DPBuddy 3.5 supports fully automated deployment of X.509 certificates and keys with the following capabilities:
- Deployment from standalone files in various formats (PEM, DER, PKCS8, etc.), encrypted and unencrypted.
- Deployment from Java keystores/truststores in various formats (JKS, PKCS12, etc.). You can specify a list of aliases to deploy a subset of certs/keys from a keystore.
- Deployment directly from TLS endpoints to DataPower.
- Automatic deployment of issuers/CA certs. DPBuddy can also download the issuer from the certificate’s AIA extension if one is present (all certs issued by known CAs will have that extension).
- Auditing of all changes to crypto objects directly on DataPower. You can see who changed what, and when, using DPBuddy’s crypto reporting task.
- Keystores and key passwords can be stored encrypted in DPBuddy’s conf file or provided directly on the command line.
- Deployment is automatically validated to make sure all crypto objects and password aliases are up.
- Crypto Identity Credential objects are created automatically for cert-key keypairs from a keystore.
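As an added illustration of the issuer lookup described in the list above (example code, not DPBuddy's own), the block below reads the CA Issuers URI out of a certificate's AIA extension and accepts the downloaded candidate only if its key actually verifies the certificate's signature. It assumes the Python `cryptography` package, builds its own throwaway CA and leaf certificates, and stands in a local function for the HTTP download, so it runs offline.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

CA_ISSUERS_URL = "http://ca.example.invalid/issuing-ca.der"  # constructed placeholder, never fetched

def ca_issuer_urls(cert):
    """CA Issuers URIs from the AIA extension, or [] when the extension is absent."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound: return []
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def issued_by(cert, candidate):
    """True only if the candidate's subject matches AND its key verifies cert's signature (EC keys)."""
    if cert.issuer != candidate.subject: return False  # a name match alone proves nothing; the signature decides
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature: return False

def resolve_issuer(cert, fetch_der):  # fetch_der(url) -> DER bytes; returns the first issuer that verifies
    for url in ca_issuer_urls(cert):
        candidate = x509.load_der_x509_certificate(fetch_der(url))
        if issued_by(cert, candidate): return candidate
    return None  # nothing verified: an unverified CA cert must not be deployed

def make_cert(subject, issuer, key, signer, aia_url=None):  # constructed test certs, not a real PKI
    now = datetime.utcnow()
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if aia_url:  # point the leaf at the constructed "CA Issuers" location
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return b.sign(signer, hashes.SHA256())

def der(cert): return cert.public_bytes(Encoding.DER)  # stands in for the bytes an HTTP fetch would return
def name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

CA_NAME = name("Example Issuing CA")
ca_key, rogue_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
CA_CERT = make_cert(CA_NAME, CA_NAME, ca_key, ca_key)
ROGUE_CA = make_cert(CA_NAME, CA_NAME, rogue_key, rogue_key)  # same subject name, different key
LEAF = make_cert(name("api.example.invalid"), CA_NAME, leaf_key, ca_key, aia_url=CA_ISSUERS_URL)
```

The rogue CA shares the real issuer's name, so a deployment step that matched issuers by name alone would accept it; only the signature check rejects it.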
We’ve also developed a framework for integrating with your Key Management System of choice, such as Hashicorp Vault or AWS Key Management Service.
DPBuddy copies keys/cert files to DataPower (as PEM files) and creates DataPower crypto objects. The names are derived either from the filenames or from the names (aliases) in the keystore.
DPBuddy automatically determines if the source is a key or a cert and creates the crypto objects of the appropriate type.