
I am developing an internal web application. I think it would be a good idea to secure the local web server with an https certificate. I read several postings recommending certificates on local servers. This is a large company with its own Certificate Authority, i.e., the Networking group creates the certificates. This group told me to create the CSR so that they can create the certificate.

Now I found numerous tutorials for creating a CSR. The IIS web server has a CSR/Cert tool, and there is also a tool in the Windows MMC. The open source tool OpenSSL also seems useful.

My question now is whether it is correct to let a software developer create the CSR in the first place. Of course I will be able to figure out how to create a CSR, but is this the best way to keep the network secure? Should, in a large company environment with numerous servers and developers, security not be handled centrally by the networking group or by the system manager(s)?

This is a company environment where I, as a developer, am not trusted to be admin for my own development pc. But the system manager lets me decide to operate a server with http or https, lets me create and manage private key, and signs my CSR to create a certificate.

How can I be trusted, as a humble developer, to keep the primary key secret, to fill the CSR with true information, to install the certificate where it should be, and to renew the certificate in time?

Is this really secure, and is this how the CSR is meant to be handled?

Or should system mgmt enforce the use of https, and create the CSR itself, take care of the primary key, install the certificate, and take care of renewal?

I believe this is a general question, as many tutorials exist on how to create the CSR, but without discussing WHO should create the CSR and the implications on the overall security of the company network.

Roland
  • This is bound to be completely subjective. It's up to your organization to establish processes and infrastructure for certificate issuance and private key storage. – Marc Sep 18 '20 at 15:01
  • @Marc Thanks, that seems to be the attitude here. But does it not have much lower overall security if the certificate is left to a random developer instead of a dedicated security person? – Roland Sep 18 '20 at 15:41
  • Ideally your organization would have a process and infrastructure in place to deal with secrets (including private keys for certificates) so that developers don't have to reinvent the wheel every time. Sadly, many orgs don't put that much effort into it. – Marc Sep 18 '20 at 15:43
  • I think you're missing one exceptionally important point: there is no such thing as a random developer, and "security" is not some esoteric concept that only "professionals" can understand. Every developer needs to be aware of and actively involved in protecting against security concerns relevant to their work. If the only people who give thought to security are a specialized "security team" that only show up after development is done, then your applications will be a security disaster. Understanding basic security is good for you personally and your organization as well. – Conor Mancone Sep 18 '20 at 18:33
  • @Marc That's my point too. Why delegate the server certificate to the developers if the central network group, that installed and maintains the server, can do it better? After all, that cert belongs to the server, not to the apps. – Roland Sep 24 '20 at 09:26
  • @ConorMancone Indeed, as a developer I know some things about security, and requested a server certificate. Imagine, if I did not request that cert, nobody would stop me from allowing http access to my web app, as if the networking group didn't care. – Roland Sep 24 '20 at 09:28

1 Answer


This depends on who is responsible for keeping the application running. If the developer is fully responsible for installing the application on the server, monitoring its health etc., then it can make sense that the developer also has control over the certificate and its private key, since this is needed to keep the application running. In this case the network group might only provide resources like the hardware or VM and set up DNS.

If instead the network group is responsible for keeping everything running, then certificate management, including the creation of the CSR, is likely their duty too. There can also be a mix of responsibilities, for example if the network group just sets up a reverse proxy which translates HTTPS to HTTP and the developer keeps the HTTP-only application behind the reverse proxy running. In this case certificate management still lies with the network group.

What the right way is depends a lot on the established internal processes and available resources. It might also vary for different internal apps, depending on how sensitive and critical they are and who the users of the apps are. For example, company-wide apps might be managed by the network group while team-specific apps might be managed by the relevant team. Or it might be that initially less critical apps become more critical over time, in which case the responsibility for the app might be moved from the developer to the network group.

Steffen Ullrich
  • Thanks, but you make this a word game: depends on who is responsible... Should the system mgmt not enforce security and the most secure practices? – Roland Sep 24 '20 at 09:32
  • @Roland: "System management" (whatever this exactly is) is not necessarily responsible for enforcing all aspects of security. And even if they are, this does not mean that they actually have to do it themselves; they might also delegate tasks and part of their responsibilities. – Steffen Ullrich Sep 24 '20 at 12:52
  • Of course x might delegate work to y, but my question is if this is secure. If system mgt lets me store the private key of the CSR, and I lose it, or it gets leaked, the cert is not secure anymore. Someone must put in extra effort to secure the private key, so better leave this to sys mgt. Same for filling in the fields of the CSR. If I, who apparently cannot be trusted with the admin password of my own pc, fill in CN, system mgt has to double check, so might as well fill it in themselves. – Roland Sep 24 '20 at 15:48
  • @Roland: The question is never if something is __absolutely__ secure but if something is __sufficiently__ secure. You have to ask yourself how likely a compromise of the private key is this way and what harm someone could do with it. This risk should then be matched with the effort needed to secure the key. Additionally, system management might have more risky things to protect, and caring about your less risky thing might take valuable resources from protecting the more risky things. – Steffen Ullrich Sep 24 '20 at 15:56
  • You nail the point! I don't have to ask myself about the risks, because I am just the developer of some app on some server. I am not charged with security. I just wonder how, in 2020, this company is not worried about not having a server certificate on this machine. Usually I comply with requests, so I started creating CSRs, but found that my CSRs were rejected, first because of the wrong number of bits in the private key, then because of not having a SAN. Then I came to the conclusion that the sec. dept. had better create CSRs themselves. – Roland Sep 28 '20 at 08:45
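The question mentions OpenSSL as a CSR tool, and the last comment reports CSRs being rejected for the wrong key size and a missing SAN. The script below is an added example, not code from the original thread or from any of its participants: it generates an RSA key and a CSR with openssl(1) and then pre-checks the CSR against the kind of policy a CA team enforces (minimum key size, subjectAltName present) before it is submitted. The hostnames (app.internal.example, nosan.internal.example), the organisation name "Example Corp", the 2048-bit minimum and the extension set are all assumptions. The point worth noticing is the division of labour the thread is arguing about: the private key is created and stays on the requesting machine with restrictive permissions, and only the CSR, which carries the public key and the requested names, ever goes to the CA.

```shell
#!/bin/sh
# Added example (not from the original thread): create an RSA key and a CSR
# with a SAN using openssl(1), then pre-check the CSR the way a CA team would
# before signing it. The private key never leaves this machine; only the CSR
# (public key + requested names) is handed to the CA.
set -e

WORKDIR="$(mktemp -d)"   # scratch directory for key, config and CSR

# make_csr HOST BITS [SAN]
# Writes HOST.key (mode 600) and HOST.csr under $WORKDIR and prints the CSR path.
# SAN defaults to DNS:HOST; passing "none" deliberately omits the SAN extension
# (the mistake reported in the comments above) so the check below can catch it.
make_csr() {
  host="$1"; bits="$2"; san="${3:-DNS:$1}"
  key="$WORKDIR/$host.key"; csr="$WORKDIR/$host.csr"; cfg="$WORKDIR/$host.cnf"

  {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
    [ "$san" = none ] || printf 'req_extensions = ext\n'
    printf '[ dn ]\nCN = %s\nO = Example Corp\n' "$host"      # O is an assumed value
    [ "$san" = none ] || printf '[ ext ]\nsubjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san"
  } > "$cfg"

  openssl genrsa -out "$key" "$bits" 2>/dev/null
  chmod 600 "$key"                                            # keep the private key private
  openssl req -new -sha256 -key "$key" -out "$csr" -config "$cfg"
  printf '%s\n' "$csr"
}

# csr_key_bits CSR -> prints the RSA modulus size declared in the CSR
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public.Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_has_san CSR HOST -> succeeds if the CSR carries DNS:HOST in its SAN
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# check_csr CSR HOST -> 0 (accept) or 1 (reject) against the assumed policy:
# an RSA key of at least 2048 bits and a SAN covering HOST.
check_csr() {
  bits="$(csr_key_bits "$1")"
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "reject: key is ${bits:-unknown} bits (need >= 2048)"; return 1
  fi
  if ! csr_has_san "$1" "$2"; then
    echo "reject: no subjectAltName DNS:$2"; return 1
  fi
  echo "accept: ${bits}-bit RSA key, SAN DNS:$2"
}

# Usage with an assumed internal hostname: the printed CSR path is what you
# would hand to the CA; $WORKDIR/app.internal.example.key stays on the server.
csr="$(make_csr app.internal.example 2048)"
check_csr "$csr" app.internal.example
```

Running check_csr locally before submitting avoids the reject-and-resubmit loop described in the comments, and the same two checks are what a CA team can automate on their side if they decide to keep CSR creation with the developers.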