Mosquitto with SSL, Why do I generate .csr? - ssl

I am not familiar with SSL/TLS; I am trying to set up my Mosquitto broker with SSL. For testing purposes, I am not using a real rootCA; I create my own rootCA. Here is how I think SSL works; correct me if I am wrong, I am a noob.
The rootCA can issue second-layer CAs, certs and keys; the client and server exchange this information, and when one needs to verify the identity of the other, it brings this information to the rootCA and asks if it is correct.
So I follow the Mosquitto documentation and use OpenSSL to generate rootCA.crt, server.crt and server.key. I've also generated client.crt and client.key, so that when my client application connects to the Mosquitto broker, the broker can identify that connection.
I added the ca file, key file and cert file configuration to my local.conf. Restart Mosquitto, and it works.
Then I use mosquitto_sub with ca.crt, client.crt and client.key to connect to the broker, and that works too.
What I don't understand is: why does the documentation teach me how to generate server.csr and client.csr?
I am guessing that if I am not the rootCA, I need to send these CSRs to the real rootCA for those certificates to become legit. Is that what a CSR is for?

A .csr is a certificate signing request to be signed with your CA.crt and CA.key. You won't need to use it on your Mosquitto broker; only CA.crt and client.crt/key are required. If you want to test it out, download the MQTT.fx client to check your MQTT connection with these certificates: http://mqttfx.jensd.de/
The openssl command would be, for example:
openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 365

Why does NOT my certificate chain contain the CA root certificate?

I simulate a CA on a CentOS 7 host (azcn-gs1-nginx2), and use the CA to sign a certificate for a server (azcn-gs1-nginx1).
Below is what I do:
On the CA azcn-gs1-nginx1, generate a key:
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate the CA certificate:
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate a private key and certificate signing request:
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to the CA host for signing:
scp /etc/pki/tls/newServer.csr root@azcn-gs1-nginx2:~/newServer.csr
On the CA host, sign newServer.csr, and copy newServer.crt back to the server azcn-gs1-nginx2:
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root@azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a web service. I configure newServer.key and newServer.crt in Nginx for HTTPS:
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into the Ubuntu trust store, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
Ubuntu's built-in browser is Firefox. I also import testCA.crt into Firefox's trust store. Please see the attached pic.
I open the Firefox browser and visit the web server over HTTPS. The expected result is that it directly opens the web page without a security warning.
Unfortunately, it gives the warning "Your connection is not secure.....",
and it looks like the certificate only contains the certificate itself. It does not contain the CA's certificate.
Why does this happen? How can I get a signed certificate with the CA's certificate in the chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The two .crt files, of the CA and the server, can be concatenated into one .crt. Then the certificate chain is whole.
Right, pictures 2 and 3 are other problems.
Thanks,
Jie
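The following script is an added example, not code from either of the posts above, covering both the CSR question (what a .csr carries, what the CA adds to it) and the chain question (what a concatenated .crt file must contain and in which order). It assumes openssl 1.1.1 or newer on PATH; every file name and subject in it (rootCA, server, broker.example.test) is made up for the example. Each step is followed by the openssl check a practitioner would run to confirm the step did what was intended.

```shell
#!/bin/sh
# Added example, not code from either original post: a throwaway root CA, a
# server key plus CSR, the CA signing that CSR, and a concatenated chain
# file, each step followed by an openssl check. Assumes openssl 1.1.1+ on
# PATH; every file name and subject below is made up for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Root CA: a private key and a self-signed certificate. The key is the
#    secret a real CA guards; with a private test CA you hold it yourself.
make_root_ca() {
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -key rootCA.key -sha256 -days 365 \
    -subj "/CN=Example Test Root CA" -out rootCA.crt
}

# 2. Server key and CSR. The CSR carries the subject name and the PUBLIC key,
#    self-signed with server.key as proof of possession. The private key
#    never leaves the server; that is why a CA is sent a CSR, not a key.
make_server_csr() {
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=broker.example.test" -out server.csr
}

# A CSR verifies only against its own embedded key; it has no CA signature.
csr_is_self_consistent() {
  openssl req -in server.csr -noout -verify >/dev/null 2>&1
}

# 3. The CA turns the CSR into a certificate by signing it with rootCA.key.
#    The SAN is added here because `x509 -req` does not copy it from the CSR.
sign_server_csr() {
  printf 'subjectAltName=DNS:broker.example.test\n' > server.ext
  openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null
}

# The issued certificate contains exactly the public key that was in the CSR.
csr_and_cert_keys_match() {
  csr_key=$(openssl req -in server.csr -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)
  [ "$csr_key" = "$crt_key" ]
}

# 4. What a client does with its CA file: accept the server cert if it
#    chains to the trusted root ...
server_cert_verifies() {
  openssl verify -CAfile rootCA.crt server.crt >/dev/null 2>&1
}
# ... and reject it when no trusted root is available at all.
server_cert_rejected_without_ca() {
  ! openssl verify -no-CAfile -no-CApath server.crt >/dev/null 2>&1
}

# 5. Chain file for a server: the leaf certificate first, then its issuer(s).
#    Order matters: tools that read one certificate from a file take the
#    first one, so with the CA first the server would present the CA cert
#    as its own.
make_chain() {
  cat server.crt rootCA.crt > fullchain.crt
}
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' fullchain.crt
}
chain_first_cn() {
  openssl x509 -in fullchain.crt -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_root_ca
make_server_csr
csr_is_self_consistent
sign_server_csr
csr_and_cert_keys_match
server_cert_verifies
server_cert_rejected_without_ca
make_chain
echo "chain has $(chain_cert_count) certs, first CN: $(chain_first_cn)"
```

Run it as `sh chain-demo.sh`; it works in a fresh temporary directory, so nothing under /etc/pki is touched. The last line should report 2 certificates with the server CN first; if a server configured with such a file still shows only the leaf, the next thing to compare is the file name in the server configuration against the file that was actually concatenated.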

RSA 2048 self-signed certificate not being accepted by NLB TCP listener

I am trying to create a self-signed certificate using OpenSSL, following the docs https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
I tried to add the generated private and public PEM files to my NLB TCP listener as a self-signed certificate, and it is failing with the below exception.
Error creating listener The imported certificate's configuration is not compatible and will not appear in the list of available certificates for your listeners. Select or upload a different certificate and try again.
I saw that NLB allows RSA 2048 certs. Not sure why the console is showing the error.
You need to generate an RSA 1024 or 2028 certificate. Check the valid certificates that ACM supports. I used the below commands to generate the self-signed certificate:
openssl genrsa -out private-key.pem 1024
openssl rsa -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 3600
Mention the country, state and domain name. I initially missed the domain name, because of which the NLB listener wasn't accepting the certificate.

Must server and client certificate be signed by same CA in SSL

I am trying to understand the relationship between the client and server in the context of an SSL connection. Am I correct in understanding that the fact that the same certificate authority (me, in the example below) signs both the server and client certificate is what makes them able to communicate? That is, that the server only accepts communication when the client authenticates with a client certificate signed by the same CA as the server certificate, and this is essential to the idea of an SSL connection?
(The script underneath comes directly from http://blog.nategood.com/client-side-certificate-authentication-in-ngi)
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
server {
listen 443;
ssl on;
server_name example.com;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
}
The short answer is no. These are two separate aspects.
Here:
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
You are configuring the server certificate, which needs to be trusted by the client.
And here:
ssl_client_certificate /etc/nginx/certs/ca.crt;
You configure the certification authority to verify your clients' certificates against.
"Must server and client certificate be signed by same CA in SSL"
Short answer is: it can be, but it is not necessary.
To see why, let's break down the steps without too much technical detail.
From your point of view when setting up the nginx server:
You want to achieve 2 goals.
Prove the identity of your server.
For this you get a CA to sign your server certificate and present it to a client that connects to your server.
Verify the identity of the client connecting to the server.
For this, you define the list of CAs that you trust to sign the client's certificate.
When a client connects to your server, you check if the client certificate presented is signed by one of your list of CAs.
That's not the end. Let's look at the client's end.
The client also wants to achieve 2 goals.
Prove the client's identity when connecting to your server.
For this, the client gets a CA to sign its client certificate and presents it to your server when connecting.
Here is the catch: the CA that signs the client certificate must be in your server's list of CAs.
Verify the identity of your server.
For this, the client has to trust the CA that signs your server's certificate.
How is this done?
Typically this list is predefined on the system or browser, so it happens transparently.
But if you are writing a client, then you may have to define this list of trusted CAs or just let the client know the CA that signs your server certificate.
So it can happen that the CA signing the server and the client is the same, but it is not necessary. It all depends on the list of CAs defined on both the server and the client.
Server certs and Client certs are used in completely different ways.
The only similarities are:
They both contain the word certificate
They both use public & private keys for encryption

Jenkins use client certificate when calling other endpoints

I have a Jenkins instance from which I need to call other services/endpoints which reside behind a load balancer. This load balancer requires and performs SSL client certificate validation.
Is it possible to make Jenkins use an SSL client certificate for the calls it makes towards those endpoints residing behind that load balancer?
Something like below:
Jenkins call ---present_SSL_client_cert---> LB(verify client cert) ---> endpoint
Thank you in advance!
To get Jenkins to use a client cert for other endpoints, start Jenkins with:
JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=changeme -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/cert/jenkins.p12"
I used a normal client cert:
openssl req -nodes -newkey rsa:4096 -days 365 -keyout cert/jenkins.key -out cert/jenkins.csr -subj "/C=DE/ST=somewhere/L=inCity/O=someOrg/OU=someBla/CN=jenkins"
signed it:
openssl x509 -req -days 365 -in ../jenkins/cert/jenkins.csr -CA ca/ca.crt -CAkey ca/ca.key -out ../jenkins/cert/jenkins.crt -passin env:CA_KEY
and converted it to PKCS12:
openssl pkcs12 -nodes -export -in cert/jenkins.crt -inkey cert/jenkins.key -out cert/jenkins.p12 -certfile ../nginx/ca/ca.crt -passout pass:changeme
It was important to use a non-empty keyStorePassword, otherwise Jenkins threw an exception: java.security.UnrecoverableKeyException: Get Key failed: null
Furthermore, I added the server cert to the Java keystore:
keytool -import -alias server.domain.de -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file /root/server.crt -noprompt -storepass changeit
I've tested this setup with the jenkins:lts Docker container and Keycloak, both behind an nginx reverse proxy using client cert auth.
Using env variables like JENKINS_HTTPS_KEYSTORE, which one can sometimes see for configuring Jenkins to use HTTPS itself, did NOT work for client auth. I did not investigate further, but I assume the plugin (OpenId Connect Authentication Plugin) which I used did not honor this variable and uses basic Java functionality.
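The script below is an added example, not code from either answer above. It serves the "same CA?" question (the CA that issues the server certificate and the CA that issues the client certificate are entirely independent, and each side only needs to trust the CA behind the other side's certificate) and the Jenkins answer (the client identity is bundled as PKCS#12 with a non-empty password, the form a Java process loads through javax.net.ssl.keyStore). It assumes openssl 1.1.1 or newer on PATH; all file names, subjects and the password are made up for the example.

```shell
#!/bin/sh
# Added example, not code from either original answer: one CA that issues the
# server certificate, a completely separate CA that issues the client
# certificate, an openssl check of which CA accepts which certificate, and
# a PKCS#12 bundle of the client identity of the kind a Java process such as
# Jenkins loads through javax.net.ssl.keyStore. Assumes openssl 1.1.1+ on
# PATH; all names, subjects and the password are made up for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# A CA is a private key plus a self-signed certificate.
make_ca() {  # $1 = file prefix, $2 = common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1.key" -sha256 -days 365 -subj "/CN=$2" -out "$1.crt"
}

# Issue a leaf certificate: new key, CSR, CSR signed by the named CA.
issue_cert() {  # $1 = leaf prefix, $2 = CA prefix, $3 = common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$3" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -sha256 -out "$1.crt" 2>/dev/null
}

# Does certificate $2 chain to CA $1? This is the check nginx runs against
# ssl_client_certificate for a client cert, and the check a client runs
# against its own trust store for the server cert. Nothing else links the two.
chains_to() {  # $1 = CA prefix, $2 = cert prefix
  openssl verify -no-CAfile -no-CApath -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Bundle the client key, its certificate and its issuing CA as PKCS#12. The
# password is deliberately non-empty: the Jenkins answer above reports an
# UnrecoverableKeyException when the keystore password is empty.
make_client_p12() {
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile clientCA.crt \
    -name jenkins -out client.p12 -passout pass:changeme
}

# How many certificates does the bundle carry? (client cert + issuing CA)
p12_cert_count() {
  openssl pkcs12 -in client.p12 -passin pass:changeme -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_ca serverCA "Server Issuing CA"
make_ca clientCA "Client Issuing CA"
issue_cert server serverCA lb.example.test
issue_cert client clientCA jenkins
make_client_p12

# Each side only needs to trust the CA that issued the *other* side's cert.
chains_to serverCA server && echo "server cert: accepted by serverCA"
chains_to clientCA client && echo "client cert: accepted by clientCA"
chains_to serverCA client || echo "client cert: NOT accepted by serverCA"
chains_to clientCA server || echo "server cert: NOT accepted by clientCA"
echo "client.p12 carries $(p12_cert_count) certificates"
```

In the nginx configuration from the question, clientCA.crt is what belongs in ssl_client_certificate, serverCA.crt is what the connecting client must have in its trust store, and the two files can be the same CA or not without changing anything else.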

MySQL over SSL with self signed certificate

I'm setting up a MySQL server and am trying to have a MySQL client connect to it over SSL. I'm going to be using a self-signed certificate for this. Reading the MySQL documentation on setting up SSL, I see that I have to specify the path to the following files:
the SSL root CA
the SSL certificate
the SSL private key
In this particular case, should I be setting both the root CA and the certificate to my self signed certificate?
Example of how to properly create a self-signed SSL certificate.
Su to root and create a directory that only the root account has access to:
su -
mkdir certificates
chmod 700 certificates
cd certificates
Use openssl to generate a server key:
openssl genrsa -des3 -out server.key 4096
OpenSSL will request a passphrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use, the better.
Then create the certificate signing request with the server key you created in step 2:
openssl req -new -key server.key -out server.csr
Sign your certificate using SSL:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year.
Once you're done, you'll have the following files:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key; does not require a password when starting Apache
Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)
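The script below is an added example, not code from the NLB answer or the MySQL answer above. It produces a self-signed server certificate non-interactively with the subject fields the NLB answer says were needed (country, state and the domain name as CN) plus a subjectAltName, then checks the key size and the CN the way an importer would, and finally verifies the certificate against itself, which is what pointing a client's "SSL root CA" setting at the same self-signed file amounts to for the MySQL question. It assumes openssl 1.1.1 or newer on PATH; the hostname db.example.test and the subject fields are made up.

```shell
#!/bin/sh
# Added example, not code from either original answer: a self-signed server
# certificate with an explicit subject and SAN, openssl checks of the key
# size and CN, and a check that the certificate verifies against itself.
# Assumes openssl 1.1.1+ on PATH; hostname and subject are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Key and certificate in one step. -nodes leaves the key unencrypted so a
# server daemon can start without a passphrase prompt; keep the file 0600.
make_self_signed() {  # $1 = RSA key size in bits, $2 = hostname
  openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 365 \
    -subj "/C=US/ST=Example State/O=Example Org/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout server.key -out server.crt 2>/dev/null
  chmod 600 server.key
}

# Key size as recorded in the certificate (what an importer such as ACM checks).
key_bits() {
  openssl x509 -in server.crt -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Common name from the subject; the "domain name" the NLB answer refers to.
cert_cn() {
  openssl x509 -in server.crt -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Hostnames in subjectAltName (modern clients match on this, not on the CN).
cert_sans() {
  openssl x509 -in server.crt -noout -ext subjectAltName \
    | sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}

# A self-signed certificate is its own issuer, so it verifies when the trust
# store (-CAfile) holds nothing but the certificate itself. That is the
# configuration a client needs when "root CA" and "certificate" are one file.
self_signed_is_own_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile server.crt server.crt >/dev/null 2>&1
}

make_self_signed 2048 db.example.test
echo "key: $(key_bits) bits, CN: $(cert_cn), SAN: $(cert_sans)"
self_signed_is_own_ca && echo "server.crt verifies against itself"
```

If an importer rejects the result, the two values printed on the second-to-last line (key size and CN) are the first things to compare against what it accepts; a certificate generated interactively with the domain name left blank will show an empty CN here.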