saml2.0 - idp-signing.key creation


Curtis Ruck

Dec 4, 2018, 11:59:04 AM
to CAS Community
Does anyone know how to generate the idp-signing.key/crt with openssl?  It seems CAS is hardcoded to expect a PEMKeyPair object coming out of PEMParser, but I can't figure out how to use OpenSSL to generate an appropriate key file.

Yes, CAS generates it fine, using bouncycastle, but I have to generate these keys/certificates outside of CAS so I can distribute the trust to the various SAML 2.0 applications.

David Curry

Dec 4, 2018, 12:12:29 PM
to cas-...@apereo.org
This doesn't really answer your question (I don't know the answer), but can't you just start CAS and let it generate the keys (they end up in /etc/cas/saml), then stop CAS and copy the keys somewhere for safekeeping/redistribution?

For our installation with multiple CAS servers behind a load balancer that's what I did, and copied the keys into the Maven overlay's etc/cas/saml directory. Then when I install everything, I end up with the same keys (and metadata) on all the servers. And we've uploaded them to a SAML SP here and there, as well. Seems to work fine, so far.

Or do you need to use keys generated/signed by your CA or something?

--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 | david...@newschool.edu




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/36a4ed0f-a015-4438-a9a1-501f9fd5eaec%40apereo.org.

Ray Bon

Dec 4, 2018, 12:16:43 PM
to cas-...@apereo.org


-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Curtis Ruck

Dec 4, 2018, 12:31:13 PM
to CAS Community
Dave, 

Keys generated/signed by CA plus we need 100% automated solution.  We don't just have 1 CAS server, we have 1,000 or so, and they each need unique keys.  Our CAS use case is unique, in that we essentially run CAS w/applications at the edge of the network, with extremely poor communications back up to a centralized enterprise; so we have to automate as much as possible.

Ideally, I'd just submit a couple PRs to make the PrivateKeyFactoryBean handle multiple outputs from the PEMParser, but I'm working against a tight schedule, and can't wait for a CAS release at the moment.

Curtis Ruck

Dec 4, 2018, 12:33:03 PM
to CAS Community
No.  The main difference I can see is that the CAS generated idp-signing.key has a -----BEGIN RSA PRIVATE KEY----- versus it seems openssl generates a -----BEGIN PRIVATE KEY----- which indicates a PKCS#1 vs PKCS#8 format.  Somehow, though, BouncyCastle is thinking it has a public key (not certificate) and private key inside the PKCS#1 format that CAS generates.

David Curry

Dec 4, 2018, 12:43:29 PM
to cas-...@apereo.org
1,000 CAS servers. Ow. :-)

Curtis Ruck

Dec 4, 2018, 12:53:39 PM
to CAS Community
I prefer working with CAS than OpenAM, ADFS, etc...  Try automating one of those SSO solutions.

It's also why I preferred Spring XML than this @Configuration stuff.

Curtis Ruck

Dec 4, 2018, 12:55:04 PM
to CAS Community
This works though: openssl rsa -in test2.pem -out test3.pem

It properly converts from PKCS#8 into PKCS#1, which then triggers BC to return a PEMKeyPair object.


David Curry

Dec 4, 2018, 1:34:50 PM
to cas-...@apereo.org
So while I'm eating lunch I did a bit of fiddling around...

It looks like you can do:

openssl genrsa -des3 -out tmp.key 2048

When it prompts for a password, enter "xxxx" (or whatever, just remember it). This gives you an encrypted key file. Then run:

openssl rsa -in tmp.key -out server-signing.key

and enter the password again. This gives you an unencrypted key. Then you can run:

openssl req -key server-signing.key -new -x509 -days 3650 -subj /CN=server.domain.com -out server-signing.crt

And you'll get a certificate that seems to resemble what CAS creates.

I haven't tried actually feeding these to CAS to see if it likes them, but looking at them with openssl, they seem to have the same properties, except that the one I generated as above has this X509v3 Extension:

            X509v3 Basic Constraints:
                CA:TRUE

that the CAS-generated one doesn't have. You can make that go away with an OpenSSL config file, but the syntax of those things is (apparently) beyond me. Left as an exercise to the reader. :-)

--Dave
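As an added example (not from any poster in this thread, and not CAS project code), the three-step procedure above carried through in one script, plus the OpenSSL config file that drops the CA:TRUE basic constraint, and a check that the key is in the traditional PKCS#1 PEM form with the header the thread calls out. Directory, file names and the CN are assumptions; the `-traditional` fallback is there because OpenSSL 3.x writes PKCS#8 from `openssl rsa` by default, which the thread's 2018-era commands predate.

```shell
#!/bin/sh
# Added example: generate a CAS-style idp-signing key/cert pair with OpenSSL.
# Paths and the CN are assumptions; adjust for your deployment.
set -e

gen_signing_pair() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # Minimal req config: self-signed cert with CA:FALSE instead of the
  # CA:TRUE that "openssl req -x509" adds by default.
  cat > "$dir/signing.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_signing
prompt             = no
[ dn ]
CN = $cn
[ v3_signing ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
  # Modern openssl emits PKCS#8 ("BEGIN PRIVATE KEY") here...
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/idp-signing.p8.key" 2>/dev/null
  # ...so convert to traditional PKCS#1 ("BEGIN RSA PRIVATE KEY"), the form
  # BouncyCastle's PEMParser returns as a PEMKeyPair. OpenSSL 3.x needs
  # -traditional; older versions reject the flag and already emit PKCS#1.
  openssl rsa -in "$dir/idp-signing.p8.key" -traditional \
    -out "$dir/idp-signing.key" 2>/dev/null \
  || openssl rsa -in "$dir/idp-signing.p8.key" -out "$dir/idp-signing.key" 2>/dev/null
  # Self-signed cert using the config above (valid ten years, as in the thread)
  openssl req -new -x509 -days 3650 -config "$dir/signing.cnf" \
    -key "$dir/idp-signing.key" -out "$dir/idp-signing.crt" 2>/dev/null
}

# Returns 0 only if the artifacts have the properties discussed in the thread:
# PKCS#1 header, no CA:TRUE constraint, and a cert that matches the key.
check_signing_pair() {
  dir="$1"
  head -n1 "$dir/idp-signing.key" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
  openssl x509 -in "$dir/idp-signing.crt" -noout -text | grep -q 'CA:TRUE' && return 1
  k=$(openssl rsa -in "$dir/idp-signing.key" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$dir/idp-signing.crt" -noout -modulus)
  [ "$k" = "$c" ]
}
```

If CAS on a FIPS-mode host still rejects the PEM, the same key can be written as DER with `openssl rsa -outform DER`, which is the route Curtis reports working below.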

Curtis Ruck

Dec 4, 2018, 2:12:51 PM
to CAS Community
As it turns out, my version of openssl (in Red Hat 6.x with FIPS mode enforced) can't generate the right PEM format for BouncyCastle to parse into a PEMKeyPair object.  BouncyCastle only parses (from my testing) a traditional PEM (or SSLeay PEM format) which is unique from PKCS#1 and PKCS#8.  The BC documentation is extremely light on this topic in the PEMParser javadoc.

So I'm giving it a DER format key and it works now, as there is only one DER format supposedly.

Curtis Ruck

Dec 4, 2018, 2:14:36 PM
to CAS Community
Ideally I'll try submitting a couple of PRs to make the PrivateKeyBeanFactory handle a PrivateKey object being returned along with a PEMKeyPair object, since PEMParser isn't exactly the most deterministic.