Page History
...
- Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 certificate. The X.509 Private Key or Certificate allow to derive the Public Key.
- User can create a self-signed X.509 Certificate, see JS7 - How to create self-signed Certificates.
- Users can create a Private Key and Certificate as explained in the next chapter.
...
Note: Private Keys can be protected using a passphrase that acts as a second factor when a human user will access the key: while the Private Key
...
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private
# create the private key in pkcs#1 format
# without passphrase
openssl ecparam -name secp256k1 -genkey -noout -out agent.key
# with passphrase
# openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler" -out agent.key
# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825
# extract public key from private key (not required)
# openssl ec -in agent.key -pubout > agent.pub
# openssl ec -in agent.key -passin pass:"jobscheduler" -pubout > agent.pub |
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private
# create the private key in pkcs#1 format
# without passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout agent.key -out agent.crt
# with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt
# extract public key from certificate (not required)
# openssl x509 -pubkey -noout -in agent.crt > agent.pub
# openssl x509 -pubkey -noout -passin pass:"jobscheduler" -in agent.crt > agent.pub |
Step 2: Making the Certificate available
Copy the Certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt variables:
...
| language | bash |
|---|---|
| title | Example where to copy the certificate |
| linenumbers | true |
| collapse | true |
is in the file system, the passphrase is in the user's memory. However, this does not improve security for unattended processing: it's pointless to store a passphrase side-by-side with the Private Key in scripts or configuration files on the same media.
Step 1: Creating the Private Key and Certificate
The following step is performed on the server hosting the Agent that should decrypt secrets. The example makes use of the openssl command line utility that can be installed for Windows. There are alternative ways how to create Private Keys and Certificates.
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private
# create the private key in pkcs#1 format
# without passphrase
openssl ecparam -name secp256k1 -genkey -noout -out agent.key
# with passphrase
# openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler" -out agent.key
# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825 |
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private
# create the private key in pkcs#1 format
# without passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout agent.key -out agent.crt
# with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt |
Step 2: Making the Certificate available
Copy the Certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt variables:
...
Encryption
Usage
Invoking the script without arguments displays the usage clause:
...
--key- Specifies the path to a the Private Key file that matches the X.509 Certificate or Public Key used for previous encryption.
- The argument is required.
--key-password- Specifies the password passphrase if the Private Key file indicated with the
--keyoption is protected by a password.
- Specifies the password passphrase if the Private Key file indicated with the
--iv- Specifies the base64 encoded initialization vector as returned during encryption.
- The argument is required.
--encrypted-key- Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
- The argument is requiredpassphrase.
--in- Specifies the encryption result that should be decrypted. The result includes the encrypted symmetric key, initialization vector and path to encrypted file separated by spaces as returned from the encryption step.
- The argument is required. If the option
--infileis specified, then its value takes precedence to the path specified with the--inoption.
--infile- Specifies the path to an encrypted file that should be decrypted.
- If this option is specified then its value takes precedence to the path specified with the
--inoption. - This option requires use of the
--outfileoption.
--outfile- Specifies the path to the output file that will be created holding the decrypted content of the input file.
- The option is required if the
--infileoption is specified.
...
Overview
Content Tools