
Creating a Certificate Authority

Create a certificate authority when you first set up the server, or when the current CA certificate is due for renewal. IoT_pki always uses the NEWEST certificate authority to sign certificates.

  • Go to
    http://pki.zibawa.com/IoT_pki/new_ca/
  • Fill in the form with the requested details.
  • Use at least 5 years from now for “not valid after”: renewing a certificate authority certificate is a complex process (see below), so you want to do it rarely.
  • When you press submit, your browser downloads the CA CERTIFICATE (the public half, ca_cert.pem). Save this file, since you will need to install it in every application that has to verify client certificates.
  • The server stores both the CA certificate and its private key in the location defined in settings.py. The private key is not part of the download.

Downloading Certificate Authority Public Key

You can download the certificate authority certificate (its public key, ca_cert.pem) at any time from:

https://pki.<myhost>/IoT_pki/download_ca/

Install the public key in your proxy server

For the PKI to work, you need to configure the proxy server that serves the PKI web pages to validate client certificates against the ca_cert.pem CA certificate you just generated.

Below is a configuration for NGINX

server {

    listen 443 ssl;#always use TLS; "ssl on;" is deprecated in current nginx, the ssl parameter on listen replaces it
    server_name pki.myserver.com;

    ssl_certificate /etc/ssl/myserver.pem;#server certificate for TLS,not for verifying your clients!
    ssl_certificate_key /etc/ssl/private/myserver.key;#server private key for TLS

    ssl_client_certificate /home/jmm/myCA/certs/ca_cert.pem;#this must be the ca_cert(s) which has signed your clients
    #ssl_crl /home/jmm/myCA/private/ca.crl;#location of revocation list; without it revoked client certs are still accepted
    ssl_verify_client optional;#optional: a missing or bad client cert is passed through and the application checks X-SSL-Authenticated
    ssl_verify_depth 2;
    ssl_session_timeout 5m;
    #disallow insecure ssl protocols and ciphers: SSLv2, SSLv3, TLSv1 and TLSv1.1 must NOT be listed here
    ssl_protocols TLSv1.2;#add TLSv1.3 when your nginx (1.13+) and OpenSSL (1.1.1+) build supports it
    ssl_prefer_server_ciphers  on;
    # Maximum file upload size is 4MB - change accordingly if needed
    client_max_body_size 4M;
    client_body_buffer_size 128k;


    root /var/www/html;
    index  index.php index.html index.htm;


    location /{

        proxy_pass http://localhost:8000/;#point this to your django server, which must only listen on localhost
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_connect_timeout 60;
        proxy_read_timeout 90;
        #proxy_set_header always replaces any X-SSL-* header the client sent, so these values cannot be spoofed through nginx
        proxy_set_header X-SSL-User-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Authenticated $ssl_client_verify;#SUCCESS, NONE or FAILED[:reason]; only trust the DN when this is SUCCESS
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Rest-API 0; # Change to 1 to bypass
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;


    }

}

Install the public key in your applications

How you do this depends upon the application, but most applications have configuration files that ask for a CA file in a similar way to the NGINX configuration. Point that setting at a copy of the ca_cert.pem file you just downloaded.

How to Renew a Certificate Authority

Normally you will create a CA certificate with a long validity to avoid the need for renewal. If you do need to renew, because the expiry date is approaching, the process is as follows:

Create a new certificate authority as before. At this point automatic renewal requests made with client certificates signed by the OLD authority continue to work, because NGINX is still configured to accept certificates from the old CA.

However, from now on IoT_pki signs with the NEWEST authority, so as soon as a client renews its certificate the new certificate will no longer validate unless you configure NGINX and the applications to accept BOTH the old authority AND the new authority.

The first application to configure is NGINX. To make NGINX accept client certificates from two (or more) authorities, all you need to do is to put the CA certificates into the same PEM file, one after the other. Open old_ca.pem, paste the text of new_ca.pem at the bottom, and save the result as old_and_new_ca_cert.pem. The new file will look like this:

-----BEGIN CERTIFICATE-----
MIIFkjCCA3qgAwIBAgIUV....
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID9jCCAt6gAwIBAgIUJ3bDMHyg5YjKTuuHLXhqKAfYbfkwDQYJKoZIhvcNAQEL
BQAwgZYxDD...
...
-----END CERTIFICATE-----

Then modify the nginx configuration line:

ssl_client_certificate /home/jmm/myCA/certs/old_and_new_ca_cert.pem;

Don't forget to test the new configuration and reload NGINX; until you do, the old CA file stays in use.
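The CA bundle step above, as an added example that is not part of the original page or of IoT_pki: a POSIX shell script that builds an old and a new throwaway CA with openssl(1), signs one client certificate with each, concatenates the two CA certificates the way described, and checks that the bundle accepts both clients while the old CA file on its own rejects the client renewed under the new authority. openssl must be installed; the names old_ca, new_ca, client_old and client_new, the minimal openssl config and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the IoT_pki project): build an old+new CA bundle the
# way the renewal section describes, then prove with openssl(1) that client
# certificates signed by EITHER CA verify against the bundle, while each CA
# file on its own only accepts its own clients. All CAs, keys and client
# certificates are throwaway ones generated here in a temporary directory;
# "old_ca", "new_ca", "client_old" and "client_new" are just example names.
set -eu

WORK=$(mktemp -d)

# Minimal openssl config so the CA certificates get CA:TRUE regardless of the
# distribution's default openssl.cnf (the subject is always overridden by -subj).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA certificate ($NAME.pem) and private key ($NAME.key)
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_client CA_NAME CLIENT_NAME: client certificate signed by the named CA
make_client() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client CAFILE CLIENT_NAME: prints ok or fail. This is what nginx's
# ssl_client_certificate check amounts to (minus the CRL).
verify_client() {
    if openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# build_scenario: old CA, new CA, one client certificate from each, and the
# concatenated bundle. Prints the number of certificates in the bundle (2).
build_scenario() {
    make_ca old_ca
    make_ca new_ca
    make_client old_ca client_old
    make_client new_ca client_new
    # The "paste new_ca.pem below old_ca.pem" step, done with cat.
    cat "$WORK/old_ca.pem" "$WORK/new_ca.pem" > "$WORK/old_and_new_ca_cert.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/old_and_new_ca_cert.pem"
}

# renewal_check: four results on one line, in this order:
#   client_old vs old_ca.pem, client_new vs old_ca.pem,
#   client_old vs bundle,     client_new vs bundle
renewal_check() {
    printf '%s %s %s %s\n' \
        "$(verify_client "$WORK/old_ca.pem" client_old)" \
        "$(verify_client "$WORK/old_ca.pem" client_new)" \
        "$(verify_client "$WORK/old_and_new_ca_cert.pem" client_old)" \
        "$(verify_client "$WORK/old_and_new_ca_cert.pem" client_new)"
}

cleanup() { rm -rf "$WORK"; }

if [ "${1:-}" = "run" ]; then
    build_scenario >/dev/null
    renewal_check
    cleanup
fi
```

Run it with `sh ca_bundle_check.sh run`. It prints one line with the four results; the second one (client_new checked against old_ca.pem alone) is the failure the renewal section warns about, and the last two show that the concatenated file cures it for both generations of clients.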

Add the New certificate authority file to your server applications

Once this is complete, you will need to add your new CA file to all of your server applications. Again you will need to configure the apps to accept BOTH the old and the new certificate until all of the clients have renewed with the new authority. Whether this is easy to achieve depends upon your applications, because not all of them will accept working with two CAs. For this reason it is advisable to configure your clients to renew certificates daily: in the worst case an application that can only hold one CA is inaccessible for one day, until each client has renewed its certificate with the new authority.

Lock Down File Permissions

You must lock down file permissions on the folder where you keep your CA private keys (the “path_to_key” location defined in settings.py when you set up).

Set the containing folder to permission 700, and the key itself to 400 once it has been created, so that no one other than the user running IoT_pki can read the key. That user must own the folder and the key. The NGINX worker needs no access to this folder at all: it only reads the public ca_cert.pem from the certs folder.
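An added example, not from the original page or from IoT_pki, that applies and audits the permissions described above with a POSIX shell script. It assumes GNU stat (stat -c, as on Linux); the scratch directory, the file names and the placeholder key content are constructed for the demo and stand in for the path_to_key folder from settings.py, and the service account name is left to you.

```shell
#!/bin/sh
# Added example, not IoT_pki code: apply the page's permission rules to the
# CA key folder (700 on the folder, 400 on each key) and audit them.
# Assumes GNU coreutils stat (-c '%a'); the paths used in the demo are
# temporary placeholders for the "path_to_key" folder from settings.py.
set -eu

# lock_down_ca_dir DIR: owner-only folder, read-only keys. The owner must be
# the account that runs the Django/IoT_pki process; chown it first if needed
# (chown -R <service-user> DIR; the account name depends on your setup).
lock_down_ca_dir() {
    dir=$1
    chmod 700 "$dir"
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue      # no keys yet: nothing to tighten
        chmod 400 "$key"
    done
}

# check_ca_dir DIR: prints "ok" when folder and keys have the expected modes,
# otherwise the first offending path, prefixed with bad-dir: or bad-key:.
# Suitable for a cron job that alerts when someone loosens the folder again.
check_ca_dir() {
    dir=$1
    if [ "$(stat -c '%a' "$dir")" != "700" ]; then
        echo "bad-dir:$dir"
        return 0
    fi
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        if [ "$(stat -c '%a' "$key")" != "400" ]; then
            echo "bad-key:$key"
            return 0
        fi
    done
    echo ok
}

# demo_lockdown: run both on a scratch folder with a constructed placeholder
# key (not a real CA key) that starts out world-readable, the way a careless
# setup would leave it. Prints "<result before> <result after>".
demo_lockdown() {
    work=$(mktemp -d)
    mkdir "$work/private"
    echo "placeholder, not a real key" > "$work/private/ca.key"
    chmod 755 "$work/private"
    chmod 644 "$work/private/ca.key"
    before=$(check_ca_dir "$work/private")
    lock_down_ca_dir "$work/private"
    after=$(check_ca_dir "$work/private")
    chmod -R u+rwx "$work"
    rm -rf "$work"
    echo "$before $after"
}

if [ "${1:-}" = "run" ]; then
    demo_lockdown
fi
```

On a real installation call lock_down_ca_dir with the path_to_key folder as the service user, and keep check_ca_dir in a periodic job: the audit reports the first path whose mode drifted, which is the usual way a private key ends up readable by every shell account on the box.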

pki/creating_a_ca.txt · Last modified: 2017/07/21 14:25 by matt