Public | Automated Build

Last pushed: a year ago
Short Description
Fetch a CA and request certificates from vault and stick them into JAVA keystore files.
Full Description

Vault JKS

A simple script to fetch a CA and request certificates from vault and stick
them into JAVA keystore files.


A working vault server and PKI backend mounted with long enough TTLs.


  • VAULT_ADDR - Vault address. Required.
  • VAULT_AUTH_FILE - If specified, this file will be sourced. This file can
  • VAULT_TOKEN - If specified, the token will be used for auth.
  • VAULT_USER - If VAULT_TOKEN is unset, then this needs to be set.
  • VAULT_PASSWORD - Required if VAULT_TOKEN is not being used.
  • VAULT_PKI_PATH - Vault pki backend mount path. Default: shared/pki.
  • VAULT_ROLE_NAME - Vault pki backend role for requesting a new cert. Default: cert-request.
  • CERT_COMMON_NAME - Certificate request CN. Default: localhost.
  • IP_SAN - IP address to add to ip_sans. Default: $(hostname -i).
  • ALT_NAMES - Requested Subject Alternative Names, in a comma-delimited list.
    These can be host names or email addresses; they will be parsed into their
    respective fields.
  • IMPORT_SYSTEM_TRUSTSTORE: If true, import /etc/pki/java/cacerts into a TRUSTSTORE_FILE. Default: true.
  • TRUSTSTORE_FILE - Where to write truststore file. Default: truststore.jks.
  • KEYSTORE_FILE - Where to write keystore file. Default: keystore.jks.
  • SLEEP_FOREVER - If set to true, will sleep forever after it
    successfully created keystores. This can be useful if vaultjks is run as part
    of a kubernetes pod.


$ docker run -ti \
  -e VAULT_ADDR=https://vault:8200 \
  -e VAULT_TOKEN=44eecf54-5b01-4bd5-a8c4-f4032b9e7e10 \
  -v /keystore:/data \
Docker Pull Command
Source Repository