...
JS7 - Deployment of Scheduling Objects makes use of Signing Certificates to digitally sign workflows and other objects. Certificates are deployed to Controllers and Agents. Use of certificates for signing is not related to use of certificates to secure HTTPS connections, see JS7 - How to create X.509 SSL TLS Certificates.
Users can choose one of the following approachs specified with RFC5280:
- Self-issued Certificates are created individually per user and are deployed from individual certificate files to Controllers and Agents.
- There is no security gap in use of self-issued Certificates. When users store certificate files to Controllers and Agents then this proves that they trust the certificates.
- Private CA-signed Certificates are issued by users who operate their own Private Certificate Authority (CA). Individual Signing Certficates on behalf of users are not deployed to Controllers and Agents. Instead, the CA Certificate is deployed that was used to sign individual Signing Certificates.
- The approach includes that any Signing Certificate signed by the CA will be accepted for deployment of scheduling objects.
- For better control which certificates are made available for deplyoment, users might decide to use a specific Private CA.
- Public CA-signed Certificates are issued by a trusted Certificate Authority (CA) that validates the domain owner. They are not created by users but are purchased from the trusted CA and therefore are not considered in the article.
...
Expand |
---|
title | Click to expand/collapse... |
---|
|
Code Block |
---|
language | bash |
---|
title | Example how to create Private Key and Certificate Signing Request using RSA encryption (Unix) |
---|
linenumbers | true |
---|
| # Specify key name used for file names
key_name=signing
# Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout ${key_name}.key \
-out ${key_name}.csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
Expand |
---|
| Code Block |
---|
language | text |
---|
title | Example how to create Private Key and Certificate Signing Request using RSA encryption (Windows) |
---|
linenumbers | true |
---|
| @rem Specify key name used for file names
set key_name=signing
@rem Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes ^
-keyout %key_name%.key ^
-out %key_name%.csr ^
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%" |
|
Expand |
---|
| - In the example the Private Key is created using the specified key size
4096 .Choice of algorithm such as secp256k1 , secp384r1 depends on support by the Java version used with JS7. - For use of the SHA hash algorithm
-sha256 and the -subj option see Using ECDSA Encryption. - The following files will be created with this step:
- The
signing.key file will hold the Private Key. - The
signing.csr file will hold the Certificate Signing Request.
|
|
Anchor |
---|
| creating_self_signed_certificates |
---|
| creating_self_signed_certificates |
---|
|
Creating the Signing CertificateUsers can run the following commands from the shell and replace the value of the key_name
environment variable with a name of their choice that is used when creating related files.
...
Expand |
---|
|
- The SHA option such as
-sha256, -sha384, -sha512 can be freely chosen. - The
-days argument optionally specifies the validity period of the resulting certificate. - The
-signkey option specifies the location of the Private Key file created from the previous step. - The
-in option specifies the location of the Certificate Signing Request file created from the previous step. - The
-out option specifies the location of the resulting Certificate file. - The
-extfile option specifies a number of extensions recommended for use with Signing Certificates. - The following files will be created with this step:
- The
<key_name> signing.crt file will hold the self-signed issued Certificate.
|
Self-signed issued Certificates must be copied to the <data>/config/private/trusted-x509-keys
directory of Controller and Agent instances.
Anchor |
---|
| creating_certificates |
---|
| creating_certificates |
---|
|
Creating
CA-signed Certificates...
CA-signed Certificates
...
Setting up the Private CA
...
The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys
directory of Controller and Agent instances.
Anchor |
---|
| creating_signing_certificates |
---|
| creating_signing_certificates |
---|
|
Creating Signing Certificates...
The steps explained with this section are performed for each Signing Certificate created on behalf of a user.
...
_signing_private_key | | creating_signing_private_key |
---|
|
Creating the ...
Private
...
Key and Certificate Signing Request
Steps include to create the signing.key
Private Key file and signing.csr
Certificate Signing Request file both in PEM format.
Users can run the following commands from the shell and replace the value of the key_name
environment variable with a name of their choice that is used when creating related files.
