...

  • Certificates for the specific use of code signing must be used.
  • Users choose which approach they want to follow:
    • Creating Self-issued Certificates.
    • Creating Private CA-signed Certificates.
    • Purchasing Public CA-signed Certificates.

...

  • Self-issued Certificates have to be deployed from individual certificate files made available to Controllers and Agents.
    • There is no security gap in the use of Self-issued Certificates. When users store certificate files to Controllers and Agents, this proves that they trust the certificates.
  • Private CA-signed Certificates are issued by users who operate their own Private Certificate Authority (CA). Individual Signing Certificates on behalf of users are not deployed to Controllers and Agents. Instead, the CA Certificate that was used to sign the individual Signing Certificates is deployed.
    • The approach implies that any Signing Certificate signed by the CA will be accepted for deployment of scheduling objects.
    • For better control over which certificates are made available for deployment, users might decide to use a specific Private CA.
  • Public CA-signed Certificates are issued by a trusted Certificate Authority (CA) that validates the domain owner. They are not created by users but are purchased from the trusted CA and therefore are not considered in the article.

There is no difference in using a Private CA or Public CA concerning the functionality of X.509 certificates, usage for Signing, or security of certificates. The only difference is that users trust the Private CA that they set up on their own.

Self-issued Certificates and Private CA Certificates are deployed to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.
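A pre-deployment check for the Private CA approach described above, as an added example that is not part of the original article or of JS7: it builds two throwaway CAs with OpenSSL and shows that a certificate passes only if it chains to the chosen CA and carries the Code Signing extended key usage. The file names, subject names and the `check_signing_cert`, `make_ca`, `issue` and `run_demo` helpers are assumptions made for the demo, and the check is not JS7's own verification logic.

```shell
# Constructed demo: throwaway keys in a temp dir; nothing touches a JS7 instance.
# check_signing_cert CA_CERT CERT: 0 = chains to CA and has Code Signing EKU,
# 1 = not issued by this CA, 2 = issued by the CA but lacks the Code Signing EKU.
check_signing_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q "Code Signing" || return 2
}
# make_ca DIR NAME: ECDSA key plus self-signed CA certificate.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
  openssl req -new -x509 -config "$1/demo.cnf" -extensions ca_ext -sha256 \
    -key "$1/$2.key" -subj "/CN=Constructed $2" -days 30 -out "$1/$2.crt"
}
# issue DIR CA NAME EXT_SECTION: key and CSR for NAME, then signed by CA.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$3.key" &&
  openssl req -new -config "$1/demo.cnf" -key "$1/$3.key" \
    -subj "/CN=Constructed $3" -out "$1/$3.csr" &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/demo.cnf" -extensions "$4" -sha256 \
    -days 30 -out "$1/$3.crt" 2>/dev/null
}
# run_demo: prints the three check results separated by spaces.
run_demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sign_ext]
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
[plain_ext]
keyUsage = critical,digitalSignature
EOF
  make_ca "$d" ca-a && make_ca "$d" ca-b && issue "$d" ca-a signer sign_ext &&
    issue "$d" ca-b other sign_ext && issue "$d" ca-a plain plain_ext ||
    { rm -rf "$d"; return 1; }
  check_signing_cert "$d/ca-a.crt" "$d/signer.crt" && r1=0 || r1=$?
  check_signing_cert "$d/ca-a.crt" "$d/other.crt" && r2=0 || r2=$?
  check_signing_cert "$d/ca-a.crt" "$d/plain.crt" && r3=0 || r3=$?
  rm -rf "$d"
  echo "$r1 $r2 $r3"
}
run_demo   # prints: 0 1 2
```

The third case is the one to watch with a Private CA: the certificate chains correctly to the trusted CA but was not issued for code signing, so a chain check alone would not flag it.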

The article suggests the following steps for creation of both Self-signed Certificates and Private CA-signed Certificates:

...

The article explains how to create Signing Certificates for use with JS7. Users who operate an existing Private Certificate Authority might find different approaches and different responsibilities for the indicated steps. There's more than one way to do it.

Examples in the article make use of JS7 Release 2.7.2, OpenSSL 1.1.1k FIPS 25 Mar 2021 for Unix and OpenSSL 3.1.4 24 Oct 2023 for Windows. OpenSSL ships with Linux & other Unix OS and is available for Windows. The examples are focused on Unix.

Creating the Private Key and Certificate Signing Request

The steps to create a Private Key and Certificate Signing Request are the same for Self-issued Certificates and Private CA-signed Certificates. Users have the option to use ECDSA or RSA as the algorithm for the Private Key.

...