Trust store
In order for the webPDF server to be able to retrieve external resources via TLS, the server must trust these external servers and their SSL/TLS certificates. This trust is established via the root certificates of the issuing certificate authorities. For this purpose, the server stores the certificates of the authorities in a trust store.
This is important in the case of access to resources that work with a self-signed certificate. In this case, the server's certificate must be imported into the trust store; otherwise access is not possible.
Access to external server resources is needed, for example, when mail documents are converted and resources such as CSS content or images need to be retrieved. It is particularly problematic when these resources are retrieved from servers that are only configured with “self-signed” certificates.
In order for the server to trust the certificates (especially the “self-signed” certificates), you must import them into a trust store (keystore file) and configure it on the server.
Default trust store
In the standard installation (without additional configuration), the server uses the trust store cacerts of the OpenJDK. The cacerts file is located in the folder jre/lib/security of the installation. The file cacerts is a JKS (Java Keystore) with all known certificates of the public certification authorities. The server automatically trusts certificates issued by these certification authorities. You can expand this certificate store with your own certificates (password changeit).
Please note that the certificate store is reset when webPDF or the OpenJDK is updated. If you want to use your own certificates, it is better to use your own trust store.
You can edit the default trust store with the "Keystore Explorer" tool.
Portal configuration
The easiest way to configure your own trust store is in the Admin Portal, with the function Truststore (1).

All existing certificates are displayed in the dialog (2). These are either the certificates of the "Default trust store" or the certificates of the already configured trust store.
With Enter new keystore (3) you can select your own trust store with the option Custom JKS. Select the keystore file and enter the password. After entering and saving the configuration, the server must be restarted.
To switch back to the default trust store, call up the dialog again and select Standard (Java Runtime Engine).
Manual configuration
Alternatively, the trust store can also be configured manually directly via the server.xml configuration file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<server xmlns="http://schema.webpdf.de/1.0/configuration/server">
    <!-- ... -->
    <truststore file="" password=""/>
    <!-- ... -->
</server>
Enter the file under file. Currently, only keystore files in JKS format are supported for the trust store. You can create this type of keystore with the "Keystore Explorer" tool, for example.
Enter the password for the keystore file in password.
In order for the trust store to be enabled, you will have to restart the server.
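An added example, not part of the webPDF documentation: one way to create the JKS file for the file attribute on the command line with the JDK's keytool instead of "Keystore Explorer", importing a self-signed certificate only after its SHA-256 fingerprint matches a value obtained out of band from the server's operator. The function names, file paths, alias and the TRUSTSTORE_PASS variable are assumptions made for this example; keytool must be on the PATH.

```shell
#!/bin/sh
# Added example (not webPDF code). Assumes the JDK's keytool is on PATH.

# Print the SHA-256 fingerprint of a certificate file (PEM or DER)
# as uppercase hex without colons.
cert_sha256() {
    keytool -J-Duser.language=en -printcert -file "$1" 2>/dev/null |
        awk '/SHA256:/ { print $2; exit }' | tr -d ':' | tr 'a-f' 'A-F'
}

# build_truststore CERT EXPECTED_SHA256 OUT_JKS ENTRY_ALIAS
# Imports CERT into the JKS trust store OUT_JKS (created if missing), but only
# if its fingerprint equals EXPECTED_SHA256. The store password is taken from
# the environment variable TRUSTSTORE_PASS (hypothetical name) so that it does
# not show up in the process list.
# Returns: 0 imported, 1 fingerprint mismatch, 2 no password, 3 keytool error.
build_truststore() {
    cert=$1; expected=$2; out=$3; entry=$4
    [ -n "${TRUSTSTORE_PASS:-}" ] || { echo "TRUSTSTORE_PASS not set" >&2; return 2; }

    actual=$(cert_sha256 "$cert")
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ -z "$actual" ] || [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch, refusing to import $cert" >&2
        return 1
    fi

    # -noprompt is acceptable here because the fingerprint was checked above.
    keytool -importcert -noprompt -alias "$entry" -file "$cert" \
        -keystore "$out" -storetype JKS \
        -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1 || return 3

    # Confirm that the entry is really present in the new store.
    keytool -list -alias "$entry" -keystore "$out" -storetype JKS \
        -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1 || return 3
}

# Usage (constructed placeholder values):
#   export TRUSTSTORE_PASS='...'
#   build_truststore internal-mail.pem 'AB:CD:...' webpdf-trust.jks internal-mail
```

The resulting file and its password are the values to enter under Custom JKS in the portal or in the truststore element of server.xml.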