Ingo Schubert

CA in a Box - your little helper for IDR deployments and other things.

Discussion created by Ingo Schubert Employee on Aug 5, 2015

You have a problem

Ever wondered where the certificates should come from that are needed to get the IDR up and running? Or the IWA connector?

Sure, the customer usually needs to provide this, but what if not? Maybe in a test environment there is no CA at hand to do all that... or no folks around that know how a CA actually works.

Fear not! Help is on the way... introducing the "CA in a Box".

This is the solution

This is a pre-configured OpenSSL package and a Windows batch file. Yes, only on Windows. I suppose if you use Linux you know what you are doing and don't need batch files anyway :-)

Installation... is optional!

Download from here, unpack to your favourite location on a Windows host (32 bit or 64 bit) that you use to configure Via Access (or a host where you can copy the created files from...). There is no installer or similar. Just unzip the package and you are good to go. You could also put this on a USB stick and carry it around with you. Having your own CA in your pocket is a great conversation starter at parties.

 

What's in the box?

snapshot9.png

 

You will find a directory "CA-in-a-Box" with two sub-directories once you unpack the file:

  • "demoCA"
  • "entities"

Under "demoCA" you'll find the CA keys and some other stuff. You can safely ignore all that, but there is one file you do need: "cacert.cer" - this is the certificate of the Demo CA.

Remember that location and that name.

 

Under "entities" all new keys/certs that you request will be placed.

Creating keys, issuing certs, saving the universe

How to create new keys, make a request and sign it? Maybe even create a PKCS#12 file that could easily be imported into Windows?

 

There is just one command you need to type in:

newSSLServer.bat

 

Just make sure you run it from the "CA-in-a-Box" directory. I really mean it. Don't copy it to somewhere else and expect it to work.

It runs with zero, one, two and even three parameters. Talk about flexibility!

 

newSSLServer <name> <password> <keylength>

 

<name> defaults to "newEntity". This is used to name the output files.

<password> defaults to "password" and is used to encrypt the PKCS#12 file that is created.

<keylength> defaults to 2048 and defines... well... the key length.

 

Example:

 

newSSLServer.bat my-idr

 

Magic happens and a key (RSA, 2048 bit) is generated and the certificate request is initiated. You have to provide the DN components manually. You can just hit Enter and leave the defaults for Country, Organization and Organizational Unit, but you have to provide the Common Name. For the IDR you probably want a wildcard certificate, so type in e.g. *.sso.example.com

snapshot4.png

More magic happens: the certificate request is submitted to the demo CA and the certificate is created. The batch file also creates a PKCS#12 file. This is not needed for the IDR deployment, but comes in handy if you want to install the key/cert on other SSL servers (IIS in particular).

snapshot5.png

 

Here is the result for the "my-idr" request in the "entities" sub-directory:

snapshot7.png

You don't need the my-idr.req file, but in case the customer wants to use their own CA to issue the IDR cert you can use that PKCS#10 file. Just give it to them and tell them you need an SSL server cert. Again: this is only in case the demo CA is not to be used and the customer has their own (test) CA.
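For anyone who wants to see what the batch file does under the hood, or has to repeat it on a host without the package, here is the same key -> PKCS#10 request -> CA-signed cert -> PKCS#12 flow as plain OpenSSL commands. This is an added example, not the newSSLServer.bat from the package: the directory names (demoCA, entities), the parameter defaults (newEntity / password / 2048) and the 10-year lifetime follow the post; the DN defaults, the file names, the make_demo_ca stand-in and the fourth "common name" argument (instead of the interactive prompt) are assumptions made here. One thing it adds on top of what the post lists (key usage and extended key usage): the name also goes into a subjectAltName extension, because browsers released after this post ignore the Common Name and only match names against the SAN (Chrome from version 58, 2017). If a recent browser still complains about a cert from the original batch file, check its extensions with openssl x509 -text.

```shell
#!/bin/sh
# Added example: the CA-in-a-Box flow done with plain OpenSSL commands.
# Not the original newSSLServer.bat. Layout and defaults follow the post,
# DN values / file names / make_demo_ca are assumptions for this example.
set -eu

CA_DIR="${CA_DIR:-demoCA}"     # holds cacert.cer and the (unprotected) CA key
OUT_DIR="${OUT_DIR:-entities}" # new keys, requests, certs and .p12 files land here

# Stand-in for the demo CA that ships in the package: 4096-bit RSA, SHA-256,
# no password on the key (the post says the same). Skipped if one exists.
make_demo_ca() {
  mkdir -p "$CA_DIR"
  [ -f "$CA_DIR/cacert.cer" ] && return 0
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 9999 \
    -subj "/C=US/O=Demo Org/OU=Demo CA/CN=Demo CA" \
    -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.cer" 2>/dev/null
}

# new_ssl_server [name] [password] [keylength] [common name]
# Defaults mirror the batch file; the common name defaults to the name.
new_ssl_server() {
  name="${1:-newEntity}"; password="${2:-password}"; keylen="${3:-2048}"
  cn="${4:-$name}"
  mkdir -p "$OUT_DIR"
  ext="$OUT_DIR/$name.ext"
  # TLS server extensions. subjectAltName is the part browsers actually match;
  # a wildcard such as *.sso.example.com is fine there.
  printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' > "$ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" >> "$ext"
  # 1. RSA key + PKCS#10 request (the .req you could hand to the customer's CA)
  openssl req -new -newkey "rsa:$keylen" -nodes -sha256 \
    -subj "/C=US/O=Demo Org/OU=Demo OU/CN=$cn" \
    -keyout "$OUT_DIR/$name.key" -out "$OUT_DIR/$name.req" 2>/dev/null
  # 2. Sign it with the demo CA, 10 years like the package does
  openssl x509 -req -sha256 -days 3650 \
    -in "$OUT_DIR/$name.req" -CA "$CA_DIR/cacert.cer" -CAkey "$CA_DIR/cakey.pem" \
    -CAcreateserial -extfile "$ext" -out "$OUT_DIR/$name.cer" 2>/dev/null
  # 3. PKCS#12 bundle (key + cert + CA cert) for IIS and other Windows imports
  openssl pkcs12 -export -passout "pass:$password" \
    -inkey "$OUT_DIR/$name.key" -in "$OUT_DIR/$name.cer" \
    -certfile "$CA_DIR/cacert.cer" -out "$OUT_DIR/$name.p12"
  rm -f "$ext"
}

# Checks worth running before handing files over: the cert chains to the
# demo CA, and the name you expect is really in the SAN.
verify_issued() {
  openssl verify -CAfile "$CA_DIR/cacert.cer" "$OUT_DIR/$1.cer" >/dev/null
}
cert_has_dns_name() {
  openssl x509 -in "$OUT_DIR/$1.cer" -noout -text | grep -qF "DNS:$2"
}

# Usage, equivalent to "newSSLServer.bat my-idr" in the post:
#   make_demo_ca
#   new_ssl_server my-idr password 2048 '*.sso.example.com'
#   verify_issued my-idr && cert_has_dns_name my-idr '*.sso.example.com'
```

Once the files are uploaded, the same check can be run against the live service instead of the file: openssl s_client -connect <idr-host>:443 -CAfile demoCA/cacert.cer shows the chain the IDR actually presents and whether it verifies against the demo CA. If an older Windows host refuses a .p12 written by OpenSSL 3, re-run the export with -legacy, which falls back to the older PKCS#12 algorithms those hosts expect.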

Stuffing the certs and the key into Via Access

Now you just have to provide my-idr.key, my-idr.cer and cacert.cer (from the "demoCA" subdirectory) to the "Company Settings" screen of the Via Access admin GUI.

snapshot8.png

 

Your browser complains that the certificate is not trusted? Don't worry... this is just a phase.

The Demo CA is totally not trusted by any browser/host because it is just that: a demo CA.

To make things look much better and prevent any warning/error messages from your browser you have to import the CA certificate into the trust store the browsers use.

Truststore configuration on MS Windows

MS IE and Google Chrome on Windows use the Windows trust store.

Here is how you install the Demo CA cert into that trust store.

 

Go to the "demoCA" subdirectory and right click on the cacert.cer file. Select "Install Certificate"

snapshot12.png

 

When prompted, select "Place all certificates in the following store" and hit "Browse". Pick the "Trusted Root Certification Authorities" store.

Trust me... don't trust the "Automatic" setting.

 

snapshot2.png

Windows will prompt you to confirm the CA certificate import. If you don't see a screen similar to this you have serious issues following instructions.

snapshot3.png

Truststore configuration for Firefox

Firefox uses its own truststore and ignores the Windows truststore.

In the "Options" dialog go to the "Advanced" section, click the "View Certificates" button and select the "Authorities" tab. There click the "Import" button.

Select the "cacert.cer".

snapshot10.png

 

Select "Trust this CA to identify websites" and hit OK.

 

snapshot11.png

 

Some technical details

The CA uses a 4096-bit RSA key and SHA-256 and is valid until 2042.

The issued SSL server certs have the correct key usage and extended key usage extensions and are valid for 10 years. Did I mention this is all for demo purposes only? Never assume anything I do is secure. There are no passwords to protect the CA key etc.
