SSL Certificates and Operations
-
Upload
nisheed-km -
Category
Internet
-
view
52 -
download
3
Transcript of SSL Certificates and Operations
SSLCertificates&OperationsNisheedMeethal
7Nov’16
Chapters
• PurposeofSSLcertificates• Request,sign,installandverify
• CASignedvs.Selfsigned
• SSLCertificatetypes• DV(basic),OV(enhanced)&EV(complete)
• OpenSSL• CertificateStructure• Chainoftrust• TrustStores• Certificatepinning• Freecertificates
PurposeofSSLcertificates• Server[/Client]authenticationforsource[/dest]validationandtrust.
• Securedatatransferusingencryption
SSLCommunicationProcess1. Serverauthentication(Handshake)2. KeyExchange3. Encrypteddatatransfer(Record)
Highest SSL Version, Ciphers Supported, Data Compression Methods, Session Id = 0, Random Data
Selected SSL Version, Selected Cipher,Selected Data Compression Method, Assigned Session Id, Random Data, Server Certificate
(Client Certificate Request)Server Hello Done
Indicates that further communication to server will be encrypted
Digest of all SSL handshake commands for integrity check
Indicates that further communication to client will be encrypted
Digest of all SSL handshake commands for integrity check
Request,sign,installandverify
3.GetitsignedbyCA,saymysite.crt
Certverificationbybrowser
▶ openssl genrsa -out mysite.key 4096▶ openssl req -new -key mysite.key -out mysite.csr
2.Sendmysite.csr totheCAofyourchoice.
1.Generatetheprivatekeyandcertificatesigningrequestforyoursite.
4.Installthecertificate
▶ openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
CASigned
SelfSigned
1.Generatetheprivatekeyandselfsigned certificatefor365days.
2.Installthecertificate
SSLCertificatetypes(DV,OV,EV)
• DV– DomainValidated(Basic)• Smallormedium levelwebsiteownerswhoonlywishtoencrypttheirdomaincanissueDVSSLcertificate.(https://www.ycombinator.com/,https://www.nisheed.com)
• Features• Greenpadlock• Lowerprice• Quickissuancewithinminutes• Nopaperworkordocumentationrequiredforvalidation.Validatedagainestthe
domain. Itdoesnotguaranteetheidentityofthewebsite'sownernortheactualexistenceoftheorganization
• 99.9%mobileandwebbrowsercompatibility• ComesupwithWildcardandMultiDomainfeatures• Reissueasmanytimesasneededduringthevalidityperiod
• Validationprocess(email,file,registrar)• https://aboutssl.org/domain-validated-ssl-validation-process
SSLCertificatetypes(DV,OV,EV)
• OV– OrganizationValidated(Enhanced)• Businessidentityleveltrust.Organizationnameprinted inthecertificate.
(https://www.intuit.com/,https://www.icicbank.com,https://www.reddit.com/ )
• Features• Greenpadlock• 1-3daysforissuance• MoretrustedthanDV• Organizationnameisvalidatedandpartofthecertificate.(IssuetoOrganizationand
Subjectarefilledup)
• https://aboutssl.org/document-require-for-ov-ssl-code-signing-certificate
SSLCertificatetypes(DV,OV,EV)
• EV– ExtendedValidated(Complete)• Fortrustedandhighsecuritysites(https://www.godaddy.com,https://www.actalis.it/,
https://www.geotrust.com/,https://www.online.citibank.co.in/ )• Features
• GreenAddress Bar+OrganizationName+TrustSeal
• Upto10business daysforissuance&VeryStrictValidation Process• OVbydefault+High256-bitencryptionwith2048-bitKeyLength• MultidomainwithSANonly.
• https://aboutssl.org/document-require-for-ev-ssl-certificate
OpenSSLReadcert(online)openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/nullopenssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null
Readthecert- x509decoded (online)openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text
Checkexpiry[startdate,fingerpring,…]openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …]
Verifythekeyandcert(offline)openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl shasumopenssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl shasum
PublickeyextractionfromPrivatekeyopenssl rsa -in mysite.key -pubout > mysite.pub.key openssl req -noout -in mysite.csr –pubkey > mysite.pub.key
Removepassphrasefromprivaekeyopenssl rsa -in mysite.key -out nopassphrase_mysite.key
CertificateStructure
x509- PKIX(PublicKeyInfrastructure) certificate- rfc6818
Encoding
DER=>BinaryDERencoded certs.(appearas.cer/.crtfiles)
PEM=>ASCII(Base64)armoreddataprefixedwitha“—– BEGIN…”line.(appearsas.cer/.crt/.pemfiles)
Fileextensions
.crt=>*nixconventionofbinaryDERorBase64PEM
.cer=>MicrosoftcoventionofbinaryDERorBase64PEM
.key=>public/private PKCS#8 keys.DERorPEM.
#Viewcertcontent▶ openssl x509 -in ServerCertificate.pem -text -noout▶ openssl x509 -in ServerCertificate.der -inform der -text -noout
#Encodingconversion▶ openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der▶ openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem
CertificateStructure▶ openssl s_client-connectqbo.intuit.com:443</dev/null 2>/dev/null |openssl x509-in/dev/stdin –text
▶ openssl s_client–connectgoogle.com:443 -showcerts</dev/null2>/dev/null
Google.com(EE/Leaf)
GIA(ICA)
Geotrust(ICA)
Equifax(rootCA)
ChainofTrust
TrustStores
• Application truststores• Browser
• Public keysofallmajorCAscomewithrelease• Java (tomcat,coldfusionetc.)
• Mostlytherebutlessfrequently updated.• Youneedtotakecareifcustomized.
▶ /usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts -storepass changeit –noprompt
▶ /usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit –noprompt
▶ /usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
▶ /usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
Whenshouldyouupdatetheapplicationtruststore?
CertificatepinningHTTPPublicKeyPinning,orHPKP (rfc7469).
ThisstandardallowswebsitestosendanHTTPheaderinstructingthebrowsertoremember(or"pin")partsofitsSSLcertificatechain.Thebrowserwillthenrefusesubsequent connectionsthatdon'tmatchthepinsthatithaspreviouslyreceived.Here'sanexampleofanHPKPheader:
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=259200
Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
report-uri="https://example.net/pkp-report"
#Generateprivatekeyandcsr.▶ openssl genrsa -out mysite.key 4096▶ openssl req -new -key mysite.key -out mysite.csr
#GetthecrtfromCA▶ openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out mysite.pub.key▶ openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64
#Formtheheaderandaddtowebserver(eg:- apache).Header add Public-Key-Pins "max-age=500; includeSubDomains;
pin-sha256=\"wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=\";
Free&Opencertificates
• Let’sEncrypt• https://letsencrypt.org/getting-started/
Usefulresources:
https://www.ssllabs.com/ssltest/https://aboutssl.org/ssl-tools/ssl-checker.phphttps://tools.ietf.org/html/rfc6818https://certbot.eff.org/