JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 32

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 33

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

JS7 - Deployment of Scheduling Objects makes use of Signing Certificates to digitally sign workflows and other objects. Certificates are deployed to Controllers and Agents. Use of certificates for signing is not related to use of certificates to secure HTTPS connections, see JS7 - How to create X.509 SSL TLS Certificates.

Users can choose one of the following approachs specified with RFC5280:

  • Self-issued Certificates are created individually per user and are deployed from individual certificate files to Controllers and Agents.
    • There is no security gap in use of self-issued Certificates. When users store certificate files to Controllers and Agents then this proves that they trust the certificates.
  • Private CA-signed Certificates are issued by users who operate their own Private Certificate Authority (CA). Individual Signing Certficates on behalf of users are not deployed to Controllers and Agents. Instead, the CA Certificate is deployed that was used to sign individual Signing Certificates.
    • The approach includes that any Signing Certificate signed by the CA will be accepted for deployment of scheduling objects.
    • For better control which certificates are made available for deplyoment, users might decide to use a specific Private CA.
  • Public CA-signed Certificates are issued by a trusted Certificate Authority (CA) that validates the domain owner. They are not created by users but are purchased from the trusted CA and therefore are not considered in the article.

...

Expand
titleClick to expand/collapse...
Code Block
languagebash
titleExample how to create Private Key and Certificate Signing Request using RSA encryption (Unix)
linenumberstrue
# Specify key name used for file names
key_name=signing

# Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
Expand
titleWindows version...
Code Block
languagetext
titleExample how to create Private Key and Certificate Signing Request using RSA encryption (Windows)
linenumberstrue
@rem Specify key name used for file names
set key_name=signing
 
@rem Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes ^
    -keyout %key_name%.key ^
    -out %key_name%.csr ^
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%"
Expand
titleExplanations...
  • In the example the Private Key is created using the specified key size 4096.Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
  • For use of the SHA hash algorithm -sha256 and the -subj option see Using ECDSA Encryption.
  • The following files will be created with this step:
    • The signing.key file will hold the Private Key.
    • The signing.csr file will hold the Certificate Signing Request.

Anchor
creating_self_signed_certificates
creating_self_signed_certificates
Creating the Signing Certificate

Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files.

...

Expand
titleExplanations...
  • The SHA option such as -sha256, -sha384, -sha512 can be freely chosen.
  • The -days argument optionally specifies the validity period of the resulting certificate.
  • The -signkey option specifies the location of the Private Key file created from the previous step.
  • The -in option specifies the location of the Certificate Signing Request file created from the previous step.
  • The -out option specifies the location of the resulting Certificate file.
  • The -extfile option specifies a number of extensions recommended for use with Signing Certificates. 
  • The following files will be created with this step:
    • The <key_name> signing.crt file will hold the self-signed issued Certificate.

Self-signed issued Certificates must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

Anchor
creating_certificates
creating_certificates
Creating CA-signed Certificates

...

CA-signed Certificates

...

Anchor
creating_ca
creating_ca
Setting up the Private CA

...

The CA Certificate must be copied to the <data>/config/private/trusted-x509-keys directory of Controller and Agent instances.

Anchor
creating_signing_certificates
creating_signing_certificates
Creating Signing Certificates

...

The steps explained with this section are performed for each Signing Certificate created on behalf of a user.

Anchor
creating

...

_signing_private_key
creating_signing_private_key
Creating the

...

Private

...

Key and Certificate Signing Request

Steps include to create the signing.key Private Key file and signing.csr Certificate Signing Request file both in PEM format.

Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files.

Anchor
using_private_key_ecdsa
using_private_key_ecdsa
Using ECDSA Encryption

Code Block
languagebash
titleExample how to create Signing CA Private Key and Certificate Signing Request (Unix)
linenumberstrue
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key

# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
Expand
titleExplanationsWindows version...
Code Block
languagetext
titleExample how to create Private Key
Explanations are the same as with Creating Private Key
and Certificate Signing Request
for self-signed Certificates.
  • Users can choose Using ECDSA Encryption or Using RSA Encryption.

