[stork-users] Cannot import private key in stork
Slawek Figiel
slawek at isc.org
Mon Nov 25 12:16:14 UTC 2024
Hello Mik,
Replacing the GRPC certificates is a feature that is a bit hard to use.
However, it is unnecessary in almost all deployments. We developed it
because one of our customers had a rare use case when it was required.
Please consider if you really need to use it.
Before I respond to your questions, I will explain some terms and
technical details.
The communication between the Stork agent and the Stork server may be
established in both directions.
The Stork agent initiates the connection to the server only during
registration. The agent sends requests to the server REST API over the
HTTPS protocol, which is secured by the server's HTTPS certificates (if
present). The agent doesn't use any client-side certificate.
During registration, the agent obtains the TLS certificate to secure the
GRPC channel. The generation flow works like this:
1. At startup, the server generates the CA certificate (and CA private
key) and then its own public and private keys signed by the generated CA
cert. These keys are NOT used to secure the REST API over HTTPS
protocol; they are used only for GRPC channel purposes. They are stored
in the server's database.
2. The agent generates its own private key and creates CSR (certificate
signing request).
3. The agent sends CSR to the server.
4. The server signs the CSR, using its own public and private keys,
creating the agent's public key. The CSR fingerprint is saved in the
database as an agent token.
5. The server returns the agent's public key and the server's CA public key.
6. The agent receives the data and saves them on a disk.
7. The registration ends.
When the agent is started, it listens on the GRPC endpoint. The endpoint
is secured by the TLS certificate obtained during registration (read
from the disk). The server (a client of the GRPC connection) is required
to use the client-side certificate, which must be signed with the same
CA certificate as obtained during registration.
The Stork tool commands allow you to replace the GRPC certificates
stored in the database with your own. I assume you are not able to
obtain the signing-allowed CA certificate, and you must use the external
Certificate Authority to obtain the trusted certificate files.
In this case, if you want to do it, you need to perform the following steps:
1. Set up the server and register all agents.
2. Obtain the trusted certificate (and private key) for the server.
3. Obtain the trusted certificates (and private keys) for the agents.
4. Obtain the CA certificate of the Certificate Authority used to
generate the above certificates. The private key of CA is not available
as it is a secret of CA.
5. Replace the server CA cert using the `cert-import` command of the
Stork tool with the `cacert` object argument.
6. Replace the server public key - the `srvcert` object.
7. Replace the server private key - the `srvkey` object.
8. Replace the server CA certificate and agent's files in the
`/var/lib/stork-agent/certs` directory.
9. Restart the server and then the agents.
> I try to import my private key but I have an error message
> FATA[2024-11-18 21:54:45] main.go:689 problem parsing
> the server key: parsing private key: x509: failed to parse private key
> (use ParsePKCS1PrivateKey instead for this key format)
Stork accepts only certificates in unencrypted PKCS #8, ASN.1 DER form
(you used PKCS #1, ASN.1 DER form). You can convert your certificate
with the openssl tool.
> i) Is there a command to remove the certificates ? (cacert, srvkey,
> srvcert)
No, there isn't. You can only replace them.
> ii) I did a manual delete in the secret table but I think there were
> entries already existing ? What are they used for ?
Stork server re-generates its secrets on a startup if they are missing.
> iii) And I don't understand it because I'm not supposed to have the
> ca.key.
You must. It is a public key of the Certificate Authority used to
generate the server and agent certificates. It must be common for all of
these certificates.
> I send it to Verisign for example, and they send me back cert.crt
There should also be a CA cert provided somewhere. It may be called a CA chain.
It is common for all certificates signed by the Certificate Authority,
so it may be published on a separate page.
> iv) First, I wanted to implement a certificate to connect to stork
> through https and not http.
> There should be two roles for certificates and TLS connections:
> - Provide https for the stork user
> - provide https / tls encryption for communication between the server
> and the agent.
> I'm a bit confused here.
> I expect a set of certificate/private key/CA for the https connection
> from a stork user AND ANOTHER set of certificate/private key/CA for the
> communication between the server and the agent.
The HTTPS certificate may be provided by the `--rest-tls-key`,
`--rest-tls-ca`, and `--rest-tls-certificate` CLI flags (or
corresponding environment variables). This certificate secures the UI
and REST API for the Stork users and the connection between the agent
(TLS client role) and server (TLS server role) during the registration.
The communication between the server (TLS client role) and the agent
(TLS server role) is secured by the certificates obtained in the above
described flow and they are self-managed.
Regards,
Slawek
On 18/11/2024 23:14, Mik J wrote:
> Hello,
>
> Following my previous message I broke stork server.
>
> i) I use this command
> ./stork-tool cert-import -f srvcert -i file1.crt
> Is there a command to remove the certificates ? (cacert, srvkey, srvcert)
>
> ii) I did a manual delete in the secret table but I think there were entries already existing ? What are they used for ?
>
> iii) According to this page
> https://kb.isc.org/docs/importing-external-certificates-to-stork
> It's written
> $ stork-tool cert-import -f cakey -i ca.key
> And I don't understand it because I'm not supposed to have the ca.key.
>
> Let's say I generate a private key for my server private.key and create my certificate request.
> I send it to Verisign for example, and they send me back cert.crt
>
> What I should import into stork would be private.key, cert.crt and verisign.crt (the CA certificate)
> But I don't understand how it is possible to import the private key of Verisign.
>
> iv) First, I wanted to implement a certificate to connect to stork through https and not http.
> There should be two roles for certificates and TLS connections:
> - Provide https for the stork user
> - provide https / tls encryption for communication between the server and the agent.
> I'm a bit confused here.
> I expect a set of certificate/private key/CA for the https connection from a stork user AND ANOTHER set of certificate/private key/CA for the communication between the server and the agent.
>
> Are there two sets of certificates ?
>
> When I do these commands
> $ stork-tool cert-import -f cakey -i ca.key
> $ stork-tool cert-import -f cacert -i ca.crt
> $ stork-tool cert-import -f srvkey -i server.key
> $ stork-tool cert-import -f srvcert -i server.crt
> Is it for the HTTPS connection or the server/client connection ?
>
> Thank you
>
>
> On Monday 18 November 2024 at 21:58:10 UTC+1, Mik J <mikydevel at yahoo.fr> wrote:
>
> Hello,
>
> I try to import my private key but I have an error message
>
> # ./stork-tool cert-import --db-host=/tmp -u storkuser -d storkdatabase -f srvkey -i stork.key
> INFO[2024-11-18 21:50:26] connection.go:90 Checking connection to database
> INFO[2024-11-18 21:50:26] connection.go:155 Connected to database /tmp/.s.PGSQL.5432
> INFO[2024-11-18 21:50:26] certs.go:372 server key loaded from stork.key file, length 3243
> FATA[2024-11-18 21:50:26] main.go:689 problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)
>
> My key is 4096 bits long
>
> I also tested it with a test key of 2048 and I have the same message
> INFO[2024-11-18 21:54:45] connection.go:90 Checking connection to database
> INFO[2024-11-18 21:54:45] connection.go:155 Connected to database /tmp/.s.PGSQL.5432
> INFO[2024-11-18 21:54:45] certs.go:372 server key loaded from stork.key file, length 1679
> FATA[2024-11-18 21:54:45] main.go:689 problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)
>
>
> My test key looks like this (not confidential, just for test purposes)