Questions[x509](server)

(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code).

I'm currently responsible for maintaining a system which connects to a third-party webservice. This webservice requires client authentication certificates, which is fair enough, but the webservice itself is secured with a self-signed certificate created by a self-created root certification authority certificate - the same root that creates the client auth certificates.

It would be enough to merely add the current service certificate to the known-trusted list and to ignore the self-created authority certificate, unfortunately the service certificate changes regularly so the authority certificate must be trusted to ensure the application doesn't break when the service cert is renewed.

However I don't (personally) trust the CA cert based on my experience with the company running the webservice - it would not surprise me if it would be leaked to the web - and worryingly the CA cert has no key-usage restrictions placed on it (while external MITM attacks are a possibility, though remote, I'm more concerned about a leaked certificate used for code-signing, for example).

Is it possible for me to tell my computer (currently a server box, but in future ordinary desktop client boxes) to trust a CA but only for a given set of key-usages and a small set of possible subject-names (domain-names)?

The server is currently Windows Server 2012 R2, but it could be running on a Linux box - though the desktop machines are all Windows boxes.

Note : This is not really a question because I already found the answer but since I didn't find it easily here I will post it so that it can benefit others.

Question : How to read a concatenated PEM file as the one used by apache/mod_ssl directive SSLCACertificateFile ?

Answer (original) (source) :

cat $file|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'

This can leave an empty file if there's a blank line at the end, such as with openssl pkcs7 -outform PEM -in my-chain-file -print_certs. To prevent that, check the length of the line before printing:

cat $file|awk 'split_after==1{n++;split_after=0}
   /-----END CERTIFICATE-----/ {split_after=1}
   {if(length($0) > 0) print > "cert" n ".pem"}' 

Answer 29/03/2016 :

Following @slugchewer answer, csplit might be a clearer option with :

csplit -f cert- $file '/-----BEGIN CERTIFICATE-----/' '{*}'

Is a Self Signed SSL certificate a false sense of security?

If you are being eavesdropped, the user will simply accept the certificate like he/she always does.

Can you think of any linux command-line method for saving the certificate presented by a HTTPS server? Something along the lines of having curl/wget/openssl make a SSL connection and save the cert rather than the HTTP response content.

The gui equivalent to what I'm looking for would be to browse to the HTTPS site, double-click on the browser "secure site" icon, and export the cert. Except the goal here is to do it non-interactively.

Thanks, Jim

Can I get a certificate from a root CA that I can then use to sign my own web server certificates? I would, if possible, use a signed certificate as an intermediate to sign other certs.

I know that I would have to configure my systems in a certain way with "my" intermediate certificate in order to supply information about the chain of trust to my clients.

Is this possible? Are root CAs willing to sign a certificate like this? Is it expensive?

BACKGROUND

I'm familiar with the basics of SSL as it pertains to securing web traffic over HTTP. I also have a basic understanding of the way the chain of trust works, in that web traffic is secured "by default" if you encrypt with a certificate that has a valid chain all the way back to a root CA, as determined by the browser/OS vendor.

I am also aware that many of the root CAs have begun signing certificates for end users (like me) with intermediate certificates. That may require a bit more setup on my end, but otherwise, those certificates will work fine. I guess this has to do with protecting their all-valuable private key for the CA and the disaster that it would be if i were ever compromised.

EXAMPLES

1. https://www.microsoft.com
2. https://www.sun.com
3. https://ecomm.dell.com/myaccount/ga/login.aspx?c=us&cs=19&l=en&s=dhs

Now, we are definitely not the size of any of those organizations, but they seem to be doing something like this. It would definitely make the management of these certificates a lot more palatable, especially considering one way we are expanding the reach of our e-commerce platform.