Introduction

JS7 - Deployment of Scheduling Objects makes use of Signing Certificates to digitally sign workflows and other objects. Use of certificates for signing is not related to use of certificates to secure connections using HTTPS.

...

Examples in the article make use of OpenSSL 1.1.1k FIPS 25 Mar 2021 and JS7 Release 2.7.2.

Creating the Private Key and Certificate Signing Request

The steps to create a Private Key and Certificate Signing Request are the same for use of self-signed Certificates and CA-signed Certificates. Users have the option to use ECDSA or RSA as the key algorithm of the Private Key.

Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files.

Using ECDSA Encryption

Example how to create Private Key and Certificate Signing Request using ECDSA encryption:

```bash
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${key_name}".key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```

...

  • Private Key
    • Choice of the elliptic curve such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
  • Certificate Signing Request
    • The hash algorithm such as -sha256, -sha512 can be freely chosen.
    • The -subj option specifies the Distinguished Name used for the subject of the CSR and resulting Certificate.
      • The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
      • For self-signed Certificates the subject and issuer properties of the CSR/Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can be freely chosen.
      • For CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the CA Certificate's Distinguished Name. Both Distinguished Names should match except for the Common Name CN.
  • The following files will be created with this step:
    • The <key_name>.key file will hold the Private Key.
    • The <key_name>.csr file will hold the Certificate Signing Request.

Using RSA Encryption

Example how to create Private Key and Certificate Signing Request using RSA encryption:

```bash
# Specify key name used for file names
key_name=signing

# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```

...

  • In the example the Private Key is created using the specified key size 4096.
  • Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
  • For use of the -subj option see Using ECDSA Encryption.
  • The following files will be created with this step:
    • The <key_name>.key file will hold the Private Key.
    • The <key_name>.csr file will hold the Certificate Signing Request.
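As an added example that is not part of the JS7 article, the following shell script wraps the ECDSA commands from above in a function and adds the checks a practitioner would run on the Private Key and CSR before having the CSR signed: that the CSR's own signature verifies, that the public key inside the CSR actually belongs to the Private Key, and which curve (or RSA) the key uses so it can be compared with what the Java version used with JS7 supports. It assumes the openssl CLI is on PATH; the function names, the scratch directory and the file name "signing" are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the JS7 article): create a key/CSR pair with the
# article's ECDSA commands, then check the pair before it is signed.
# Assumes the openssl CLI is on PATH; function names and file names are
# constructed for this example.

# Create Private Key and CSR exactly as the article does, named after $1.
make_key_and_csr() {
    key_name="$1"
    openssl ecparam -genkey -name secp384r1 -out "${key_name}.key" 2>/dev/null &&
    openssl req -new -sha512 -nodes \
        -key "${key_name}.key" \
        -out "${key_name}.csr" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" 2>/dev/null
}

# Return 0 only if the CSR's own signature verifies and its public key is
# the one derived from the given Private Key; otherwise report and return 1.
verify_key_and_csr() {
    key_file="$1"
    csr_file="$2"
    # A CSR is signed with the requesting key; -verify checks that signature.
    if ! openssl req -in "$csr_file" -noout -verify >/dev/null 2>&1; then
        echo "CSR signature does not verify: $csr_file" >&2
        return 1
    fi
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr_file" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$csr_pub" ]; then
        echo "public key in $csr_file does not belong to $key_file" >&2
        return 1
    fi
    return 0
}

# Print the subject Distinguished Name of a CSR without the "subject=" prefix.
csr_subject() {
    openssl req -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//'
}

# Print the curve name of an EC key (or "RSA" for an RSA key) so it can be
# compared with what the Java version used with JS7 supports.
key_algorithm() {
    info=$(openssl pkey -in "$1" -noout -text 2>/dev/null)
    case "$info" in
        *"ASN1 OID: "*) printf '%s\n' "$info" | sed -n 's/^ASN1 OID: //p' ;;
        *modulus*)      echo RSA ;;
        *)              echo unknown; return 1 ;;
    esac
}

# Demonstration in a scratch directory (constructed file name "signing").
workdir=$(mktemp -d)
( cd "$workdir" && make_key_and_csr signing && verify_key_and_csr signing.key signing.csr &&
  echo "subject: $(csr_subject signing.csr); key: $(key_algorithm signing.key)" )
```

The public-key comparison is the check that catches the most common operational mistake, a CSR created from one key file and a certificate later installed next to a different key; the CSR signature check only proves that the CSR was not altered after it was created.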

Creating Certificates

Users have the option to create self-signed Certificates or CA-signed Certificates.

Creating self-signed Certificates

Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files.

...

Self-signed Certificates must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

Creating CA-signed Certificates

For CA-signed Certificates a Certificate Authority (CA) is required that owns a CA Private Key and a CA Certificate. The CA Private Key and CA Certificate are used to sign Certificates on behalf of users.

  • Setup of the Certificate Authority is performed once.
  • Signing is performed for each Certificate on behalf of users.

Creating the Certificate Authority (CA)

The steps to create the CA Private Key and CA Certificate are similar to Creating the Private Key and Certificate Signing Request for self-signed Certificates.

Creating the CA Private Key and Certificate Signing Request

This step creates the signing-ca.key CA Private Key file and the signing-ca.csr CA Certificate Signing Request file, both in PEM format.

...

Creating the CA Certificate

This step creates the signing-ca.crt CA-signed Certificate file in PEM format.

...

  • Explanations are similar to Creating self-signed Certificates with a few exceptions:
    • The -days option specifying the validity period of the CA Certificate should be longer than the validity period of individual certificates.
    • The -extfile option specifies the Basic Constraints extension CA:TRUE, which is required for a CA Certificate. Key Usage is limited to signing certificates.
  • The following files will be created with this step:
    • The signing-ca.crt file will hold the CA Certificate.

The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

Creating Signing Certificates

Creating the Signing Private Key and Certificate Signing Request

This step creates the signing.key Private Key file and the signing.csr Certificate Signing Request file, both in PEM format.

...

Creating the Signing Certificate

This step creates the signing.crt CA-signed Certificate file in PEM format.

...

  • Explanations are similar to Creating self-signed Certificates with a few exceptions:
    • The -days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate.
    • The -in option specifies the location of the Certificate Signing Request.
    • The -CA option specifies the location of the CA Certificate file.
    • The -CAkey option specifies the location of the CA Private Key file.
    • The -extfile option specifies the Key Usage being limited to code signing.
  • The following files will be created with this step:
    • The signing.crt file will hold the Signing Certificate.
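The following shell script is an added end-to-end example, not the article's own commands, covering the CA and Signing Certificate sections above: it creates the CA Private Key, CSR and CA Certificate (the CA Certificate is itself self-signed with openssl x509 -req -signkey, so this step also has the shape of the self-signed Certificate case) with CA:TRUE and Key Usage limited to signing certificates, then issues the Signing Certificate with -in, -CA, -CAkey and an -extfile that limits Key Usage to code signing, and finally verifies the chain and the extensions before the files would be copied to the trusted-x509-keys directory. The extension file contents, the validity periods of 3650 and 365 days, the subjects and the function names are assumptions made for this example; only the openssl CLI on PATH is required.

```bash
#!/bin/sh
# Added example (not the JS7 article's own commands): set up the CA, issue a
# Signing Certificate from it and verify the result. Assumes the openssl CLI
# is on PATH; extension file contents, validity periods, subjects and
# function names are constructed for this example.

# Step 1: CA Private Key and CSR, then the CA Certificate. The CA Certificate
# is self-signed (-signkey) and carries CA:TRUE with Key Usage limited to
# signing certificates; its validity exceeds that of the certificates it issues.
create_ca() {
    cat > signing-ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -genkey -name secp384r1 -out signing-ca.key 2>/dev/null &&
    openssl req -new -sha512 -nodes -key signing-ca.key -out signing-ca.csr \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=signing-ca" 2>/dev/null &&
    openssl x509 -req -sha512 -days 3650 -in signing-ca.csr -signkey signing-ca.key \
        -extfile signing-ca.ext -out signing-ca.crt 2>/dev/null
}

# Step 2: Signing Private Key and CSR, then the Signing Certificate issued with
# -CA/-CAkey. Its subject differs from the CA's only in CN, and the extension
# file marks it as a non-CA certificate usable for code signing only.
create_signing_certificate() {
    cat > signing.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl ecparam -genkey -name secp384r1 -out signing.key 2>/dev/null &&
    openssl req -new -sha512 -nodes -key signing.key -out signing.csr \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=signing" 2>/dev/null &&
    openssl x509 -req -sha512 -days 365 -in signing.csr \
        -CA signing-ca.crt -CAkey signing-ca.key -CAcreateserial \
        -extfile signing.ext -out signing.crt 2>/dev/null
}

# Does the certificate in $1 (default signing.crt) chain to signing-ca.crt?
verify_chain() {
    openssl verify -CAfile signing-ca.crt "${1:-signing.crt}" >/dev/null 2>&1
}

# Does the textual dump of certificate $1 contain the extension text $2?
cert_has_extension() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# Checks worth running before the files are copied to trusted-x509-keys.
check_issued_certificates() {
    verify_chain signing.crt || { echo "signing.crt does not chain to signing-ca.crt" >&2; return 1; }
    cert_has_extension signing-ca.crt 'CA:TRUE' || { echo "CA Certificate lacks CA:TRUE" >&2; return 1; }
    cert_has_extension signing.crt 'CA:FALSE' || { echo "Signing Certificate must not be a CA" >&2; return 1; }
    cert_has_extension signing.crt 'Code Signing' || { echo "Signing Certificate lacks code signing usage" >&2; return 1; }
    # Issuer of the Signing Certificate must equal the CA Certificate's subject.
    issuer=$(openssl x509 -in signing.crt -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    ca_subject=$(openssl x509 -in signing-ca.crt -noout -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$ca_subject" ] || { echo "issuer does not match CA subject" >&2; return 1; }
    return 0
}

# Demonstration in a scratch directory.
workdir=$(mktemp -d)
( cd "$workdir" && create_ca && create_signing_certificate && check_issued_certificates &&
  echo "signing-ca.crt and signing.crt created and verified in $workdir" )
```

Only signing-ca.crt and signing.crt need to reach the Controller and Agent instances; the CA Private Key signing-ca.key stays with the CA, and the extension files matter because without basicConstraints and keyUsage a certificate issued this way would be accepted for far more than signing deployment objects.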

...