I'm currently working on a project where I've created a CA cert and a couple of child certs to that CA cert. The certificates are going to be used to protect inter-server communication in a SAMLV2 setup so I'm going to have a cert for the identity provider and a cert for the service provider. The user/browser isn't going to validate the certs so it's only the servers that need to trust my custom CA. My cert tree looks something like this:
我目前正在开发一个项目,我已经为该CA证书创建了CA证书和几个子证书。这些证书将用于保护SAMLV2设置中的服务器间通信,因此我将获得身份提供者的证书和服务提供者的证书。用户/浏览器不会验证证书,因此只有服务器需要信任我的自定义CA.我的证书树看起来像这样:
- CustomRootCACert
- CustomIdentityProviderCert
- CustomServiceProviderCert
CustomRootCACert CustomIdentityProviderCert CustomServiceProviderCert
Now, I've heard a lot of people saying it's bad to use a home-made certificate in production. But when I ask why, people usually just mutters something about security but never go into the details. Are there any technical reasons not to use my own certs in production? I can't think of any... Of course I realize that if I lose control of my root cert anyone could start creating all sorts of certificates. But in this case they would also have to install the certificates on my servers and configure the saml application to use them. Only then could they start to generate fake saml requests and responses to my applications.
现在,我听到很多人说在生产中使用自制证书是不好的。但是,当我问为什么时,人们通常会嘀咕一些关于安全性的事情,但从不深入细节。是否有任何技术原因不在生产中使用我自己的证书?我想不出任何......当然我意识到,如果我失去了对我的根证书的控制,任何人都可以开始创建各种证书。但在这种情况下,他们还必须在我的服务器上安装证书并配置saml应用程序以使用它们。只有这样,他们才能开始生成虚假的saml请求和对我的应用程序的响应。
If this is the only problem, this solution (using home-made certs in production) would still be better than the login setup we have today.
如果这是唯一的问题,这个解决方案(在生产中使用自制的证书)仍然会比我们今天的登录设置更好。
4 个解决方案
#1
Ask yourself what a certificate proves.
问问自己证书证明了什么。
If you get a certificate issued by a reputable CA, then it proves that the certificate holder has verified their identity to that CA, to their standards of proof.
如果您获得由信誉良好的CA颁发的证书,则证明证书持有者已根据其证明标准向该CA验证了其身份。
If you get a certificate issued by an ad-hoc CA, then it proves that someone knows how to make certificates.
如果您获得由ad-hoc CA颁发的证书,则证明有人知道如何制作证书。
If you control both ends of the conversation, I think it's fine to have your own private CA for the purpose. You would trust your own CA. You can probably make this very secure indeed (by keeping the CA private key in a safe place offline, and making signing a sneakernet exercise).
如果您控制对话的两端,我认为为此目的拥有自己的私有CA是好的。你会相信自己的CA.你可以确实这样做非常安全(通过将CA私钥保存在安全的位置离线,并签署sneakernet练习)。
The difficulty would be if you needed to persuade anyone else to trust your CA. Why should they? You would need to convince them that it was safe to do so, and they would have the admin overhead of adding your CA certificate to their clients.
如果您需要说服其他人信任您的CA,那就很困难。为什么他们呢?您需要说服他们这样做是安全的,他们会将管理费用添加到客户端。
#2
Since you are only using the certificate to protect the network traffic and not authenticate users/computers then it sounds like you have a legitimate use for using MakeCert.exe.
由于您只使用证书来保护网络流量而不对用户/计算机进行身份验证,因此您可能认为使用MakeCert.exe是合法的。
I feel there is one thing worth mentioning. After you spend some time working with the MakeCert.exe interface you might to consider using a Stand-Alone Root Certificate Server instead.
我觉得有一件事值得一提。在花费一些时间使用MakeCert.exe界面后,您可以考虑使用独立根证书服务器。
Consider these points:
考虑以下几点:
- (Almost) All versions of Windows Server include Certificate Server Services for free
- Windows Stand-Alone CA Server is extremely simple to install and configure
- Windows Stand-Alone CA Server can be installed on a Virtual Machine and turned on/off whenever you need to issue an additional certificate
- A VM based Windows Stand-Alone CA Server can be run using very little memory (ex. 256mb)
- Windows Stand-Alone CA Server includes a nice and clean web based enrollment interface to simplify requesting certificates.
