OSCM 2024 | Ignite: Monitoring and maintaining self-signed certificates is dangerous by Mattias Schlenker.pdf
0 likes49 views
The document outlines how to quickly set up a proper internal Certificate Authority (CA) in five minutes, emphasizing the need for security over self-signed certificates. It provides step-by-step instructions for creating root and intermediate certificates, and issuing server certificates, while also cautioning against the use of a certificate revocation list for simplicity. The overall goal is to enable secure SSL services with monitoring capabilities while avoiding the vulnerabilities of self-signed certificates.
![13
Do not forget the extension file!
/home/alice/checkmk.starkindustries.test.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = checkmk.starkindustries.test
DNS.2 = monitoring.starkindustries.test](https://image.slidesharecdn.com/ignite-slidesmattiasschlenker2024-241205145549-962d1aa5/85/OSCM-2024-Ignite-Monitoring-and-maintaining-self-signed-certificates-is-dangerous-by-Mattias-Schlenker-pdf-13-320.jpg)
OSCM 2024 | Ignite: Monitoring and maintaining self-signed certificates is dangerous by Mattias Schlenker.pdf
- 1. Forget self-signed: A proper internal CA infrastructure in five minutes OSMC 2024 Mattias Schlenker Technical Writer - Team Knowledge
- 2. 2 The starting point ⬢ People™ want the easiest way to provide SSL enabled services ⬢ They want security ⬢ They need to monitor certificates for validity This does not go together well. Solution: In five minutes from zero to CA! Users are accustomed to self-signed
- 3. 3 This does not go together! ⬢ How can we trust an SSL certificate if there is no second channel to verify? ⬢ How can that be secure? ⬢ Why should we monitor such certificates at all? ⬢ In the end, we monitor certificates of an attacker!
- 4. 4 Sometimes we turn back customers wishes… ⬢ When implementing check_cert, we refused to add the option “allow self-signed certificatesˮ ⬢ Either use old check_http to monitor services where you need it… ⬢ Or skip monitoring those services…
- 5. The better solution: Create an internal CA. 5
- 6. This can be done in 5 minutes By following this slideset. 6
- 7. A basic CA infrastructure consists of… 1. A root certificate safely stored away 2. One or more intermediate certificates for signing server certificates 3. The plethora of certificates that get deployed 7
- 8. 8 Warning! For simplicity, we do not use a certificate revocation list.
- 9. 9 Carlaʼs root certificate: # Some folders: carla@nb:~$ for d in certs newcerts crl private ; do mkdir -p ~/ca/$d ; done # Empty files carla@nb:~$ for f in index.txt serial ; do touch ~/ca/$f ; done carla@nb:~$ cd ca # The private key. Use a proper password! carla@nb:~/ca$ openssl genrsa -aes256 -out private/ca.key.pem 4096 # And finally the root cert carla@nb:~/ca$ openssl req -config ca.cnf -new -key private/ca.key.pem -x509 -days 4398 -sha256 -extensions v3_ca -out certs/ca.cert.pem Enter pass phrase for private/ca.key.pem:
- 10. 10 Bobʼs intermediate certificate: bob@pc:~$ for d in certs newcerts crl private ; do mkdir -p ~/im/$d ; done bob@pc:~$ for f in index.txt serial ; do touch ~/im/$f ; done bob@pc:~$ cd im bob@pc:~/im$ openssl genrsa -aes256 -out private/im.key.pem 4096 The next step is to create the Certificate Signing Request CSR for this key, the .csr file name suffix is commonly used here: bob@pc:~/im$ openssl req -config im.cnf -new -sha256 -key private/im.key.pem -out certs/imbob.csr The Common Name here must be different from that of the root certificate. And here, too, you should use an accessible e-mail address.
- 11. 11 Carla signs Bobʼs IM certificate: carla@nb:~$ cd ca carla@nb:~/ca$ openssl ca -config ca.cnf -extensions v3_intermediate_ca -days 1476 -rand_serial -notext -md sha256 -in certs/imbob.csr -out certs/imbob.pem Now the passphrase for the key will be requested, the contents of the Certificate Signing Request are displayed and the Intermediate Certificate is created following confirmation. Carla now gives Bob the two PEM files ca.cert.pem (the PEM-encoded certificate of the Certificate Authority) and imbob.pem (the Intermediate certificate)
- 12. 12 Creating a server key and CSR Alice is the administrator of the internal Checkmk servers at Stark Industries Ltd. To secure a new Checkmk server, she first creates the server key. alice@pc:~$ openssl genrsa -out checkmk.starkindustries.test.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) This is followed by the creation of the CSR. Again the questions as to the organization and department must be answered. Important here is the Common Name, which should correspond to the server's primary host name. alice@pc:~$ openssl req -new -key checkmk.starkindustries.test.key -out checkmk.starkindustries.test.csr
- 13. 13 Do not forget the extension file! /home/alice/checkmk.starkindustries.test.ext authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = checkmk.starkindustries.test DNS.2 = monitoring.starkindustries.test
- 14. 14 Final step: Bob signs Aliceʼ CSR bob@pc:~$ cd im bob@pc:~/im$ openssl x509 -CAcreateserial -req -in certs/checkmk.starkindustries.test.csr -CA certs/imbob.pem -CAkey private/im.key.pem -out certs/checkmk.starkindustries.test.crt -days 365 -sha256 -extfile certs/checkmk.starkindustries.test.ext Alice can now roll out these three files on the server: /etc/apache2/sites-enabled/default-ssl.conf SSLEngine on SSLCertificateKeyFile /etc/certs/checkmk.starkindustries.test.key SSLCertificateChainFile /etc/certs/imbob.pem SSLCertificateFile /etc/certs/checkmk.starkindustries.test.crt
- 15. 15 Roll out the CA The ways to import a CA certificate as trusted differ from browser to browser. Usually it is sufficient to add the ca.cert.pem certificate under Settings > Privacy and Security > Certificates > Import. You can integrate the root certificate into the host's local CA database: To do this, copy the ca.cert.pem file to /usr/local/share/ca-certificates/starkindustries.crt. Then regenerate the cache: root@linux# update-ca-certificates
- 16. Checkmk GmbH Kellerstraße 27 81667 München Germany Web — checkmk.com mattias.schlenker@checkmk.com feedback@checkmk.com Questions? Get in touch Thank you! Background & explanations in CMK blog: https://checkmk.io/cert-authority