ssl-certificates

SSL Certificates ################

We use certificates to certify some of our domain names. The certificate is used to build trust and prove an identity.

A certificate builds trust because of the “background check” involved during procurement.

The integrity of our identity is proven because only we have the private key. The private key may be used to generate a CSR (Certificate Signing Request). The CSR may be provided to a 3rd party to generate and sign us a certificate.

The sole ownership of a private key prevents both man-in-the-middle attacks and domain-name identity spoofing in regards to SSL.

.. contents::

Create a snakeoil cert for testing

Even the ‘minimal’ flavour of Ubuntu has ssl-cert package pre-installed.

The files are auto-generated and installed here:

• /etc/ssl/certs/ssl-cert-snakeoil.pem
• /etc/ssl/private/ssl-cert-snakeoil.key

Regenerate snakeoil certs, if needed, with the following command:

.. code-block:: bash

sudo make-ssl-cert generate-default-snakeoil –force-overwrite

Request an internally signed cert

1. Generate a private key and CSR_

2. send an email to Netadmins:

   • attach the CSR (NOT THE PRIVATE KEY)
   • provide the domain name desired for certification
   • ask for an internally signed CV CA certificate

Netadmins will respond back with the certificate.

Request an externally signed cert

1. Generate a private key and CSR_

2. send an email to Netadmins:

   • attach the CSR (NOT THE PRIVATE KEY)
   • provide the domain name desired for certification
   • ask for an externally signed GoDaddy CA certificate

Netadmins will respond back after procurement with the certificate.

Generate a private key and CSR

1. Verify or install openssl package on host

   Is openssl in your path?

   .. code-block:: bash

   which openssl

   Install openssl if missing:

   .. code-block:: bash

   sudo apt-get install openssl

2. Create a file using the following template.

   Only the first line in the file (siteName = ) should be altered to match the domain name intended for certification. The filename should be the domain.to.be.certified.tmpl, for example: secure.foxhop.net.tmpl

   .. code-block:: ini

   siteName = secure.foxhop.net
   r = .
   
   [ req ]
   default_bits = 2048
   default_keyfile = ${siteName}.key
   distinguished_name = req_distinguished_name
   prompt = no
   
   [ req_distinguished_name ]
   C = US
   ST = CT
   L = New London
   O = Foxhop.net
   OU = Foxhop.net, New London
   CN = ${siteName}

3. Generate a private key and a CSR for the host to be certified by using the template that we generated above; For example (secure.foxhop.net):

   .. code-block:: bash

   openssl req -new -config secure.foxhop.net.tmpl -out secure.foxhop.net.csr

This process will prompt for a passphrase to protect the private key.

1. Verify that the following files were created:

   • .csr
   • .key

2. Store these details in a pass or keepass entry:

   • document the private key’s passphrase in the password field
   • on the “Advanced” attach the tmpl, csr, key, and crt files

View the CSR data

We may want to validate the data in a CSR before submission for certification. To display a CSR’s data to standard out, run the following command:

.. code-block:: bash

openssl req -in secure.foxhop.net.csr -noout -text

Remove passphrase from a private key

We need to remove the passphrase from the openSSL private key for use in deployment; Otherwise everytime the webserver is restarted it will prompt for the keys password.

Example command:

.. code-block:: bash

# make a copy
cp secure.foxhop.net.key secure.foxhop.net.key.orig
# strip passphrase
openssl rsa -in secure.foxhop.net.key.orig -out secure.foxhop.net.key
# clean up orig after testing
rm secure.foxhop.net.key.orig

SSL Offloading

SSL Offloading is the practice of using a proxy or load balancer to manage the SSL certificates, keys, and sessions for none or many upstream nodes.

The BigIP is capable of SSL Offloading. For SSL Offloading to occur we must load our domain’s SSL certificate AND private key into the BigIP certificate store.

BigIP would then gain responsibility of creating an SSL tunnel or session between the Internet user and the edge of our corporate network. the VIP.

Optionally the traffic between the VIP and it’s upstream nodes (internal network) may also be wrapped by SSL.

when should it be used?

If we want a central place to configure SSL for a pool of many nodes. Netadmins create a BigIP irule to manage SSL communications. The upstream nodes could run just plain HTTP (port 80). Less complicated configuration on each of the webserver nodes.

example

An example closer to home deploying Pyramid behind nginx proxy. Nginx in this case does the SSL Offloading for upstream waitress/paster nodes. The communication between users and Nginx could be SSL wrapped while the communication between nginx and the upstream waitress/paster nodes could remain plain http. Many times we can get away with this because the paster nodes are bound and listening only to localhost, thus “firewalled” from the rest of the network.

Verify SSL chain

Run this command and paste in your signed certificate for your host.

.. code-block:: bash

openssl x509 -noout -issuer_hash

Document the resulting hash.

Then make sure that hash exist somewhere in the certificate chain, by running this command on each cert in the chain until you find a match. If you don’t find a match you are using the wrong chain!

.. code-block:: bash

openssl x509 -noout -hash

You can also use this command to get information about the SSL chain:

.. code-block:: bash

openssl s_client -connect :443

Definitions

Transitive Trust A trusts B, B trusts C, therefore A may trust C

Self-signed Certificate This certificate was signed by the organization who created it.

Snakeoil Certificate A “snakeoil” self-signed cert is a great example of a singular identity certifying itself. Outsiders may not trust a snakeoil cert because it lacks is not attached to a domain name. Snakeoil certs are excellent for testing! “““I Trust myself”“”

Internally Signed Certificate An “internal” certificate signed by the Classified Ventures (CV) Certificate Authority (CA) provides trust within the company. Employees of CV may trust an internal cert because it has meta-data and is attached to a domain name. The Internet will not trust an internal cert because the CV CA itself was not certified by a trusted outside identity. From inside the organization, this is a signed cert. From outside the organization this is a self-signed cert. Internal certs are excellent for internal only servers and services! “““Employees trust the CV CA, CV CA trusts my-server, therefore employees may trust my-server.”“”

externally signed certificate An “external” certificate is signed by a trusted identity outside of the requesting organization. There are many trusted identities who perform this service. This is a popular choice among Internet websites because many of the trusted external Certificate Authorities have their keys pre-loaded into web browsers. The pre-loaded key relieves friction on the end-users, they do not need to manually review or install anything.
“““You trust XYZ org, XYZ org trusts my-server, therefore you may trust my-server.”“”

private key This is the very sensitive and private portion of the certificate that must remain a secret in order for the SSL wrapped service to remain secure.