i want to create Keypairs either directly in vault, if possible. If not, i need e.g. a script to transfer securely the keypair to vault.
Any idea?
Thank you!
Related
When you use Open ID connect with Azure AD, the JWT issued token (id token) is signed with an asymmetric key. I saw the public key to verify that signature is available in the metadata file, https://login.microsoftonline.com/common/discovery/keys. However, I couldn't find any documentation about how those keys are generated. How can you change the keys that are available there or how can I specify a different key to sign the JWTs for my tenant ?
All sources and information suggests that this certificate roll over is done by Azure AD them self. Consumers are not able to do a manual roll over or put a certificate of their preference. This claim is supported by this answer. Also, please check this press release which mention a roll over happened in 2016
From your end you must be be ready to accept a rollover any time. Best practice is to fetch key information through discovery document. This is explained in the openid connect documentation
According to this piece of documentation, only way how to have your own signing key for your application, is custom claims mapping. Although description is very vague and instructions how to do it are scarce.
I have a public key of customer that I need to use to encrypt credentials and send to the customer to obtain an auth token that I will be using for all further communication with the customer services.
For testing purpose, I saved the public key into a file and I am able to successfully obtain the auth token.
Now, the question is, where do I need to store this key safely. Options that I can think of are web.config as it is not browsable, or keep it in a file. Both seems to be unsafe.
If I keep it in a file, can I save it into windows trusted store? If yes, how can I save it and since in the trusted store, I will have multiple such keys, how I will retrieve this particular key to encrypt the credentials next time when I need to encrypt.
I am using windows machine for production server and .NET to encrypt, just in case it makes difference.
I think you can encrypt this certificate with another rsa key pair. Save key and encrypted data in different platform. For example save encrypted data in db and save rsa key in file system in protected folder. Protected folder can be user directory which has application user. Encrypt certificate out of the platform with separate tool. Don't save your rsa private key in application system.
how do I create a Key-pair in the Secure Enclave, which I can access from the System Keychain?
For a internal project, I need a AD Certificate, where the private key should be stored in the SE. For this I write a Swift Application which generates a key pair in the SE and build a CSR from this.
Now I have created a AD Certificate out of the CSR. Because of the Keychain access groups I can't access private key.
Is there another way to create a key pair in the secure enclave where I can access the private key from the keychain? Or does anyone know how to connect with the Certificate to a company Wi-Fi / VPN?
I read some JWT tutorials, but they didn't talk about how to generate a random secret.
So I generate the JWT with a secret then I generate another JWT with the same secret? What if somebody already knew what my secret is?
Isn't that means that he can fake, or modify the information and sign the JWT on his own then send it to my server?
To deal with the problem, I want to encrypt the JWT with a random, unique secret (and store the random secret to my database, left an index of the secret behind of the encrypted string), but should I? Is there anything I overthinking of?
No, you should not sign each JWT with a unique secret and store the secrets in your database. If you are afraid that your secret will leak and want to solve that issue with a database lookup for each incoming call, you should use regular random generated tokens and then lookup the "claims" for that token for each request in your database, (or use a regular season pattern).
So instead of using a databases to verify the information in the JWT for each call, store the information that you planed to store in the JWT in the database instead.
I know that usernames and passwords shouldn't be stored in the database in a reversible form, but I need these credentials for accessing a REST-API over HTTP Basic Auth. Would it be secure enough to store an encryption key on the servers hard drive and use it to en-/decrypt the stored passwords or is there any other method to securely store passwords for REST-API's in a database.
Thanks in advance