If I am importing CA certificates to java key store, is it possible to import the duplicate certificate to java key store?
What happens if am importing a certificate which is already existing in JKS. Is it possible?
Related
I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I use client-certificates that have been issued by a trusted CA (that's how it works right? CAs issue client-certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in AKS cluster as a secret? Do CAs just hand out their certificates out to public? Isn't that a security issue? (since I can sign client-certificates using that CA certificate)
The CA certificate .crt file doesn't contain the private key. It only contains the public key + certificate information, which is public and can't be used to sign new certificate. You can safely store the ca.crt in a Kubernetes Secret, it only required the private key for the server certificate.
For the username and APIKey that connects the container back to azure, is there a way to store that in a local Azure Key Vault? How is this not exposed in code for the docker container?
If you mean to retrieve the key vault in the local or the docker, you could implement it with the rest API or the SDK.
Firstly about rest API, you could refer to this tutorial, it uses the python to do the rest request: Use Azure Key Vault with a Windows virtual machine in Python.
It describes how to assign an identity to the VM and assign permissions to the VM identity
And about the SDK, here is a sample about python SDK to access Key Vault: Azure Key Vault libraries for Python.
Using Openssl, I generated my own CertificateAuthority (CA) and using this CA I generated self signed server certificate and key. This server certificate and key was used to configure Apache HTTPD proxy and Tomcat server which starts successfully and I am able to load application UI and work as expected (All functionality is fine)
Now since it is a self signed server certificate, the browser URL pane shows Certificate error / Not secure everytime. I try to import this certificate into my windows Trusted Root Certification Authorities store using chrome or IE. The certificate import is successful.
Looking at certificate in the Windows Certificate Manager (certmgr.msc) Windows says it "does not have enough information to verify this certificate". When looking at the certificate path, the only certificate that is shown is the certificate itself (with a yellow exclamation mark), and the Certificate status indicates: "The issuer of this certificate could not be found" and checking the certificate name I find that instead of the CA certificate the server certificate is imported. While I can see the certificate on certmgr.msc , but on the browser the imported certificate does not even show under Trusted Root Certification Authorities. The Common Name (CN), SubjectAlternativeName (SAN) etc are all present as expected as I know they are important.
After I manually import the CA certificate (which I already have) separately from the browser, the UI loads with green padlock as expected.
I checked online for suggestions and I can see many threads exists like this0, this1, this2 this3, this4, this5 without much help. None of them have solved this import issue without any manual CA cert import.
What am I missing? With browser certificate import why is server certificate imported and not CA certificate?
What should I do to import the CA certificate directly reading from the server certificate? Should we install the CA certificate manually? If yes, then how to import this CA certificate on a remote machine when I try to access my application from outside the system (remote system browser)? kindly help.
Finally I was able to figure out how to solve this issue. Answering my own question here so that it might help anyone else facing the same issue.
Initially you generate your own CA and and server private key and then using that CA you sign the server certificate. We were using Apache Httpd proxy server and in the configuration along with SSLCertificateFile, SSLCACertificateFile needs to be set to the CA certificate. Upon loading the URL in the browser, "Certificate error" or "Not Secure" will be shown. While clicking on to importing the certificate, under Certificate details you will see CA certificate followed by server certificate. Click to save the CA certificate locally to Trusted Root Certification Authorities (save CA and NOT server certificate) so that you can install this CA (what we created) and once the CA certificate is imported successfully, the connection will be shown as secure with green padlock in the URL bar. This can be done from local or any remote machine accessing the URL.
All certificates that we newly generate and signed by this same CA will be inherently trusted thereafter.
I've found that if you connect to a Cloud SQL instance over SSL the CommonName provided in the server's certificate is my-project-123456:myinstance which renders the certificate un-validatable, as the client expects that the CN to be either the hostname or IP.
Every solution to this problem seems to amount to "just disable validation", which is not acceptable to me because:
Why has GCP decided to do everything else correctly, providing a CA cert and client certificates, only to drop the ball on identity validation? By disabling validation you're basically saying "I'm OK with being MITMed at some point".
What about projects where we can't play fast and loose with validation because of PIPA/HIPAA?
What about mySQL clients that don't support turning validation off? eg: All PHP 5.6 mysql libs using mysqlnd prior to the upcoming 5.6.16 release.
Is there any way to make SSL work correctly on Cloud SQL?
One of the reasons for not having the IP address of the instance in the common name of the server certificate is because these IPs can change. What is the IP address of instance A today can be the IP address of instance B tomorrow, because A was deleted, or A decided that it doesn't want the IP address anymore. So, the instance name was decided as being a more unique identification of the instance.
Also, the mysql client libraries by default have hostname verification disabled. http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html
With regards to MITM attacks, it is not possible to MITM attack a Cloud SQL instance because the server certificate and the each of the client certificates are signed by unique self-signed CAs which are never used to sign more than one cert. The server only ever trusts certificates signed by one of these CAs. The reason for using unique CAs per client cert was because MySQL 5.5 did not support certificate revocation lists, and we also did not want to deal CRLs, but wanted to support deletion of client certs.
We will look into ways of supporting SSL for clients which cannot turn off hostname validation. But I cannot promise an ETA on this.
Cloud SQL Team.
I have a windows service that reads from app.config
I want some settings to be encrypted, however, I don't want to use the ProtectedConfigurationProvider classes provided in .NET because they encrypt files based on the machine they are running on using DPAPI.
What I wanted was a way for our administrator to deploy the config file already encrypted to many machines and have each machine decrypt them when needed.
I don't want to hardcode a password into the assembly either so I'm not sure how I can go about this.
Perhaps your central server can maintains a database of the private keys for all the end points, then it could use the specific machine key for that.
A shared private key for all the machines is not going to be that secure.
You can use user-level RSA keys and export them to each machine. then the config file can be encrypted ahead of time, and the target machines already have the key.