You have a problem
Ever wondered were the certificates should come from that are needed to get the RSA SecurID Access Identity Router (IDR) up and running? Or the IWA connector? Or just any SSL/TLS Server?
Sure the customer usually needs to provide this but what if not? Maybe in a test environment there is not CA at hand to do all that... or the folks that know how a CA actually works.
Fear not! Help is on the way... introducing the "CA in a Box".
This is the solution
This is a pre-configured OpenSSL package and a Windows batch file. Yes only on Windows. I suppose if you use Linux you know what you are doing and don't need batch files anyway 🙂
Installation... is optional!
Download from here, unpack to your favourite location on a Windows host (32 bit or 64 bit) that you use to configure RSA SecurID Access (or a host were you can copy the created files from...). There is not installer or similar. Just unzip the package and you are good to go. You could also put this on a USB stick and carry around with you. Having your own CA in your pocket is a great conversation starter at parties.
What's in the box?
You will find a directory "CA-in-a-Box" with two sub-directories once you unpack the file:
- "demoCA"
- "entities"
Under "demoCA" you'll find the CA keys and some other stuff. You can safely ignore all that but there is one file you do need "cacert.cer" - this is the certificate of the Demo CA.
Remember that location and that name.
Under "entities" all new keys/certs that you request will be placed.
Creating keys, issuing certs, saving the universe
How to create new keys, make a request and sign it? Maybe even create a PKCS#12 file that could easily be imported into Windows?
There is just one command you need to type in:
newSSLServer.bat
Just make sure you run in from the "CA-in-a-Box" directory. I really mean it. Don't copy it to somewhere else and expect it to work.
It runs with zero, one, two and even three parameters. Talk about flexibility!
newSSLServer <name> <password> <keylength>
<name> defaults to "newEntity". This is used to name the output files.
<password> defaults to "password" is used to encrypt the PKCS#12 file that is created
<keylength> defaults to 2048 and defined... well... the key length.
Example:
newSSLServer.bat my-idr
Magic happens and a key (RSA, 2048bit) is generated an the certificate request is initiated. You have to provide the DN components manually. You can just hit Enter and leave the defaults for Country, Organization and Organizational Unit but you have to provide the Common Name. For the IDR you probably want a wildcard certificate so type in e.g. *.sso.example.com
More magic happens and the certificate request is submitted to the demo CA and the certificate is created. The batch file also creates a PKCS#12. This is not needed for the IDR but comes in handy if you want to install the key/certs for other SSL servers (IIS in particular). For the IDR deployment you don't need the PKCS#12 file.
Here is the result for the "my-idr" request in the "entities" sub-directory:
You don't need the my-idr.csr file but in case the customer wants to use their own CA to issue the SSL cert you can use that PKCS#10 file. Just give it to them and tell them you need a SSL server cert. Again: this is only in case the demo CA is not to be used and the customer has their own (test) CA.
Stuffing the certs and the key into RSA SecurID Access
Now you just have to provide the my-idr.key, my-idr,cer and demoCA.cer (from the "demoCA" subdirectory) to the "Company Settings" screen of the RSA SecurID Access admin console.
Your browser complains that the certificate is not trusted? Don't worry... this is just a phase.
The Demo CA is totally not trusted by any browser/host because it is just that: a demo CA.
To make things look much better and prevent any warning/error messages from your browser you have to import the CA certificate into the trust store the browsers use.
Truststore configuration on MS Windows
MS IE and Google Chrome on Windows use the Windows trust store.
Here is how you install the Demo CA cert into that trust store.
Go to the "demoCA" subdirectory and right click on the cacert.cer file. Select "Install Certificate"
When prompted select "Place all certificates in the following trust stores" and hit "Browse". Pick the "Trusted Root Certification Authorities" store.
Trust me... don't trust on the "Automatic" setting.
Windows will prompt you to confirm the CA certificate import.If you don't see a screen similar to this you have serious issues following instructions.
Truststore configuration for Firefox
Firefox uses its own truststore and ignores the Windows truststore.
In the "Options" dialog go to the "Advanced" section, click the "View Certificates" button and select the "Authorities" tab. There click the "Import" button.
Select the "cacert.cer".
Select "Trust this CA to identity websites" and hit OK.
Some technical details
The CA uses 4096 bit RSA key and SHA256 and is valid until 2042.
The issued SSL server certs have the correct key usage and extended key usage extensions and are valid for 10 years. Did I mention this is all for demo purposes only? Never assume anything I do is secure. There are not passwords to protect the CA key etc.
