Commit

doc: add openssl generated certificate (#100)
Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
JeyJeyGao committed May 5, 2023
1 parent c05b479 commit 5178df8
Showing 1 changed file with 30 additions and 11 deletions.
41 changes: 30 additions & 11 deletions docs/ca-signed-workflow.md
@@ -55,19 +55,37 @@
az keyvault certificate create -n $certName --vault-name $keyVault -p @leafCert.json
# get the CSR
CSR=$(az keyvault certificate pending show --vault-name $keyVault --name $certName --query 'csr' -o tsv)
CSR_PATH=${certName}.csr
printf -- "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" $CSR > ${CSR_PATH}
csr=$(az keyvault certificate pending show --vault-name $keyVault --name $certName --query 'csr' -o tsv)
csrPath=${certName}.csr
printf -- "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" $csr > ${csrPath}
```
5. Please take `${certName}.csr` file to a trusted CA to sign and issue your certificate, or you can use `openssl` tool to sign it locally for testing.
6. After you get the leaf certificate, you can merge the leaf certificate (`$leafCert`) to your Azure Key Vault:
5. Please take `${certName}.csr` file to a trusted CA to sign and issue your certificate, or you can use `openssl` tool to sign it locally for testing. Here is an example by using `openssl`:
Create a private key and certificate for a root CA with `openssl`:
```sh
az keyvault certificate pending merge --vault-name $keyVault --name $certName --file $leafCert
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt -days 365 -subj "/CN=Test CA" -addext "keyUsage=critical,keyCertSign"
```
Create a configuration file. It will be used for `openssl` to sign the leaf certificate:
```sh
cat <<EOF > ./ext.cnf
[ v3_ca ]
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
```
Sign the certificate:
```sh
signedCertPath=${certName}.crt
openssl x509 -CA ca.crt -CAkey ca.key -days 365 -req -in ${csrPath} -set_serial 02 -out ${signedCertPath} -extensions v3_ca -extfile ./ext.cnf
```
6. After you get the leaf certificate, you can merge the signed leaf certificate (`$signedCertPath`) or certificate chain to your Azure Key Vault:
```sh
az keyvault certificate pending merge --vault-name $keyVault --name $certName --file $signedCertPath
# get the key identifier
keyID=$(az keyvault certificate show -n $certName --vault-name $keyVault --query 'kid' -o tsv)
```
7. [Create an Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli). The remaining steps use the example login server `<registry-name>.azurecr.io`, but you must substitute your own login server value.
7. [Create an Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli). The remaining steps use the example login server `<registry-name>.azurecr.io`, but you must substitute your own login server value.
8. Log in to container registry and push an image for signing:
```sh
registryName="<registry-name>"
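Review bot: the extension file added in step 5 applies a section named `[ v3_ca ]` to the leaf certificate, yet it is a leaf profile and it never says anything about basic constraints, so the signed leaf carries no assertion that it is not a CA. Suggest renaming the section (for example `[ v3_leaf ]`) and adding `basicConstraints = critical,CA:FALSE` next to `keyUsage = critical,digitalSignature` and `extendedKeyUsage = codeSigning`, then passing the new name to `-extensions`. Two smaller points in the same step: `-set_serial 02` hard-codes the serial, so re-running the step or signing a second CSR with the same `ca.crt` yields certificates with identical serials under one issuer, which verifiers may treat as the same certificate; `-CAcreateserial` lets openssl track the serial instead. And `-nodes` writes `ca.key` to disk unencrypted, which is fine for the local test this step describes, but the text should say so explicitly so the flow is not reused for a real signing CA.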
@@ -81,14 +99,15 @@
docker tag hello-world:latest $server/hello-world:v1
docker push $server/hello-world:v1
```
9. Sign the image with an external certificate bundle (`$certBundlePath`) including the intermediate certificates and a root certificate in PEM format. You may fetch the certificate bundle from your CA official website.
9. Sign the image with an external certificate bundle (`$certBundlePath`) including the intermediate certificates and a root certificate in PEM format. You may fetch the certificate bundle from your CA official site.
> **Note** If you have generated the certificate with `openssl` according to the above steps, the certificate bundle is the root certificate `ca.crt`.
```sh
notation key add --plugin azure-kv --id $keyID akv-key --default
notation sign $server/hello-world:v1 --plugin-config=ca_certs=$certBundlePath
```
The following example output shows the artifact is successfully signed.
```
```sh
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Successfully signed notation.azurecr.io/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
```
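Review bot: the example-output block at the end of step 9 is re-tagged from a bare fence to ```sh, but its contents are `notation` output (the `Warning: Always sign the artifact using digest...` and `Successfully signed ...` lines), not shell input, so shell highlighting is misleading; use `text` or `console` for output blocks and keep `sh` for the `notation key add` / `notation sign` command block above. The same re-tag is applied to the `notation verify` output block in the next hunk. The added Note is correct for the single-level chain built in step 5, where the bundle is just `ca.crt`; it would help readers to state that for a CA-issued certificate the bundle must contain the intermediates as well as the root, which the sentence immediately above already requires.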
@@ -123,11 +142,11 @@
chmod 600 $notationConfigDir/trustpolicy.json
```
11. Verify the signature associated with the image:
```
```sh
notation verify $server/hello-world:v1
```
The following output shows the artifact is successfully verified.
```
```sh
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
Successfully verified signature for notation.azurecr.io/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
```