...

  • Create Private Key
  • Create Certificate Signing Request (CSR)
  • Create and sign Certificate

...

Example how to create Private Key and Certificate Signing Request using ECDSA encryption:

```bash
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```

...

Explanations:
  • Private Key
    • Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
  • Certificate Signing Request
    • The hash algorithm such as -sha256, -sha512 can be freely chosen.
    • The -subj option specifies the Distinguished Name used for the subject of the CSR and resulting Certificate.
      • The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
      • For self-signed Certificates the subject and issuer properties of the CSR/Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can freely be chosen.
      • For Private CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the Private CA Certificate's Distinguished Name using different values.
  • The following files will be created with this step:
    • The <key_name>.key file will hold the Private Key.
    • The <key_name>.csr file will hold the Certificate Signing Request.

Using RSA Encryption

Example how to create Private Key and Certificate Signing Request using RSA encryption:

```bash
# Specify key name used for file names
key_name=signing

# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```

...

Explanations:
  • In the example the Private Key is created using the specified key size 4096.
  • Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
  • For use of the -subj option see Using ECDSA Encryption.
  • The following files will be created with this step:
    • The <key_name>.key file will hold the Private Key.
    • The <key_name>.csr file will hold the Certificate Signing Request.

Creating Certificates

...

Example how to create self-signed Certificate:

```bash
# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -signkey ${key_name}.key \
    -in ${key_name}.csr \
    -out ${key_name}.crt \
    -extfile <(printf "keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n")
```

...

Explanations:
  • The SHA option such as -sha256, -sha384, -sha512 can be freely chosen.
  • The -days argument optionally specifies the validity period of the resulting certificate.
  • The -signkey option specifies the location of the Private Key file created from the previous step.
  • The -in option specifies the location of the Certificate Signing Request file created from the previous step.
  • The -out option specifies the location of the resulting Certificate file.
  • The -extfile option specifies a number of extensions recommended for use with Signing Certificates. 
  • The following files will be created with this step:
    • The <key_name>.crt file will hold the self-signed Certificate.

Self-signed Certificates must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

...

Example how to create CA Private Key and Certificate Signing Request:

```bash
# Specify key name used for file names
ca_key_name=signing-ca

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${ca_key_name}.key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${ca_key_name}.key \
    -out ${ca_key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${ca_key_name}"
```

...

Creating the CA Certificate

...

Example how to create CA Certificate:

```bash
# Specify key name used for file names
ca_key_name=signing-ca

# Create Certificate
openssl x509 -req -sha512 -days 7305 \
    -signkey ${ca_key_name}.key \
    -in ${ca_key_name}.csr \
    -out ${ca_key_name}.crt \
    -extfile <(printf "basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n")
```

...

Explanations:
  • Explanations are similar to Creating self-signed Certificates with a few exceptions.
    • The -days option specifying the validity period of the CA Certificate should be longer than the validity period of individual certificates.
    • The -extfile option specifies the Basic Constraint CA:TRUE which is required for a CA Certificate. Key Usage is limited to Signing Certificates.
  • The following files will be created with this step:
    • The signing-ca.crt file will hold the CA Certificate.

The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

...

Example how to create Signing Private Key and Certificate Signing Request:

```bash
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```

...

Creating the Signing Certificate

...

Example how to create Signing Certificate:

```bash
# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -in ${key_name}.csr \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -out ${key_name}.crt \
    -extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
```

...

Explanations:
  • Explanations are similar to Creating self-signed Certificates with a few exceptions:
    • The -days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate.
    • The -in option specifies the location of the Certificate Signing Request.
    • The -CA option specifies the location of the CA Certificate file.
    • The -CAkey option specifies the location of the CA Private Key file.
    • The -extfile option specifies the Key Usage being limited to code signing.
  • The following files will be created with this step:
    • The signing.crt file will hold the Signing Certificate.

The Signing Certificate file does not need to be deployed to Controller and Agent instances. Instead, the CA Certificate file is deployed to Controller and Agent instances.
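An added check, written as example code rather than taken from the JS7 documentation: the script below rebuilds the Private CA and the CA-signed Signing Certificate from the preceding steps in a scratch directory and then verifies the outcome before anything is copied to the trusted-x509-keys directory. It assumes the openssl CLI is on PATH; the extensions are written to files instead of process substitution so that it also runs under plain sh.

```shell
#!/bin/sh
# Example script (not part of the JS7 documentation). File names and -subj
# values follow the page: signing-ca for the CA, signing for the Signing Certificate.
SUBJ_BASE="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT"

# Returns 0 when the chain is valid and the extensions are as recommended,
# 1 when a check fails, 2 when openssl is not available to run the checks.
verify_signing_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    ca=signing-ca; key=signing
    (
        cd "$work" &&
        # extension files replace <(printf ...) so the script runs under sh as well
        printf 'basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n' > ca.ext &&
        printf 'keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' > signing.ext &&
        # CA: Private Key, CSR, self-signed CA Certificate (same commands as the page)
        openssl ecparam -genkey -name secp384r1 -out "$ca.key" &&
        openssl req -new -sha512 -nodes -key "$ca.key" -out "$ca.csr" -subj "$SUBJ_BASE/CN=$ca" &&
        openssl x509 -req -sha512 -days 7305 -signkey "$ca.key" -in "$ca.csr" -out "$ca.crt" -extfile ca.ext &&
        # Signing Certificate: Private Key, CSR, certificate issued by the CA
        openssl ecparam -genkey -name secp384r1 -out "$key.key" &&
        openssl req -new -sha512 -nodes -key "$key.key" -out "$key.csr" -subj "$SUBJ_BASE/CN=$key" &&
        openssl x509 -req -sha512 -days 3652 -in "$key.csr" -CA "$ca.crt" -CAkey "$ca.key" \
            -CAcreateserial -out "$key.crt" -extfile signing.ext &&
        # Check 1: the Signing Certificate chains to the CA Certificate
        openssl verify -CAfile "$ca.crt" "$key.crt" &&
        # Check 2: the CA is marked CA:TRUE and the leaf is restricted to code signing
        openssl x509 -in "$ca.crt" -noout -text | grep -q 'CA:TRUE' &&
        openssl x509 -in "$key.crt" -noout -text | grep -q 'Code Signing' &&
        # Check 3: the leaf must NOT carry CA:TRUE (what happens when the CA
        # extension file is reused by mistake for the Signing Certificate)
        ! openssl x509 -in "$key.crt" -noout -text | grep -q 'CA:TRUE'
    ) >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}

verify_signing_chain
case $? in
    0) echo "chain OK: signing.crt is issued by signing-ca.crt and limited to code signing" ;;
    2) echo "openssl not found, checks skipped" ;;
    *) echo "chain check FAILED"; exit 1 ;;
esac
```

The same three checks can be run against certificates created by hand by pointing `openssl verify` and `openssl x509 -text` at the real signing-ca.crt and signing.crt files.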

...