
I have a few Java applications that use JKS files for storing client private keys for things like DB certificates. Once these certificates get renewed I'd like an easy way to edit the JKS file and replace the old key.

The problem is storing these JKS files. Obviously they shouldn't be in the repository, so I want to use some sort of secret management tool like HashiCorp Vault, but it doesn't support JKS files directly, so it seems everyone encodes them to base64 and stores them that way. Using this method, you have to read the secret, decode it, and then use some tool like keytool or openssl to edit the certificates inside, and I would like a better solution that would be easier for the developers to maintain.

Keep in mind that in my organization we're in a private network with our own cloud provider, so we don't have access to any Amazon or Google cloud services.

I looked for some other tools to provide a UI to edit these JKS files, and the only decent thing I found was KeyStore Explorer, which is a desktop app; I'd like to deploy a web app so everyone would be able to easily use it, like Vault is. I also looked for any open issues or requests for this kind of feature, but no one mentions it since it seems they're all OK with encoding the files to base64 and that's it.

Am I overthinking this? It seems like it would be pretty easy to develop a feature for Vault to edit JKS files inside the UI. I might just do it myself and try to contribute that code, or just create another app specifically to do this. Should I move on from using JKS files and just store the certificates as PEM files, and maybe dynamically create a JKS file in my Kubernetes cluster in an initContainer script or something?

Itay Habani
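The alternative floated in the last paragraph, keeping PEM material in Vault and building the JKS at start-up, as an added example that is not part of the original question: it reads an unencrypted PKCS#8 private key and a PEM certificate chain (assumed to have been fetched from Vault into `/secrets` by an initContainer) and writes a JKS holding one key entry, so a renewed certificate replaces the old entry on the next run without anyone editing a base64 blob. Requires Java 11+; the paths, the alias, the `JKS_PASSWORD` variable and the RSA key type are assumptions.

```java
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class PemToJks {
    // Parse an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY") into a PrivateKey.
    // Pass "EC" instead of "RSA" for EC keys (assumption: the DB client key is RSA).
    static PrivateKey readPkcs8Key(Path pemFile, String algorithm) throws Exception {
        String b64 = Files.readString(pemFile)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Parse one or more concatenated PEM certificates (leaf first, then its issuers).
    static Certificate[] readCertChain(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (var in = Files.newInputStream(pemFile)) {
            return cf.generateCertificates(in).toArray(new Certificate[0]);
        }
    }

    // Write a JKS with a single key entry. The file is rebuilt from scratch each time,
    // so after a renewal the new key and chain simply replace the old entry.
    static void writeJks(Path keyPem, Path chainPem, Path out, String alias, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // start from an empty keystore
        ks.setKeyEntry(alias, readPkcs8Key(keyPem, "RSA"), pw, readCertChain(chainPem));
        try (FileOutputStream fos = new FileOutputStream(out.toFile())) {
            ks.store(fos, pw);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: an initContainer has already fetched the PEM files from Vault
        // into an emptyDir mounted at /secrets; the keystore password comes from the environment.
        String pw = System.getenv("JKS_PASSWORD");
        if (pw == null) throw new IllegalStateException("JKS_PASSWORD is not set");
        writeJks(Path.of("/secrets/db-client.key"), Path.of("/secrets/db-client.crt"),
                 Path.of("/secrets/db-client.jks"), "db-client", pw.toCharArray());
    }
}
```

Because the JKS is regenerated from the PEM files on every start, the only secret that needs to live in Vault is the PEM key and certificate, which keytool and openssl can both inspect directly.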

0 Answers