Certificate Authority (CA)
Posted: Tue May 03, 2016 3:27 pm
I set up the CA for Minimed use back in 2008.
I spent some time and set up another CA on http://ca.hsiao.net (can be https if needed).
It uses openssl to create CSRs and CRTs. It can certainly take CSRs generated by other software (IIS, iPlanet, ...).
I have also set up a database to store CSRs and CRTs. I also created a view to check certificates' expiration in case there's a need to send notification emails to certificate owners in the future. That will be phase 2.
The CA site has 4 functions and 1 documentation page:
1. Generate CSR (Certificate Signing Request)
2. Generate SSL Certificate
3. CSR Decoder
Code:
openssl req -in <CSR file> -noout -text
4. Certificate Decoder
Code:
openssl x509 -in <CRT file> -text -noout
5. CA Certificate Installation Guide
NOTICE: The installation guide shows users how to import the CA root certificate into common browsers. From my experience, both IE and Chrome work as expected, but Firefox still complains that the connection is not secure. This is just something Firefox does: it does not trust CAs that are not well known. I will keep trying to find a solution to it. In the meantime, just don't use Firefox.

I tried the SSLCipherSuite with more specific ciphers in the Apache 2.4 config and Firefox started to work!
Before (default values from the Apache 2.4 build):
Code:
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
After:
Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The question now is which ciphers are considered modern (not outdated).

I tried a few more combinations and found Firefox doesn't like to see SSLv3 in SSLCipherSuite, no matter what prefix is used.
excerpted from Apache mod_ssl module (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite) wrote:
Available prefixes are:
none: add cipher to list
+: move matching ciphers to the current location in list
-: remove cipher from list (can be added later again)
!: kill cipher from list completely (can not be added later again)
Not working:
Code:
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLCipherSuite HIGH:MEDIUM:-SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:-SSLv3:!kRSA
Working:
Code:
SSLCipherSuite HIGH:MEDIUM:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!kRSA
SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM
Not sure why it doesn't like "!SSLv3" or "-SSLv3", but that's the result I got from testing.
To keep it simple, the SSLCipherSuite could be set as:
Code:
SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM
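The four site functions from the first post (generate CSR, generate certificate, CSR decoder, certificate decoder) plus the "phase 2" expiry check, as an added example using the openssl CLI; this is not the ca.hsiao.net site's own code. Everything runs in a scratch directory, and "Example Root CA" and the hostnames www.example.test / short.example.test are hypothetical names chosen for the example. The two decoder functions are the post's own openssl commands reduced to one line of output each.

```shell
#!/bin/sh
# Added example, not the ca.hsiao.net site's own code: the four CA functions
# from the post (make CSR, sign it, decode CSR, decode certificate) plus the
# "phase 2" expiry check, done with the openssl CLI in a scratch directory.
# "Example Root CA" and the *.example.test hostnames are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One-time root setup. The config is explicit so the root carries CA:TRUE and
# keyCertSign whatever the system openssl.cnf says; without them 'openssl
# verify' will not accept the cert as an issuer.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    chmod 600 "$WORK/ca.key"   # the root key is the whole CA; keep it private
}

# 1. Generate CSR: new 2048-bit key plus a request for the given hostname.
#    A CSR made by IIS or iPlanet would simply be dropped in as $WORK/<host>.csr.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 2. Generate SSL certificate: sign the CSR with the root for $2 days. Browsers
#    match the hostname against subjectAltName, so the CA sets it here instead
#    of trusting whatever the requester put into the CSR.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$2" -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# 3. CSR decoder: the post's command, reduced to the subject line.
csr_subject() { openssl req -in "$WORK/$1.csr" -noout -subject; }

# 4. Certificate decoder: the post's command, reduced to the issuer line.
crt_issuer() { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

# Does the issued certificate chain to our root? (exit 0 = yes)
verify_crt() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Phase 2: exit 0 if the certificate is still valid $2 seconds from now,
# 1 if it expires before then (the condition a notification job keys on).
valid_for() { openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null; }

demo() {
    make_ca
    make_csr www.example.test
    sign_csr www.example.test 365
    csr_subject www.example.test
    crt_issuer www.example.test
    verify_crt www.example.test && echo "chain OK"
    valid_for www.example.test 2592000 && echo "still valid in 30 days"
    make_csr short.example.test
    sign_csr short.example.test 1
    valid_for short.example.test 172800 || echo "short.example.test expires within 2 days: notify owner"
}

# Run as 'sh ca-demo.sh demo'; without the argument only the functions are defined.
if [ "${1:-}" = demo ]; then demo; fi
```

The subject and issuer lines are printed in openssl's own format, which changed between 1.0 ("subject=/CN=...") and 1.1 ("subject=CN = ..."), so anything that parses them should match on the CN value rather than the whole line. The expiry check is the one piece a database view cannot do by itself: `-checkend` reads the notAfter date from the certificate, which is the value a notification job should trust over whatever was recorded at issue time.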
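The cipher strings from the posts above, evaluated with `openssl ciphers -v` to show what each one really selects; this is an added example and not something from the original thread. Two facts from ciphers(1) explain the results: `kRSA` matches suites that use static RSA key exchange, and `SSLv3` matches suites by the minimum protocol version they are defined for (the second column of the `-v` output), not the SSLv3 protocol itself; turning a protocol off is what SSLProtocol is for. The script counts, for each string, how many suites survive, how many use static RSA, and how many are SSLv3-era, and it shows the documented difference between `-SSLv3` (AES128-SHA can be added back by a later rule) and `!SSLv3` (it cannot). TLS 1.3 suites, which OpenSSL 1.1.1 and later list regardless of the string, are filtered out.

```shell
#!/bin/sh
# Added example, not from the original thread: evaluate Apache SSLCipherSuite
# strings with the openssl CLI to see which suites each one really selects.
set -eu

# One line per selected suite: "NAME MIN-PROTOCOL Kx=...". TLS 1.3 suites are
# dropped because OpenSSL 1.1.1+ prints them whatever the string says and
# Apache does not choose them through SSLCipherSuite.
suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" { print $1, $2, $3 }'
}

# Total number of suites the string selects (0 if openssl rejects the string).
count() { suites "$1" | wc -l | tr -d ' '; }

# Suites whose minimum protocol version is $2 (SSLv3, TLSv1 or TLSv1.2).
proto_count() { suites "$1" | awk -v p="$2" '$2 == p' | wc -l | tr -d ' '; }

# Suites using static RSA key exchange (no forward secrecy); this is what
# !kRSA removes. Exact match so that Kx=RSAPSK is not counted.
kx_rsa_count() { suites "$1" | awk '$3 == "Kx=RSA"' | wc -l | tr -d ' '; }

# One summary line per string: what is left, and the two properties at issue.
summary() {
    printf '%-48s total=%s static-RSA=%s SSLv3-era=%s\n' "$1" \
        "$(count "$1")" "$(kx_rsa_count "$1")" "$(proto_count "$1" SSLv3)"
}

demo() {
    echo "The thread's strings:"
    for s in 'HIGH:MEDIUM:!SSLv3:!kRSA' 'HIGH:MEDIUM:-SSLv3:!kRSA' \
             'HIGH:MEDIUM:!kRSA' 'HIGH:MEDIUM' \
             'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; do
        summary "$s"
    done
    echo
    echo "'-' versus '!': only the former lets a later rule add AES128-SHA back:"
    summary 'HIGH:MEDIUM:-SSLv3:AES128-SHA'
    summary 'HIGH:MEDIUM:!SSLv3:AES128-SHA'
}

# Run as 'sh ciphers-demo.sh demo'; without the argument only the functions are defined.
if [ "${1:-}" = demo ]; then demo; fi
```

The counts are what to compare when judging a string: `!kRSA` changes only the static-RSA column, `!SSLv3` and `-SSLv3` produce the same list as long as nothing after them re-adds a suite, and a string is only as modern as the oldest suite it still selects, so `HIGH:MEDIUM` on its own keeps every SSLv3-era static-RSA suite the build has. Run the script against the openssl the web server is actually linked with, since the suite table differs between OpenSSL releases.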