How to Generate a Client Secret

The EuroDaT Client authenticates against EuroDaT's API with a secret, which must be registered beforehand.

Create a keystore file

You may use the keystore files in the local-certs folder for testing purposes. For other cases, either use provided keystores or create your own keystore using keytool:

keytool -genkeypair -v -keystore keystore.jks -keyalg RSA -keysize 4096 -validity 365 -alias certificate

Please always specify the alias "certificate" during creation or configure the EuroDaT Client accordingly.


Use a strong password during keystore creation and keep it secret.

Create the matching PEM file

The EuroDaT Client expects a keystore (.jks) and a PEM file. Generate the PEM file from keystore.jks using:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -clcerts -nokeys | openssl x509 -out tls.crt
rm keystore.p12

You should end up with two files: keystore.jks and tls.crt. Because of -nokeys, tls.crt contains only the certificate; the private key stays in the keystore.

Create the K8S secret

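Base64-encode both files, each as a single line (GNU base64 wraps its output at 76 characters by default, so the line breaks are stripped here):

base64 < keystore.jks | tr -d '\n'
base64 < tls.crt | tr -d '\n'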

Use the results to create the k8s secret with the following template:

apiVersion: v1
kind: Secret
metadata:
  name: eurodat-certificate-secret
type: Opaque
data:
  tls.crt: "<base64-encoded tls.crt>"
  keystore.jks: "<base64-encoded keystore.jks>"
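
The encoding and template steps above as one script, added here as an example and not part of the EuroDaT documentation; the function names are made up for illustration. It writes each base64 value on a single line and refuses a tls.crt that contains a private key or anything other than exactly one certificate.

```shell
#!/bin/sh
# Added example (not EuroDaT code): render the Secret manifest from the two files.
# Function names are hypothetical.

# b64_oneline FILE: base64 without line wrapping (GNU base64 wraps at 76 columns).
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# check_cert_pem FILE: succeed only if FILE holds exactly one certificate
# and no private key block of any kind (plain, RSA or encrypted).
check_cert_pem() {
    if grep -q 'PRIVATE KEY-----' "$1"; then
        echo "error: $1 contains a private key block" >&2
        return 1
    fi
    # grep -c exits non-zero on zero matches but still prints 0
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$count" -ne 1 ]; then
        echo "error: $1 holds $count certificates, expected 1" >&2
        return 1
    fi
}

# render_secret KEYSTORE CERT: print the manifest on stdout.
render_secret() {
    keystore=$1
    cert=$2
    if [ ! -s "$keystore" ]; then
        echo "error: $keystore is missing or empty" >&2
        return 1
    fi
    check_cert_pem "$cert" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: eurodat-certificate-secret
type: Opaque
data:
  tls.crt: "$(b64_oneline "$cert")"
  keystore.jks: "$(b64_oneline "$keystore")"
EOF
}

# Usage: render_secret keystore.jks tls.crt > secret.yaml
```

The rendered file contains the keystore, and base64 is an encoding rather than encryption, so handle it with the same care as keystore.jks itself.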