I'm attempting to create a local web server using Flask, a Python microframework, that uses the PKIs on a DoD CAC.

I've created the self-signed root CA and server certificate and key following this set of instructions. I then downloaded the necessary CA files from here which were:

  • DOD ID CA-49
  • DOD EMAIL CA-50

From there I've loaded up the following basic "hello world" application:

```python
import ssl
from flask import Flask

app = Flask(__name__)

@app.route("/")
def main():
    return "Hello World"

if __name__ == '__main__':
    # Server-side TLS context (PROTOCOL_TLS_SERVER is the server-specific
    # constant; the generic PROTOCOL_TLS is deprecated).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Require the browser to present a client certificate (the CAC cert).
    ctx.verify_mode = ssl.CERT_REQUIRED
    # CA certificate(s) used to validate the presented client certificate.
    ctx.load_verify_locations('DODIDCA_49.pem')
    # Server certificate and private key presented to the browser.
    ctx.load_cert_chain('localhost.crt', 'localhost.key')
    app.run(ssl_context=ctx)
```

This runs on https://127.0.0.1:5000/ and when I visit it through Microsoft Edge it prompts me for my CAC credentials (I can pick either certificate to use and enter my PIN). Once my PIN is input, the page reloads and says the website is not secure. If I remove the verify_mode and load_verify_locations lines, I'm no longer prompted for my CAC credentials and the website loads to print the text.

I desire the previous sequence which requires me to pick a valid credential, but I cannot figure out how to get the browsers to trust the server certificates in conjunction with the DoD CAs provided.

How can I accomplish this on Windows 10?

pstatix
  • Self signed certs will not be trusted; they are intended for testing, not production use, and will always be recognized as not originating from the same certificate chain as the DOD files. If you want everything to be trusted, you need an actual DOD server certificate with the full certificate chain. – pmdba Jul 17 '20 at 02:48
  • @pmdba Which is fine and is what I figured I would need to do. I would need to generate a CSR and have the DOD provide server certificates. But for testing, how would I get the browser to not complain about it? I want to test accessing the certificate information – pstatix Jul 17 '20 at 12:02
  • Depends on the specific browser. IE and Edge will generally not allow you to ignore "bad" certificates for any reason. Firefox has an option to accept risk and ignore future warnings. Chrome may still prompt you but allow you to proceed. – pmdba Jul 17 '20 at 14:27
  • @pmdba Exploring all this certificate stuff in depth for the first time, I've mostly just used PKIs to extract the certificate/key into PEM format to send via API requests. I was reading [this](https://www.thesslstore.com/blog/root-certificates-intermediate/) article explaining the chain. Now I have no access to root, just the PKIs which are signed by the intermediate. For the intermediate though, I only have the certificate so therefore the server doesn't fill the DoD chain. Is the chain: `PKI (verified with CA/intermediate) > Server (once signed) > Root`? – pstatix Jul 17 '20 at 18:40
  • @pmdba In other words, what role does the intermediate CA certificate play here? I cannot use it to sign the server certificates (no private key), but is it used to verify the certificates against it? – pstatix Jul 17 '20 at 18:41
  • More like server > intermediate > root and pki > intermediate > root. Two different chains, one for the user and one for the server. Both the user and server certs are generated from the same set of "current" CAs, which are in turn validated by another couple of levels of intermediate and root CAs. The web server needs to have the complete list of all CAs to be able to construct trust chains for both the user and the server. – pmdba Jul 17 '20 at 18:54
  • @pmdba Okay, so if I need to use the self signed certificates for testing, but I also need to use the `pki > intermediate > root` chain as part of that testing, what options do I have? There don't seem to be any development server certificates available. – pstatix Jul 17 '20 at 19:00
  • You can have your self-signed cert and the DOD certificate chain together in the server config. It still won't work with IE or Edge - they'll only work with "safe" server certificates - but you should be able to test with Firefox or possibly Chrome. – pmdba Jul 17 '20 at 19:11
  • @pmdba Unfortunately I cannot get it to work with either of those browsers, constant SSL_Handshake_Failure_Alert messages. – pstatix Jul 19 '20 at 16:02
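The comment thread's point, that the server must hold the complete chain (root and intermediates) to validate the CAC certificate and that a self-signed server certificate is never reachable from that chain, can be seen in a simplified model of X.509 path building. This is an added example, not code from the question or from any answer; the certificate names are constructed placeholders (only "DOD ID CA-49" is from the question, and the root's name is invented), and the model mirrors only OpenSSL's default rule that a chain must end at a self-signed certificate present in the trust store, unless the partial-chain flag (X509_V_FLAG_PARTIAL_CHAIN) is set.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed (root) certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed test PKI. "DOD ROOT CA (placeholder)" is not a real DoD CA name.
ROOT = Cert("DOD ROOT CA (placeholder)", "DOD ROOT CA (placeholder)")
ID_CA_49 = Cert("DOD ID CA-49", ROOT.subject)          # intermediate
USER_CERT = Cert("CAC user cert (placeholder)", ID_CA_49.subject)
SERVER_SELF_SIGNED = Cert("localhost (self-signed)", "localhost (self-signed)")


def build_chain(leaf: Cert, trust_store: Iterable[Cert],
                extra: Iterable[Cert] = (), partial_chain: bool = False
                ) -> Tuple[bool, List[str], str]:
    """Walk issuer links from `leaf` until a trusted anchor is reached.

    `trust_store` models load_verify_locations(); `extra` models untrusted
    certificates the peer sends along with its leaf. By default the chain
    must end at a self-signed cert in the trust store (OpenSSL's default);
    with partial_chain=True any trusted cert, e.g. an intermediate, suffices.
    Returns (ok, subjects in chain order, reason).
    """
    trusted = set(trust_store)
    by_subject = {c.subject: c for c in list(extra) + list(trusted)}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while True:
        if cur in trusted and (cur.self_signed or partial_chain):
            return True, [c.subject for c in chain], "anchored at trusted cert"
        if cur.self_signed:  # reached a root that nobody trusts
            return False, [c.subject for c in chain], "self-signed cert not in trust store"
        issuer = by_subject.get(cur.issuer)
        if issuer is None or issuer.subject in seen:
            return False, [c.subject for c in chain], f"unable to get issuer certificate '{cur.issuer}'"
        chain.append(issuer)
        seen.add(issuer.subject)
        cur = issuer


if __name__ == "__main__":
    print(build_chain(USER_CERT, [ID_CA_49]))        # fails: root missing
    print(build_chain(USER_CERT, [ID_CA_49, ROOT]))  # ok: full chain loaded
```

With only DOD ID CA-49 loaded, the user chain stops at the intermediate and cannot reach a self-signed anchor, which is the same "unable to get issuer certificate" condition that surfaces as a handshake failure; loading the root alongside the intermediate fixes the user chain, while the self-signed server certificate still fails against that store because it is its own, untrusted root.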
