Introduction
JS7 - Deployment of Scheduling Objects makes use of Signing Certificates to digitally sign workflows and other objects. Certificates used for signing are independent of the Certificates used to secure connections with HTTPS: they are separate key pairs and should not be reused for both purposes.
...
Examples in the article make use of OpenSSL 1.1.1k FIPS 25 Mar 2021 and JS7 Release 2.7.2.
Creating the Private Key and Certificate Signing Request

The steps to create a Private Key and Certificate Signing Request are the same for self-signed Certificates and CA-signed Certificates. Users have the option to use ECDSA or RSA as the key algorithm of the Private Key. Note that the examples below create the Private Key unencrypted (option -nodes); the key file must therefore be protected by file permissions, as anyone holding it can create valid signatures for scheduling objects.

Users can run the following commands from the shell and replace the value of the key_name shell variable with a name of their choice that is used when creating related files.
Using ECDSA Encryption

Example how to create Private Key and Certificate Signing Request using an ECDSA key:
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${key_name}".key
# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
-key "${key_name}".key \
-out "${key_name}".csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
...
- Private Key
  - The choice of curve, such as secp256k1 or secp384r1, depends on support by the Java version used with JS7. Note that secp256k1 was removed from the JDK's SunEC provider with JDK 16, so the NIST curves secp384r1 or prime256v1 (secp256r1) are the safer choice.
- Certificate Signing Request
  - The hash algorithm such as -sha256 or -sha512 can be freely chosen. It signs the CSR only; for CA-signed Certificates the hash algorithm of the Certificate's signature is chosen by the CA when signing.
  - The -subj option specifies the Distinguished Name used for the subject of the CSR and resulting Certificate.
  - The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
  - For self-signed Certificates the subject and issuer properties of the Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can freely be chosen.
  - For CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the CA Certificate's Distinguished Name. In the examples of this article both Distinguished Names match except for the Common Name CN.
- The following files will be created with this step:
  - The <key_name>.key file will hold the Private Key. Access to this file should be restricted to the user account that performs signing.
  - The <key_name>.csr file will hold the Certificate Signing Request.
Using RSA Encryption

Example how to create Private Key and Certificate Signing Request using an RSA key:
# Specify key name used for file names
key_name=signing
# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout "${key_name}".key \
-out "${key_name}".csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
...
- In the example the Private Key is created using the specified key size 4096.
- The choice of key size, such as 2048, 3072 or 4096 bits, depends on support by the Java version used with JS7. All three sizes are supported by current Java versions; the larger the key, the slower signing and verification.
- For use of the -subj option see Using ECDSA Encryption.
- The following files will be created with this step:
  - The <key_name>.key file will hold the Private Key.
  - The <key_name>.csr file will hold the Certificate Signing Request.
Creating Certificates

Users have the option to create self-signed Certificates or CA-signed Certificates.
Creating self-signed Certificates

Users can run the following commands from the shell and replace the value of the key_name shell variable with a name of their choice that is used when creating related files.
...
Self-signed Certificates must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances. Only the Certificate file is copied, never the Private Key.
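The self-signed path end to end, as an added example that is not part of the article and does not reproduce the article's own commands for this step: it creates an ECDSA Private Key and CSR as in the section above, checks the CSR's self-signature, issues the self-signed Certificate with an extension file that limits it to code signing, and inspects the result. It assumes openssl on PATH; the extension file contents, the 365-day validity, the key name "signing" and the helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the article's own commands): create a self-signed code
# signing Certificate from an ECDSA key and CSR, then inspect the result.
# Assumes openssl on PATH; the 365-day validity, extension file contents
# and file names are choices made for this example.
set -eu

# make_self_signed <dir>: writes <dir>/signing.key, signing.csr, signing.crt
make_self_signed() {
  dir="$1"
  mkdir -p "$dir"
  # Private Key (P-384) as in the article; -noout omits the redundant
  # EC PARAMETERS block, umask keeps the key file private (0600)
  (umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$dir/signing.key")
  # CSR: the hash algorithm here only signs the request itself
  openssl req -new -sha512 -key "$dir/signing.key" -out "$dir/signing.csr" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=signing"
  # Extension file: explicitly not a CA, usable for code signing only
  cat > "$dir/signing.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
EOF
  # -signkey signs the CSR with its own key, so subject == issuer
  openssl x509 -req -sha512 -days 365 \
    -in "$dir/signing.csr" -signkey "$dir/signing.key" \
    -extfile "$dir/signing.ext" -out "$dir/signing.crt" 2>/dev/null
}

# csr_verifies <csr>: "yes" if the CSR's self-signature checks out.
# openssl 1.1.1 reports the result on stderr and exits 0 either way,
# so the message is inspected rather than the exit code.
csr_verifies() {
  if openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; then
    echo yes
  else
    echo no
  fi
}

# cert_is_self_signed <crt>: "yes" if subject and issuer names match
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# cert_has_code_signing_eku <crt>: "yes" if the Code Signing EKU is present
cert_has_code_signing_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q "Code Signing"; then
    echo yes
  else
    echo no
  fi
}

# cert_matches_key <crt> <key>: "yes" if the Certificate carries the public
# key derived from the Private Key (guards against mixing up files)
cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  [ "$from_cert" = "$from_key" ] && echo yes || echo no
}

# Stand-alone use: sh self_signed.sh <workdir>
if [ -n "${1:-}" ]; then
  make_self_signed "$1"
  echo "csr verifies:     $(csr_verifies "$1/signing.csr")"
  echo "self-signed:      $(cert_is_self_signed "$1/signing.crt")"
  echo "code signing eku: $(cert_has_code_signing_eku "$1/signing.crt")"
  echo "cert matches key: $(cert_matches_key "$1/signing.crt" "$1/signing.key")"
fi
```

The four checks are the ones worth running before the Certificate is copied to trusted-x509-keys: the CSR is intact, subject and issuer agree (the definition of self-signed), the Certificate is restricted to code signing rather than being an unconstrained CA, and the Certificate actually belongs to the Private Key that will do the signing.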
Creating CA-signed Certificates

For CA-signed Certificates a Certificate Authority (CA) is required owning a CA Private Key and CA Certificate. The CA Private Key and CA Certificate will be used to sign Certificates on behalf of users.
- Setup of the Certificate Authority is performed once.
- Signing is performed for each Certificate on behalf of users.

Creating the Certificate Authority (CA)

The steps to create the CA Private Key and CA Certificate are similar to Creating the Private Key and Certificate Signing Request for self-signed Certificates.
Creating the CA Private Key and Certificate Signing Request

Steps include to create the signing-ca.key CA Private Key file and the signing-ca.csr CA Certificate Signing Request file, both in PEM format.
...
Creating the CA Certificate

Steps include to create the signing-ca.crt self-signed CA Certificate file in PEM format.
...
- Explanations are similar to Creating self-signed Certificates with a few exceptions:
  - The -days option specifying the validity period of the CA Certificate should be longer than the validity period of individual Certificates, as a Certificate cannot be verified once its issuer's Certificate has expired.
  - The -extfile option specifies the Basic Constraint CA:TRUE which is required for a CA Certificate. Key Usage is limited to signing certificates (keyCertSign).
- The following files will be created with this step:
  - The signing-ca.crt file will hold the CA Certificate.

The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances. The CA Private Key stays with the CA and is not copied.
Creating Signing Certificates

Creating the Signing Private Key and Certificate Signing Request

Steps include to create the signing.key Private Key file and the signing.csr Certificate Signing Request file, both in PEM format.
...
Creating the Signing Certificate

Steps include to create the signing.crt CA-signed Certificate file in PEM format.
...
- Explanations are similar to Creating self-signed Certificates with a few exceptions:
  - The -days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate.
  - The -in option specifies the location of the Certificate Signing Request.
  - The -CA option specifies the location of the CA Certificate file.
  - The -CAkey option specifies the location of the CA Private Key file.
  - The -extfile option specifies the Key Usage being limited to code signing. The Signing Certificate should carry the Basic Constraint CA:FALSE, as it is a leaf Certificate and must not be able to sign further Certificates.
- The following files will be created with this step:
  - The signing.crt file will hold the Signing Certificate.
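The CA-signed path end to end, as an added example that is not part of the article and does not reproduce the article's own commands: it builds the CA (key, CSR, self-signed CA Certificate with CA:TRUE and keyCertSign), issues a Signing Certificate from a CSR with -CA/-CAkey and a code signing extension file, and then verifies the chain the way a relying party would. It also builds a deliberately broken "CA" without CA:TRUE to show that signing still succeeds but verification fails, which is why the Basic Constraint matters. It assumes openssl on PATH; the validity periods (3650 and 365 days), the extension file contents, the CA's Common Name "signing-ca" and the helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the article's own commands): build a small signing CA,
# issue a code signing Certificate from a CSR, and verify the chain.
# Assumes openssl on PATH; directory layout, validity periods and the
# CA's Distinguished Name are choices made for this example.
set -eu

# make_ca <dir> [ca_flag]: CA key, CSR and self-signed CA Certificate.
# ca_flag defaults to TRUE; passing FALSE builds a deliberately invalid
# "CA" without CA:TRUE to show how verification reacts.
make_ca() {
  dir="$1"; ca_flag="${2:-TRUE}"
  mkdir -p "$dir"
  (umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$dir/signing-ca.key")
  openssl req -new -sha512 -key "$dir/signing-ca.key" -out "$dir/signing-ca.csr" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=signing-ca"
  cat > "$dir/signing-ca.ext" <<EOF
basicConstraints = critical, CA:$ca_flag
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # The CA Certificate is self-signed and outlives the leaf Certificates
  openssl x509 -req -sha512 -days 3650 -in "$dir/signing-ca.csr" \
    -signkey "$dir/signing-ca.key" -extfile "$dir/signing-ca.ext" \
    -out "$dir/signing-ca.crt" 2>/dev/null
}

# issue_signing_cert <dir>: signing key + CSR, signed by the CA in <dir>
issue_signing_cert() {
  dir="$1"
  (umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$dir/signing.key")
  openssl req -new -sha512 -key "$dir/signing.key" -out "$dir/signing.csr" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=signing"
  # Leaf: not a CA, code signing only. -CA copies the CA's subject into
  # the issuer field, so only the CN differs between the two names.
  cat > "$dir/signing.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # -CAcreateserial keeps a serial counter next to the CA Certificate
  openssl x509 -req -sha512 -days 365 -in "$dir/signing.csr" \
    -CA "$dir/signing-ca.crt" -CAkey "$dir/signing-ca.key" -CAcreateserial \
    -extfile "$dir/signing.ext" -out "$dir/signing.crt" 2>/dev/null
}

# chain_verifies <ca.crt> <leaf.crt>: "yes" if the leaf chains to the CA
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# leaf_issuer_matches_ca <ca.crt> <leaf.crt>: "yes" if issuer == CA subject
leaf_issuer_matches_ca() {
  ca_subj=$(openssl x509 -in "$1" -noout -subject)
  leaf_iss=$(openssl x509 -in "$2" -noout -issuer)
  [ "${ca_subj#subject=}" = "${leaf_iss#issuer=}" ] && echo yes || echo no
}

# leaf_is_ca <leaf.crt>: "yes" if the leaf (wrongly) carries CA:TRUE
leaf_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; then echo yes; else echo no; fi
}

# Stand-alone use: sh signing_ca.sh <workdir>
if [ -n "${1:-}" ]; then
  make_ca "$1/good";       issue_signing_cert "$1/good"
  make_ca "$1/bad" FALSE;  issue_signing_cert "$1/bad"
  echo "good chain verifies: $(chain_verifies "$1/good/signing-ca.crt" "$1/good/signing.crt")"
  echo "issuer matches CA:   $(leaf_issuer_matches_ca "$1/good/signing-ca.crt" "$1/good/signing.crt")"
  echo "leaf is a CA:        $(leaf_is_ca "$1/good/signing.crt")"
  echo "bad chain verifies:  $(chain_verifies "$1/bad/signing-ca.crt" "$1/bad/signing.crt")"
fi
```

Two points follow from the broken "CA": openssl x509 -req signs whatever it is given, so a mistake in the CA's extension file is not caught at signing time, only at verification; and the check that catches it is the same chain verification a Controller or Agent has to perform against the CA Certificate in trusted-x509-keys, so running openssl verify -CAfile before deployment is the cheapest way to find such a mistake.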
...