Anchor |
---|
| using_private_key_ecdsa |
---|
| using_private_key_ecdsa |
---|
|
Using ECDSA Encryption Code Block |
---|
language | bash |
---|
title | Example how to create Signing CA Private Key and Certificate Signing Request (Unix) |
---|
linenumbers | true |
---|
|
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key
# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
-key ${key_name}.key \
-out ${key_name}.csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
Expand |
---|
title | ExplanationsWindows version... |
---|
|
Code Block |
---|
language | text |
---|
title | Example how to create Private Key |
---|
| Explanations are the same as with Creating Private Key and Certificate Signing Request |
| for self-signed Certificates.Users can choose Using ECDSA Encryption or Using RSA Encryption. |
...
using ECDSA encryption (Windows) | linenumbers | true |
---|
| @rem Specify key name used for file names
set key_name=signing-ca
@rem Create Private Key
openssl ecparam -genkey -name secp384r1 -out %key_name%.key
@rem Create Certificate Signing Request
openssl req -new -sha512 -nodes ^
-key %key_name%.key ^
-out %key_name%.csr ^
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%" |
|
Anchor |
---|
| using_private_key_rsa |
---|
| using_private_key_rsa |
---|
|
Using RSA Encryption Expand |
---|
title | Click to expand/collapse... |
---|
|
Code Block |
---|
language | bash |
---|
title | Example how to create Private Key and Certificate Signing Request using RSA encryption (Unix) |
---|
linenumbers | true |
---|
| # Specify key name used for file names
key_name=signing
# Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout ${key_name}.key \
-out ${key_name}.csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
Expand |
---|
| Code Block |
---|
language | text |
---|
title | Example how to create Private Key and Certificate Signing Request using RSA encryption (Windows) |
---|
linenumbers | true |
---|
| @rem Specify key name used for file names
set key_name=signing
@rem Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes ^
-keyout %key_name%.key ^
-out %key_name%.csr ^
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%" |
|
Expand |
---|
| - In the example the Private Key is created using the specified key size
4096 . - For use of the SHA hash algorithm
-sha256 and the -subj option see Using ECDSA Encryption. - The following files will be created with this step:
- The
signing.key file will hold the Private Key. - The
signing.csr file will hold the Certificate Signing Request.
|
|
Anchor |
---|
| creating_signing_certificate |
---|
| creating_signing_certificate |
---|
|
Creating the Signing CertificateSteps include to create the signing.crt
Private CA-signed Certificate file in PEM format.
Users can run the following commands from the shell and replace the value of the key_name
environment variable with a name of their choice that is used when creating related files:
Code Block |
---|
language | bash |
---|
title | Example how to create Signing Certificate (Unix) |
---|
linenumbers | true |
---|
|
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 \
-CA signing-ca.crt \
-CAkey signing-ca.key \
-CAcreateserial \
-in ${key_name}.csr \
-out ${key_name}.crt \
-extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n') |
Expand |
---|
|
Code Block |
---|
language | text |
---|
title | Example how to create Signing Certificate (Unix) |
---|
linenumbers | true |
---|
| @rem Specify key name used for file names
set key_name=signing
@rem Create Certificate
set user_crt_tmp_file=user-crt-%RANDOM%.tmp
echo basicConstraints=CA:TRUE >> %user_crt_tmp_file%
echo keyUsage=critical,nonRepudiation,digitalSignature >> %user_crt_tmp_file%
echo extendedKeyUsage=critical,codeSigning >> %user_crt_tmp_file%
|
|
...
Steps include to create the signing.crt
Private CA-signed Certificate file in PEM format.
Users can run the following commands from the shell and replace the value of the key_name
environment variable with a name of their choice that is used when creating related files:
Code Block |
---|
language | bash |
---|
title | Example how to create Signing Certificate |
---|
linenumbers | true |
---|
|
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 | \
-in ${key_name}.csr \\\ \ ^
-in %key_name%.csr ^
-out | ${key_name}\extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')extfile %user_crt_tmp_file%
del /q %user_crt_tmp_file% |
|
Expand |
---|
|
- Explanations are similar to Creating self-signed Certificates with a few exceptions:
- The
-days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate. - The
-inCA option specifies the location of the CA Certificate Signing Requestfile. - The
-CACAkey option specifies the location of the CA Certificate Private Key file. - The
-CAkeyin option specifies the location of the CA Private Key fileCertificate Signing Request. - The
-extfile option specifies the Key Usage and Extended Key Usage being limited to code signing.
- The following files will be created with this step:
- The
signing.crt file will hold the Signing Certificate.
|
The Signing Certificate file does not require to be deployed to Controller and Agent instances. Instead, the CA Certificate file is deployed to Controller and Agent instances.
Further Resources