Posted: 13 Mar 2018 17:35 EDT Last activity: 15 Mar 2018 2:56 EDT
Specifying multiple certificates / keys in a keystore via alias - is this supported?
When building secure REST services, we are required to specify a keystore instance which has the certificate / key for the secured connection. This is generally fine, however when there are multiple services which have their own security constraints, we have to maintain multiple keystores within Pega.
Additionally, at the JVM level, we can specify only 1 keystore using something like -Djavax.net.ssl.keyStore=./mykeystore.jks
My understanding is that a keystore is just a container for certs / keys, where each pair can be identified by an alias. So if this was built in direct code, a client can specify "for my HTTPS connection, use SSL cert/key where alias = 'mycertalias'"
Is this something which is currently supported in Pega (7.3.1) or planned to be supported? It would be a bit of management overhead if multiple keystores have to be managed, and none of them can be used in the javax.net.ssl.keyStore JVM parameter.
Thank you for your post! I cannot go into specifics at the moment, but we are aware of the lack of "alias" fields being problematic for use cases like the one you have described.
You seem to have a proper understanding of how things currently work. To answer your question: Pega 7.3.1 also lacks "alias" functionality.
Let me know if you have any other questions about it.
I would like to encourage you to reach out to Global Customer Support and describe how this limitation is impacting you, in order to bring attention to it. Please mention this post if you choose to do that.