My company has external web api service and I want to make it secure using SSL certificate. This service is called by internal application only. Is it secure to use self-signed certiifcate in IIS on production?
Yes it is secure to use a self-signed certificate even.though it is not best practice for Production environment.
Indeed the Root CA will be unknown and the client cannot validate the issuer. Your client will have to accept such a certificate (this means you will have to handle the certification check yourself)
How to ignore the certificate check when ssl
If the API is used only internally, it is not a big deal. If you have some external consumers, you should really just go and buy a certificate.
Related
When using Azure API Management Gateway its possible to implement client certification authentication to secure access to APIs. You can validate incoming request certs using policy expressions such as thumb checks etc.
When using client cert authentication method, what's the recommended process for certificate generation/management?
Cert responsibility?
Should I/gateway owner be generating the .pfx file (either self signed or by trusted CA), importing it to the gateway service and providing external clients with the .cer to install locally and auth with?
Should I/gateway owner be generating the .pfx file (either self signed or by trusted CA), importing the .pfx to the API Management gateway service (normally I'd imagine importing the .cer on a server/gateway but doesn't seem possible in Azure) and providing external clients with the .pfx to install locally and auth with?
Should the external client be responsible for generating their public/private key pair in their Org, signing it with a CA, installing it locally and providing me/gateway owner with a .cer file to import to the gateway (as above, not sure its possible to import .cer, I read only .pfx accepted in import process) or provide thumb for me to store/validate in policy?
Does anyone have any advice whether to issue clients requiring access to the same API the same (shared) cert or generate a new cert per client? They would all be using the cert to access the same API (+ additional auth methods, cert is just an extra step).
I've ready online tutorials describing all above bullets and where client-specific or single cert-per-API have been implemented so a little confused which is recommended approach?
The easiest way would be to have a single issuing CA certificate, you'd only need to upload its public key to APIM as that is all that's needed for APIM to validate incoming certificate. Then you'll be responsible to generate client certificates and distribute them to clients. In APIM you can setup a policy that would require certificate, check its issuer and validate, that should be enough to ensure that certificate is valid and issued by you.
Relying on self-signed certificates will be a hassle as you'd have to somehow let APIM know of each new certificate, having common issuing CA frees you of that worry.
Same goes for allowing remote clients to generate certificate - they would have to let you know of certificate and you'd need to list it in APIM one way or another.
You're free to decide how exactly to distribute certificates, a few things to consider:
Likely certificate will be your main way to tell clients apart. If that is important you may want to have different clients have different certificates.
If you want to deny access to a particular client you'll "revoke" that certificate, you need to make sure that other legitimate clients won't be affected.
I am developing a mobile app with certificate pinning. I will have a box in the DMZ that will proxy my requests. Should this server have a cert from a trusted CA or can I use the one I generated from my own CA?
What would be the benefits of using a trusted CA from a mobile client?
Also, I will hit several different servers afterward that will be using my own CA generated cert. Should I pin those as well? I am assuming yes, that pinning both will be best even within the network. But is the necessary?
Thanks!
If you use your own CA you gave to manage the revocation process yourself, which is hard.
If you use a custom CA, it means you will have to either:
Provision all the mobile devices that will use your App with your custom CA. If you don't control the mobile devices, this will be impossible to do and pushing a CA to a device's trust store is a liability anyway.
Disable the system's default certificate validation so that the custom CA is accepted by your App, and then re-validate the server's chain and do pinning. It is close to impossible to get this right so you will most likely end up with an insecure HTTPS connection.
Do buy a certificate from a trusted CA.
For the connections between the proxy and the internal servers, you could implement SSL pinning but it is less of a priority as the attack surface is reduced, compared to the mobile clients.
I have website hosted on IIS. My main issue is that I want only users with a specific certificate installed to be able to access the site. I tried to follow some tutorials but I can't find anyone covering both server and client side, since I can't get it to work.
