JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 5

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 Certificate. The X.509 Private Key or Certificate allow to derive the Public Key.
  • User can create a self-signed X.509 Certificate, see JS7 - How to create self-signed Certificates.
  • Users can create a Private Key and Certificate as explained in the next chapter.

Note: Private Keys can be protected using a passphrase that acts as a second factor when a human user will access the key: while the Private Key is in the file system, the passphrase is in the user's brains. However, this does not improve security for unattended processing: it's pointless to store a passphrase side-by-side with the Private Key in scripts or configuration files on the same media.

Step 1: Creating the Private Key and Certificate

...

Code Block
languagebash
titleExample how to create ECDSA private key and certificate
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
openssl ecparam -name secp256k1 -genkey -noout -out agent.key
#   with passphrase
# openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler" -out agent.key

# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825

# extract public key from private key (not required)
# openssl ec -in agent.key -pubout > agent.pub
# openssl ec -in agent.key -passin pass:"jobscheduler" -pubout > agent.pub
Code Block
languagebash
titleExample how to create RSA private key and certificate
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -keyout agent.key -out agent.crt
#   with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt

# extract public key from certificate (not required)
# openssl x509 -pubkey -noout -in agent.crt > agent.pub

Step 2: Making the Certificate available

Copy the certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt secrets:

...

languagebash
titleExample where to copy the certificate
linenumberstrue
collapsetrue

...

Encryption

Usage

PowerShell CLI 2.0 - Cmdlets - Invoke-JS7Encrypt

...