
Let's talk Certificates

JCBiggs

(These would make for a good in-depth video, btw.)

 

I am running the UniFi Controller on a local server at home. I have a VPN set up to access it securely, but I want to access it directly with the IP address of my server (using nginx to proxy, since I have multiple VMs and WAN-facing servers). The problem, of course, is that I'm not connected to my home IP via HTTPS, making credential transmission a bit sketchy. So this got me thinking about how to secure everything I'm doing, and not just my network controller.

 

From what I gather, I would need to get a Let's Encrypt cert (since it's free) and install it on my server. However, since this is Windows-based, I have no idea how to automate the renewal process, making it a PITA to renew the cert every 90 days.

 

So that brings me to what I would like to do, which is just make my own certs and become my own CA. I don't know if there is a security flaw in doing this, so please point it out if so. My understanding is that I would generate the root certificate, and then make all the intermediate certificates from that. Then I would install the root certificate on my phones and computers that I use to access the server(s).

 

So if I control the root, then technically it shouldn't be possible to spoof one of the certs without the private key, and since I am the only one using it, I don't really "need" to use a public root cert from a CA.

 

Is my logic correct so far, or am I missing something? I would much rather just create a single trusted root certificate that's mine, and have it be valid forever.

 

Ultimately, this would also be the private authentication mechanism for all the business machines I am putting in place to connect to my server.


2 hours ago, JCBiggs said:

anybody ?

somebody?

...linus?

?

Internally certificates signed from your own CA work fine and many businesses employ them simply by deploying the CA cert through GPOs, so I don't see why that wouldn't work on the WAN. The only real purpose of a trusted CA is so you don't have to manually install certificates before someone can access your webpage.


13 minutes ago, Endeavor01 said:

Internally certificates signed from your own CA work fine and many businesses employ them simply by deploying the CA cert through GPOs, so I don't see why that wouldn't work on the WAN. The only real purpose of a trusted CA is so you don't have to manually install certificates before someone can access your webpage.

That was a very informative couple of sentences. So as long as I keep this private key safe and secure (or really even just delete it), then I should never have to worry about someone executing a MITM.

 


13 minutes ago, JCBiggs said:

(or really even just delete it)

You need it on the server, so no, you can't just delete it.


15 minutes ago, WereCatf said:

You need it on the server, so no, you can't just delete it.

Oh..

I thought the private key was only used to generate the root and then not used anymore.

(And also to sign the certificates that I would generate.)


16 minutes ago, JCBiggs said:

Oh..

I thought the private key was only used to generate the root and then not used anymore.

(And also to sign the certificates that I would generate.)

Certificates have a public and private key, those key pairs are created by the certificate requester and the CA digitally signs the certificate and public key. Any client talking to the server encrypts the data using the public key and the server uses the private key to decrypt the data. That is why you need to protect that private key as anyone who has it can decrypt the data. 


If you have no insider threat then the risk of your CA being compromised is negligible to be honest. Mainly because if somebody is both talented enough and determined enough to be able to get into your network, your CA doesn't really matter.

 

Bigger companies are at a higher risk, since an attacker could publish a website and issue a certificate - why deal with MITM when you could just imitate.

 

That said, for home use / lab use... having your own CA in any configuration is just dandy. I only use letsencrypt for actual web portals I want to access from say work or any other non-personal computers. Everything else I issue a cert from my CA. I'm lazy and did the really bad idea of using wildcard certs from letsencrypt (mainly if somebody gets a copy of my keypair there's no limit and super easy to impersonate) - but there's nothing at risk.

 

Normally you'd have a "master" CA that you would boot up and declare as such, then you'd create a second-tier CA (I forgot all the proper names) and shut down your primary CA, rarely if ever booting your primary CA. Look up best PKI practices and they can go into more details.

 

 

The simplest solution is to just use a VPN; how often are you really going to need to hit the UniFi controller remotely? OpenVPN has iOS/Android apps and UniFi has apps as well. No need to expose a web server that probably won't be patched very often, and probably isn't hardened.


One more thing to note: you could auto-issue your reverse proxy a certificate with Let's Encrypt, so it would be CLIENT <==HTTPS==> PROXY <==HTTP==> UniFi.

 

Reverse proxies can put an HTTPS front end up in front of HTTP servers.


39 minutes ago, JCBiggs said:

I'm a little bit confused. So when you visit a website, you get their certificate, which has a path back to the root. Surely the root server doesn't verify every certificate transaction on the web?

To verify a certificate hasn't been revoked (CRL) a client may attempt to contact the CA or designated CA.


16 hours ago, JCBiggs said:

I'm a little bit confused. So when you visit a website, you get their certificate, which has a path back to the root. Surely the root server doesn't verify every certificate transaction on the web?

Every computer/electronic device that can use the internet has all the public trusted CA certs loaded onto it, without the private key. Your device checks the certificate key chain it's given to see if the certificate that signed it, the digital signature, matches any certificates in your pre-loaded CA list.

 

You can't use any of these pre-loaded certs to sign any other certs because you don't have the private key.

 

If any of the really big 3 public CAs got compromised, the entire internet would, security-wise, fall completely apart. We all put explicit trust into these CAs; they have the final top-tier say on what is and is not trusted on the internet. It's all a big reputation game: we trust anything they trust, but we have no actual verifiable way to confirm that.


9 hours ago, leadeater said:

Every computer/electronic device that can use the internet has all the public trusted CA certs loaded onto it, without the private key. Your device checks the certificate key chain it's given to see if the certificate that signed it, the digital signature, matches any certificates in your pre-loaded CA list.

 

You can't use any of these pre-loaded certs to sign any other certs because you don't have the private key.

 

If any of the really big 3 public CAs got compromised, the entire internet would, security-wise, fall completely apart. We all put explicit trust into these CAs; they have the final top-tier say on what is and is not trusted on the internet. It's all a big reputation game: we trust anything they trust, but we have no actual verifiable way to confirm that.

But if I'm using my own certs, that I make, then I inherently know they are safe to trust. I don't have to worry about some angry ex-CA employee running some scheme or something. I like the idea of issuing certs as a group policy object; that's the direction I'm heading in.


5 hours ago, JCBiggs said:

But if I'm using my own certs, that I make, then I inherently know they are safe to trust. I don't have to worry about some angry ex-CA employee running some scheme or something. I like the idea of issuing certs as a group policy object; that's the direction I'm heading in.

Yep, that's fine. You also have to push out your CA cert to all your computers so they will trust certs that you sign and use internally. It's the same thing as public certs, but I wouldn't load your CA cert onto any of my devices, or you could sign a cert for any public website domain, fake the website, and my computer would trust it.

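As an added example, not code posted by anyone in this thread: the two-tier setup Mikensan describes (a root whose key is used once and then kept offline, a second-tier CA that does the day-to-day signing) and the client-side chain check leadeater describes, built with the openssl command line. The intermediate also carries a name constraint, so even if its key leaked it could not vouch for a public domain, which addresses the concern about loading someone's private root onto your devices. The names home.lan, unifi.home.lan and www.example.com are placeholders chosen for the example; everything is created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): two-tier private PKI with openssl.
# Placeholders: home.lan (private domain), unifi.home.lan (the proxy's name),
# www.example.com (a public name the intermediate must not be able to issue).
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
Q=/dev/null   # keep openssl quiet

# Sign CSR $1 with CA key/cert basename $2, extension file $3, $4 days, output $5.
sign() { openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
           -days "$4" -extfile "$3" -out "$5" 2>$Q; }

build_pki() {
  # Root: self-signed. Its key signs exactly one thing (the intermediate) and then goes offline.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Root CA" -keyout root.key -out root.csr 2>$Q
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>$Q
  # Intermediate: pathlen:0 (may not create further CAs) plus a name constraint, so a
  # leaked intermediate key still cannot produce a valid cert for any name outside .home.lan.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Intermediate CA" -keyout int.key -out int.csr 2>$Q
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  printf 'nameConstraints=critical,permitted;DNS:.home.lan\n' >> int.ext
  sign int.csr root int.ext 1825 int.crt
  mv root.key root.key.offline   # no server or client ever needs the root's private key
}

# Leaf for server name $1, written to $2.key / $2.crt; only $2.key lives on that server.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>$Q
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$2.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" >> "$2.ext"
  sign "$2.csr" int "$2.ext" 365 "$2.crt"
}

# What a client does: it holds only root.crt (public, no key) and receives the leaf
# plus the intermediate from the server. Exit status 0 means the chain validates.
verify_chain() { openssl verify -CAfile root.crt -untrusted int.crt "$1" >$Q 2>&1; }

# Same check when the server forgets to send the intermediate: the chain is incomplete.
verify_without_intermediate() { openssl verify -CAfile root.crt "$1" >$Q 2>&1; }

build_pki
issue_leaf unifi.home.lan unifi       # the cert the reverse proxy would present
issue_leaf www.example.com outside    # a name the constrained intermediate may not vouch for
verify_chain unifi.crt && echo "unifi.home.lan: chain OK"
verify_chain outside.crt || echo "www.example.com: rejected (name constraint violation)"
verify_without_intermediate unifi.crt || echo "unifi.home.lan without intermediate: rejected"
```

Requires an openssl binary of version 1.1.1 or newer on the PATH.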

On 2/16/2019 at 3:30 PM, leadeater said:

Yep, that's fine. You also have to push out your CA cert to all your computers so they will trust certs that you sign and use internally. It's the same thing as public certs, but I wouldn't load your CA cert onto any of my devices, or you could sign a cert for any public website domain, fake the website, and my computer would trust it.

Yep. I'm following this a little better now. I purchased an R Pi this weekend to test with. I'm going to set up a simple web page and add the certs to my devices. Hopefully it works. These are the kinds of topics I would like to see LTT dive into. There is a large user base that likes the more advanced stuff (vs gaming and phone reviews); I believe it would be just as popular as your mainline videos.


2 hours ago, JCBiggs said:

These are the kinds of topics I would like to see LTT dive into. There is a large user base that likes the more advanced stuff (vs gaming and phone reviews) I believe it would be just as popular as you mainline videos.

The forum and moderators are just community members; you'd have to raise suggestions like that to Linus and the LMG team. I doubt they would do such videos though, as doing them well enough, and with the level of confidence needed to release them, would require the knowledge and capability to do it. Not knocking anyone at LMG, but Linus does say he is not a server expert or systems administrator/engineer, so there would be a lot of upskilling required by multiple people, or hiring in someone with the required experience, which would be rather costly considering the job and pay such a person could get elsewhere.


@JCBiggs More technical channels exist, but as you narrow down specific technologies the audience also narrows. Level 3 with Wendell gets a little technical, but his channel isn't nearly as large as Linus'. Video format isn't really good for deep dives; I can read a book faster than it could be read to me, for example. So you'll find more detailed guides / questions / discussions on places like Reddit (/r/sysadmin and /r/homelab, to name a couple).


33 minutes ago, Mikensan said:

@JCBiggs More technical channels exist, but as you narrow down specific technologies the audience also narrows. Level 3 with Wendell gets a little technical, but his channel isn't nearly as large as Linus'. Video format isn't really good for deep dives; I can read a book faster than it could be read to me, for example. So you'll find more detailed guides / questions / discussions on places like Reddit (/r/sysadmin and /r/homelab, to name a couple).

Encryption technologies are becoming much more mainstream. I'm not talking about full in-depth videos showing every step, just the basics: exposing the general steps, why, and only a bit of how. Hak5 goes much more in depth on stuff, so the material is out there if you really want to find stuff that's deep.


17 minutes ago, JCBiggs said:

Encryption technologies are becoming much more mainstream. I'm not talking about full in-depth videos showing every step, just the basics: exposing the general steps, why, and only a bit of how. Hak5 goes much more in depth on stuff, so the material is out there if you really want to find stuff that's deep.

I could see a TechQuickie episode on a basic overview of CAs and certs and how the system works in a non-specific manner.

 

But I fear if they try and do a "You can create your own certs" type video, they'll run into the problem where if they try and explain ANY of the steps, but not all of them, it'll just be confusing to anyone who actually wants to do it.

 

They either need to keep it super simple basic overview with NO instructions, or they need to go all the way and do a proper guide. Making an in-between video (especially since we know they're extreme noobs in this area) would just do more harm than good.

 

I agree that it would "be nice" for LTT to do more server and security based videos - I'm a server admin/IT Tech myself - but they really have no idea what they are doing.

 

If they want to do these kinds of videos, they need to hire a proper (with field experience) Server Admin - one at least versed in Windows Server, but ideally one also versed in Linux Server admin. And that won't be cheap. A good server admin can easily command double what they likely already pay their editors, writers, hosts, etc. It would have to be a person who really loves the job (since they could get paid much better in the private sector), or LMG would have to throw a lot of money at them.

 

Personally it would be worth it simply so they can fix all the hack crap they're doing in the back end, but on the flip side, content wise, I doubt they'd be able to push out enough server focused content to make the investment worth it.

 

Kind of hard to say which way it would go.


6 minutes ago, dalekphalm said:

I could see a TechQuickie episode on a basic overview of CAs and certs and how the system works in a non-specific manner.

 

But I fear if they try and do a "You can create your own certs" type video, they'll run into the problem where if they try and explain ANY of the steps, but not all of them, it'll just be confusing to anyone who actually wants to do it.

 

They either need to keep it super simple basic overview with NO instructions, or they need to go all the way and do a proper guide. Making an in-between video (especially since we know they're extreme noobs in this area) would just do more harm than good.

  

I agree that it would "be nice" for LTT to do more server and security based videos - I'm a server admin/IT Tech myself - but they really have no idea what they are doing.

 

If they want to do these kinds of videos, they need to hire a proper (with field experience) Server Admin - one at least versed in Windows Server, but ideally one also versed in Linux Server admin. And that won't be cheap. A good server admin can easily command double what they likely already pay their editors, writers, hosts, etc. It would have to be a person who really loves the job (since they could get paid much better in the private sector), or LMG would have to throw a lot of money at them.

 

Personally it would be worth it simply so they can fix all the hack crap they're doing in the back end, but on the flip side, content wise, I doubt they'd be able to push out enough server focused content to make the investment worth it.

 

Kind of hard to say which way it would go.

Seems like they could find some younger person out of college that isn't at that level yet that could get it done. Plus, we all know Linus needs a real server admin. LOL


43 minutes ago, JCBiggs said:

Seems like they could find some younger person out of college that isn't at that level yet that could get it done. Plus, we all know Linus needs a real server admin. LOL

The young person out of College - despite what he thinks - pretty much also doesn't know what he's doing - though granted, he'd still be far ahead of Linus and team.

 

Although then you'd run the risk of the new guy getting poached once he's got enough on-job experience to qualify for a better job elsewhere.

 

It's definitely possible - and I would certainly like a Server Admin focused YouTube channel with the production quality (and budget) of LMG. I just don't see it happening. I hope I'm wrong!


16 minutes ago, dalekphalm said:

The young person out of College - despite what he thinks - pretty much also doesn't know what he's doing - though granted, he'd still be far ahead of Linus and team.

 

Although then you'd run the risk of the new guy getting poached once he's got enough on-job experience to qualify for a better job elsewhere.

 

It's definitely possible - and I would certainly like a Server Admin focused YouTube channel with the production quality (and budget) of LMG. I just don't see it happening. I hope I'm wrong!

Best buy would be a sysadmin wanting some side change and consulting for LMG. Who doesn't love making money from the couch at home? I've seen a few suggest LMG pair up with Lawrence Systems on a few videos; I think it would be neat for both channels. Lawrence might not have enterprise experience but certainly has the capacity to understand a lot of what I believe we (sysadmins) would love to see.


Well, as it stands now, I have managed to create a CA and intermediate certificate on an air-gapped laptop. So in the next few days I will be figuring out how to get them over to my servers and hardware. I've got everything locked down fairly well, so now the only thing I'm worried about is secure connections over the net. I personally feel like using the certificates over the web for encryption might be more secure than my VPN. I mean, I don't have any way to KNOW my VPN isn't being MITM'd other than trusting Ubiquiti when they say it's secure. With the certificates, it's pretty clear who I'm connected to and what's happening.

 

 