    • ...

    using ECDSA encryption (Windows)
    linenumberstrue
    @rem Specify key name used for file names
set key_name=signing-ca
 
@rem Create Private Key
openssl ecparam -genkey -name secp384r1 -out %key_name%.key
 
@rem Create Certificate Signing Request 
openssl req -new -sha512 -nodes ^
    -key %key_name%.key ^
    -out %key_name%.csr ^
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%"
    Expand
    titleExplanations...

    Anchor
    using_private_key_rsa
    using_private_key_rsa
    Using RSA Encryption

    Expand
    titleClick to expand/collapse...
    Code Block
    languagebash
    titleExample how to create Private Key and Certificate Signing Request using RSA encryption (Unix)
    linenumberstrue
    # Specify key name used for file names
key_name=signing

# Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
    Expand
    titleWindows version...
    Code Block
    languagetext
    titleExample how to create Private Key and Certificate Signing Request using RSA encryption (Windows)
    linenumberstrue
    @rem Specify key name used for file names
set key_name=signing
 
@rem Create Private Key and Certificate Signing Request
openssl req -new -newkey rsa:4096 -sha256 -nodes ^
    -keyout %key_name%.key ^
    -out %key_name%.csr ^
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=%key_name%"
    Expand
    titleExplanations...
    • In the example the Private Key is created using the specified key size 4096.
    • For use of the SHA hash algorithm -sha256 and the -subj option see Using ECDSA Encryption.
    • The following files will be created with this step:
      • The signing.key file will hold the Private Key.
      • The signing.csr file will hold the Certificate Signing Request.

    Anchor
    creating_signing_certificate
    creating_signing_certificate
    Creating the Signing Certificate

    Steps include to create the signing.crt Private CA-signed Certificate file in PEM format.

    Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files:

    Code Block
    languagebash
    titleExample how to create Signing Certificate (Unix)
    linenumberstrue
    # Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -in ${key_name}.csr \
    -out ${key_name}.crt \
    -extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
    Expand
    titleWindows version...
    Code Block
    languagetext
    titleExample how to create Signing Certificate (Unix)
    linenumberstrue
    @rem Specify key name used for file names
set key_name=signing
 
@rem Create Certificate
set user_crt_tmp_file=user-crt-%RANDOM%.tmp
echo basicConstraints=CA:TRUE >> %user_crt_tmp_file%
echo keyUsage=critical,nonRepudiation,digitalSignature >> %user_crt_tmp_file%
echo extendedKeyUsage=critical,codeSigning >> %user_crt_tmp_file%

    ...

    Steps include to create the signing.crt Private CA-signed Certificate file in PEM format.

    Users can run the following commands from the shell and replace the value of the key_name environment variable with a name of their choice that is used when creating related files:

    Code Block
    languagebash
    titleExample how to create Signing Certificate
    linenumberstrue
    # Specify key name used for file names key_name=signing # Create Certificate
    
openssl x509 -req -sha512 -days 3652
    \ -in ${key_name}.csr \
    ^
    -CA signing-ca.crt
    \
    ^
    -CAkey signing-ca.key
    \
    ^
    -CAcreateserial
    \
     ^
    -in %key_name%.csr ^
    -out
    ${key_name}
    %key_name%.crt
    \
    ^
    -
    extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
    extfile %user_crt_tmp_file%

del /q %user_crt_tmp_file%
    Expand
    titleExplanations...
    • Explanations are similar to Creating self-signed Certificates with a few exceptions:
      • The -days option specifying the validity period of the Signing Certificate should indicate a shorter period than the validity period of the CA Certificate.
      • The -inCA option specifies the location of the CA Certificate Signing Requestfile.
      • The -CACAkey option specifies the location of the CA Certificate Private Key file.
      • The -CAkeyin option specifies the location of the CA Private Key fileCertificate Signing Request.
      • The -extfile option specifies the Key Usage and Extended Key Usage being limited to code signing.
    • The following files will be created with this step:
      • The signing.crt file will hold the Signing Certificate.

    The Signing Certificate file does not require to be deployed to Controller and Agent instances. Instead, the CA Certificate file is deployed to Controller and Agent instances.

    Further Resources