
I'm looking to set up an integration between GitHub and Service Now, and I can use OAuth2 using JWT tokens; the steps to take can be found here.

There is a specific step that states:

Create a CA signed certificate using the GitHub App private key

I've followed the steps and a self-signed certificate is created based on the private key. This private key is used by Service Now to sign JWT tokens. I believe technically you could use this private key to create a CSR and use this to get a third-party CA-signed certificate, but the question would be: is there any benefit to this?

I don't believe there is any benefit as GitHub only stores the associated public key to verify that the JWT token has been signed by the respective private key.

user1876202

1 Answer

I'm convinced there is some confusion.

Create a CA signed certificate using the GitHub App private key: openssl req -new -x509 -key <file-name>.key -out <certificate-name>.pem -days 1095

If I understand correctly, the previously generated private key is the key used to sign the certificate you're issuing (it functions as the signing CA). This is a very convoluted way of saying it’s a self-signed certificate. The command above seems to confirm my suspicion. I don't see any advantage of using a publicly signed certificate for this scenario.

In this scenario, your public key is registered. Only it will be accepted (similar to certificate pinning) so technically, there is no advantage to using the CA-signed certificate for this purpose. Your identity is already established during said registration.

On a side note, this document that you've linked really needs a rework as it was most likely written by someone barely familiar with x509. The basic terms are used very loosely and may introduce a lot of confusion. For example, there is no such thing as a JAVA keystore certificate. It is either a certificate or a java keystore. The whole thing is written in a very confusing way.

nethero
  • I've followed the instructions and the certificate that is generated is self-signed and not signed by the private key from GitHub. According to GitHub documentation, only the public portion of the key is stored on GitHub, the private key is downloaded locally and subsequently uploaded onto Service Now. More information can be found here: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#generating-a-private-key – user1876202 Jul 20 '21 at 10:06
  • You generate a key for GitHub and use it as a signing CA, ergo this instruction is for a self-signed cert. I’m pointing out that the documentation is confusing and mixing terms. Usually a self-signed cert is okay for JWT because you’ll pin the cert anyway. You’re also in full control of the key and certificate and configuring it for your own use. – nethero Jul 20 '21 at 21:15
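The point the answer makes, as an added Go example that is not part of this thread and not code from GitHub or ServiceNow: the App's private key signs the JWT, the registered public key alone verifies it, and the "openssl req -new -x509" step only wraps that same public key in a certificate signed by the same key. Helper names, the "github-app" subject and the App ID passed in are assumptions made for the example; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// BuildAppJWT RS256-signs a GitHub-App style JWT (iss = App ID, short expiry) with the App's private key, as ServiceNow would.
func BuildAppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims := fmt.Sprintf(`{"iss":%q,"iat":%d,"exp":%d}`, appID, now.Unix()-60, now.Unix()+540)
	input := header + "." + base64.RawURLEncoding.EncodeToString([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAppJWT is all GitHub uses the registered public key for; no certificate takes part in it.
func VerifyAppJWT(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SelfSignedCert mirrors "openssl req -new -x509 -key <file>.key -days 1095": the key signs a cert carrying its own public key.
func SelfSignedCert(key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "github-app"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(3, 0, 0), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse it back exactly as a relying party would
}
```

Swapping the self-signed certificate for a CA-signed one changes only who signed the wrapper; the public key inside, and therefore the JWT check, stays the same.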