ssl-certificates


ssl-certificates

SSL Certificates ################

We use certificates to certify some of our domain names. The certificate
is used to build trust and prove an identity.

A certificate builds trust because of the “background check” involved
during procurement.

The integrity of our identity is proven because only we have the private
key. The private key may be used to generate a CSR (Certificate Signing
Request). The CSR may be provided to a 3rd party to generate and sign us
a certificate.

The sole ownership of a private key prevents both man-in-the-middle
attacks and domain-name identity spoofing in regards to SSL.

.. contents::

Create a snakeoil cert for testing

Even the ‘minimal’ flavour of Ubuntu has ssl-cert package pre-installed.

The files are auto-generated and installed here:

-   /etc/ssl/certs/ssl-cert-snakeoil.pem
-   /etc/ssl/private/ssl-cert-snakeoil.key

Regenerate snakeoil certs, if needed, with the following command:

.. code-block:: bash

sudo make-ssl-cert generate-default-snakeoil –force-overwrite

Request an internally signed cert

1.  Generate a private key and CSR_

2.  send an email to Netadmins:

    -   attach the CSR (NOT THE PRIVATE KEY)
    -   provide the domain name desired for certification
    -   ask for an internally signed CV CA certificate

Netadmins will respond back with the certificate.

Request an externally signed cert

1.  Generate a private key and CSR_

2.  send an email to Netadmins:

    -   attach the CSR (NOT THE PRIVATE KEY)
    -   provide the domain name desired for certification
    -   ask for an externally signed GoDaddy CA certificate

Netadmins will respond back after procurement with the certificate.

Generate a private key and CSR

1.  Verify or install openssl package on host

    Is openssl in your path?

    .. code-block:: bash

    which openssl

    Install openssl if missing:

    .. code-block:: bash

    sudo apt-get install openssl

2.  Create a file using the following template.

    Only the first line in the file (siteName = ) should be altered to
    match the domain name intended for certification. The filename
    should be the domain.to.be.certified.tmpl, for example:
    secure.foxhop.net.tmpl

    .. code-block:: ini

        siteName = secure.foxhop.net
        r = .

        [ req ]
        default_bits = 2048
        default_keyfile = ${siteName}.key
        distinguished_name = req_distinguished_name
        prompt = no

        [ req_distinguished_name ]
        C = US
        ST = CT
        L = New London
        O = Foxhop.net
        OU = Foxhop.net, New London
        CN = ${siteName}

3.  Generate a private key and a CSR for the host to be certified by
    using the template that we generated above; For example
    (secure.foxhop.net):

    .. code-block:: bash

    openssl req -new -config secure.foxhop.net.tmpl -out
    secure.foxhop.net.csr

This process will prompt for a passphrase to protect the private key.

1.  Verify that the following files were created:

    -   .csr
    -   .key

2.  Store these details in a pass or keepass entry:

    -   document the private key’s passphrase in the password field
    -   on the “Advanced” attach the tmpl, csr, key, and crt files

View the CSR data

We may want to validate the data in a CSR before submission for
certification. To display a CSR’s data to standard out, run the
following command:

.. code-block:: bash

    openssl req -in secure.foxhop.net.csr -noout -text

Remove passphrase from a private key

We need to remove the passphrase from the openSSL private key for use in
deployment; Otherwise everytime the webserver is restarted it will
prompt for the keys password.

Example command:

.. code-block:: bash

    # make a copy
    cp secure.foxhop.net.key secure.foxhop.net.key.orig
    # strip passphrase
    openssl rsa -in secure.foxhop.net.key.orig -out secure.foxhop.net.key
    # clean up orig after testing
    rm secure.foxhop.net.key.orig

SSL Offloading

SSL Offloading is the practice of using a proxy or load balancer to
manage the SSL certificates, keys, and sessions for none or many
upstream nodes.

The BigIP is capable of SSL Offloading. For SSL Offloading to occur we
must load our domain’s SSL certificate AND private key into the BigIP
certificate store.

BigIP would then gain responsibility of creating an SSL tunnel or
session between the Internet user and the edge of our corporate network.
the VIP.

Optionally the traffic between the VIP and it’s upstream nodes (internal
network) may also be wrapped by SSL.

when should it be used?

If we want a central place to configure SSL for a pool of many nodes.
Netadmins create a BigIP irule to manage SSL communications. The
upstream nodes could run just plain HTTP (port 80). Less complicated
configuration on each of the webserver nodes.

example

An example closer to home deploying Pyramid behind nginx proxy. Nginx in
this case does the SSL Offloading for upstream waitress/paster nodes.
The communication between users and Nginx could be SSL wrapped while the
communication between nginx and the upstream waitress/paster nodes could
remain plain http. Many times we can get away with this because the
paster nodes are bound and listening only to localhost, thus
“firewalled” from the rest of the network.

Verify SSL chain

Run this command and paste in your signed certificate for your host.

.. code-block:: bash

openssl x509 -noout -issuer_hash

Document the resulting hash.

Then make sure that hash exist somewhere in the certificate chain, by
running this command on each cert in the chain until you find a match.
If you don’t find a match you are using the wrong chain!

.. code-block:: bash

openssl x509 -noout -hash

You can also use this command to get information about the SSL chain:

.. code-block:: bash

openssl s_client -connect :443

Definitions

Transitive Trust A trusts B, B trusts C, therefore A may trust C

Self-signed Certificate This certificate was signed by the organization
who created it.

Snakeoil Certificate A “snakeoil” self-signed cert is a great example of
a singular identity certifying itself. Outsiders may not trust a
snakeoil cert because it lacks is not attached to a domain name.
Snakeoil certs are excellent for testing! “““I Trust myself”“”

Internally Signed Certificate An “internal” certificate signed by the
Classified Ventures (CV) Certificate Authority (CA) provides trust
within the company. Employees of CV may trust an internal cert because
it has meta-data and is attached to a domain name. The Internet will not
trust an internal cert because the CV CA itself was not certified by a
trusted outside identity. From inside the organization, this is a signed
cert. From outside the organization this is a self-signed cert. Internal
certs are excellent for internal only servers and services! “““Employees
trust the CV CA, CV CA trusts my-server, therefore employees may trust
my-server.”“”

externally signed certificate An “external” certificate is signed by a
trusted identity outside of the requesting organization. There are many
trusted identities who perform this service. This is a popular choice
among Internet websites because many of the trusted external Certificate
Authorities have their keys pre-loaded into web browsers. The pre-loaded
key relieves friction on the end-users, they do not need to manually
review or install anything.
“““You trust XYZ org, XYZ org trusts my-server, therefore you may trust
my-server.”“”

private key This is the very sensitive and private portion of the
certificate that must remain a secret in order for the SSL wrapped
service to remain secure.