Stuff I'm Up To

Technical Ramblings

step-ca and ACME — January 15, 2021

step-ca and ACME

We have a couple of hundred certs with Let’s Encrypt and it is a great service. Right now though we need to issue certs to internal systems and thought it would be great to use the same ACME method to do so.

Add to that we’d like to issue some user certificates to use for user authentication into our web services, we needed to find an Open Source solution to the problem.

Enter https://smallstep.com/certificates/

Auto Select Client Certificate — October 23, 2020

Auto Select Client Certificate

When you visit a site requiring a client certificate you’ll be presented with a dialog to select a certificate to use. This is awkward in a kiosk scenario where a user may not be present to select the certificate or can’t select the certificate because it is on a second screen.

To make it happen automatically you need to set a Chrome or Chromium policy. Policy files are held in the following locations:

Browser     Location
Chrome      /etc/opt/chrome/policies/managed
Chromium    /etc/chromium/policies/managed

The JSON policy file we need to create contains:

{
  "AutoSelectCertificateForUrls": [
    "{\"pattern\":\"*\",\"filter\":{\"ISSUER\":{\"CN\":\"MyCA\"}}}"
  ]
}

It doesn’t look right as it’s a string of JSON inside JSON, but this is the way it works.

sudo mkdir -p /etc/chromium/policies/managed
sudo vi /etc/chromium/policies/managed/policies.json

Replace MyCA with the CN of the issuing CA whose client certificate you want the browser to send automatically.

You can verify the policies are loaded using the address chrome://policy in the browser.
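
The policy format above, as an added example (not code from the original post): it builds the file so the inner JSON string is escaped by the library rather than by hand, and audits an existing file for entries that are not strings, for the catch-all "*" pattern and for an empty filter. The function names and the host name server.domain.tld in the usage lines are assumptions made for illustration.

```python
import json

POLICY_KEY = "AutoSelectCertificateForUrls"


def build_policy(issuer_cn, url_patterns):
    """Return policy-file text; every list entry is a JSON document stored as a string."""
    entries = [
        json.dumps({"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}},
                   separators=(",", ":"))
        for pattern in url_patterns
    ]
    return json.dumps({POLICY_KEY: entries}, indent=2)


def audit_policy(policy_text):
    """Return a list of findings for a policy file; an empty list means none."""
    try:
        entries = list(json.loads(policy_text)[POLICY_KEY])
    except (ValueError, KeyError, TypeError):
        return ["file is not valid JSON or lacks " + POLICY_KEY]
    findings = []
    for index, raw in enumerate(entries):
        try:
            rule = json.loads(raw)  # TypeError when raw is an object, not a string
            pattern, cert_filter = rule["pattern"], rule["filter"]
        except (ValueError, KeyError, TypeError):
            findings.append(f"entry {index}: not a JSON string with pattern and filter")
            continue
        if pattern == "*":
            findings.append(f"entry {index}: pattern '*' applies to every site")
        if not cert_filter:
            findings.append(f"entry {index}: empty filter matches any client certificate")
    return findings


if __name__ == "__main__":
    # Constructed host name; MyCA is the placeholder issuer used in the post.
    text = build_policy("MyCA", ["https://server.domain.tld"])
    print(text)
    print(audit_policy(text))
```

Scoping the pattern to the kiosk's own site keeps the browser from offering the certificate to any other server that asks for one.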

Nginx SSL Certificate Error — October 14, 2020

Nginx SSL Certificate Error

We’re using client side certificates on an Nginx host to ensure the credentials of the connecting users and haven’t used the site for a while.

I tried to log on with a known good client certificate and know that nothing on the site config has changed and all I get in return is a 400 error with the message “SSL Certificate Error”, which is not at all helpful.

First I thought I’d regenerate my client certificate, no joy there. Still the same error. So I went through the process of verifying the CA cert matched my source and was still valid. I used openssl to verify my client certs, and all looked good. Nothing I did allowed me to access the site unless I turned client certificate verification off.

ssl_verify_client off;

So what was my problem? I checked the nginx.conf and our logging was set to push out to a syslog server:

error_log syslog:server=logserver:515,severity=debug;

But I wasn’t seeing anything in the log about any errors. I checked the syntax of the config entry and found it to be missing the debug option – confusing I know, it looks like it should be using debug logging, but that’s just the severity setting for the syslog server, not Nginx. I added debug onto the end of the line:

error_log syslog:server=logserver:515,severity=debug debug;

Now I can see what the problem is with the certificates – there is no problem with the certificates, it’s a problem with my certificate revocation list being too old! I just need to regenerate and reissue a new one.

<190>Oct 14 20:38:22 proxy3.domain.tld nginx: 2020/10/14 20:38:22 [info] 12373#12373: *83301603 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 81.8.151.23, server: server.domain.tld, request: "GET /favicon.ico HTTP/1.1", host: "server.domain.tld", referrer: "https://server.domain.tld/web/database/selector"

By using openssl I can check the validity of my crl using:

$ openssl crl -in crl.pem -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = myCA
Last Update: Oct 14 19:40:03 2020 GMT
Next Update: Apr 12 19:40:03 2021 GMT

Now all I need to do is make sure I automate this process and dump a new crl onto the server at least every 6 months – I’ll probably do it monthly to be sure.
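
A check for the failure described above, as an added example (not code from the original post): it reads the Next Update field from openssl crl -text output to flag a CRL before it lapses, and counts nginx client-certificate verify errors by reason. The sample inputs are abridged from the output quoted in the post; the function names and the 30-day warning window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sample inputs, abridged from the openssl output and syslog line quoted in the post.
CRL_TEXT = """Certificate Revocation List (CRL):
Issuer: CN = myCA
Last Update: Oct 14 19:40:03 2020 GMT
Next Update: Apr 12 19:40:03 2021 GMT
"""
LOG_LINES = [
    '<190>Oct 14 20:38:22 proxy3.domain.tld nginx: 2020/10/14 20:38:22 [info] '
    '12373#12373: *83301603 client SSL certificate verify error: '
    '(12:CRL has expired) while reading client request headers, '
    'client: 81.8.151.23, server: server.domain.tld',
]

NEXT_UPDATE = re.compile(r"Next Update:\s*(.+?)\s+GMT")
VERIFY_ERROR = re.compile(r"client SSL certificate verify error: \((\d+):([^)]*)\)")


def crl_status(crl_text, now, warn_days=30):
    """Return (state, whole days left) for a timezone-aware `now`."""
    match = NEXT_UPDATE.search(crl_text)
    if match is None:
        raise ValueError("no 'Next Update' field in CRL text")
    next_update = datetime.strptime(
        match.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    remaining = next_update - now
    if remaining.total_seconds() <= 0:
        state = "expired"   # nginx will reject every client certificate
    elif remaining.days < warn_days:
        state = "renew"     # inside the warning window: reissue the CRL now
    else:
        state = "ok"
    return state, remaining.days


def verify_errors(lines):
    """Count nginx client-certificate verify failures by (code, reason)."""
    hits = Counter()
    for line in lines:
        match = VERIFY_ERROR.search(line)
        if match:
            hits[(int(match.group(1)), match.group(2))] += 1
    return hits

if __name__ == "__main__":
    print(crl_status(CRL_TEXT, datetime.now(timezone.utc)))
    print(verify_errors(LOG_LINES))
```

nginx writes this verify error at [info] level, as the sample line shows, so the error_log level has to be info or debug for the log check to see it.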

References

https://www.djouxtech.net/posts/nginx-the-ssl-certificate-error/

SMTP Ciphers — July 16, 2020

Ansible and Client Certificates — March 4, 2020

Ansible and Client Certificates

Now we know how to inject client certificates into Firefox and Chrome it’s time to automate that process with Ansible.

The goal is to take a client and CA certificate and deliver it to the .pki keystore on the client. The actual generation of the certificate happens using easyrsa and is not part of this process. Let’s assume you already have generated a series of certificates, and converted them to a .pfx (pkcs12) for each client and just need to deliver them – although I may write up that process later.

Further, let’s assume you are naming the certificate files with the same inventory hostname you are going to use in Ansible. This is so we can easily identify which file goes to which host, e.g.

myclient01.pfx for inventory item myclient01.

Firefox Certificates — February 5, 2020

Firefox Certificates

Now with added Chromium!

Fun and games with Nginx and client authentication certificates means we need to deploy certificates to the user for them to trust our CA and have a trusted personal certificate to validate with our server.

I can see why many just pop up a help page and navigate the user through importing the CA and their certificate in the browser. We need to make this a bit more automated though as the machines will be out with customers.

PaperCut Certificate — November 21, 2017

PaperCut Certificate

Time to replace the PaperCut web server certificate. So pleased I ran into Keystore Explorer previously as this made changing the web server certificate a breeze.

Put simply you create a new keystore file, in the Program Files\PaperCut MF\server\custom folder, and import your certificate that you obtain from your internal CA. We did this using MMC and the Certificate snap-in on the print server. Then export the certificate with private key to a .pfx file. Then just import the .pfx into the new keystore in Keystore Explorer.

Edit the server.properties file in Program Files\PaperCut MF\server and add the relevant keystore and password details:

### SSL/HTTPS Configuration (Default: 9192) ###
server.ssl.port=9192

# Custom SSL keystore example (recommend placing in the custom directory)
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=myPassword
server.ssl.key-password=myPassword

Restart the PaperCut services, give it a minute and the user and admin portal should now be using the new certificate.

https://printserver.domain.local:9192/admin

Now every printer that has an embedded PaperCut app will need to be updated to accept the new certificate. This means you have to visit each PaperCut admin console on every device – yes, that’s the painful bit if you have a lot of printers. Then you login to the console and click apply, even though you’ve made no change. This will then ask you to accept and trust the new certificate.

References

https://warlord0blog.wordpress.com/2017/11/14/java-keystore-management/

https://www.papercut.com/products/ng/manual/common/topics/tools-ssl-key-generation-certificate-authority-import-new.html

OpenSSL and Subject Alternative Names — July 27, 2017

OpenSSL and Subject Alternative Names

Google Chrome has started bitching about certificates not having Subject Alternative Names, because the practice of using Common Names in certificates has changed.

So in order to get the SAN into a CSR you need to edit the OpenSSL config file you’re using for the request. You can spend time scripting something, but for the few times I do it I’ll just copy the base openssl.cnf file to one specific to the CSR I need to create. After all you’ll already have customised the req_distinguished_name section so you don’t have to put in the country and company name all the time, e.g.

$ cp /etc/ssl/openssl.cnf ~/myserver.cnf

Then I just use that new cnf file as part of the command line to create the CSR.

$ openssl req -out myserver.csr -new -newkey rsa:2048 -nodes -keyout myserver.key -config ~/myserver.cnf


Remmina/xfreerdp Certificate Name Mismatch — July 21, 2017

Remmina/xfreerdp Certificate Name Mismatch

When using Remmina to connect to some of our older Windows systems we’re seeing a certificate problem that prevents it from connecting. Remmina pretty much says you can’t connect, but you can see the error message if you run remmina from a terminal and try to connect.

connected to server:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@           WARNING: CERTIFICATE NAME MISMATCH!           @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (m3app) does not match any of the names given in the certificate:
Common Name (CN): no CN found in certificate
A valid certificate for the wrong name should NOT be trusted!
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure


Dell iDRAC and Certificates — March 10, 2017

Dell iDRAC and Certificates

A wider vulnerability scan picked up that we had self-signed certificates on our Dell iDRACs (Dell Remote Access Controller). It also highlighted that the certificate keys were too small. That meant that in order to resolve the issue we must issue our own certificates and ensure they are the right key size.

This would normally be fairly straightforward. Use the Web UI to generate a CSR and then submit that to the CA. Then just upload the issued certificate to the Web UI and all is done. However, when we submitted the CSR the CA responded with a “Denied by Policy Module” error.

In the CA server’s Application event log we see Event ID: 53

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module


HTTPS and SNI — March 9, 2017

SSL/TLS as a Server Admin — February 28, 2017

SSL/TLS as a Server Admin

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that SSL/TLS are the same thing. SSL was simply renamed TLS, but the underlying principles are the same, the mechanisms and ciphers change, but the concept is the same – and despite the change it’s still mostly referred to as SSL.

The basic process of SSL is that in order to engage in a secure conversation between systems both systems must share a level of trust with a common 3rd party.

I don’t trust you just because we can encrypt data together. I need to trust you based on a 3rd party we both trust telling me that you are who you say you are.
