This project contains shell scripts I am using to construct keys and (chains of) certificates for trying to sign OCI images with cosign.


levigo/certificate_generation


Introduction

The documentation for cosign claims that one can sign a container and attach an existing certificate and certificate chain to an image. This project contains shell scripts I use to create keys and certificates in order to explore and evaluate this claim.

References

The create_ecdsa_key_pair Script

Usage

The command

create_ecdsa_key_pair [«size»]

tries to quietly write an ECDSA key pair in PEM format to the standard output. The key pair has

  • a NIST prime-field elliptic curve with field size «size» (default: 521),

  • no encryption, and

  • no password.

The valid field sizes are 192, 224, 256, 384 and 521.

The command

create_ecdsa_key_pair … -? …

writes a help message to the standard output.

Notes

cosign version 2.5.0 cannot import these keys.

cosign version 3.0.3 can only import these keys with the field sizes 256, 384 and 521.

The create_ed25519_key_pair Script

Usage

The command

create_ed25519_key_pair

tries to quietly write an Ed25519 key pair in PEM format to the standard output. The key pair has

  • no encryption, and

  • no password.

The command

create_ed25519_key_pair … -? …

writes a help message to the standard output.

Notes

cosign version 2.5.0 can import these keys.

cosign version 3.0.3 can import these keys.

The create_rsa_pkcs1_key_pair Script

Usage

The command

create_rsa_pkcs1_key_pair [«bits»]

tries to quietly write an RSA PKCS#1 key pair in PEM format to the standard output. The key pair has

  • «bits» (default: 4096) bits,

  • 2 primes,

  • public exponent 65537,

  • no encryption, and

  • no password.

The command

create_rsa_pkcs1_key_pair … -? …

writes a help message to the standard output.

Notes

cosign version 2.5.0 cannot import these keys.

cosign version 3.0.3 can only import these keys with 2048 or more bits.

The create_rsa_pkcs8_key_pair Script

Usage

The command

create_rsa_pkcs8_key_pair [«bits»]

tries to quietly write an RSA PKCS#8 key pair in PEM format to the standard output. The key pair has

  • «bits» (default: 4096) bits,

  • 2 primes,

  • public exponent 65537,

  • no encryption, and

  • no password.

The command

create_rsa_pkcs8_key_pair … -? …

writes a help message to the standard output.

Notes

cosign version 2.5.0 cannot import these keys.

cosign version 3.0.3 can only import these keys with 2048 or more bits.

The create_certificate_for_key_pair Script

Usage

The command

create_certificate_for_key_pair [-s «type»:«value»] [-x «days»] «key» «length»

tries to quietly write a root certificate for the key pair at the path «key» in PEM format to the standard output. The certificate has

The owner of the key pair thus certifies the private key of the key pair to sign keys and certificate revocation lists, and the maximum number of signing certificates that can appear in a chain beneath this certificate is «length».

The command

create_certificate_for_key_pair [-s «type»:«value»] [-x «days»] «key» «length» «ca_key» «ca_cert»

tries to quietly write an intermediate certificate for the key pair at the path «key» in PEM format to the standard output. The certificate is issued by the certificate authority whose key pair and certificate are at the respective paths «ca_key» and «ca_cert». The certificate has

The certificate authority thus certifies the private key of the key pair to sign keys and certificate revocation lists, and the maximum number of signing certificates that can appear in a chain beneath this certificate is «length».

The command

create_certificate_for_key_pair [-s «type»:«value»] [-x «days»] «key» «ca_key» «ca_cert»

tries to quietly write a leaf (or end-entity) certificate for the key pair at the path «key» in PEM format to the standard output. The certificate is issued by the certificate authority whose key pair and certificate are at the respective paths «ca_key» and «ca_cert». The certificate has

The certificate thus certifies the private key of the pair to make digital signatures, and the public key of the pair to sign code.

The command

create_certificate_for_key_pair … -? …

writes a help message to the standard output.

Options

  • -s «type»:«value»

    Give the certificate the X.509v3 Subject Alternative Name extension «type»:«value», where the valid types are dirName, DNS, email, IP, otherName, RID and URI.

    create_certificate_for_key_pair currently accepts at most one Subject Alternative Name.

  • -x «days»

    Expire the certificate «days» (default: 30) days after the day of creation.
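The three certificate profiles described above, reproduced as an added example in Go with the standard library (cosign itself is written in Go); this is not one of the project's scripts. Root and intermediate templates carry keyCertSign + cRLSign and a pathlen of «length», the leaf carries digitalSignature, the codeSigning extended key usage and one email SAN (as with -s email:«value»), every subject gets a P-256 key (field size 256, a size cosign 3.0.3 imports), and ChainVerifies reports whether such a chain verifies for code signing and whether it is rejected once the number of intermediates exceeds what the pathlen allows. The common names, serial numbers, the address signer@example.org and the helper names are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on the first error, as the page's scripts abort on the first failing openssl step.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// template: subject, serial and «days» of validity (-x); pathLen >= 0 adds the CA profile of the root and intermediate certificates (keyCertSign + cRLSign, pathlen «length»), pathLen < 0 leaves an end entity.
func template(cn string, serial int64, days, pathLen int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days)}
	if pathLen >= 0 {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}
// issue generates a P-256 ECDSA key pair (field size 256) for the subject and signs tmpl with issuerKey; parent == nil yields a self-signed root (hypothetical helper).
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { parent, issuerKey = tmpl, key }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}
// ChainVerifies builds root (pathlen rootLen) -> n intermediates -> leaf and reports whether the leaf verifies for code signing; once n exceeds rootLen the pathlen constraints reject the chain.
func ChainVerifies(rootLen, n int) bool {
	root, key := issue(template("root", 1, 30, rootLen), nil, nil)
	issuer, roots, inter := root, x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for i := 0; i < n; i++ {
		left := rootLen - 1 - i // signing depth still permitted beneath this intermediate
		if left < 0 { left = 0 }
		issuer, key = issue(template(fmt.Sprintf("intermediate-%d", i), int64(10+i), 30, left), issuer, key)
		inter.AddCert(issuer)
	}
	// Leaf profile: digitalSignature, codeSigning EKU and one email SAN (constructed address).
	leaf := template("signer@example.org", 99, 30, -1)
	leaf.KeyUsage, leaf.ExtKeyUsage, leaf.EmailAddresses = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, []string{"signer@example.org"}
	cert, _ := issue(leaf, issuer, key)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
func main() { fmt.Println(ChainVerifies(1, 1), ChainVerifies(1, 2)) } // prints "true false"
```

The second value is false because the root's pathlen of 1 permits only one intermediate beneath it, which is exactly the limit «length» expresses.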

References

Warning

The script readme.sh in the project's root generates this document from the project's sources. In order to change this document, edit the sources and call readme.sh.
