Not much blogging from my side the last 2 years, but now it's finally time for a new post.
One of my last posts was about the YubiHSM2 and its "ultra-small" form factor that provides a very useful HSM for a reasonable price. I've used a number of those at customers that needed to increase the protection of their CA's private keys. But all of those customers had their CAs on dedicated hardware, and all customers with CAs on virtual servers (VMware and Hyper-V) have just placed their CA private keys in the file system.
Recently I've been in a couple of projects that needed HSMs but were on VMware, and network HSMs were out of budget, so to say. According to Yubico the YubiHSM should work fine in a virtual environment, so we installed a CA with a YubiHSM2 and it simply did not work. The connector service hung every now and then when accessing the HSM. We managed to install a CA, but when enrolling certificates the service hung. Talking to Yubico's excellent, but sometimes a little slow, support (it's free so no complaints, the paid support is quick as..), they told me it was a known issue. They asked me to open a support case with VMware and promised to help out, but that was not an option in that project due to security reasons. So I decided to try another approach and looked into network-to-USB devices.
I found the Silex DS-510. They state the following on their homepage: "The Silex DS-510 is designed to easily connect and share USB devices over a network. Printers, Scanners, Disk Drives, Card Readers, or virtually any other USB device can now be enabled with network capability." I asked Yubico support and they came back and said: "Unfortunately this kind of device will not work for what you are trying to accomplish". But since I had already ordered one (they are about 150$) I decided to have a go. And it worked perfectly!
And the thing is: it is really easy to use! Basically, connect the Silex DS-510 to the network, install the driver on the dedicated server, connect your YubiHSM to the DS-510 and it will show up in the system like any other USB device. I've tried it both on VMware and Hyper-V and it works perfectly! Of course more testing is needed, and you have to consider the security of the device itself. That is on my to-do list. But so far so good! The key material is stored on the YubiHSM2, and the communication between the HSM and the CA over the network is protected.
I think I have convinced Yubico to test the device as well, so they can recommend it from their side too. I'll update this post when I've got more info.
At the end of the day I really have to recommend this solution. The YubiHSM2 is excellent, and in combination with the Silex DS-510 we've got a winner for Certificate Authorities in virtual environments!
Have you ever managed a Microsoft CA? Then you probably know about all the limitations in the administration tools. For example, the problems with browsing and searching the CA database, or keeping track of certificates about to expire, or just a simple thing like statistics over issued, revoked and failed/denied certs. And don't get me started on the manual enrollment options.
Well, a couple of weeks ago I was contacted by a company which develops add-on software for MS CA. They asked if I could review their product and provide feedback. And since I spend a lot of time in hotel rooms I decided to help out.
The product is called CertHat and provides a web service for MS CA. It consists of a web application, a SQL database and a small agent installed on your CA servers.
My first impression is great! It provides a really nice web interface with a lot of nice features. For example, database search, statistics, notification of expiration for certs and a lot of other really nice stuff.
More information can be found on their web site, https://certhat.com/. There is a lot of info about the product, and it also contains a full-featured demo site to test the product. And of course, contact info. Otherwise let me know and I'll do my best to help out with contacts.
And just for info: I don't get any form of payment for this blog post. I got a nice CertHat T-shirt for my testing and feedback, and that is all! I just really like the product and got a really good impression of the guys behind it. So please mention this blog post if you decide to contact them. 🙂
Is it possible to provide certificates to industrial equipment that doesn’t have any enrollment capabilities?
That's the challenge one of our customers gave us a couple of weeks ago. The certificates should be used for network access on an 802.1X network and for authentication to a database. My fantastic colleague Tomas and I accepted the challenge and went to work.
So we had to create a completely automatic enrollment process with as little user interaction as possible. Our goal was to provide the manufacturer with password-protected pfx-files in bulk, together with a password file mapping each pfx-file to its own randomly generated password. We started by doing a manual enrollment process.
Enrollment process – step by step
The first step was to create an inf-file (request.inf) as input for certreq when creating the request file.
[NewRequest]
Subject = CN=Test123.trustmyroot.com
Exportable = True
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = False
After that we used the inf-file together with certreq.exe to create a certificate request file.
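Added example, not code from the original post: the manual request.inf and certreq.exe steps above, scripted in PowerShell for the bulk case the post describes (one exportable key per device, a pfx per device under its own random password, and a mapping file). The CA config string, template name, output folder and device names are placeholders or constructed sample input, and the template is assumed to issue certificates automatically (no pending approval).

```powershell
# Added example, not from the original post. Placeholders/assumptions: CA config string,
# template name (must auto-issue), output folder; the device list is constructed sample input.
$CaConfig     = 'ca01.trustmyroot.com\TrustMyRoot Issuing CA'   # placeholder
$TemplateName = 'IndustrialDevice'                              # placeholder
$OutDir       = 'C:\Enrollment\Bulk'                            # placeholder
$DeviceNames  = @('plc-0001.trustmyroot.com', 'plc-0002.trustmyroot.com')  # constructed

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-symbol alphabet (no 0/O/1/l/I) so "byte % 64" is unbiased; bytes come from a CSPRNG.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-RequestInf {
    param([string]$Subject, [string]$Path)
    # Same settings as the manual request.inf above, with the CN set per device.
    # [RequestAttributes] tells the enterprise CA which template to issue from.
    $inf = @"
[NewRequest]
Subject = "CN=$Subject"
Exportable = True
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = False
[RequestAttributes]
CertificateTemplate = $TemplateName
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

function Invoke-CertReq {
    param([string[]]$Arguments)
    # certreq.exe reports failure only through its exit code, so check it every time.
    & certreq.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe $($Arguments -join ' ') failed with code $LASTEXITCODE" }
}

function Invoke-BulkEnrollment {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $mapping = foreach ($name in $DeviceNames) {
        $base = Join-Path $OutDir $name
        New-RequestInf -Subject $name -Path "${base}.inf"
        # 1. Generate the key pair (exportable, machine store) and the request file.
        Invoke-CertReq @('-new', '-f', "${base}.inf", "${base}.req")
        # 2. Submit the request to the CA and retrieve the issued certificate.
        Invoke-CertReq @('-submit', '-f', '-config', $CaConfig, "${base}.req", "${base}.cer")
        # 3. Install the certificate so it is paired with its private key.
        Invoke-CertReq @('-accept', "${base}.cer")
        # 4. Export certificate + key as a pfx protected by a per-device random password.
        $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "${base}.cer"
        $password = New-RandomPassword
        $secure   = ConvertTo-SecureString -String $password -AsPlainText -Force
        Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($cert.Thumbprint)" -FilePath "${base}.pfx" -Password $secure | Out-Null
        # 5. The enrollment host must not keep a copy of the device's private key.
        Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
        [pscustomobject]@{ PfxFile = "$name.pfx"; Password = $password }
    }
    # The mapping file handed over with the pfx bundle; it is as sensitive as the keys it unlocks.
    $mapping | Export-Csv -Path (Join-Path $OutDir 'pfx-passwords.csv') -NoTypeInformation
    return $mapping
}

Invoke-BulkEnrollment | Format-Table -AutoSize
```

Run it on a domain-joined host with enrollment rights on the template; it loops through the device list and leaves one .pfx per device plus pfx-passwords.csv in the output folder, while the private keys are deleted from the enrollment host's store as soon as each pfx is written.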
Thought I'd write a short blog post about public certificates for test environments. By public certificates I mean certificates issued by an external CA and trusted by most platforms.
If you have a test or lab environment and want to publish an external service with SSL, for example ADFS, you need a certificate. This certificate must be trusted by all devices used by consumers of the service. OK, it's a test environment, so you can use your own CA to issue the certificates and import the root CA certificate on all devices you are testing with. But I guess a lot of you out there aren't that into certificates that you find that especially interesting. 🙂
So what are your options? You can of course buy an SSL cert from DigiCert, Verisign or any other public CA. But I guess you don't want to spend too much money on your testing. And there is another alternative.
Try StartSSL.com (no, I'm not getting paid for this!). They are using the StartCom Class 1 CA and issue free SSL certificates. And the best part is that the CA is trusted by almost every platform on the market.
All you need to do is create an account and you're on! There are of course some restrictions. For example, you can't issue SAN (Subject Alt Name) certs for free, the validity period is only 1 year, and there are no EV certs for free. But if you are just using it for test/lab you're fine! (And I rebuild my test environment a couple of times a year, so I don't see any real drawbacks!)
So what is it then? It's a function to automatically replace an SSL certificate bound to a web site. If the certificate is renewed, the old one will be replaced with the new one. Great, isn't it?
How does this work?
When you enable Certificate Rebind, a task is added to the Task Scheduler which is triggered by the event ID for certificate renewal (event ID 1001). When a certificate is renewed, a function called "Certificate Services Lifecycle Notifications", which keeps track of certificate-related stuff, writes the renewal event to the event log and the rebind process starts. It simply provides appcmd.exe with the thumbprints of the expired and the new certificate.
Then appcmd locates all websites on that server which use the old cert. It unbinds the old cert and binds the new cert to the affected websites. And this works for both manually enrolled and autoenrolled certificates.
If you are really interested, this is the command line:
• Manually replacing one cert with another using the Replace-Certificate PowerShell cmdlet (action=replace)
Note: If you want to use autoenrollment and the cert has a DNS name or SAN attribute, you have to enable "Use subject information from existing certificates for autoenrollment renewal requests" on the template.
Can this be done any other way and on other systems than IIS?
Sure! By using PowerShell you can create custom tasks which are triggered by the events created by "Certificate Services Lifecycle Notifications".
An excellent article on certificate rebind can be found here:
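Added example, not from the original post and not Microsoft's own Certificate Rebind implementation: a custom event-triggered task for a system other than IIS, here an HTTP.sys listener bound with netsh. It assumes the name of the lifecycle event log and the OldCertificate/NewCertificate/Thumbprint element names inside event 1001, which should be verified against a real event with Get-WinEvent before relying on them; the IP:port, application id and script path are placeholders.

```powershell
# Added example, not from the original post. Assumptions: the lifecycle log name and the
# element names used below for the old/new thumbprints in event 1001 (verify with
# (Get-WinEvent -LogName $LifecycleLog -MaxEvents 1).ToXml()); IP:port, appid and the
# script path are placeholders. Save as $ScriptPath (no spaces in the path), run once
# without -Run to register the task; the task itself runs the script with -Run.
param([switch]$Run)

$LifecycleLog = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
$IpPort       = '0.0.0.0:8443'                            # placeholder HTTP.sys listener
$AppId        = '{11111111-2222-3333-4444-555555555555}'  # placeholder application id
$ScriptPath   = 'C:\Scripts\Rebind-HttpSys.ps1'           # placeholder

function Get-ReplacedThumbprints {
    param([string]$EventXml)
    # Extract the old and new thumbprints from one event 1001. Namespace-agnostic XPath
    # so the lookup does not depend on the schema namespace of the event payload.
    $xml = [xml]$EventXml
    $old = $xml.SelectSingleNode("//*[local-name()='OldCertificate']/*[local-name()='Thumbprint']")
    $new = $xml.SelectSingleNode("//*[local-name()='NewCertificate']/*[local-name()='Thumbprint']")
    if (-not $old -or -not $new) { throw 'Event 1001 did not carry both thumbprints' }
    [pscustomobject]@{ Old = $old.InnerText.Trim().ToUpper(); New = $new.InnerText.Trim().ToUpper() }
}

function Update-HttpSysBinding {
    param([string]$OldThumbprint, [string]$NewThumbprint)
    # Act only when this listener actually uses the certificate that was replaced
    # (-match is case-insensitive, netsh prints the hash in lowercase).
    $current = netsh http show sslcert "ipport=$IpPort"
    if (-not ($current -match $OldThumbprint)) {
        Write-Verbose "Listener $IpPort does not use $OldThumbprint, nothing to do"
        return $false
    }
    # The renewed certificate must be in the machine store together with its private key.
    $newCert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
    if (-not $newCert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key" }
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    netsh http add sslcert "ipport=$IpPort" "certhash=$NewThumbprint" "appid=$AppId" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Register-RebindTask {
    # Event-triggered task: the same mechanism IIS Certificate Rebind installs for appcmd,
    # but running this script as SYSTEM whenever event 1001 is written to the lifecycle log.
    $action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath -Run"
    schtasks.exe /Create /F /TN 'Custom-CertRebind' /TR $action /SC ONEVENT `
        /EC $LifecycleLog /MO '*[System[EventID=1001]]' /RU SYSTEM
}

if ($Run) {
    # The task fires once per event; the newest 1001 entry is the renewal that triggered it.
    $evt = Get-WinEvent -LogName $LifecycleLog -FilterXPath '*[System[EventID=1001]]' -MaxEvents 1
    $t   = Get-ReplacedThumbprints -EventXml $evt.ToXml()
    Update-HttpSysBinding -OldThumbprint $t.Old -NewThumbprint $t.New
} else {
    Register-RebindTask
}
```

The binding is only touched when the listener currently uses the old thumbprint and the new certificate is present with its private key, so an unrelated renewal on the same server is a no-op; the same pattern (read event 1001, check, swap) applies to any service that stores a certificate thumbprint in its configuration.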