SecurityLogMiner / log-collection-client

Everything you do not see but feel the effects of.
Apache License 2.0

Implement TLS #20

Open endepointe opened 7 months ago

endepointe commented 7 months ago

Related tasks: https://github.com/SecurityLogMiner/log-collection-client/issues/23

endepointe commented 7 months ago

Considering creating our own Certificate Authority to sign the client and server TLS certificates.

The idea begins with:

  1. Create a CA service in the server (or new Signing repository) that can create, revoke, and renew certificates it has signed.
  2. The Server would sign its certificate using the CA
  3. Any Client would create an account using the Frontend repo, receive the necessary CA credentials, and have their cert signed with the CA credentials.
  4. The Client and Server would use their certs to establish a communication channel between not only approved IPs, but also inside a TLS encrypted connection.

The CA would manage all certificates issued to clients and servers.

The CA Service

Create a certificate that will be used to sign other certificates:

  openssl genpkey -algorithm RSA -out ca.key
  openssl req -x509 -new -key ca.key -out ca.crt

The Server

Sign its certificate using the CA Service-supplied certificate:

  openssl genpkey -algorithm RSA -out server.key
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

New Clients

Create and verify an account using the Frontend service. Create and sign its certificate using the CA Service-supplied certificate:

  openssl genpkey -algorithm RSA -out client.key
  openssl req -new -key client.key -out client.csr
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

Certificates can be verified using:

  openssl verify -CAfile ca.crt server.crt client.crt

khuynh2002 commented 7 months ago

To add to the discussion, should we look into creating a Root CA and then intermediate CA(s) separately for optimizing security? This is because if a Root CA is compromised, we have to re-install it on every endpoint. This way the root CA is "offline" more, lessening the chance of being compromised. If the intermediate CA is compromised, we can revoke its certificates and replace it easily, and the Root CA is still intact ready to issue trust to the new intermediate CA again. A meatshield if you will.

https://blog.ajsmith.org/posts/Creating-your-own-Certificate-Authority-and-Using-TLS-Client-Certificates-mTLS/
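Putting endepointe's openssl steps and khuynh2002's root/intermediate split together, as an added example that is not part of this issue or the project's code: the script builds a self-signed root, an intermediate CA signed by it, and server and client leaf certificates signed by the intermediate, adding the v3 extensions that `openssl x509 -req` otherwise leaves out, and then verifies each leaf for its TLS role against the root alone. Subject names, file layout, 2048-bit RSA keys and the validity periods are assumptions; it expects an `openssl` 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Two-tier PKI with the openssl CLI: offline root CA -> intermediate CA -> server/client leaves.
# Constructed example: subject names, file names and validity periods are placeholders.
set -eu

# write_ext FILE ROLE: X.509 v3 extensions per role. `openssl x509 -req` adds no extensions
# unless told to, so an intermediate signed without an -extfile would not even be a CA.
write_ext() {
  case "$2" in
    root)         printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    intermediate) printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    server)       printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' ;;
    client)       printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
  esac > "$1"
}

# request DIR NAME SUBJECT ROLE: fresh 2048-bit RSA key, CSR and extension file for NAME.
request() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
  write_ext "$1/$2.ext" "$4"
}

# sign DIR NAME ISSUER DAYS: certify NAME's CSR with ISSUER's key and certificate.
sign() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -days "$4" -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# make_pki DIR: self-signed root, intermediate under it, one server and one client leaf;
# after this only intermediate.key is needed day to day, so root.key can be kept offline.
make_pki() {
  request "$1" root "/CN=Log Collector Root CA" root
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 \
    -extfile "$1/root.ext" -out "$1/root.crt" 2>/dev/null
  request "$1" intermediate "/CN=Log Collector Issuing CA" intermediate
  sign "$1" intermediate root 1825
  request "$1" server "/CN=collector.example.internal" server
  sign "$1" server intermediate 365
  request "$1" client "/CN=client-0001" client
  sign "$1" client intermediate 365
}

# verify_leaf DIR NAME PURPOSE: chain NAME -> intermediate -> root. Only root.crt is trusted;
# the intermediate goes in as -untrusted, just as a TLS peer would send it in the handshake.
# PURPOSE (sslserver or sslclient) also enforces keyUsage/extendedKeyUsage. Exit 0 = valid.
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Run `make_pki some_dir` and then `verify_leaf some_dir client sslclient`; the same call with `sslserver` fails for the client certificate, and `openssl verify -CAfile root.crt server.crt` without `-untrusted` fails because the chain cannot reach the root, which is why the server and each client must present the intermediate alongside their own certificate.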