...
- Encryption and decryption can be performed directly by related jobs or outside of JS7 products.
- This includes that JS7 products have no knowledge of secrets involved that potentially could be compromised by logging, database persistence etc.
For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.
Display feature availability |
---|
|
Display feature availability |
---|
|
Display feature availability |
---|
|
...
Managing the Private Key and Certificate
Assymetric Asymetric encryption makes use of a Private Key and Certificate/Public Key that can be created in a number of ways:
- Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 certificate. The X.509 Private Key or Certificate X.509 Certificate allow to derive the Public Key.
- User can create a selfCA-signed X.509 Certificate, see JS7 - How to create self-signed X.509 SSL TLS Certificates.
- Users can create a Private Key and Certificate as explained in the next chapter.
...
The following step is performed on the server hosting the Agent that should decrypt secrets. The example makes use of the openssl
command line utility that can be installed for Windows. There are alternative ways how to create Private Keys and Certificates. Find more examples and explanations from JS7 - How to create X.509 Encryption Keys.
Code Block |
---|
language | bash |
---|
title | Example how to create ECDSA private key and certificatePrivate Key and Certificate using ECDSA encryption |
---|
linenumbers | true |
---|
collapse | true |
---|
|
#@rem navigate to the Agent's <agent-data>/\config/\private directory
cd /var/%Programdata%\sos-berlin.com/\js7/\agent/\config/\private
#@rem create thePrivate privateKey
@rem key infor pkcs#1 format
# withoutuse with passphrase
openssl ecparamadd: -passout pass:"secret"
openssl ecparam -name secp256k1secp384r1 -genkey -noout -out agent.key
#@rem create Certificate withSigning passphraseRequest
# openssl ecparamreq -genkeynew -name secp256k1 | openssl ecsha512 -aes256nodes -passout pass:"jobscheduler"key agent.key -out agent.key
# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Agent"
@rem create Certificate
set user_crt_tmp_file=user-crt-%RANDOM%.tmp
echo keyUsage=critical,keyAgreement,keyEncipherment > %user_crt_tmp_file%
@rem for passphrase add: -passin pass:"secret"
openssl x509 -req -sha512 -days 1825 -signkey agent.key -in agent.csr -out agent.crt -extfile %user_crt_tmp_file%
del /q %user_crt_tmp_file% |
Code Block |
---|
language | bash |
---|
title | Example how to create Private Key and Certificate using RSA encryption |
---|
linenumbers | true |
---|
collapse | true |
---|
|
@rem navigate to the Agent's <agent-data>\config\private directory
cd %Programdata%\sos-berlin.com\js7\agent\config\private
@rem create Private Key and Certificate Signing Request
@rem for passphrase add: -passout pass:"secret"
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout agent.key -out agent.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Agent"
@rem create Certificate
set user_crt_tmp_file=user-crt-%RANDOM%.tmp
echo keyUsage=critical,keyAgreement,keyEncipherment > %user_crt_tmp_file%
@rem for passphrase add: -passin pass:"secret"
openssl x509 -req -sha512 -days 1825 -signkey agent.key -in agent.csr -out agent.crt -extfile %user_crt_tmp_file%
del /q %user_crt_tmp_file% |
Code Block |
---|
language | bash |
---|
title | Example how to create RSA private key and certificate |
---|
linenumbers | true |
---|
collapse | true |
---|
|
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private
# create the private key in pkcs#1 format
# without passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout agent.key -out agent.crt
# with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt |
Step 2: Making the Certificate available
...