I am submitting CMC requests to Microsoft AD Certificate Services in order to enroll certificates.
These requests are signed by an enrollment agent certificate, and DN and SAN information is overloaded in the CMC.
This works well, however i have the following issue: if a SAN is specified in the underlying PKCS#10 and not overloaded in the CMC, ADCS signs it anyway.
For instance, let's say i have a PKCS#10 that contains a requested SubjectAlternativeName IP Address: 10.0.0.1, and there's no overload in the CMC for the SubjectAlternativeName IP Address, the issued certificate will contain SubjectAlternativeName IP Address: 10.0.0.1.
So, is there a way to tell to ADCS to ignore data contained in the PKCS#10 ?
either to consider only the public key part of it
or, on a per field basis, ignore its PKCS#10 content
The idea would be either to add the appropriate information to the CMC to do so, or to add an appropriate flag in the certification request (or any other appropriate way).
Related
I'm using Angular 14 and the ngx-mqtt front-end lib.
Here's my connection string which works fine:
getEmqxCloudConnection(): IMqttServiceOptions {
return {
hostname: 'xx.xx.xx.182',
port: 8083,
path: '/mqtt',
clean: true, // retain
connectTimeout: 4000,
reconnectPeriod: 4000,
clientId: 'HarBrowserTest1',
username: 'myUser',
password: 'myPass',
protocol: 'ws',
connectOnCreate: false,
};
}
As per their Broker dashboard the available ports are:
Ports: 1883(mqtt), 8883(mqtts), 8083(ws), 8084(wss)
I have already imported our SSL Certificate into the EMQX Dashboard, yet when I change my conn string to port: 8084 and protocol: 'wss' - IT DOESN'T CONNECT !
They have some screenshots here showing their Client Tool, but for reason every one shows port=1883 (a mistake maybe). https://docs.emqx.com/en/cloud/latest/connect_to_deployments/mqttx.html#connection-configuration
In my Chrome browser network tab, here's what I see for the std insecure ws - A successful ws conn to the Mqtt Broker.
Here is the certificate UI which I used to imported the PEM-Encoded cert body and key:
This will most likely be down to the certificate you have used for the broker.
First unless you have created the certificate just right (using the correct SAN entries) that include the IP address as the principal for the certificate, then the connection will get rejected because the certificate doesn't match the hostname/IP address the broker is using to connect.
Second, if it is a self signed certificate then the browser will just reject it, unless you have manually imported the CA (or if it really is self signed the cert it's self) into the browsers trust store and marked it as trusted. The browser will NOT show you a warning and ask to accept for a WebSocket connection like it does with a webpage, it will just fail with an error in the console and nothing else.
P.S. - You should not hard code the client id in web apps, this is because client ids must be unique across ALL clients, so hardcoding it means that everybody that visits the page will use the same client id and each new connection will kick off the last one (and probably end up in a reconnect fight)
If you check the logs of EMQX, maybe you can get more helpful information.
The following are possible reasons for common TLS connection failures.
First of all, as mentioned in the previous answer, your certificate may have a domain name or IP address set as CN or SAN when it is issued, but the address you specified when connecting does not match the values of the CN and SAN fields.
In this case, the TLS client will think that the server you are connecting to may not be what you really expect, so it will refuse the connection.
We have three ways to solve it:
Turn off the verification of the peer certificate, if your client has this option. However, we do not recommend this as it increases the security risk.
Reissue a certificate that matches your server address
Set the SNI field (full name Server Name Indication) when the client connects, so that TLS will check whether the SNI matches the CN and SAN fields of the certificate, instead of your actual connection address.
The second possible reason is that your certificate path is incomplete, such as the lack of intermediate certificates, or the client does not specify a trusted root certificate, its keyword in the EMQX log is unknown_ca.
For more TLS error reasons, you can refer to SSL Connection Error.
In a browser environment, you should use a server certificate issued by a CA Signed than a self-signed certificate.
Self-Signed SSL Vs Trusted CA Signed SSL Certificate, see the https://cheapsslsecurity.com/blog/self-signed-ssl-versus-trusted-ca-signed-ssl-certificate/
In application gateway "Backend certificate is invalid", Do really require by app gateway to monitored the validity of backend server certificate?
As because we have seen due to this human error can be encounter, whereas application owner and Azure administrator should be aware of the working flow of the application. But although the certificate is invalid to-and-fro communication would be secure, hence its worthless of mentioning "HTTPS connection won't be secure unless the server's TLS/SSL certificate is valid" in Azure portal.
However now a days every organization looking for cost saving, whereas Administrators are working in shared model and if any production application missed to update certificate in-between, can cause the business loss.
Rather MS has to introduce server certificate profile in http setting, which accepts the default certificate no matter valid or invalid and monitoring only the secure connection for end-to-end encryption.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
Currently, for the TLS connection to work in Application gateway, you need to ensure that the TLS/SSL certificate meets the following conditions:
That the current date and time is within the "Valid from" and "Valid
to" date range on the certificate.
