Deploying SSL certificates

2012-05-17

SSL certificates are kind of a pain in the ass.

You have to create a PKI, which is really frustrating when you do it for the first time. You can use OpenSSL or GnuTLS for this. I ended up making minipki, a python3 wrapper around the OpenSSL binary, specifically so I wouldn’t have to put up with OpenSSL’s shit interface any more.

But after that, how do you actually get your certificate out to your users? Each browser on each OS may have its own way of storing trusted CA certificates.

Installing certificates on Debian/Ubuntu

Almost all applications on Debian/Ubuntu will use this store, including curl and wget, but not including Mozilla applications or Google Chrome.

  • aptitude install ca-certificates
  • install --mode 644 ca.crt /usr/local/share/ca-certificates/ca.crt
  • update-ca-certificates

Note that the ca-certificates package installs the Debian/Ubuntu certificate authorities, and also (at least as of now) the bundle from Mozilla. It puts these in /usr/share/ca-certificates, and uses the /etc/ca-certificates.conf file to determine whether files in that directory are trusted. However, all certificates in /usr/local/share/ca-certificates are trusted implicitly.

Installing certificates on a Mac

Native Mac applications (such as Safari and Mail) use this store. Google Chrome uses it as well.

Command line

You may be able to add CA certs to /Library/Preferences/cacert.pem but I’m not sure how robust that is / what happens if that file gets updated by something else (such as Keychain.app).

Using Keychain.app (either per-user or for the whole computer)

  • Open a .crt file with Keychain (this is the default double-click action for a .crt file)
  • Select the keychain you want to add the cert to
    • To trust for all users, add it to the System keychain (requires admin password)
    • I believe you can add it to the login keychain instead if you want only your current user to trust the CA, but I’m not sure about that.
  • Select the trust settings for the CA - choose “Always Trust” for everything.

Installing certificates on Windows

Native Windows applications (such as Internet Exploerer and Outlook) use this store. Google Chrome uses it as well.

Via Active Directory

  • This procedure is correct at least on Windows Server 2008 R2
  • http://technet.microsoft.com/en-us/library/cc738131%28WS.10%29.aspx
  • gpmc.msc -> Create and link a new GPO
  • Right click-> Edit that GPO
  • Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities -> right-click -> import

Manually on the commandline

Manually via the GUI

  • Open the .cer file and click the “Install” button
  • On Windows XP, you can just click next through all the options until you’re done.
  • However, on Vista and 7, you have to specifically select the root certificate store. When the wizard opens, select the “Place all certificates in the following store” radio button, and browse to the “Trusted Root Certification Authorities” store. Then click OK -> Next -> Finish, etc, until you’re all done.

Installing certificates to a Mozilla profile

Mozilla products have a separate store in each user profile.

Exciting fact: This means that you’ll have to do this seperately for your Firefox and Thunderbird profiles!

Manually in the GUI

Options -> Advance -> Encryption -> View Certificates -> Authorities tab -> Import

Using NSS certutil

See Mozilla, SSL, and NSS for information on using Mozilla’s (not Microsoft’s) certutil.exe to directly modify the certificate store in Firefox and Thunderbird.

Installing certificates in Chrome

Chrome is an exciting blend of the Mozilla Way and the OS Way.

  • Chrome reads certificates from the OS store on Windows and Mac OS X. If these are your platforms, you’re done.
  • However, Chrome has an NSS certificate store on Linux inside ~/.pki/nssdb. As far as I know, there is not a global certificate store for Chrome on Linux. There’s a Chromium wiki page for cert management. There’s also a blog post which is a bit more concise and also has some information about self-signed certs.

A quick note about NSIS

NSIS is the NullSoft Installer System. There’s an NSIS script to import root certificates. It works with the Windows default store and the Firefox one. It’s useful for employees who work from home and don’t have company-provided equipment on the domain. Unfortunately it doesn’t do Thunderbird, although it looks like it’d be pretty easy to add support for it. Also unlike my batch files, this only installs it to the default FF profile, not all profiles in %APPDATA%\Mozilla\Firefox\Profiles

This script works for me but the NSIS language is really ugly and I don’t wanna wade through it again right now, so I’m just going to link to the official page.

Tangents

This post is about the pragmatics of managing a small SSL PKI, but keep in mind that TLS/SSL in general is a total clusterfuck.

SSL actually kind of sucks

  • Trust is permanent. Our current system has no way to un-trust a CA that has gone bad without breaking SSL for many, many sites.
  • CAs already go bad.
  • I actually wrote a project whose whole goal is just wrapping OpenSSL because the interface is clearly not designed to be run as a PKI tool directly, and documentation is a fucking joke.
  • GNU TLS is actually not quite as terrible as SSL, UI wise. However, I have had problems moving from OpenSSL -> GNU TLS before involving at least Apache (in the past) and curl (recently).

You can do cool stuff with it anyway

  • OCSP stapling can be enabled for a given site, with the caveat that it introduces significant (though not necessarily show-stopping) latency to TLS connections.
  • EFF has a project called the SSL Observatory which collects statistics about SSL use on the Internet
  • sslh is an SSL/SSH multiplexer that lets you run multiple services (https, ssh, openvpn, more) behind one ssl port (such as 443). This might be useful if your network blocks port 22 outbound, and you want to ssh to a server you control anyway.
  • Moxie Marlinspike’s Convergence project is an attempt to solve the irrevocability and accountability problems that current SSL certificate authorities have.
  • Moxie’s sslsniff lets you MITM SSL connections (seemlessly, if you have the private key which generated the SSL certificate and/or CA certificate), which is useful for troubleshooting SSL problems.