JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 3

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 4

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
titleCreate Signing CA Certificate
linenumberstrue
# Generate Signing Certificate Authority (CA) Private Key
openssl ecparam -name secp384r1prime256v1 -genkey -noout -out signing-ca.key

# Generate Signing CA Certificate
openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -out signing-ca.crt

# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:DE
# State or Province Name (full name) []:Berlin
# Locality Name (eg, city) [Default City]:Berlin
# Organization Name (eg, company) [Default Company Ltd]:SOS
# Organizational Unit Name (eg, section) []:JS7
# Common Name (eg, your name or your server's hostname) []:JS7 Deployment CA
# Email Address []:

# Alternative: Generate RootSigning Certificate Authority (CA) Private Key using passphrase
# openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -passout pass:jobscheduler -out signing-ca.key

 # Generate RootSigning CA Certificate
openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -passin pass:jobscheduler -out signing-ca.crt

...

As a response to the second command the OpenSSL utility prompts for a number of specifications for the Distinguished Name, i.e. the unique name of the Root Signing CA Certificate:

  • Country Name: a 2 letter country code is expected as stated for example with https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
  • State or Province Name: the name of a state is expected
  • Locality Name:  the name of a city is expected
  • Organization Name: arbitrary input is allowed
  • Organizational Unit Name: arbitrary input is allowed
  • Common Name: an arbitrary name can be chosen as the name of the Root Signing CA
  • Email Address: empty input is allowed

...

Code Block
languagebash
titleCreate Signing Certificate
linenumberstrue
# Specify server for which the certificate should be created
certificate_name=signing

# Step 1 - Generate Private Key and Certificate Signing Request
openssl req -new -config openssl-cert.config -extensions 'standard exts' -nodes \
    -days 5475 -newkey rsa:4096ec:<(openssl ecparam -name prime256v1) -keyout ${certificate_name}.key -out ${certificate_name}.csr

# Step 2 - Generate and sign the Server Certificate
openssl x509 -req \
    -in ${certificate_name}.csr \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -out ${certificate_name}.crt -days 7300 \
    -extfile <(printf 'keyUsage = critical, nonRepudiation, digitalSignature\n' "${certificate_name}")

...

Code Block
titleOpenSSL configuration file openssl-cert.config
linenumberstrue
[ req ]
prompt             = no
distinguished_name = standard dn

[ standard dn ]
            commonName = signing
           countryName = DE
          localityName = Berlin
      organizationName = SOS
organizationalUnitName = IT
   stateOrProvinceName = Berlin

[ standard exts ]
keyUsage = critical, nonRepudiation, digitalSignature

# see x509v3_config for other extensions

...