Network Security Hacks by Lockhart Andrew
Author:Lockhart, Andrew [Andrew Lockhart]
Language: eng
Format: epub
Tags: COMPUTERS / Internet / Security
ISBN: 9780596551438
Publisher: O'Reilly Media
Published: 2009-02-08T16:00:00+00:00
Hack #70. Distribute Your CA to Clients
Be sure all of your clients trust your new Certificate Authority.
Once you have created a Certificate Authority (CA) [Hack #69], any program that trusts your CA will trust any certificates that are signed by your CA. To establish this trust, you need to distribute your CA’s certificate to each program that needs to trust it. This could include email programs, IP security (IPsec) installations, or web browsers.
Because SSL uses public-key cryptography, there is no need to keep the certificate a secret. You can simply install it on a web server and download it to your clients over plain old HTTP. While the instructions for installing a CA cert are different for every program, this hack will show you a quick and easy way to install your CA on web browsers.
Browsers accept two possible formats for new CA certs: pem and der. You can generate a der from your existing pem with a single openssl command:
$ openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
Then add the following line to the conf/mime.types file in your Apache installation:
application/x-x509-ca-cert der pem crt
Restart Apache for the change to take effect. You should now be able to place both the cacert.der and demoCA/cacert.pem files anywhere on your web server and have clients install the new cert by simply clicking on either link.
Early versions of Netscape expected the pem format, but recent versions accept either. Internet Explorer is just the opposite (early IE accepted only the der format, but recent versions take both). Other browsers generally accept either format.
When downloading the new Certificate Authority, your browser will ask if you’d like to continue. Accept the certificate, and that’s all there is to it. Now, SSL certs that are signed by your CA will be accepted without warning the user.
Keep in mind that Certificate Authorities aren’t to be taken lightly. If you accept a new CA in your browser, you had better trust it completely; a mischievous CA manager could sign all sorts of certs that you should never trust, but your browser would never complain (since you claimed to trust the CA when you imported it). Be very careful about whom you extend your trust to when using SSL-enabled browsers. It’s worth looking around in the CA cache that ships with your browser to see exactly who you trust by default. For example, did you know that AOL/Time Warner has its own CA? How about GTE? Or Visa? CA certs for all of these entities (and many others) ship with Netscape 7.0 for Linux, and they are all trusted authorities for web sites, email, and application add-ons by default. Keep this in mind when browsing to SSL-enabled sites: if any of the default authorities have signed online content, your browser will trust it without requiring operator acknowledgment.
If you value your browser’s security (and, by extension, the security of your client machine), make it a point to review your trusted CA relationships.
Rob Flickenger
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Sass and Compass in Action by Wynn Netherland Nathan Weizenbaum Chris Eppstein Brandon Mathis(7424)
Grails in Action by Glen Smith Peter Ledbrook(7317)
Kotlin in Action by Dmitry Jemerov(4669)
Management Strategies for the Cloud Revolution: How Cloud Computing Is Transforming Business and Why You Can't Afford to Be Left Behind by Charles Babcock(4148)
The Age of Surveillance Capitalism by Shoshana Zuboff(3445)
Learn Windows PowerShell in a Month of Lunches by Don Jones(3266)
Mastering Azure Security by Mustafa Toroman and Tom Janetscheck(3039)
Mastering Python for Networking and Security by José Manuel Ortega(2982)
Blockchain Basics by Daniel Drescher(2907)
Microsoft 365 Identity and Services Exam Guide MS-100 by Aaron Guilmette(2790)
Configuring Windows Server Hybrid Advanced Services Exam Ref AZ-801 by Chris Gill(2693)
TCP IP by Todd Lammle(2657)
Azure Containers Explained by Wesley Haakman & Richard Hooper(2580)
From CIA to APT: An Introduction to Cyber Security by Edward G. Amoroso & Matthew E. Amoroso(2495)
Hands-On Azure for Developers by Kamil Mrzyglod(2446)
Combating Crime on the Dark Web by Nearchos Nearchou(2354)
React Native - Building Mobile Apps with JavaScript by Novick Vladimir(2349)
The Social Psychology of Inequality by Unknown(2330)
MCSA Windows Server 2016 Study Guide: Exam 70-740 by William Panek(2322)