Key management in GCP for storing private key for client tls certificate

We've recently decided to try to use KMS (Key management) in GCP for storing private keys that the organization has.

I stumbled upon an issue when I tried to move the private key and password to key management where they are a part of a .p12 that we use in a key store to communicate with an external third provider.

        import java.io.ByteArrayInputStream
        import java.security.KeyStore
        import javax.net.ssl.KeyManagerFactory
        import io.netty.handler.ssl.SslContextBuilder

        // certificateContent: raw bytes of the .p12 bundle; certPassword: its password
        val pkcs12KeyStore = KeyStore.getInstance("PKCS12")
            .apply { load(ByteArrayInputStream(certificateContent), certPassword.toCharArray()) }

        // Key manager that presents the client certificate and signs with its private key
        val pkcs12KeyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
            .apply { init(pkcs12KeyStore, certPassword.toCharArray()) }

        // Netty client SSL context that uses the key manager for mutual TLS
        val sslContext = SslContextBuilder
            .forClient()
            .keyManager(pkcs12KeyManager)
            .build()

This is what we do when we have access to the private key and password in the application. Is there a way to achieve this when the private key is in Key management in GCP?

First of all let me tell you that unless they are necessary for backwards compatibility, GCP does not recommend “P12” service account keys. On the other hand, what you need to do is:

1.- Download “.p12” key (a) and convert to “pem”.

a)

$ gcloud iam service-accounts keys create svc_account.p12 \
--iam-account=$SERVICE_ACCOUNT_EMAIL \
--key-file-type=p12

b)

$ openssl pkcs12 -in svc_account.p12  \
-nocerts -nodes \
-passin pass:notasecret | openssl rsa -out privkey.pem

2.- Create ImportJob.

export IMPORT_JOB=saimporter
export VERSION=1
$ gcloud beta kms import-jobs create $IMPORT_JOB \
--location $LOCATION \
--keyring $KEYRING_NAME \
--import-method rsa-oaep-3072-sha1-aes-256 \
--protection-level hsm
$ gcloud kms import-jobs describe $IMPORT_JOB \
--location $LOCATION \
--keyring $KEYRING_NAME

3.- Format “.pem” key for import.

$ openssl pkcs8 -topk8 -nocrypt -inform PEM \
-outform DER     -in privkey.pem  \
-out formatted.pem

4.- Via importJob, import the formatted key to KMS.

$ gcloud kms keys create $KEY_NAME \
--keyring=$KEYRING_NAME --purpose=asymmetric-signing \
--default-algorithm=rsa-sign-pkcs1-2048-sha256 \
--skip-initial-version-creation --location=$LOCATION \
--protection-level=hsm
$ gcloud kms keys versions import   \
--import-job $IMPORT_JOB   --location $LOCATION  \
--keyring $KEYRING_NAME   --key $KEY_NAME   \
--algorithm rsa-sign-pkcs1-2048-sha256  \
--target-key-file formatted.pem

5.- Then the “.p12” and “.pem” files should be deleted from disk.

As a reference, you can use the following information regarding your specific situation: Import Service Account Private Key to KMS (SA -> KMS). Plus, this official GCP information can be useful for you now and in the future: Creating service account keys. Finally, for the Google Auth library, the Google Auth options that GCP has and how to handle them: Interface GoogleAuthOptions.
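The openssl half of the answer (steps 1b and 3) as one pipeline, plus a format check to run before handing the file to `gcloud kms keys versions import --target-key-file`. This is an added example, not code from the question or the answer: the function names, the `.der` output name (the answer's step 3 writes DER content under a `.pem` name) and the sample bundle built in the usage notes are this example's own. The `gcloud` import-job steps are not repeated here, and nothing below covers using the KMS-held key from the Kotlin `KeyManager` in the question.

```shell
#!/bin/sh
# Added example (not from the original post). Converts a PKCS#12 bundle into the
# unencrypted PKCS#8 DER blob that an RSA KMS import job consumes, and checks the
# result before the plaintext key material is removed from disk.

# p12_to_kms_import_blob <bundle.p12> <password> <out.der>
# Pulls only the private key out of the bundle and re-encodes it as PKCS#8 DER in
# one pipe, so no intermediate PEM private key is written to disk. The password
# reaches openssl through the environment (-passin env:), not the command line,
# so it does not show up in `ps` output or shell history.
p12_to_kms_import_blob() {
  bundle="$1"
  password="$2"
  out="$3"
  P12_PASS="$password" openssl pkcs12 -in "$bundle" -nocerts -nodes -passin env:P12_PASS 2>/dev/null \
    | openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -out "$out" || return 1
  chmod 600 "$out"
}

# check_import_blob <file.der>
# Returns 0 only if the file parses as a DER private key AND carries an
# rsaEncryption AlgorithmIdentifier (PKCS#8 PrivateKeyInfo). A certificate, a
# public key or a bare PKCS#1 RSAPrivateKey body fails one of the two checks.
check_import_blob() {
  openssl pkey -inform DER -in "$1" -noout >/dev/null 2>&1 \
    && openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'rsaEncryption'
}

# pubkey_fingerprint <keyfile> <PEM|DER>
# SHA-256 over the DER SubjectPublicKeyInfo, to confirm the converted blob still
# holds the same key pair as the source bundle before the source is deleted.
pubkey_fingerprint() {
  openssl pkey -inform "$2" -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage (matches the answer's steps 1b, 3 and 5):
#   p12_to_kms_import_blob svc_account.p12 notasecret formatted.der
#   check_import_blob formatted.der && gcloud kms keys versions import ... --target-key-file formatted.der
#   shred -u formatted.der svc_account.p12    # step 5: no plaintext key left on disk
```

`check_import_blob` is deliberately stricter than "openssl can read it": the import job wants PKCS#8, and `openssl pkey` alone will happily accept a PKCS#1 body, so the `asn1parse` grep for the `rsaEncryption` OID is what catches a key that skipped step 3. Comparing `pubkey_fingerprint` of the source and the converted file before step 5 guards against deleting the only copy of a key that was not actually the one imported.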