- CRL checking can be used or not used, depending on your needs.
(几乎)所有版本的Windows Server都免费提供证书服务器服务
Windows独立CA服务器的安装和配置非常简单
Windows独立CA服务器可以安装在虚拟机上,并在需要颁发其他证书时打开/关闭
基于VM的Windows独立CA服务器可以使用非常少的内存运行(例如256mb)
Windows独立CA服务器包含一个漂亮而干净的基于Web的注册界面,可简化请求证书。
根据您的需要,可以使用或不使用CRL检查。
In the past I first started with selfssl.exe and eventually moved to MakeCert.exe to generate a root certificate and then issued my client certificates. But after struggling with the syntax and always having to remember where I put that Root Certificate I switched over to using a Stand-Alone Root CA in a virtual machine.
在过去,我首先使用selfssl.exe启动并最终转移到MakeCert.exe以生成根证书,然后颁发我的客户端证书。但是在努力学习语法之后,我总是要记住我把根证书放在哪里,我转而使用虚拟机中的独立根CA.
#3
IF the certificates are only passed around internally, between your own servers (and not used by the client, one way or the other) - then it is perfectly acceptable to use your own internal CA.
HOWEVER, one suggestion - dont have your Root CA issue your provider certs. Instead, use your Root CA to create an Intermediate CA - then use that to issue provider certificates. This will help you longer term, when you have to start managing certificate expiration, extending the system/infrastructure, revocation lists, etc.
如果证书仅在内部传递,在您自己的服务器之间传递(并且不被客户端使用,不管是哪种方式) - 那么使用您自己的内部CA是完全可以接受的。但是,有一个建议 - 没有您的根CA颁发您的提供商证书。而是使用您的根CA来创建中间CA - 然后使用它来颁发提供程序证书。当您必须开始管理证书过期,扩展系统/基础架构,撤销列表等时,这将对您有所帮助。
#4
There is no real issue with using a self signed certificate in private use, that is use when you control all of the systems that need to trust the homebrew root certificate.
在私人使用中使用自签名证书没有任何实际问题,即在您控制需要信任自制程序根证书的所有系统时使用。
You manually install your root cert onto each of the systems that need to trust it.
您手动将根证书安装到需要信任它的每个系统上。
You can do this in production as well for browser use - for example within an organisation where the root ca can be rolled out via software distrubution method - there is no reason to go to the expense of paying a Certificate Authority that Microsoft happens to trust.
您可以在生产中以及浏览器使用中执行此操作 - 例如,在可以通过软件分发方法推出根ca的组织内 - 没有理由支付微软碰巧信任的证书颁发机构的费用。
[edit] In terms of secruity the issue is one of containing the private key for your root certificate, as long as you can ensure that stays private then you can validate any certificate off that root.
[编辑]在安全性方面,问题是包含根证书的私钥,只要您可以确保保持私有,那么您可以验证该根证书。
#1
Ask yourself what a certificate proves.
问问自己证书证明了什么。
If you get a certificate issued by a reputable CA, then it proves that the certificate holder has verified their identity to that CA, to their standards of proof.
如果您获得由信誉良好的CA颁发的证书,则证明证书持有者已根据其证明标准向该CA验证了其身份。
If you get a certificate issued by an ad-hoc CA, then it proves that someone knows how to make certificates.
如果您获得由ad-hoc CA颁发的证书,则证明有人知道如何制作证书。
If you control both ends of the conversation, I think it's fine to have your own private CA for the purpose. You would trust your own CA. You can probably make this very secure indeed (by keeping the CA private key in a safe place offline, and making signing a sneakernet exercise).
如果您控制对话的两端,我认为为此目的拥有自己的私有CA是好的。你会相信自己的CA.你可以确实这样做非常安全(通过将CA私钥保存在安全的位置离线,并签署sneakernet练习)。
The difficulty would be if you needed to persuade anyone else to trust your CA. Why should they? You would need to convince them that it was safe to do so, and they would have the admin overhead of adding your CA certificate to their clients.
