. The value you need is the id. For example:

    {
       "applicationServerTypes": [
          {
             "id": "784938d1-ef0d-11eb-9461-7bb533ba575b",
             "companyId": "85d375a0-8038-11e5-bf87-317fe88bb23a",
             "creationDate": "2021-07-27T19:04:29.661+0000",
             "keyStoreType": "PEM",
             "applicationServerType": "APACHE",
             ...
    

  5. Choose a language (Python, Go, or Java, below). In an IDE, open the sample, paste the values from the previous steps, and run it.

    Python

    To install NaCl, open a command prompt and type pip install pynacl.

    1. Type pip install six.

    2. If you're using Python 3.x, replace import six.moves.urllib.parse as urlparse with import urllib.parse.

    3. Download the Python sample.

    4. Set your environment variables based on the parameters in the # VaaS credentials section.

    5. Run the sample.

    Go

    The NaCl library is already present in the Go environment. No installation is necessary.

    1. Download the Go language sample.

    2. Use a line editor. If necessary, set the constants in the const declaration.

    3. Run the sample.

    Java

    To run the Java sample:

    1. Download the Java sample.

    2. Use a line editor to customize the script:

      • Follow the script instructions about installing the imported libraries.
      • If necessary, set the private static final String values.

    3. Run the sample.


Last update: December 2, 2021