Update docs with details of signing key pairs

icebreakerone · May 1, 2024 · ecbbb25 · ecbbb25
1 parent f652345
commit ecbbb25
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,17 @@ You will need to create a "certs" directory in the root of the project, and move
 
 Most of the endpoints require a client certificate to be presented. As the directory service is not yet available, the contents of the certificate will not be checked with an external, so any valid certificate will be acceptable. The certificate **is** used to confirm identity, so the same one must be presented in all requests.
 
+## Creating signing certificates
+
+A separate set of certificates are required for signing JWTs. These can be generated using the `signingcerts.sh` script in the `scripts` directory.
+
+```bash
+cd scripts
+./signingcerts.sh
+```
+
+The default configuration will expect these certificate to be in authentication/api/certs. The location can be changed by setting the DIRECTORY_CERTIFICATE and DIRECTORY_PRIVATE_KEY environment variables.
+
 ## Running the local docker environment
 
 The included docker compose file will bring up both APIs. It uses nginx to proxy requests to uvicorn, with nginx configuration to pass through client certificates to the backend, using the same header as used by AWS ALB (`x-amzn-mtls-clientcert`).

diff --git a/scripts/signingcerts.sh b/scripts/signingcerts.sh
@@ -0,0 +1,5 @@
+# Create a key pair suitable for signing jwts and creating a jwks endpoint
+
+openssl ecparam -name prime256v1 -genkey -noout -out server-signing-private-key.pem 
+openssl ec -in server-signing-private-key.pem -pubout -out server-signing-public-key.pem
+