[stork-users] Cannot import private key in stork

Slawek Figiel slawek at isc.org
Mon Nov 25 12:16:14 UTC 2024


Hello Mik,

Replacing the GRPC certificates is a feature that is a bit hard to use. 
However, it is unnecessary in almost all deployments. We developed it 
because one of our customers had a rare use case when it was required. 
Please consider if you really need to use it.

Before I respond to your questions, I will explain some terms and 
technical details.

The communication between the Stork agent and the Stork server may be 
established in both directions.

The Stork agent initiates the connection to the server only during 
registration. The agent sends requests to the server REST API over the 
HTTPS protocol, which is secured by the server's HTTPS certificates (if 
present). The agent doesn't use any client-side certificate.

During registration, the agent obtains the TLS certificate to secure the 
GRPC channel. The generation flow works like this:

1. At startup, the server generates the CA certificate (and CA private 
key) and then its own public and private keys signed by the generated CA 
cert. These keys are NOT used to secure the REST API over the HTTPS 
protocol; they are used only for GRPC channel purposes. They are stored 
in the server's database.
2. The agent generates its own private key and creates a CSR (certificate 
signing request).
3. The agent sends the CSR to the server.
4. The server signs the CSR, using its own public and private keys, 
creating the agent's public key. The CSR fingerprint is saved in the 
database as an agent token.
5. The server returns the agent's public key and the server's CA public key.
6. The agent receives the data and saves them on disk.
7. The registration ends.

When the agent is started, it listens on the GRPC endpoint. The endpoint 
is secured by the TLS certificate obtained during registration (read 
from the disk). The server (a client of the GRPC connection) is required 
to use the client-side certificate, which must be signed with the same 
CA certificate as obtained during registration.

The Stork tool commands allow you to replace the GRPC certificates 
stored in the database with your own. I assume you are not able to 
obtain a signing-allowed CA certificate, and you must use an external 
Certificate Authority to obtain the trusted certificate files.
In this case, if you want to do it, you need to perform the following steps:

1. Set up the server and register all agents.
2. Obtain the trusted certificate (and private key) for the server.
3. Obtain the trusted certificates (and private keys) for the agents.
4. Obtain the CA certificate of the Certificate Authority used to 
generate the above certificates. The private key of CA is not available 
as it is a secret of CA.
5. Replace the server CA cert using the `cert-import` command of the 
Stork tool with the `cacert` object argument.
6. Replace the server public key - the `srvcert` object.
7. Replace the server private key - the `srvkey` object.
8. Replace the server CA certificate and agent's files in the 
`/var/lib/stork-agent/certs` directory.
9. Restart the server and then the agents.

> I try to import my private key but I have an error message
> FATA[2024-11-18 21:54:45]             main.go:689   problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)

Stork accepts only certificates in the unencrypted PKCS #8, ASN.1 
DER form. (You used the PKCS #1, ASN.1 DER form.) You can convert your 
certificate with the openssl tool.

> i) Is there a command to remove the certificates ? (cacert, srvkey, srvcert)

No, there isn't. You can only replace them.

> ii) I did a manual delete in the secret table but I think there were entries already existing ? What are they used for ?

Stork server re-generates its secrets at startup if they are missing.

> iii) And I don't understand it because I'm not supposed to have the ca.key.

You must. It is a public key of the Certificate Authority used to 
generate the server and agent certificates. It must be common for all of 
these certificates.

> I send it to Verisign for example, and they send me back cert.crt

There should also be a CA cert provided somewhere. It may be called the 
CA chain. It is common for all certificates signed by the Certificate 
Authority, so it may be published on a separate page.

> iv) First, I wanted to implement a certificate to connect to stork through https and not http.
> There should be two roles for certificates and TLS connections:
> - Provide https for the stork user
> - provide https / tls encryption for communication between the server and the agent.
> I'm a bit confused here.
> I expect a set of certificate/private key/CA for the https connection from a stork user AND ANOTHER set of certificate/private key/CA for the communication between the server and the agent.

The HTTPS certificate may be provided by the `--rest-tls-key`, 
`--rest-tls-ca`, and `--rest-tls-certificate` CLI flags (or 
corresponding environment variables). This certificate secures the UI 
and REST API for the Stork users and the connection between the agent 
(TLS client role) and server (TLS server role) during the registration.

The communication between the server (TLS client role) and the agent 
(TLS server role) is secured by the certificates obtained in the above 
described flow and they are self-managed.

Regards,
Slawek

On 18/11/2024 23:14, Mik J wrote:
> Hello,
> 
> Following my previous message I broke stork server.
> 
> i) I use this command
>   ./stork-tool cert-import  -f srvcert -i file1.crt
> Is there a command to remove the certificates ? (cacert, srvkey, srvcert)
> 
> ii) I did a manual delete in the secret table but I think there were entries already existing ? What are they used for ?
> 
> iii) According to this page
> https://kb.isc.org/docs/importing-external-certificates-to-stork
> It's written
> $ stork-tool cert-import -f cakey -i ca.key
> And I don't understand it because I'm not supposed to have the ca.key.
> 
> Let's say I generate a private key for my server private.key and create my certificate request.
> I send it to Verisign for example, and they send me back cert.crt
> 
> What I should import into stork would be private.key, cert.crt and verisign.crt (the CA certificate)
> But I don't understand how it is possible to import the private key of Verisign.
> 
> iv) First, I wanted to implement a certificate to connect to stork through https and not http.
> There should be two roles for certificates and TLS connections:
> - Provide https for the stork user
> - provide https / tls encryption for communication between the server and the agent.
> I'm a bit confused here.
> I expect a set of certificate/private key/CA for the https connection from a stork user AND ANOTHER set of certificate/private key/CA for the communication between the server and the agent.
> 
> Are there two sets of certificates ?
> 
> When I do these commands
> $ stork-tool cert-import -f cakey -i ca.key
> $ stork-tool cert-import -f cacert -i ca.crt
> $ stork-tool cert-import -f srvkey -i server.key
> $ stork-tool cert-import -f srvcert -i server.crt
> Is it for the HTTPS connection or the server/client connection ?
> 
> Thank you
> 
> 
> On Monday, 18 November 2024 at 21:58:10 UTC+1, Mik J <mikydevel at yahoo.fr> wrote:
> 
> Hello,
> 
> I try to import my private key but I have an error message
> 
> # ./stork-tool cert-import --db-host=/tmp -u storkuser -d storkdatabase -f srvkey -i stork.key
> INFO[2024-11-18 21:50:26]       connection.go:90    Checking connection to database
> INFO[2024-11-18 21:50:26]       connection.go:155   Connected to database /tmp/.s.PGSQL.5432
> INFO[2024-11-18 21:50:26]            certs.go:372   server key loaded from stork.key file, length 3243
> FATA[2024-11-18 21:50:26]             main.go:689   problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)
> 
> My key is 4096 bits long
> 
> I also tested it with a test key of 2048 and I have the same message
> INFO[2024-11-18 21:54:45]       connection.go:90    Checking connection to database
> INFO[2024-11-18 21:54:45]       connection.go:155   Connected to database /tmp/.s.PGSQL.5432
> INFO[2024-11-18 21:54:45]            certs.go:372   server key loaded from stork.key file, length 1679
> FATA[2024-11-18 21:54:45]             main.go:689   problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)
> 
> 
> My test key looks like this (not confidential, just for test purposes)


