
The time has come for us to renew and update our wildcard certificate. I've been tasked with researching the ways we can protect the private key without compromising the security of the certificate. (With the key and cert together, anyone could impersonate us.)

I understand the pros and cons of using wildcard certs, and this is the direction the IT Director has decided to go.

We're a 99% Windows shop; no configuration management setup. We're likely going to have to touch each machine that uses the wildcard cert.

I know some configuration management tools (like Puppet) have modules that you can use to pass a secured variable instead of a clear text password. Is there a way to install the cert on machines without having to distribute the private key to other team members?

Any thoughts/ideas/best practices would be greatly appreciated.

StackzOfZtuff
bsant
  • Really depends on how you manage the machines. You might be using Microsoft System Centre for example or you might simply allow WinRM (remote management) on each machine and use remote PowerShell. – Julian Knight Jan 05 '17 at 20:14
  • Use an HSM / Smart Card. – Neil McGuigan Jan 05 '17 at 20:17
  • Can remote PowerShell obscure the private key? The end goal is for the cert to be installed, via/with key, without having to share the private key (actual string) with the whole team. But we want the team members to be able to help with the install so that one person doesn't have to go through the whole process on each machine. – bsant Jan 05 '17 at 20:20
  • Agree with @NeilMcGuigan, nothing else but HSM/Smart Card will help you. Software-based key storages do not provide enough security and can't guarantee key privacy. For example, if you back up your systems, the certificate and associated private key may be included there and attacks against backups will compromise the key. – Crypt32 Jan 05 '17 at 20:25
  • @bsant: What are you trying to do? Distribute the privkey/pubkey to a bunch of servers, all of which need the privkey? – StackzOfZtuff Jan 06 '17 at 05:34
  • @StackzOfZtuff Our wildcard cert is expiring at the end of the month, and we have a bunch of servers that use it for identity. We purchased a new one and need to get it replaced on all those servers. We've got a good number of servers using it, and would like to have the whole team help with the importing, without necessarily sharing the private key with all of them. Whatever method we use has to be self-contained. – bsant Jan 06 '17 at 16:18
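A concrete version of the remote-PowerShell route suggested in the comments, added here as an example (not code from the original question or its comments): one trusted operator pushes the PFX over WinRM and each server imports it with a non-exportable private key, so the helpers never handle the key and it cannot be exported from the servers afterwards. Host names, the PFX path and the assumption that WinRM is enabled with the operator as local administrator are placeholders.

```powershell
# Added example, not code from the original question or its comments.
# One trusted operator runs this from their own workstation; the helpers never
# handle the PFX or its password. Each server imports the wildcard cert into
# the machine store with a NON-exportable private key, so the key cannot be
# pulled back out of the server through the Windows certificate APIs later.
# Assumptions (placeholders): WinRM is enabled and the operator is a local
# administrator on every target; host names and the PFX path are made up.

$servers  = @('web01', 'web02', 'web03')
$pfxPath  = 'C:\secure\wildcard-example-com.pfx'   # stays on the operator's box
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString

# Read the PFX once. The bytes travel inside the encrypted WinRM session
# rather than being copied to a file share every team member can read.
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param([byte[]]$Bytes, [securestring]$Password)

    $tmp = Join-Path $env:TEMP ('wildcard-' + [guid]::NewGuid().ToString() + '.pfx')
    try {
        [System.IO.File]::WriteAllBytes($tmp, $Bytes)

        # No -Exportable switch: the private key is stored by the machine's
        # key storage provider and marked non-exportable.
        $cert = Import-PfxCertificate -FilePath $tmp `
                    -CertStoreLocation 'Cert:\LocalMachine\My' `
                    -Password $Password

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
    finally {
        # Do not leave the PFX (key included) lying around in the temp folder.
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
} -ArgumentList $pfxBytes, $pfxPass

# Rollout report: every server should show HasPrivateKey = True and the new
# expiry date; anything else needs a second look before bindings are switched.
$results | Format-Table Server, Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
```

The PFX file still contains the key, so it and its password stay with the operator (and out of backups the whole team can read), which is the limit of any software-only approach as the HSM comments point out. Binding the imported certificate to IIS or other services is a separate step this script does not perform.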

1 Answer

I'd configure a reverse proxy with SSL decryption capabilities. Therefore the cert is put in a single server and it terminates the SSL/TLS connection.

Your private key will only be on one server and you'll also have the ability to inspect HTTP traffic using an IDS/IPS.

DDS
  • How does this work if we need to import the cert onto several servers? – bsant Jan 06 '17 at 16:36
  • You just import the certificate into one server: the reverse proxy. – DDS Jan 09 '17 at 02:46
  • So your SSL connection terminates at the reverse proxy. Thereafter it's HTTP. Or if you are worried about the connection between the reverse proxy and the web server, you can use a different SSL connection between them. The good thing is that those SSL connections can use your internally generated certs and do not have to be public CA-assigned certs. I'm not aware of any Windows product, but nginx should be able to do this for you. Or you can use a commercial product like F5. – DDS Jan 09 '17 at 03:02