JFrog Help Center

Custom Token Certificates

Token certificates are used for signing and validating tokens. The certificates are essentially a key pair comprised of a private key and a root certificate: the private.key is used to sign access tokens and the root.crt carries the matching public key, used to verify the tokens' signatures.

The JFrog Platform enables users to use token certificates, also called custom certificate keys. This section details how to create custom token certificates and how to load them via bootstrapping files.

Prerequisites

The custom token certificate must meet the following prerequisites:

  • The certificate must match the provided private key.
  • The certificate must be valid for the next 7 days at least.
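Added example (not JFrog's own tooling): a POSIX shell function that checks both prerequisites above for a root.crt / private.key pair before the files are dropped into the bootstrap directory. It assumes an openssl binary on the path; the two file names are arguments.

```shell
#!/bin/sh
# Pre-flight check for a custom token certificate (added example, not JFrog's
# own tooling). Verifies the two prerequisites:
#   1. the certificate matches the private key
#   2. the certificate is valid for at least the next 7 days
# Usage: check_token_cert <root.crt> <private.key>; returns 0 only if both pass.
check_token_cert() {
    crt="$1"
    key="$2"
    # Extract the SubjectPublicKeyInfo carried in the certificate and derive
    # the public half of the private key; both are emitted as the same PEM
    # block, so a byte-for-byte comparison tells us whether tokens signed with
    # private.key will verify against root.crt.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $crt does not match $key" >&2
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    # 604800 s = 7 days, the minimum the platform requires.
    if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 7 days (or is already expired)" >&2
        return 1
    fi
    echo "OK: $crt matches $key and is valid for at least 7 days"
    return 0
}
```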

Loading the Key Pair to the JFrog Platform Deployment (JPD) via Bootstrap Files

During certificate initialization, certificates and private keys will be read from the following paths, if present:

  • /bootstrap/etc/access/keys/ca.crt - certificate authority PEM
  • /bootstrap/etc/access/keys/ca.private.key - certificate authority private key PEM
  • /bootstrap/etc/access/keys/root.crt - token issuer PEM
  • /bootstrap/etc/access/keys/private.key - token issuer private key PEM

Implications of Creating and Changing the Key Pair

Resetting the token certificate (by loading new ones) effectively revokes all of the tokens that have been generated. If you want to reset your certificates but keep the tokens that were created previously, you need to copy the old root.crt into the trusted directory: /var/etc/access/keys/trusted. See Resetting Token Certificates.

Creating a Private-Public Key Pair

The following is an example of how to create a public-private key pair using OpenSSL.

Steps for Generating the Root CA

The CA certificate must contain the following extensions: the basic constraints extension with CA:TRUE, and the digitalSignature and keyCertSign key usages.

  1. Create a configuration file with the required CA extensions. This can usually be derived from `/etc/ssl/openssl.cnf`.

    cp /etc/ssl/openssl.cnf ca.cnf
    printf '\n[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, digitalSignature, keyCertSign\n' >> ca.cnf

    Here is an example `ca.cnf`:

    [ req ]
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    0.organizationName = Organization Name (eg, company)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, fully qualified host name)
    emailAddress = Email Address

    [ v3_ca ]
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature, keyCertSign
  2. Create a private key for the CA (Certificate Authority).

    openssl genrsa -out ca.key 2048
  3. Generate a self-signed CA certificate.
    The following command will prompt for the Distinguished Name (DN) parameters.

    openssl req -new \
      -x509 \
      -sha256 \
      -days 365 \
      -key ca.key \
      -out ca.crt \
      -config ca.cnf \
      -extensions v3_ca

    Example prompt parameters:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:CA
    Locality Name (eg, city) []:Sunnyvale
    Organization Name (eg, company) []:JFrog Ltd
    Organizational Unit Name (eg, section) []:JFrog Infra
    Common Name (eg, fully qualified host name) []:JFrog Root CA
    Email Address []:info@www.si-fil.com
  4. Verify the generated CA certificate.

    openssl x509 -in ca.crt -text -noout

    Example result:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15701892499106404289 (0xd9e85409269b97c1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@www.si-fil.com
            Validity
                Not Before: Aug 28 15:57:05 2019 GMT
                Not After : Aug 27 15:57:05 2020 GMT
            Subject: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@www.si-fil.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a3:1e:36:48:ac:c1:e2:13:78:f6:24:46:a5:70:
                        6b:2a:a9:a0:33:dc:77:e9:b5:e8:52:bb:46:79:32:
                        7f:e6:64:d1:be:f4:ae:c0:95:ea:7b:cd:63:88:7f:
                        60:8f:2e:53:e6:7d:9c:cc:22:f6:41:91:04:4f:b1:
                        f4:1c:dc:74:89:a2:81:46:9c:66:72:83:40:a7:26:
                        3b:4b:f1:0d:6d:bc:b9:bd:1a:ae:81:0a:ab:37:96:
                        b0:f1:2b:9c:f4:18:a4:ae:45:d2:38:e6:9a:8f:7b:
                        2f:45:0b:70:ae:d9:25:d6:5c:b2:67:15:11:ab:7c:
                        e2:02:4c:b7:0c:15:2d:32:22:b3:f9:be:99:4d:28:
                        93:6d:37:a8:2e:8d:57:54:63:ec:0d:c3:96:f1:2a:
                        9c:6f:e0:d4:3c:23:98:31:6a:a4:76:52:64:2c:9b:
                        23:5d:e1:56:f4:43:13:12:c0:27:73:78:99:68:c3:
                        dc:b2:79:af:a3:98:09:d3:69:69:ca:64:18:8d:15:
                        8f:97:f8:27:14:e3:53:a7:af:ca:9b:2e:3d:6e:df:
                        3e:f6:d6:e3:ab:43:de:8c:25:32:61:e1:fe:6d:73:
                        e5:52:12:35:af:8a:dc:b3:d8:e1:88:ec:56:c3:3c:
                        a2:35:31:90:e4:6d:e2:9c:78:c6:6c:26:60:72:25:
                        08:9f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign
        Signature Algorithm: sha256WithRSAEncryption
             26:6a:e9:2e:d0:00:8a:d6:f2:94:e8:50:c6:e0:1c:fc:76:70:
             0c:fe:1f:87:5a:01:d2:5c:77:29:fa:22:19:7f:8c:77:3b:c2:
             2d:f1:58:22:0c:c5:db:41:d5:c9:71:1b:33:b3:8b:a9:a8:79:
             df:35:92:6c:e2:3c:38:0c:af:8f:78:82:63:94:64:36:cd:4f:
             3a:8d:17:04:59:d1:c5:49:d0:3b:df:26:c4:b6:e0:7f:0a:ab:
             7a:e1:a5:8a:6b:36:8b:2a:6b:57:ea:57:fe:91:33:36:89:13:
             a1:a6:55:d6:fe:93:ab:8f:5f:88:1b:be:98:86:4f:52:9f:1b:
             ee:23:51:61:ce:17:b4:ed:cb:2f:7c:38:6f:9f:ac:e9:a6:43:
             74:1b:0c:94:e6:b3:3d:ee:d2:49:bb:84:19:e3:6b:d2:17:8c:
             17:c0:bd:59:ad:03:df:05:49:9b:4d:ea:d5:8d:6a:c0:1c:81:
             f2:ae:fa:20:b3:0b:a1:6f:87:6d:c2:a7:47:37:4d:76:57:d0:
             74:dc:8d:cb:57:f3:41:32:87:2e:52:3f:3d:e5:f3:66:83:f4:
             71:82:8b:54:1e:00:8d:7c:54:43:7e:93:7b:55:3a:36:d4:5e:
             ec:4f:87:9c:54:45:19:d8:7a:cd:71:df:6c:a4:7e:71:ed:fb:
             09:60:d0:eb
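Added example (not part of JFrog's documentation): a shell function that automates the verification in step 4, asserting the extensions the CA certificate must carry (basicConstraints CA:TRUE, digitalSignature and keyCertSign) instead of reading the -text output by eye, and confirming that the self-signature verifies. It assumes openssl on the path; the certificate path is the only argument.

```shell
#!/bin/sh
# Automated form of step 4 (added example, not JFrog's own tooling): parses
# the decoded extensions from 'openssl x509 -text', asserts the values the
# CA certificate must carry, then checks that the self-signature verifies.
# Usage: check_root_ca <ca.crt>; returns 0 only if every check passes.
check_root_ca() {
    ca="$1"
    text=$(openssl x509 -in "$ca" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $ca as an X.509 certificate" >&2
        return 1
    }
    # 'openssl x509 -text' prints each extension's value on the line after its
    # name (the 'critical' flag sits on the name line), so take the next line.
    bc=$(printf '%s\n' "$text" | awk '/X509v3 Basic Constraints/ { getline; print; exit }')
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print; exit }')
    case "$bc" in
        *CA:TRUE*) ;;
        *) echo "FAIL: basicConstraints is not CA:TRUE (got '${bc:-none}')" >&2; return 1 ;;
    esac
    case "$ku" in
        *"Digital Signature"*) ;;
        *) echo "FAIL: keyUsage lacks digitalSignature" >&2; return 1 ;;
    esac
    case "$ku" in
        *"Certificate Sign"*) ;;
        *) echo "FAIL: keyUsage lacks keyCertSign" >&2; return 1 ;;
    esac
    # A root CA must validate against itself: this checks the self-signature
    # and the validity window in one step.
    if ! openssl verify -CAfile "$ca" "$ca" >/dev/null 2>&1; then
        echo "FAIL: $ca does not verify against itself" >&2
        return 1
    fi
    echo "OK: $ca has CA:TRUE, digitalSignature and keyCertSign, and verifies"
    return 0
}
```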


Copyright © 2023 JFrog Ltd.