Custom keystore

This section covers configuring a custom keystore for the SSL listener of the Token Server. It's divided into the following subsections:

Migrate cert and key to keystore

If you already have a key and a certificate, you can convert them into a Java keystore as follows:

  openssl pkcs12 -export -in cert.pem -inkey key.pem > keystore.p12
  keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12

Make sure that the keystore password and the key (alias) password are the same.
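As an added example, not part of the Onegini documentation, the migration above as one shell function: it bundles the PEM pair into PKCS12 under the alias "tokenserver" (assumed from the keytool command later on this page), imports it with identical keystore and key passwords, and then checks that a private-key entry actually ended up in the keystore rather than a certificate-only entry. The function name, file paths and password value are assumptions.

```shell
#!/bin/sh
# Added example, not from the Onegini documentation. Converts an existing PEM
# certificate and private key into a Java keystore (JKS) with the alias
# "tokenserver" (assumed from the keytool -genkey command on this page), using
# one password for both the keystore and the key entry, and verifies the result.
set -eu

# migrate_to_jks CERT_PEM KEY_PEM PASSWORD OUTPUT_JKS
# Returns 0 only if OUTPUT_JKS contains a PrivateKeyEntry named "tokenserver"
# that opens with PASSWORD. The intermediate PKCS12 file is deleted afterwards.
migrate_to_jks() {
    cert="$1"; key="$2"; pass="$3"; out="$4"
    p12="${out%.jks}.p12"

    # Step 1: bundle certificate and key into PKCS12; -name becomes the alias.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name tokenserver \
        -out "$p12" -passout "pass:$pass"

    # Step 2: import into JKS. -deststorepass and -destkeypass get the same
    # value because the Token Server expects keystore and key passwords to match.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype jks \
        -deststorepass "$pass" -destkeypass "$pass" \
        -srcalias tokenserver -destalias tokenserver
    rm -f "$p12"

    # Step 3: verify. A PrivateKeyEntry means both key and cert were imported;
    # a trustedCertEntry would mean only the certificate made it in.
    keytool -list -keystore "$out" -storepass "$pass" -alias tokenserver \
        | grep -q PrivateKeyEntry
}

# Usage: migrate_to_jks cert.pem key.pem "$STOREPASS" keystore.jks
# Runs only when invoked with the four arguments.
if [ "$#" -eq 4 ]; then
    migrate_to_jks "$@"
fi
```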

Generate new keystore

Java keystore

It is possible to run the Onegini Token Server container with a custom keystore.

Create folder

Before we can use the keystore, we need a folder to store the keystore file. This folder will be mounted to the Onegini Token Server container later on.

  mkdir -p /opt/onegini/data/keystore

If you are using SELinux, you also need to give Docker access to this folder. Use the following command:

  chcon -Rt svirt_sandbox_file_t /opt/onegini/data/keystore

Generate keystore

Run the following command to generate the keystore:

  keytool -genkey -alias tokenserver -keyalg RSA -keystore keystore.jks

When prompted, enter the information required to generate a CSR.

Now copy the keystore to the folder created earlier:

  cp keystore.jks /opt/onegini/data/keystore/keystore.jks

Grant access

Before the keystore can be used in the Onegini Token Server container, the onegini user needs access to it:

  chown -R onegini:onegini /opt/onegini/data/keystore

Setup truststore

If the server's certificate is not trusted by the default cacerts, set up a custom truststore.

Start container

Now add the following volume mapping to docker-compose.yml:

    - "/opt/onegini/data/keystore:/opt/token-server/engine/data"

and edit the following Docker Compose environment variables:


Apply the same settings to the admin Docker service if needed, then restart the container with docker-compose.