I recently migrated to Google CAS and cert-manager and it is working great. I have an interesting need for which I can't find answer for, so here I am seeking the communities wisdom.
I wanted to validate a cert presented to me is coming from the CA, for this my service needs the CA's pub key. Is it possible to get only the CA public key through cert-manager?
Thanks in advance
Related
I'm debating and need to know the implications of not using the SCEP protocol for the mdm enrolment, more precisely the Identity certificate (the certificate credential used for authentication). I'm talking about the certificate in the Identity section on IPCU, as shown in the image below, with the red arrow.
I wont be pushing down profiles with sensitive informations (like vpn, email, etc configurations and/or passwords).
My use case will be 99%:
Block/unblock apps by rating
Lock/unlock device
Block/unlock web domains
From reading around StackOverflow (here and here) the following scenarios can happen.
If someone get access to the certificate he will be able to impersonate an enrolled device, but he will only be able to receive commands/profiles and not initiate commands/profiles. Am I right?
A man in the middle attack can get access to the certificate
The advantage of using the PKCS12 embedded within the profile is that it is faster to implement and no external dependencies (SCEP server) but I'm not so sure about the disadvantages. So my questions and doubts is:
What can a malicious person do with the private key from the Identity certificate?
Can it be a security breach going with the PKCS12 embedded approach?
This is mostly a question of SCEP vs PKCS12 embedded within the profile, pros and cons.
Here my thought on that:
1) If you are building a prototype or a small not critical service then go with PKCS12.
2) If you are building a serious product (production and touching devices of people with sensitive info) then go with SCEP (you can get a free SCEP servers. It's not that complex).
Frankly, If I was on the dark side (trying to hack it) I don't think that I would attack PKCS12 vs SCEP (it's not the weakest link)
However, let say, I say I decided to try to hack it
I would try to do man in the middle. I will try to capture communicarion, save PKCS12 and password for it
I will use it to authenticate to MDM server.
You are right, I can't trigger any commands, but I can start probing your code to find where you skipped some security checks. Maybe you don't check that a certificate matches a device UUID and so on.
Hopefully, I will find enough security holes to do something (let say trigger actions for other users). Maybe I will send them Wipe command or may be I will try to install a root CA + HTTP proxy configuration to see all their traffic.
Anyhow. I don't think that it's that weakest link and it requires a lot of additional step to get to some interesting stuff. However, if you get there, you can do A LOT.
As a result for a serious product, it will make sense to invest several additional weeks in SCEP.
I have a scenario where I need to implement a digital signature scenario in iPhone and web. Simply I will first generate the RSA signature in iPhone end and share the public key with the server. Also server public key will be there using the x509 certificate generated from server. I can copy that over to the iPhone folder structure. The idea of this is to use this as digital signature where server will send a message by encrypting by the servers private key and again by iPhone public key. From iPhone end it can decrypt using iPphone private key and verity that again by decrypting using server public key.
I went through the sample code provided by Apple but they are not easy to understand. And it didn't cover my requirements as well. Here are my questions.
1) Can my objective achieved?
2) Will iPhone and my server back end (Java) work together cos many forums said that it had issues cos it has DER encoding.
3) Many samples focus on installing the own certificate in iPhone key chain. Can I install the server x509 as well?
4) Any link or material which will focus on my requirement or any guidance is appreciated.
I'm not very learned on ssl and certs in general as I have only recently started "really" working with them and understanding them. I have an issue.
I'm shipping a library for android which connects to a specific domain "derp.com". Each of my customers get a subdomain to access with the library. EG "customer.derpy.com"
So working with https on android can be a pain but its not the end of the world. I'm having issues where my cert isnt being trusted by all of the devices using the https of the server.
I suspect this is why:
heroku certs --app my-app
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
cdepy412532.herokussl.com *.derp.com, derp.com 2013-04-05 22:36 UTC False
The certificate is being marked as untrusted. I suspect this is the cause of the issue as the devices are complaining that they cant verify the certificate. Why would this be?
The certificate is issued by a ca. I think its either rapidssl or geotrust.
I do hate answering my own question and would rather delete it but this may help someone else.
The issue in my case is that I had forgotten to combine the intermediate cert with the root cert.
This tutorial by Ryan McGeary was a great help.
My only advice is make sure you have the intermediary certs (pem or crt), root certs(pem or crt) and private key(key) from your boss or whoever received them. If you do not have all of these then you will get an untrusted cert on heroku.
I am working on an Apple MDM server, and actually it is working fine. I have a signature problem, that makes the client complain about the certificate, so now I am interested in how others sign their configuration profiles.
I use java, but any kind of help is welcome, since this is not a particular question on how to implement the code in java, but more on how to correctly sign the configuration profile.
This is how we do it currently:
byte[] data = ...
X509Certificate cert = ...
KeyPair keyPair = ...
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addSigner(keyPair.getPrivate(), cert, CMSSignedGenerator.DIGEST_SHA1, new AttributeTable(new Hashtable<DERObjectIdentifier, Attribute>()), null);
CMSSignedData signedData = gen.generate(new CMSProcessableByteArray(data), true, "BC");
response.setContentType("application/x-apple-aspen-config");
response.getOutputStream().write(signedData.getEncoded());
We are using a self signed certificate created with the algorithm SHA1withRSA and the key is with RSA and the size is 2048.
Does anyone see a problem with this way of doing it, or are you just doing it differently which maes it work?
And please feel free to post code in other languages than java - it might still help.
I did two things to fix this.
First I changed the certificate to x509 v3 - it was v1. Then I added KeyUsage and BasicConstraints to make iOS accept it as trusted.
The second I did was to add the certificate itself as a CertStore.
These two steps makes the certificate similar to the certificate iPhone Configuration Utility uses.
If you auto-enroll an account for an X.509 certificate in a Windows PKI environment, do you get the same certificate (and, by extension, private key) on every computer in the domain that you log into, or does a different certificate get issued for each computer you log into?
I would expect there would be a single certificate that would appear in the CurrentUser certificate store on each computer you logged into. But this is a matter of dispute and I don't have an environment where I can test it.
Are there any subtleties of configuring the certificate template that affect this? Does not using roaming profiles affect this?
If it matters, I am most interested in how this works for service accounts, but I expect it would be the same as for interactive user accounts.
Our PKI is currently Server 2003. It should be migrated to Server 2008 within a year.
Win2K3 does support something called "credential roaming". I haven't investigated it myself, but did come across a document explaining it: http://technet.microsoft.com/en-us/library/cc700848.aspx