Its possible to create certificate and sign it on puppetserver then delivery to client?
Related
I am trying to validate a client certificate in Azure API management using context.Request.Certificate.Verify() method.
I have tried the following steps:
I have created self signed root CA certificate and then created a
client certificate and key file.
Now from postman, I am trying to call a method attaching the client certificate. I have verified that the certificate is sent to APIM via trace.
Have uploaded the root CA certificate in APIM -> CA certificates. While uploading I
converted to ".cer" file as it is not accepting ".crt" file and set the Store as "Trusted root".
In APIM policy, have used the method to validate the client certificate via context.Request.Certificate.Verify().
Now, when I try to call APIM api with client certificate, the above method (step 4) is always coming as False, verified from apim trace. Not sure, what and where I am doing wrong things. Any help/guidance or any article is really helpful.
I faced the similar issues, Investigation Summary / Cause are below:
Later customer encountered issue again when they sent PFX certificate as a client certificate to APIM from Postman.
The self signed certificate CRL distribution list (Urls in certificate revocation lists) and Access information cannot be publicly reached (APIM is public hosted and not internal) hence certificate.verify fails
2 options to fix the issue
Purchase a certificate from a Public trusted CA
Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify so that APIM will not check the revocation list during certificate.verify
Note:
If certificate.verify is a mandatory order from your security team, then you would have to purchase a certificate from trusted CA
o you need to VerifyNoRevocation since apim cannot retrieve revocation list information and VerifyNoRevocation will still perform verifying certificate path as well
For client certificate validation in Azure API management generally following steps are required.
Generate a root CA , intermediate CA along with the client certificates.
Upload the intermediate certificate which validate client certificates sent by the user.
You van utilize this guide to set up the CA.
I have to take my Root CA from Azure key vault inside the Azure APIM inbound policy and verify my requested client certificate inside the policy.
For this I have followed the link and able to get the certificate
https://github.com/galiniliev/api-management-policy-snippets/blob/galin/AkvCert/examples/Look%20up%20Key%20Vault%20certificate%20using%20Managed%20Service%20Identity%20and%20call%20backend.policy.xml
But I am not able to validate the client certificate by using My Root CA that I have fetched from Azure key vault
Following is the values of Root CA that I am getting from Azure key vault
{"id":"https://newdev-keyvault.vault.azure.net/certificates/MyRootCA/bf34888e**********","kid":"https://newdev-keyvault.vault.azure.net/keys/MyRootCA/bf34888e*************","sid":"https://newdev-keyvault.vault.azure.net/secrets/MyRootCA/bf34888**************","x5t":"gYbnPUooh4D5_ogrmWCEvfDjYXo","cer":"MIIDFTCCAf2gAwIBAgIUJYAgKiqYPh+Iq1DFULomUlhzNTAwDQYJKoZIhvcNAQELBQAwGjELMAkGA1UEBhMCSW4xCzAJBgNVBAoMAlwuMB4XDTIwMDQxNjA4MTgyOFoXDTMwMDQxNDA4MTgyOFowGjELMAkGA1UEBhMCSW4xCzAJBgNVBAoMAlwuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2EOpy+GxPFCidiW5hGPVlPXuZFfgJdZWITLkUQ2SvcuBfLSsKmPkSpYO7TAFESpBWD0z8y3BYat0hGA2iBhMWzXN0dhbB+bZ6uDdrg0kuGaFmb4fmQ9mydM7cy3NtZA6lf5uTp9RZV4wiUVyKrRgGRzKUxecnFmtCOyk+jeW/Jf38laN1l84eM47UaMJjWD9vg/3QsW3yH+8zst2gWfXN7giQFRCMnzYTRD0VOd3N+C3k2mx72d4DobwbsngIclDHK0BFUckdK8MaOVIixRRQjFTZ/XjRqhPOCZRbgHHldXfx352eYqzOfYOi/utv8s6Xwl/0TI3uj2RTth7CwJkQIDAQABo1MwUTAdBgNVHQ4EFgQUZZMEGpRcswKq23a52gqebZcnloAwHwYDVR0jBBgwFoAUZZMEGpRcswKq23a52gqebZcnloAwDwYDVR0TAQH/BAUwAwEB","attributes":{"enabled":true,"nbf":1587025108,"exp":1902385108,"created":1587036499,"updated":1587036499,"recoveryLevel":"Recoverable+Purgeable"}}
Can anyone help me to verify the client certificates inside the Inbound policy?
Certificate you obtain dynamically from AKV cannot be used at the moment to validate client certificate from request. The only way is to upload CA certificate to APIM and then call .Validate on request certificate. That will require you to export certificate from AKV and refresh it in APIM every time it changes.
How can I create a certificate chain (Self Signed) for Azure Web App? I turned on the settings in the code and Incoming client certificates.
But in the logs I see an error:
OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline
Certificate was not authenticated. Failure message: Client certificate failed validation.
You may use the New-SelfSignedCertificate command from Powershell to create a new self-signed certificate for testing purposes. For example:
PS C:\> New-SelfSignedCertificate -DnsName "www.fabrikam.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"
This creates a self-signed SSL server certificate in the computer MY store with the subject alternative name set to www.fabrikam.com, www.contoso.com and Subject and Issuer name set to www.fabrikam.com.
Once you have the cert, you may upload it to your App service. Check this post on MSDN for more details on the working solution. However, do note that you might still see some certificate validation errors if the cert is self-signed. Consider using a free App Service Managed Certificate or the App Service certificate as they already satisfy the prerequisites of App Service.
Hope this helps.
References:
Add an SSL certificate in Azure App Service
Secure a custom domain
I am trying to create wildcard let's encrypt SSL certificate in Kubernetes. I tried the the ACME-DNS DNS01 challenge and it not creating the SSL certificates.
Error preparing issuer for certificate default/wildcard-test-tk: ACME server does not allow selected challenge type or no provider is configured for domain "domtest.tk"
I have referred this link and used this acme-dns for creating credentials to verify the domain authority.
How can we setup an SSL for azure service fabrics website domain, since the server is going to run on 10 nodes. When i buying the certificate it is asking for CSR file. Where can i generate the CSR file since website is running on 10 nodes. How can i generate the CSR file regarding azure service fabrics website
I know about azure key vault where we will upload the the certificate and install on the nodes, but before doing that how can we generate CSR and get the Certificate from the providers like Symantec/Geotrust/godaddy
Can any one guide me for process of generating the CSR regarding azure service fabrics since it going to run on 10 nodes?
TLS certificates help create an encrypted channel between a browser and a web server while also authenticating the identity of the website that owns the cert. Your certificate is issued for one or more domain names, not nodes. You can use it on any number of nodes as long as the domain name the cert is issued for matches the site you are serving.
Most cert vendors provide tools to generate Certificate Signing Requests. An OpenSSL approach to the problem looks like this:
openssl req -new -sha256 -key domain.com.key -out domain.com.csr