I have some questions to the main issue:
What kind of certificate should I use (domain/selfed signed in IIS 7.5)? I do have access to a Active Directory Certificate Services where I can create other types of certificates (CA), but the problem is when trying to import them to my IIS ("certificate cannot be used as an ssl server certificate")
I would like to use a CA certificate, but is that possible when using IIS? Or do I need to write all the code the check if the user has the right certificate?
When created a certificate for the website (e.g. though IIS)..How do I create user certificates that are trusted by the server certificate?
As you may noticed by now I'm not sure how to do all of this, and would really like some help..
Server should use SSL server certificate. This certificate has to have Server Authentication extension in Extended key usage. Server certificate should have SAN extension (Subject alternative name) with domain name of server as DNS name (i.e. somesite.com)
CA certificate has to be imported to Trusted root store (preferably Local Machine) on both server and client machines.
Client certificate should contain Client Authentication extension in Extended key usage.
All EndEntity (client and server) certificates should have CRL distribution point in them where there is URL to CRL that is issued by CA. CRL has to be accessible by both client and server and should be always valid.
You can use XCA for training purposes. It has a nice GUI and it has templates for CA, SSL server and SSL client certificates by default. Then you can mimic these certificates in your Active Directory Certificate Services. Documentation and some guides can be found here.
We have an website which is used to administrate users. There is one payment section on this website which we use to make payments for our clients with their CC. I would like to secure this section by using HTTPS. So the goal is to make the connection secure.
What type of certificate should we use? Is https://www.openssl.org/ a good solution for this? Any other option?
Do we need an dedicated IP for this domain?
Creating all of the certificates on your own will not instill confidence. If credit cards are involved, you should probably work with a well-known Certificate Authority in order to provide a trustworthy, signed certificate.
Otherwise, your customers will get warnings and errors telling them not to trust your service!
Most Certificate Authorities have tutorials on how to purchase their SSL products and use them to get a certificate for your site. Here is an example product from Symantec.
SSL (the 'S' in HTTPS) does not generally place any restrictions on how your IPs work. The SSL certificates are often issued to domains and/or hostnames. If the certificate is issued to "payments.mysite.com" it will theoretically work for any server that the DNS server resolves for "payments.mysite.com"
Self-signed SSL certificates are just as good/safe/secure as SSL certificates from trusted suppliers. But they have a down-side in that unless they are installed on the users machine the browser will give warnings, and/or not go to the page with the certificate without explicit approval from the user (Chrome does this).
So IF you are able to distribute the SSL to the users, or they are able to install it them selves, or they are willing to ignore warnings, then a self-signed certificate is a good choice. If these are not options you have then you need a trusted SSL certificate.
EDIT: If you need a dedicated IP is dependent on how you resolve the address to the site (dns?).
We have a backend server that services a multi-platform app that will be launched on iOS, Windows 8, Windows Phone 8 and Android. We'd like to use in production as few certificates as possible (preferably just one) to attain the following purposes:
secure communication (HTTPS) with the client application
authentication to the Windows Phone Push Notifications Service
authentication to the Apple Push Notifications Service
Besides taking care that the certificate is issued by a common trusted root authority, are there any other impediments that could prevent a single certificate from being used simultaneously for all these? Is it a viable possibility or is it instead necessary to resort to one certificate for each of the above purposes?
Gabriel I guess there is a problem. Main one is that HTTPS certificate private key cannot be coded by a secret this kind of certificate contain *.crt and *.key file which are not secured. When You want authenticate yourself or server in some Service for example Windows phone push like you have listed there is need to create hash for your private key with secret aka pin or password. What make You use at least two different certificates.
Second thing is that purpose of using certificates is to validate the issuer and to authenticate user/service provider. HTTPS ssl certificate issued by a trusted CA show to the user Hey this is trusted website You should not be afraid passing sensitive data through the service, and the certificates which are used to authenticate are just saying Hey its me I am authorized to use this application Purpose of those certificates and different so certificates them self should be different. Using the same cert for actions like You have listed cause necessaries vulnerabilities and is highly NOT RECOMMENDED