Custom PKI and ERA



Hi there.

Trying to install ERA on Linux with a custom PKI.

I have read this topic already, but sadly it has no staff answers.

I see two options here:

1. I totally manage the PKI and import generated certificates into ERA. Looks like in this case (according to this kb article) it is suggested to run the server installer in repair mode, replacing the existing certificates. If certificates are managed by ERA, however, it is as simple as selecting another certificate in the web console. So why can't I just import the needed certificate via the web console (it has no such option of importing peer certificates atm) and apply it? Is there any bugtracker for ERA where I can report this? Is it possible to implement this?

2. I create a SubCA and thus delegate certificate management to ERA. I have tried this also. But I cannot import the SubCA certificate (and its key, of course) neither via the installer nor via the web console. Is it possible to implement this? Though I could easily import the SubCA via SQL queries, still this gave no satisfactory result. The problem is that in this case ERA is very happy with the provided SubCA certificate, but for some reason it tries to sign peer certificates using the issuer's credentials instead of the subject's. This results in these certificates being signed by the SubCA but having all the fields from the TopCA, which is really weird, and as a result they are all invalid. Is it possible to correct this behaviour? On the other hand, I have created a dummy self-signed CA, which I've put into ERA. This time ERA successfully created valid certificates with a valid issuer field. So this is a problem only when issuer and subject are different. Fix this please.

 

There is also one more thing.

Is it possible to implement "--odbc-socket" (or call it whatever you like) option in server setup script, which would allow passing the needed socket path for ODBC driver as well as saving it to StartupConfiguration.ini?

 

TIA

 

EDIT: sorry, bad wording. In fact it is possible to upload a new server certificate via the web console, but it is not possible to import any other peer certificate via the web console for later distribution via policies, for example.

Edited by PF4Public

ESET Staff

ERA documentation was recently extended with the topic Custom certificates with ERA, which provides steps on how to use externally created certificates in ERA. It targets mostly certificate services provided by Microsoft, but maybe it will be helpful for you.

 

Regarding importing of certificates: as you have found out already, importing private keys is not possible, therefore it is not possible to manage external certificates in ERA. Even if managing is not possible, you should be able to use external certificates in configuration policies, server settings and AGENT installer wizards, as the interfaces enable you to "upload" a certificate with its private key when it is required. I am not sure why it is not possible, but most probably due to security and implementation limitations: as you already found out, internal certificate management in ERA is not able to handle non-standard scenarios (such as the possible bug with SubCA you mentioned).


>ERA documentation was recently extended with topic Custom certificates with ERA which provides steps how to use externally created certificates in ERA - it targets mostly certificate services provides by Microsoft, but maybe it will be helpful for you.

Thanks for the link, but it is similar to the link from my post, the only difference being that mine is for installation and yours is for administration. Even though it is targeted at the Windows platform, it was indeed useful for me.

 

>Regarding importing of certificates - as you have found out already, importing private keys is not possible

Are there any possibilities of implementing this?

 

>you should be able to use external certificates in configuration policies

Thanks for pointing this out. Somehow I was missing this information. Having the ability to upload a custom certificate via policies does solve the difficulties with my first approach.

 

BTW, having the ability to import peer certificates with private keys would allow for server-assisted installation as well as the creation of packages with the needed certificates in them. As I have already mentioned, sadly it is not possible to import peer certificates at the moment.

 

>internal certificate management in ERA is not able to handle non-standard scenarios (as possible bug with SubCA you mentioned)

Again, are there any possibilities of improving this? If this is improved, there would be the possibility for anyone who wants to delegate a SubCA to ERA to do so, though in a kind of cheaty way, but still doable.

 

I'm also very concerned about specifying the socket path.

 

Thanks.

Edited by PF4Public

ESET Staff

>I'm also very concerned about specifying the socket path.

I don't think there will be any changes in connection string building, as the scope of the upcoming release is closed.

Could you please specify why you need it to be there? You are using a database without TCP, accepting only connections through the local socket?


>Could you please specify why you need it to be there? You are using a database without TCP, accepting only connections through the local socket?

I had a hard time establishing a connection to the MySQL database through ODBC from ERA and the ERA installer. There were issues with the MySQL ODBC connector available in the Debian repositories, so I had to use the ones available from the MySQL website, which, for a reason not known to me, tried to connect through the socket, completely ignoring the hostname and port specified in the connection string. But this way everything got connected and operating properly. Thus I didn't do any further research on this issue.

Edited by PF4Public

ESET Staff

>Could you please specify why you need it to be there? You are using a database without TCP, accepting only connections through the local socket?

>I had a hard time establishing a connection to the MySQL database through ODBC from ERA and the ERA installer. There were issues with the MySQL ODBC connector available in the Debian repositories, so I had to use the ones available from the MySQL website, which, for a reason not known to me, tried to connect through the socket, completely ignoring the hostname and port specified in the connection string. But this way everything got connected and operating properly. Thus I didn't do any further research on this issue.

We actually had the same problem in the ERA appliance (CentOS 6/7 based). The MySQL ODBC connector attempts to use the socket file in case the specified DB hostname is localhost, instead of the expected TCP connection. We are currently using (and also recommending) DB hostname 127.0.0.1, which should be equivalent to localhost, except that MySQL uses a TCP connection as is expected by ERA.


 

 

>Could you please specify why you need it to be there? You are using a database without TCP, accepting only connections through the local socket?

>I had a hard time establishing a connection to the MySQL database through ODBC from ERA and the ERA installer. There were issues with the MySQL ODBC connector available in the Debian repositories, so I had to use the ones available from the MySQL website, which, for a reason not known to me, tried to connect through the socket, completely ignoring the hostname and port specified in the connection string. But this way everything got connected and operating properly. Thus I didn't do any further research on this issue.

>We actually had the same problem in the ERA appliance (CentOS 6/7 based). The MySQL ODBC connector attempts to use the socket file in case the specified DB hostname is localhost, instead of the expected TCP connection. We are currently using (and also recommending) DB hostname 127.0.0.1, which should be equivalent to localhost, except that MySQL uses a TCP connection as is expected by ERA.

I've just removed the socket specification from StartupConfiguration.ini and also replaced localhost with 127.0.0.1, and indeed after a service restart it looks like ERA can successfully connect to the MySQL database.

Thanks for the hint.

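The localhost-versus-socket behaviour discussed in the posts above is easy to check mechanically before a service restart. The script below is an added example written for this page; it is not part of ERA or of the thread. It parses a MySQL Connector/ODBC style connection string (semicolon-separated key=value pairs), reports the two conditions that make the client library prefer the Unix socket (Server set to localhost or left unset, and an explicit Socket option), and rewrites the string to the form the staff recommended: Server=127.0.0.1 with no Socket entry. The Server, Port, Socket and Database keys are standard Connector/ODBC option names; whether ERA's StartupConfiguration.ini stores the string in exactly this shape is an assumption, and the sample string and driver name are constructed for the demo.

```python
"""Added example, not part of the ESET forum thread or of ERA itself.

Checks a MySQL Connector/ODBC connection string for the localhost pitfall:
a Server of 'localhost' (or no Server at all) or an explicit Socket option
makes the MySQL client library open the local Unix socket instead of TCP.
force_tcp() applies the fix from the thread: Server=127.0.0.1, no Socket.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample connection string; the driver name is a placeholder.
SAMPLE = ("Driver=MySQL ODBC Unicode Driver;Server=localhost;Port=3306;"
          "Socket=/var/run/mysqld/mysqld.sock;Database=era_db;User=era")


def parse_odbc(conn: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into an insertion-ordered dict; keys keep their spelling."""
    params: Dict[str, str] = {}
    for fragment in conn.split(";"):
        if not fragment.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = fragment.partition("=")
        if not sep:
            raise ValueError(f"malformed fragment: {fragment!r}")
        params[key.strip()] = value.strip()
    return params


def _find_key(params: Dict[str, str], name: str) -> Optional[str]:
    """ODBC keywords are case-insensitive; return the key as actually spelled."""
    for key in params:
        if key.lower() == name.lower():
            return key
    return None


def socket_risk(params: Dict[str, str]) -> List[str]:
    """Return the findings that would make the driver prefer the Unix socket."""
    findings: List[str] = []
    server_key = _find_key(params, "Server")
    server = params[server_key].lower() if server_key else ""
    if server in ("", "localhost"):
        findings.append("Server is 'localhost' (or unset): MySQL clients map this to the local socket")
    if _find_key(params, "Socket") is not None:
        findings.append("explicit Socket option present")
    return findings


def force_tcp(conn: str) -> Tuple[str, List[str]]:
    """Rewrite the string so the driver must use TCP; return it with the findings."""
    params = parse_odbc(conn)
    findings = socket_risk(params)
    if not findings:
        return conn, findings          # nothing to change
    socket_key = _find_key(params, "Socket")
    if socket_key is not None:
        del params[socket_key]         # drop the socket path entirely
    server_key = _find_key(params, "Server") or "Server"
    params[server_key] = "127.0.0.1"   # IP literal forces a TCP connection
    return ";".join(f"{k}={v}" for k, v in params.items()), findings


if __name__ == "__main__":
    fixed, why = force_tcp(SAMPLE)
    for line in why:
        print("finding:", line)
    print("rewritten:", fixed)
```

The rewrite keeps every other option and its position, so the result can be pasted back in place of the original string; only the Server value changes and the Socket entry disappears.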

ESET Staff

>2. I create a SubCA and thus delegate certificate management to ERA. I have tried this also. But I cannot import the SubCA certificate (and its key, of course) neither via the installer nor via the web console. Is it possible to implement this? Though I could easily import the SubCA via SQL queries, still this gave no satisfactory result. The problem is that in this case ERA is very happy with the provided SubCA certificate, but for some reason it tries to sign peer certificates using the issuer's credentials instead of the subject's. This results in these certificates being signed by the SubCA but having all the fields from the TopCA, which is really weird, and as a result they are all invalid. Is it possible to correct this behaviour? On the other hand, I have created a dummy self-signed CA, which I've put into ERA. This time ERA successfully created valid certificates with a valid issuer field. So this is a problem only when issuer and subject are different. Fix this please.

Just to let you know: this wrong-issuer behavior when signing by an intermediate CA certificate will be fixed in the upcoming release (this issue affects only Linux). Once fixed, it will be possible to sign with an external CA certificate using the Custom PFX file option in the signing wizard, which enables you to use an external CA without the need to import it into ERA.


Solution

>this wrong-issuer behavior when signing by intermediate CA certificate will be fixed in upcoming release

Thanks for the information. Much appreciated.

 

>it will be possible to sign with external CA certificate using Custom PFX file in signing wizard

This is an important thing; I didn't pay attention to this selection in the "create certificates" dialog, thus didn't notice the possibility.

 

>without need of importing it into ERA

I think I start to realize how bad it is to store a private key in a MySQL database, security-wise. So it is possibly quite justified not to import private keys into ERA in the first place.

 

So, just to sum it all up.

1. If one wants to manage the PKI oneself, ERA has the possibility to temporarily upload a server/agent/etc. (that is, end-entity) certificate and its corresponding private key to immediately use them as the server certificate or distribute via policy, without preserving them in the database. Also it has the possibility to import a CA's certificate (without its private key) to be able to verify peer certificates issued by that particular CA.

2. If one wants to manage the PKI oneself, but delegate some of the certification tasks to ERA, this is also achievable. One should have the CA certificate and its private key at hand to temporarily upload them to ERA to facilitate certificate creation and signing. The certificate and key used in this process are not saved to the ERA database. Only the resulting end-entity certificate is saved to the ERA database for later use. However, due to the wrong-issuer bug in ERA on Linux this will only be possible after the next release (the current release being 6.4, for the record). This does not apply to a self-signed CA, which is handled properly by ERA.

Am I correct?

 

Also, please make sure these possibilities are documented in your guides: both online and PDF/printed.

As well as your advice to use 127.0.0.1 instead of localhost (with a little note on why this is necessary), and the fact that the MySQL ODBC driver available in the current Debian repository does not function, suggesting to use the one from the MySQL website.

Edited by PF4Public
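The thread's wrong-issuer symptom (a peer certificate signed by the SubCA but carrying the TopCA's fields) and the summary's point 2 (verifying certificates issued by an external CA) both come down to two checks anyone can run on the certificates a tool hands back. The script below is an added example written for this page, not ERA's tooling and not from the thread: it builds a throwaway three-level PKI with the openssl command line (root "TopCA", intermediate "SubCA", end-entity "peer"), then defines `issuer_matches`, which compares the leaf's Issuer name against the signing CA's Subject name in RFC 2253 form (the field the thread reports being wrong), and `chain_verifies`, which performs full path validation back to the root. All names, file names and the 30-day lifetimes are made up for the demo; only the `openssl` binary is required.

```shell
#!/bin/sh
# Added example, not from the ESET forum thread or from ERA. Builds a tiny
# throwaway PKI (TopCA -> SubCA -> peer) and checks the two properties the
# thread is concerned with: the leaf's Issuer equals the signing CA's Subject,
# and the chain validates up to the root. Names and lifetimes are made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extensions shared by both CA certificates (constructed for the demo).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA ("TopCA"): self-signed with CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Top CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 \
  -extfile ca.ext >/dev/null 2>&1

# Intermediate CA ("SubCA"): its Subject is what every leaf's Issuer must equal.
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Sub CA" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 30 -extfile ca.ext >/dev/null 2>&1

# End-entity ("peer") certificate signed by the SubCA, the role ERA plays for agents/servers.
openssl req -new -newkey rsa:2048 -nodes -keyout peer.key -out peer.csr \
  -subj "/CN=era-server.example" >/dev/null 2>&1
openssl x509 -req -in peer.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -out peer.crt -days 30 >/dev/null 2>&1

# issuer_matches LEAF CA -> exit 0 only if LEAF's Issuer equals CA's Subject.
# RFC2253 formatting keeps the comparison independent of the openssl version.
issuer_matches() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  ca_subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ]
}

# chain_verifies LEAF ROOT INTERMEDIATE -> exit 0 only if the whole path validates.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Stand-alone run: print both verdicts for the generated peer certificate.
if issuer_matches peer.crt sub.crt; then
  echo "peer Issuer == SubCA Subject: OK"
else
  echo "peer Issuer does not match SubCA Subject"
fi
if chain_verifies peer.crt root.crt sub.crt; then
  echo "chain peer -> SubCA -> TopCA: OK"
else
  echo "chain verification FAILED"
fi
```

Run against certificates from a real deployment, `issuer_matches` would flag the bug described in the thread (Issuer naming the TopCA while the signature was made with the SubCA key), and `chain_verifies` would fail on the same certificate because the signature cannot be validated with the key of the certificate named as Issuer.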
