JS7 JobScheduler

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Creating the Signing CA Certificate

The first step includes to create the signing-ca.key private key file and the signing-ca.crt self-signed certificate file for the Signing CA both in PEM format. This step is performed just once.

Create Signing CA Certificate
# Generate Signing Certificate Authority (CA) Private Key
openssl ecparam -name secp384r1 -genkey -noout -out signing-ca.key

# Generate Signing CA Certificate
openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -out signing-ca.crt

# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:DE
# State or Province Name (full name) []:Berlin
# Locality Name (eg, city) [Default City]:Berlin
# Organization Name (eg, company) [Default Company Ltd]:SOS
# Organizational Unit Name (eg, section) []:JS7
# Common Name (eg, your name or your server's hostname) []:JS7 Deployment CA
# Email Address []:

# Alternative: Generate Root Certificate Authority (CA) Private Key using passphrase
openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -passout pass:jobscheduler -out signing-ca.key

 # Generate Root CA Certificate
openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -passin pass:jobscheduler -out signing-ca.crt
Alternative: Create Signing CA Certificate using passphrase
# Generate Signing Certificate Authority (CA) Private Key using passphrase
openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -passout pass:jobscheduler -out signing-ca.key

 # Generate Signing CA Certificate
openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -passin pass:jobscheduler -out signing-ca.crt

Explanation:

As a response to the second command the OpenSSL utility prompts for a number of specifications for the Distinguished Name, i.e. the unique name of the Root CA Certificate:

  • Country Name: a 2 letter country code is expected as stated for example with https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
  • State or Province Name: the name of a state is expected
  • Locality Name:  the name of a city is expected
  • Organization Name: arbitrary input is allowed
  • Organizational Unit Name: arbitrary input is allowed
  • Common Name: an arbitrary name can be chosen as the name of the Root CA
  • Email Address: empty input is allowed

Creating a Signing Certificate

For a new signing certificate the steps include to create a private key and Certificate Signing Request (CSR). The resulting signing certificate will be signed by the Signing CA.

Run the following commands from a bash shell and replace the value of the certificate_name variable with an arbitrary name for the certificate:

Create Signing Certificate
# Specify server for which the certificate should be created
certificate_name=signing

# Step 1 - Generate Private Key and Certificate Signing Request
openssl req -new -config openssl-cert.config -extensions 'standard exts' -nodes \
    -days 5475 -newkey rsa:4096 -keyout ${certificate_name}.key -out ${certificate_name}.csr

# Step 2 - Generate and sign the Server Certificate
openssl x509 -req \
    -in ${certificate_name}.csr \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -out ${certificate_name}.crt -days 7300 \
    -extfile <(printf 'keyUsage = critical, nonRepudiation, digitalSignature\n' "${certificate_name}")


Explanation:

  • The following files will be created for the given server:
    • <certificate_name>.key: the Private Key
    • <certificate_name>.csr: the Certificate Signing Request
    • <certificate_name>.crt: the Signing Certificate

In order to run the script successfully the following openssl-cert.config file has to be present. To create a Server Certificate the CommonName attribute has to be adjusted.

  • Download: openssl-cert.config
  • Replace the value of the commonName attribute with the hostname of the server for which the certificate should be created.
  • Adjust other attributes in the [ standard_dn ] section to your needs.

OpenSSL configuration file openssl-cert.config
[ req ]
prompt             = no
distinguished_name = standard dn

[ standard dn ]
            commonName = signing
           countryName = DE
          localityName = Berlin
      organizationName = SOS
organizationalUnitName = IT
   stateOrProvinceName = Berlin

[ standard exts ]
keyUsage = critical, nonRepudiation, digitalSignature

# see x509v3_config for other extensions

Resources



  • No labels