如果您需要说服其他人信任您的CA,那就很困难。为什么他们呢?您需要说服他们这样做是安全的,他们会将管理费用添加到客户端。
#2
Since you are only using the certificate to protect the network traffic and not authenticate users/computers then it sounds like you have a legitimate use for using MakeCert.exe.
由于您只使用证书来保护网络流量而不对用户/计算机进行身份验证,因此您可能认为使用MakeCert.exe是合法的。
I feel there is one thing worth mentioning. After you spend some time working with the MakeCert.exe interface you might to consider using a Stand-Alone Root Certificate Server instead.
我觉得有一件事值得一提。在花费一些时间使用MakeCert.exe界面后,您可以考虑使用独立根证书服务器。
Consider these points:
考虑以下几点:
- (Almost) All versions of Windows Server include Certificate Server Services for free
- Windows Stand-Alone CA Server is extremely simple to install and configure
- Windows Stand-Alone CA Server can be installed on a Virtual Machine and turned on/off whenever you need to issue an additional certificate
- A VM based Windows Stand-Alone CA Server can be run using very little memory (ex. 256mb)
- Windows Stand-Alone CA Server includes a nice and clean web based enrollment interface to simplify requesting certificates.
- CRL checking can be used or not used, depending on your needs.
(几乎)所有版本的Windows Server都免费提供证书服务器服务
Windows独立CA服务器的安装和配置非常简单
Windows独立CA服务器可以安装在虚拟机上,并在需要颁发其他证书时打开/关闭
基于VM的Windows独立CA服务器可以使用非常少的内存运行(例如256mb)
Windows独立CA服务器包含一个漂亮而干净的基于Web的注册界面,可简化请求证书。
根据您的需要,可以使用或不使用CRL检查。
In the past I first started with selfssl.exe and eventually moved to MakeCert.exe to generate a root certificate and then issued my client certificates. But after struggling with the syntax and always having to remember where I put that Root Certificate I switched over to using a Stand-Alone Root CA in a virtual machine.
在过去,我首先使用selfssl.exe启动并最终转移到MakeCert.exe以生成根证书,然后颁发我的客户端证书。但是在努力学习语法之后,我总是要记住我把根证书放在哪里,我转而使用虚拟机中的独立根CA.
#3
IF the certificates are only passed around internally, between your own servers (and not used by the client, one way or the other) - then it is perfectly acceptable to use your own internal CA.
HOWEVER, one suggestion - dont have your Root CA issue your provider certs. Instead, use your Root CA to create an Intermediate CA - then use that to issue provider certificates. This will help you longer term, when you have to start managing certificate expiration, extending the system/infrastructure, revocation lists, etc.
如果证书仅在内部传递,在您自己的服务器之间传递(并且不被客户端使用,不管是哪种方式) - 那么使用您自己的内部CA是完全可以接受的。但是,有一个建议 - 没有您的根CA颁发您的提供商证书。而是使用您的根CA来创建中间CA - 然后使用它来颁发提供程序证书。当您必须开始管理证书过期,扩展系统/基础架构,撤销列表等时,这将对您有所帮助。
#4
There is no real issue with using a self signed certificate in private use, that is use when you control all of the systems that need to trust the homebrew root certificate.
在私人使用中使用自签名证书没有任何实际问题,即在您控制需要信任自制程序根证书的所有系统时使用。
You manually install your root cert onto each of the systems that need to trust it.
您手动将根证书安装到需要信任它的每个系统上。
You can do this in production as well for browser use - for example within an organisation where the root ca can be rolled out via software distrubution method - there is no reason to go to the expense of paying a Certificate Authority that Microsoft happens to trust.
您可以在生产中以及浏览器使用中执行此操作 - 例如,在可以通过软件分发方法推出根ca的组织内 - 没有理由支付微软碰巧信任的证书颁发机构的费用。
[edit] In terms of secruity the issue is one of containing the private key for your root certificate, as long as you can ensure that stays private then you can validate any certificate off that root.
[编辑]在安全性方面,问题是包含根证书的私钥,只要您可以确保保持私有,那么您可以验证该根证书。