Ad Code

Saturday, January 4, 2020

How to manage certificates in AEM Truststore

Hello Everyone,

In this blog, we will talk about what is Truststore, how to manage certificates in AEM
Truststore and challenges we face while managing the certificates in publish server.

What is Truststore: TrustStore is used in context of setting up SSL connection in Java application between
client and server.  In SSL handshake, purpose of trustStore is to verify credentials.
The public key certificates provided by CA authorities for encrypting the content are
also be stored in the TrustStore.
TrustStore stores public key or certificates from CA (Certificate Authorities) which is
used to trust remote party or SSL connection.

How to manage these certificates in AEM and how to fetch the public key from
that certificate in your AEM Code.
1.Go to AEM-> Tools->Security->TrustStore.
2. Go to Add Certificates from CER File Section and Select Certificate File to Upload and click on Submit.
Fig1: AEM Truststore Console to Upload Certificates
3. Every certificate will generate a unique Alias Name(certalias___1577961678433 for the above certificate).
The above uploaded certificates gets stored in "/etc/truststore" in CRX:
Fig2: Certificates get Stored in CRX

How to fetch the public key from the certificate using Alias Name:

Note: To fetch the certificate public key from alias, you must have an OSGI config for Alias.Ideally you should upload all certificates in author and replicate /etc/truststore path to all the publishers to maintain same alias for all the servers sitting on the same environment.
If we upload certificates in publishers without replication, the publisher may generate different alias Id and if two publishers of same environment generate different alias then to maintain the different OSGi configurations for both publishers is not possible.So always upload in author and replicate it all the publishers.

Note:If you have few certificates in author and some of them you don’t want in publish server, in AEM there is no way that you can replicate only one certificate but not another but if you really don't want some certificates in publish, then you replicate first all certificates and go to publish server and delete the unwanted one .[Recommended by adobe]

Note: Don’t ever pass the anonymous resourceResolver in KeyStoreService API because to access the certificates in publish, you need to give /etc/truststore an anonymous access and you should be very aware about anonymous access in publish servers. So always get resourceResolver from System User. There is an OOTB Service user named “truststore-reader-service” available for fetching the trustore values in publish server.

Hope it will help you guys !!
Thanks and Happy Learning.


  1. This comment has been removed by a blog administrator.

  2. Is it possible to upload a same ceriticate but with different alias name ??

  3. ive tried replicating /etc/truststore in 6.5.5 version but the certificates are not visible in global trust store of publish environment.