This article describes the configuration of the truststore and timestamp signer keystore for the timestamp services configured in Nexus Timestamp Server.
The signing certificate used by the timestamp service must be a valid timestamping certificate. This means that a timestamping certificate must have Extended Key Usage set to Timestamping.
These settings are used by more than one filter and are defined in service.properties.
Step-by-step instructions
-
Open the service.properties configuration file.
-
Set the applicable parameters, described in this table:
|
Parameter |
Description |
Possible values |
Default value |
|---|---|---|---|
|
signer.store |
The path to the keystore used for signing the timestamp response. Must be a PKCS#12, JKS or PKCS#11 library (.dll, .so) file. |
Path |
- |
|
signer.store.pin |
The password to unlock the keystore. |
String |
- |
|
signer.password |
The password needed to unlock the signing certificate/key. |
String |
- |
|
signer.nopinpad |
Suppress the use of a PIN-pad reader. If set to true, then force login with password even if the device reports that it has a PIN-pad reader |
true/false |
false |
|
signer.alias |
The friendly name of the certificate/key in the keystore in PKCS#12 and JKS. Only required if the file contains more than one private key. In PKCS#11, this must be the CKA_LABEL of the certificate and private key. |
String |
- |
|
signer.store.reinitializeDeviceOnErrors |
Defines upon which errors (e.g. restart of HSM or other network problems) the PKCS11 library should be reinitialized (calls C_FINALIZE) when it performs a login operation. The device will not be reinitialized by default. |
White space separated list of hexadecimal codes. Eg:
|
- |
|
signer.store.tokenlabel |
The label name of the PKCS#11 token which contains the key and certificate to be used. This parameter is OPTIONAL. |
String |
- |
|
trust.store.default store |
The path to the trust store. Used for validating the timestamp request if client authentication is enabled. |
Path |
|
Examples
PKCS#12
signer.store=${ServiceDir}/keys/tsaDemo.p12
signer.store.pin=1234
signer.password=1234
signer.pinpad=false
signer.alias=TSA Demo Signing Certificate
PKCS#11 (HSM)
signer.store=${ConfigurationDir}/keys/cs_pkcs11_R2.dll
signer.store.pin=1234
signer.password=1234
signer.pinpad=false
signer.alias=tsa
signer.store.tokenlabel=tss_keys
signer.store.reinitializeDeviceOnErrors=0x30 0x32 0xE0 0xE1 0x101 0x190