Renewing oxAuth certificates

By: David van Hoose named 13 Feb 2020 at 10:35 a.m. CST

12 Responses
David van Hoose gravatar
We noticed in the *oxauth.log* that our oxAuth signing certificates have expired. There is **nothing** in oxTrust about the expiration. This has impaired our production environment, since we cannot use the introspection endpoint with expired certificates. ``` 2020-02-13 16:21:02,551 WARN [qtp804611486-15] [org.xdi.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:219) - WARNING! Expired Key with alias: 88bd81c3-eb69-428f-a0ea-1ae94728bd5b Expires On: 2020-02-12 20:19:18 Today's Date: 2020-02-13 16:21:02 ``` We looked at the [Certificate Management documentation](https://gluu.org/docs/ce/3.1.6/admin-guide/certificate/). The /etc/certs directory has both *oxauth-keys.jks* and *oxauth-keys.json* files, but the documentation only briefly references the *oxauth-keys.json* file, but it does not explain this file at all. The documentation also specifies to use the *oxauth-client.jar* tool in order to create keys. No where in the documentation does it tell how we should go about correctly renewing the oxAuth certificates. There are twelve certificates, with different algorithms. Are we supposed to modify the certificates in both the *oxauth-keys.jks* and the *oxauth-keys.json* files? What is the documented oxAuth certificate renewal process?
CentOS 7.5
closed

Answers

By Mohib Zico Account Admin 13 Feb 2020 at 11:09 a.m. CST

Copy
Mohib Zico gravatar
Hello David, Let me try to find out proper documentation for that key renewal.

By Mohib Zico Account Admin 13 Feb 2020 at 12:25 p.m. CST

Copy
Mohib Zico gravatar
Here is what you can try: https://gist.github.com/mzico/2222d9d586374881e43167ea83dddf72 We are going to publish this doc in official repo.

By David van Hoose named 13 Feb 2020 at 12:44 p.m. CST

Copy
David van Hoose gravatar
Curious about the title. Is there a *How to renew oxauth key automatically* or is it just manual?

By Mohib Zico Account Admin 13 Feb 2020 at 12:47 p.m. CST

Copy
Mohib Zico gravatar
It’s manual method.

By David van Hoose named 13 Feb 2020 at 12:59 p.m. CST

Copy
David van Hoose gravatar
Mohib, I was unable to call the KeyGenerator using your exact line, but was able to call it with the oxauth-client.jar instead. The problem is that the oxauth-keys.json that is produced is empty.

By Mohib Zico Account Admin 13 Feb 2020 at 1:08 p.m. CST

Copy
Mohib Zico gravatar
Sorry... please try this: ``` /opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp '/home/jetty/lib/*' org.xdi.oxauth.util.KeyGenerator -keystore oxauth-keys.jks -keypasswd <password> -sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 -enc_keys RSA1_5 RSA-OAEP -dnname "CN=oxAuth CA Certificates" -expiration 365 > oxauth-keys.json ```

By David van Hoose named 13 Feb 2020 at 1:12 p.m. CST

Copy
David van Hoose gravatar
That worked, but there are a lot less kids in the new JSON file. Is that expected?

By Mohib Zico Account Admin 13 Feb 2020 at 1:22 p.m. CST

Copy
Mohib Zico gravatar
I believe it's fine. Let's try it please...

By David van Hoose named 13 Feb 2020 at 2:28 p.m. CST

Copy
David van Hoose gravatar
I used ldapmodify to replace the JSON in LDAP, but it worked. This would be very nice to have in the oxTrust UI with a renew button. Thanks for your help, Mohib!

By Mohib Zico Account Admin 13 Feb 2020 at 3:32 p.m. CST

Copy
Mohib Zico gravatar
Thanks for confirmation, David. Yes.. basically this key generation is automatic from Gluu Server 4.0. Human input won't be required. Even if it's required... there will be script to do all those things together.

By David van Hoose named 13 Feb 2020 at 3:44 p.m. CST

Copy
David van Hoose gravatar
Mohib, Here is a script I wrote from my history. https://gist.github.com/davidgvh/738b13b23ad6a217e7e41259ae70d036 Perhaps this can be used by a future version of Gluu Server 3.x to make a single button click button in the UI.

By Mohib Zico Account Admin 13 Feb 2020 at 10:22 p.m. CST

Copy
Mohib Zico gravatar
That is nice, thank you Sir!

Post an answer