Sunday, April 19, 2015

TLS/SSL for Web Services

TLS protection should be a standard security policy these days. It's commonplace for servers hosting web pages and web services.

Certificates are inexpensive and relatively simple to set up and use. The basic outline is that you generate a private key on your server and pass this to the CA. They use this to generate the certificate and public key. They send you back the certificate and publish the public key on their servers. The certificate, private key and the CA's chain certificates are installed on your server and bound/configured for use by the web service in question.

A third-party browser pointed to your HTTPS URL requests the certificate, which it uses to look up the host server's details with the CA and obtain the public key. The browser then uses the public key to lock the session key it generates. Only the matching private key can unlock and obtain the session key locked by the related public key, which is what the host server does; both machines then hold identical keys to use for all further communication in that session.
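The lock/unlock step in the paragraph above, replayed with openssl as an added example (not code from the original post): the server publishes only its public key, the browser side encrypts a freshly generated session key to it, and only the server's private key recovers it. File names under WORKDIR are constructed. Current TLS (1.3, and the recommended 1.2 suites) replaces this RSA key transport with an ephemeral Diffie-Hellman exchange, so that a later leak of the private key cannot unlock recorded sessions; the certificate's key is then used only to sign the handshake.

```shell
#!/bin/sh
# Added example, not code from the original post: the "lock the session key
# with the public key, unlock it with the private key" exchange replayed with
# openssl. File names under WORKDIR are constructed for the demonstration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Host server: generate the RSA key pair and publish only the public half.
make_server_keys() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"        # the private key never leaves the server
    openssl rsa -in "$WORKDIR/server.key" -pubout -out "$WORKDIR/server.pub" 2>/dev/null
}

# Browser: generate a random session key and lock it with the server's public key
# (RSA-OAEP padding, so a wrong key fails cleanly instead of yielding garbage).
browser_lock_session_key() {
    openssl rand -hex 32 > "$WORKDIR/session.browser"
    openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORKDIR/session.browser" -out "$WORKDIR/session.locked"
}

# Host server: unlock the session key with the private key.
server_unlock_session_key() {
    openssl pkeyutl -decrypt -inkey "$WORKDIR/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORKDIR/session.locked" -out "$WORKDIR/session.server"
}

# Exit status 0 when both sides now hold an identical session key.
session_keys_match() { cmp -s "$WORKDIR/session.browser" "$WORKDIR/session.server"; }

# Exit status 0 when an unrelated private key is (correctly) unable to unlock it.
wrong_key_fails() {
    openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null
    ! openssl pkeyutl -decrypt -inkey "$WORKDIR/other.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORKDIR/session.locked" -out "$WORKDIR/session.wrong" 2>/dev/null
}

# Run the whole exchange when invoked as: sh keytransport.sh run
if [ "${1:-}" = "run" ]; then
    make_server_keys && browser_lock_session_key && server_unlock_session_key
    session_keys_match && echo "session keys match" && wrong_key_fails && echo "other key rejected"
fi
```

The OAEP padding option is chosen deliberately: with the older PKCS#1 v1.5 padding a decryption under the wrong key occasionally passes the padding check and returns random bytes, which is exactly the kind of ambiguity a key-exchange demonstration should not have.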

Here are the main elements and terms you may come across when setting up SSL protection using a Certificate Authority (CA):

Machines:

  1. Host Server - where your web page or services are being run.
  2. Browsing Server - the party that wishes to communicate with your server in a secure way.
  3. Certificate Authority - the party that enables the secure communications by issuing certificates and publishing public keys.

Information/Documents

  1. Certificate Request - The private key generated on the host server
  2. Common Name (CN) - the URL used to access the host server with the HTTPS protocol.
  3. Subject Alternative Name - one or more other URLs used to access the host server with HTTPS protocol. 

To generate the private key, various methods are described here; you can also use the MMC with a Certificates snap-in to do the job.

Here is the MMC method:
  1. Open MMC and add the Certificate (Local Computer) snap in
  2. Ctrl + M | Choose 'Certificates' | Add | OK
  3. Pick 'Computer Account' | Local Computer | OK
  4. Expand out Certificates and right click | All tasks | Advanced Operations | Create Custom Request
  5. Certificate Enrolment - Proceed without enrolment policy | Next
  6. Custom Request - Template | Choose '(No Template) Legacy Key' | Uncheck 'Suppress default extensions' | PKCS #10 | Next
  7. Expand down 'Details' on the Custom Request line | Click 'Properties' to open the dialogue with 4 tabs
  8. General Tab - Fill in what you like
  9. Subject Tab - Fill in 'Common Name' with your sub-domain and any other fields your CA may require
  10. Extensions Tab | Key Usage - Digital signature | Extended Key Usage - 'Server Auth.' & 'Client Auth.'
  11. Private key Tab | Cryptographic Service Provider - 'MS RSA SChannel Crypto. Provider' | Key Options - 'Key Size: 2048' and Check 'Make private key exportable' | Key Type - 'Exchange'
  12. Click OK | Save the key somewhere and send to your CA when requesting a new Certificate or Re-keying an existing one.

The file you created can be referred to as a certificate request and contains your private key as well as the other details you completed. The contents are encoded text that starts with:

-----BEGIN NEW CERTIFICATE REQUEST-----

You can check the validity using openssl, or via a web service if it's just a test.

openssl req -in mycsr.csr -noout -text
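The same request built with openssl instead of MMC, as an added example (not code from the original post): the config section mirrors the Subject, Extensions and Private key tabs above (CN, SAN, key usage, EKU, 2048-bit RSA), and the functions after it run the checks a practitioner wants before the file goes to the CA, starting with the `openssl req ... -noout -text` command just shown. Host names, organisation and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: build a PKCS#10 CSR with
# openssl carrying the same settings as the MMC tabs (CN, SAN, key usage, EKU,
# 2048-bit RSA) and inspect it with "openssl req ... -noout -text".
# Host names, organisation and file names are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="www.example.test"                             # Subject tab: Common Name
SAN="DNS:www.example.test,DNS:example.test"       # Subject Alternative Names

# Generate the private key and the CSR in one step.
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
O = Example Ltd
C = GB
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $SAN
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/csr.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"   # the key stays on the host; only server.csr is submitted
}

# The check from the post: decode and print the request.
show_csr() { openssl req -in "$WORKDIR/server.csr" -noout -text; }

# Individual checks worth running before the CSR is submitted:
csr_verify()   { openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1; }   # self-signature intact
csr_cn()       { openssl req -in "$WORKDIR/server.csr" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'; }
csr_key_bits() { show_csr | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
csr_has_san()  { show_csr | grep -q "DNS:$1"; }
csr_has_private_key() { grep -q 'PRIVATE KEY' "$WORKDIR/server.csr"; }  # expected to fail: the CSR holds only the public key

# Build and print the request when invoked as: sh makecsr.sh run
if [ "${1:-}" = "run" ]; then
    make_csr && show_csr
fi
```

The `-verify` check matters more than it looks: the CSR is self-signed with the new key, so a request whose self-signature does not verify was either corrupted in transit or never matched the key you are about to install the issued certificate against.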

My experience of CAs is limited to www.starfieldtech.com, but I think they offer a great service and very good value certificates; they are the R&D arm of internet giant GoDaddy. The simple SSL certificate from Starfield, which is all you would need for a single web service, costs just over £6 per annum.

As for the range of different SSL certificate types, this comes down to how many domains you wish to protect with a single certificate, plus a marketing/consumer/cosmetic issue specific to web pages, such as having a 'green bar' with your company name in the URL bar, e.g. https://www.paypal.com. These more expensive certificates require much more rigorous validation by the CA, so they take longer to issue (10 days+); the simple 'vanilla' SSL takes only minutes.

In the example of Starfield, you purchase your SSL certificate and then submit the CSR; Starfield do whatever validation they need to. For example, in the case of wingateUK.com, after submitting my CSR they looked up my contact details for the domain on WhoIs and emailed me. I clicked a link and that was it: approved.

How you install the certificate may depend on how you requested it; as I requested mine via MMC, I installed it from there too.
  1. Expand out the Certificates (Local Computer) \ Personal \ Certificates & Right click 'Certificates'
  2. All Tasks \ Import
  3. Choose the file and run through the wizard

My particular web services application (MS Dynamics NAV) had me assign the relevant port using a tool that came with it, which also referenced the certificate's thumbprint; you can find that by double-clicking the certificate file and looking in the Details tab. Other applications may vary!
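Added example for the thumbprint step, not code from the original post: the thumbprint MMC shows is the SHA-1 hash of the certificate's DER encoding, so it can be computed and cross-checked with openssl, and a value pasted from the Details tab (which can carry spaces, colons and an invisible U+200E left-to-right mark) can be normalised before it is used in a binding such as `netsh http add sslcert`. The self-signed certificate, host name, port and appid GUID are constructed placeholders standing in for the CA-issued certificate and the application's own port tool.

```shell
#!/bin/sh
# Added example, not code from the original post: compute a certificate's
# thumbprint the way MMC shows it (SHA-1 over the DER encoding) and normalise
# a value pasted from the Details tab before using it to bind a port.
# File names, host name, port and appid GUID are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Stand-in for the CA-issued certificate: a throwaway self-signed one.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Strip separators, whitespace and the invisible U+200E mark that copy-pasting
# from the certificate Details tab can carry; output lowercase hex only.
normalize_thumbprint() { sed 's/[^0-9A-Fa-f]//g' | tr 'A-F' 'a-f'; }

# Thumbprint as openssl reports it ("SHA1 Fingerprint=AA:BB:...").
cert_thumbprint() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | normalize_thumbprint
}

# Cross-check: the thumbprint is nothing more than SHA-1 of the DER bytes.
cert_thumbprint_from_der() {
    openssl x509 -in "$WORKDIR/server.crt" -outform DER | openssl dgst -sha1 \
        | sed 's/^.*= *//' | normalize_thumbprint
}

# Exit status 0 when a pasted thumbprint identifies the installed certificate.
thumbprint_matches() {
    [ "$(printf '%s' "$1" | normalize_thumbprint)" = "$(cert_thumbprint)" ]
}

# Windows binding command for the port (printed only; netsh is not available here).
# The all-zero appid is a placeholder; use the GUID of the application that owns the port.
binding_command() {
    printf 'netsh http add sslcert ipport=0.0.0.0:%s certhash=%s appid={%s}\n' \
        "${1:-8443}" "$(cert_thumbprint)" "00000000-0000-0000-0000-000000000000"
}

# Run when invoked as: sh thumbprint.sh run
if [ "${1:-}" = "run" ]; then
    make_test_cert
    echo "thumbprint: $(cert_thumbprint)"
    binding_command 8443
fi
```

Comparing the normalised pasted value against the thumbprint computed from the installed certificate, rather than trusting the paste, catches the common failure where the binding silently points at an expired or wrong certificate because a hidden character or a stray space made the thumbprint not match anything in the store.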

One final note on SSL web services: the free-to-use WebServiceStudio v2 does not appear to work over HTTPS, but SoapUI does, and it's also open source, which is always nice.