...
- Create Private Key
- Create Certificate Signing Request (CSR)
- Create and sign Certificate
...
Example how to create Private Key and Certificate Signing Request using ECDSA encryption:

```bash
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key
# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
Explanations:

- Private Key
    - Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
- Certificate Signing Request
    - The hash algorithm such as -sha256, -sha512 can be freely chosen.
    - The -subj option specifies the Distinguished Name used for the subject of the CSR and resulting Certificate.
    - The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
    - For self-signed Certificates the subject and issuer properties of the CSR/Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can freely be chosen.
    - For Private CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the Private CA Certificate's Distinguished Name using different values.
- The following files will be created with this step:
    - The <key_name>.key file will hold the Private Key.
    - The <key_name>.csr file will hold the Certificate Signing Request.
Using RSA Encryption
Example how to create Private Key and Certificate Signing Request using RSA encryption:

```bash
# Specify key name used for file names
key_name=signing
# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
Explanations:

- In the example the Private Key is created using the specified key size 4096.
- Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
- For use of the -subj option see Using ECDSA Encryption.
- The following files will be created with this step:
    - The <key_name>.key file will hold the Private Key.
    - The <key_name>.csr file will hold the Certificate Signing Request.
Creating Certificates
...
Example how to create self-signed Certificate:

```bash
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -signkey ${key_name}.key \
    -in ${key_name}.csr \
    -out ${key_name}.crt \
    -extfile <(printf "keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n")
```
...
Explanations:

- The SHA option such as -sha256, -sha384, -sha512 can be freely chosen.
- The -days argument optionally specifies the validity period of the resulting Certificate.
- The -signkey option specifies the location of the Private Key file created from the previous step.
- The -in option specifies the location of the Certificate Signing Request file created from the previous step.
- The -out option specifies the location of the resulting Certificate file.
- The -extfile option specifies a number of extensions recommended for use with Signing Certificates.
- The following files will be created with this step:
    - The <key_name>.crt file will hold the self-signed Certificate.
Self-signed Certificates must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.
...
Example how to create CA Private Key and Certificate Signing Request:

```bash
# Specify key name used for file names
ca_key_name=signing-ca
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${ca_key_name}.key
# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${ca_key_name}.key \
    -out ${ca_key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${ca_key_name}"
```
...
Creating the CA Certificate
...
Example how to create CA Certificate:

```bash
# Specify key name used for file names
ca_key_name=signing-ca
# Create Certificate
openssl x509 -req -sha512 -days 7305 \
    -signkey ${ca_key_name}.key \
    -in ${ca_key_name}.csr \
    -out ${ca_key_name}.crt \
    -extfile <(printf "basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n")
```
...
Explanations:

- Explanations are similar to Creating self-signed Certificates with a few exceptions.
- The -days option specifying the validity period of the CA Certificate should be longer than the validity period of individual Certificates.
- The -extfile option specifies the Basic Constraint CA:TRUE which is required for a CA Certificate. Key Usage is limited to signing Certificates.
- The following files will be created with this step:
    - The signing-ca.crt file will hold the CA Certificate.
The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.
...
Example how to create Signing Private Key and Certificate Signing Request:

```bash
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key
# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
Creating the Signing Certificate
...
Example how to create Signing Certificate:

```bash
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -in ${key_name}.csr \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -out ${key_name}.crt \
    -extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
```
...
Explanations:

- Explanations are similar to Creating self-signed Certificates with a few exceptions:
- The -days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate.
- The -in option specifies the location of the Certificate Signing Request.
- The -CA option specifies the location of the CA Certificate file.
- The -CAkey option specifies the location of the CA Private Key file.
- The -extfile option specifies the Key Usage being limited to code signing.
- The following files will be created with this step:
    - The signing.crt file will hold the Signing Certificate.
...
The Signing Certificate file does not need to be deployed to Controller and Agent instances. Instead, the CA Certificate file is deployed to Controller and Agent instances.
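Before anything is copied into trusted-x509-keys, it pays to confirm that the files from the self-signed and the CA-signed procedures above actually fit together. The following checks are an added example and not part of the JS7 documentation; they assume openssl on PATH and the file names used on this page (signing-ca.key/.crt, signing.key/.csr/.crt). build_demo_chain recreates the CA and Signing Certificate pair with the same openssl options as above so the checks can be tried out in a scratch directory.

```sh
# Added example, not part of the JS7 documentation: pre-deployment checks for the
# files created above. Assumes openssl on PATH and the page's file names
# (signing-ca.crt/.key, signing.crt/.key/.csr); build_demo_chain recreates them.
set -u

# 0 if the private key ($1) is the one behind the public key in certificate ($2)
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
# 0 if certificate ($2) shows the extension text ($1), e.g. "Code Signing"
has_ext() { openssl x509 -in "$2" -noout -text 2>/dev/null | grep -q -- "$1"; }
# 0 if the leaf certificate ($2) verifies against the CA certificate ($1)
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 0 if the CA certificate ($1) is still valid $2 days from now, i.e. a Signing
# Certificate issued today with -days $2 will not outlive the CA that signed it
ca_outlives_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Recreates the page's CA + Signing Certificate pair inside directory $1 (same
# openssl options as above; the extension lists go to files instead of bash
# process substitution, and -noout keeps only the key block, so plain sh works)
build_demo_chain() {
  d=$1; dn='/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT'
  printf 'basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' >"$d/signing.ext"
  openssl ecparam -genkey -noout -name secp384r1 -out "$d/signing-ca.key" &&
  openssl req -new -sha512 -nodes -key "$d/signing-ca.key" -out "$d/signing-ca.csr" -subj "$dn/CN=signing-ca" &&
  openssl x509 -req -sha512 -days 7305 -signkey "$d/signing-ca.key" -in "$d/signing-ca.csr" \
    -out "$d/signing-ca.crt" -extfile "$d/ca.ext" &&
  openssl ecparam -genkey -noout -name secp384r1 -out "$d/signing.key" &&
  openssl req -new -sha512 -nodes -key "$d/signing.key" -out "$d/signing.csr" -subj "$dn/CN=signing" &&
  openssl x509 -req -sha512 -days 3652 -in "$d/signing.csr" -CA "$d/signing-ca.crt" -CAkey "$d/signing-ca.key" \
    -CAcreateserial -out "$d/signing.crt" -extfile "$d/signing.ext"
} >/dev/null 2>&1

# Runs all checks on a directory laid out like the one above; reports the first failure
check_chain() {
  d=$1
  key_matches_cert "$d/signing-ca.key" "$d/signing-ca.crt" || { echo "CA key does not match CA certificate"; return 1; }
  key_matches_cert "$d/signing.key" "$d/signing.crt" || { echo "signing key does not match Signing Certificate"; return 1; }
  has_ext 'CA:TRUE' "$d/signing-ca.crt" || { echo "CA certificate lacks basicConstraints CA:TRUE"; return 1; }
  has_ext 'Code Signing' "$d/signing.crt" || { echo "Signing Certificate lacks the codeSigning extended key usage"; return 1; }
  chains_to_ca "$d/signing-ca.crt" "$d/signing.crt" || { echo "Signing Certificate does not chain to the CA"; return 1; }
  ca_outlives_days "$d/signing-ca.crt" 3652 || { echo "CA certificate expires before the Signing Certificate"; return 1; }
  echo "OK: deploy $d/signing-ca.crt to trusted-x509-keys; keep $d/signing.key private"
}
```

For a self-signed Signing Certificate the same functions apply with signing.crt passed as both the CA file and the leaf, since subject and issuer are identical there.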
...