Archive for May, 2009

Alert when SSL certificate due for renewal

Thursday, May 14th, 2009

How many times has someone forgotten to renew an SSL certificate? Often it is because a previous admin has moved to another function. Here is a program that I wrote to check the ‘time to live’ of certificates on servers remotely using OpenSSL. Read the source code for details on how to call it. Download it here and put it in a daily cronjob that sends you e-mail if renewal time is near.

PGP Signed Web Page – Root Cert part 3

Monday, May 11th, 2009

While looking at ways to prove the authenticity of a PKI Root Certificate published on a web page I recalled this nice method of PGP signing a web page. The result looks like this.

You can validate the web page using GPG/PGP (get the public key)

wget http://example.com/root-cert-pem.html  
gpg --verify root-cert-pem.html

How to prove a Root Certificate – part 2

Monday, May 11th, 2009

Another way to prove the authenticity of the Root Certificate is to publish it signed by a certificate issued by a previously trusted PKI. This can be useful in the case where a PKI is being established to replace a legacy system. 

I have previously used the Mozilla NSS tool CMSUTIL to sign a data file but this time I decided to write a program using the Microsoft CryptoAPI on Windows because that it less sensitive to expired certificates. NSS CMSUTIL will not validate the signature if the signing certificate has expired and that could be a problem in this case as we are using a certificate from a legact PKI to sign the Root Certificate of the replacement PKI.

Here is the CMS signed data blob containing the Root Certificate cmssigned.dat 

You can verify the signature and examine the signing certificate using this program cms-verify.cpp and for completeness here is the program that I used to sign it cms-sign.cpp   

How to prove a Root Certificate

Thursday, May 7th, 2009

When a company establishes a PKI they usually publish their Root Certificate on their web site. Often they publish cryptographic hashes of the Root Certificate so that people who download it can verify that it has not been tampered with. The problem is that if anyone was able to tamper with the published Root Certificate (by compromise of the web page or a man in the middle attack) then they would also be able to tamper with the published hashes. 

I was involved in establishing a PKI and that set me thinking about how best to prove the authenticity of the Root Certificate. There are several ways. An obvious one is to use SSL on the web page. Another is to publish the hashes on multiple web sites, like this blog for example. So, here they are:    Root Certificate hashes   

Another way is to have the Root Certificate signed by an external key, such as the PGP Digital Timestamping Service and then publish the signature like this  root-certificate-timestamp.asc  

Here is the signature from another timestamping service TimeMarker    timemarkerorg_marker.pgp 

They also offer a service to timestamp a URL link and here is the result  timemarkerorg.zip