That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
If the Trusted Root Certificate uploaded is expired or backend server certificate’s Common Name (CN) does not match with the Hostname entered in HTTP Settings, the probe (default or custom) will start marking the backend servers as Unhealthy so that the requests won’t be routed to them.
There is no other way available to get this working at the moment. If you wish you may leave your feedback in the below forum requesting the desired feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789
I have configured mutual authentication on an Azure Application Gateway. Currently all client certificates issued by the intermediate CA (as configured on SSL profile) are accepted, but I only want a specific certificate to be granted access, ideally based on the subject of the client certificate. Making changes to the CA that issues the client certificate is not feasible in my case.
Options explored:
Use leaf certificate when configuring SSL profile: app gateway seems to ignore the leaf certificate; all client certificates issued by the intermediate CA are accepted.
Configure a rewrite rule action to pass a server variable (e.g. client_certificate_subject) to backend in a custom request header. This would require changing the backend to interpret the request header, which I’m trying to avoid.
Configure a rewrite rule condition to check server variable (e.g. client_certificate_subject) and conditionally take some action. Ideally the action should set the HTTP response code (without forwarding the request to backend) or rewrite to an error page generated by the app gateway (e.g. HTTP 401 unauthorized / 403 forbidden). Can this be done somehow?
WAF rules don’t seem like a viable option as they don’t have access to server variables
Hoping to find a way of configuring this requirement on the app gateway. Thanks.
I understand that you want to be able to allow specific certificates only based on their subject names etc., to be granted access by the Application Gateway.
You can't use a rewrite rule because in order to "get to" a rule in the first place you have to get through the listener and you can't get through the listener if you can't authenticate with mutual authentication.
At this point, the best way to avoid people from accessing App GW would be to not give the Leaf certificate so they cannot access the same.
Also please note that Application Gateway Mutual Authentication is in preview right now and therefore, it is intended for "Evaluation" and testing, and not production currently. Once it is GA, there will be options to have revocation lists and checks.
Hope this helps. Please do let us know if you have further questions. Thank you!
PKI Question
I am trying to learn about Public Key Infrastructure (PKI). I read the following example from a book for how two users can participate in a PKI. The only part I do not understand is step #10 "When Diane receives John’s certificate, her browser looks to see if it trusts the CA that digitally signed this certificate. Diane’s browser trusts this CA and, after she verifies the certificate, both John and Diane can communicate using encryption.". What is a real world example of how Diane's browser looks to see if it trusts the CA? I thought Diane would only be accessing a web server through her browser not an end user like John.
PKI Example from Book
Now that the fundamentals of PKI are understood, let’s walk through an example. Suppose John needs to obtain a digital certificate for himself so he can participate in a PKI. The following are the steps to do so:
John makes a request to the RA.
The RA requests certain identification information from John, such as a copy of his driver’s license, his phone number, his address, and other identifying information.
Once the RA receives the required information from John and verifies it, the RA sends his certificate request to the CA.
The CA creates a certificate with John’s public key and identity information embedded. (The private/public key pair is generated either by the CA or on John’s machine, which depends on the systems’ configurations. If it is created at the CA, his private key needs to be sent to him by secure means. In most cases, the user generates this pair and sends in his public key during the registration process.
Now John is registered and can participate in a PKI.
John and Diane decide they want to communicate, so they take the following steps.
John requests Diane’s public key from a public directory.
The directory, sometimes called a repository, sends Diane’s digital certificate.
John verifies the digital certificate and extracts his public key. John uses this public key to encrypt a session key that will be used to encrypt their messages. John sends the encrypted session key to Diane. John also sends his certificate, containing his public key, to Diane.
When Diane receives John’s certificate, her browser looks to see if it trusts the CA that digitally signed this certificate. Diane’s browser trusts this CA and, after she verifies the certificate, both John and Diane can communicate using encryption.
Is certificate Subject the content of certificate?
such as:
Subject DN = Subject Distinguished Name = the unique identifier for what this thing is. Includes information about the thing being certified, including common name, organization, organization unit, country codes, etc.
Subject Key = part (or all) of the certificate's private/public key pair. If it's coming from the certificate, it's the public key. If it's coming from a key store in a secure location, it's probably the private key. Either part of the key is the cryptographic data used by the thing that received the certificate.
Subject certificate - the end point for the transaction - this is the thing requesting some secure capability - like integrity checking, authentication, privacy, etc.
And what content of Subject is used for IKE V2?
A certificate binds an identity to a public key. The binding is performed by the issuing authority (VeriSign, Cybertrust, etc.) digitally signing the contents of the certificate.
The Subject of a certificate indicates the entity for which the certificate was generated. If it's an SSL certificate, it may correspond to a server and include the server's DNS name, for example. If it's an e-mail digital signature certificate it may correspond to a person's e-mail address. You are correct that it includes the organizational unit, etc.
The Subject Key is the public key in the equation. While there is a private key corresponding to the certificate, the certificate itself only contains the public key.