Hacker News new | past | comments | ask | show | jobs | submit login
Know How To Roll Your SSL Certificates (petekeen.net)
120 points by zrail on Aug 13, 2014 | hide | past | favorite | 35 comments



"There's not much you can do to protect yourself against a service provider's certificate expiring,"

Well if you're a large bank or a heavyweight payment processor where an outage means lost $$$$ and not only $, you could easily have a few SSL certs from various root certs ready and roll one of them out once the sh*t hits the fan.


1) monitor the complete certificate chain

2) indeed have a backup certificate ready (might be non EV), this is especially a must if you use HSTS [1] (which you should use BTW) it is actually a (low priority) government recommendation (B5-6) in The Netherlands [2], but that might have something to do with the government heavily using DigiNotar which got compromised and had it root certificates revoked by Microsoft which caused some communication issues..

[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

[2] https://www.ncsc.nl/binaries/nl/dienstverlening/expertise-ad... (in Dutch)


If you want to verify the complete chain or see if any of it is expired, I wrote some tools that'll do just that. It uses a pre-existing directory of CA certs (which you can generate with an included Makefile and cacert.pem) and downloads intermediaries.

https://github.com/psypete/public-bin/tree/public-bin/src/ne...


That's basically what Stripe ended up doing. They stopped returning their EV certificates and started returning their non-EV wildcard '*.stripe.com' certificate.


Nice. EV is of not much use for their embedded form anyway.


    Just make a monthly recurring entry in your calendar that says "Check SSL certificates". 
If you rely on your calendar, it's simpler to create an entry in your calender for changing the certificate a few days prior to its expiration date. Monthly reminders will be ignored too easily.


Better yet, add an SSL check to your monitoring system: open a ticket when it's going to expire in 30 days.


FYI I updated the post to mention monitoring systems.


A few days is probably cutting it a bit fine - what if you turn out to have an account problem with your cert provider?


s/days/weeks/g


> This is easy. Just make a monthly recurring entry in your calendar that says "Check SSL certificates".

I was honestly expecting them to reference a monitoring service. It is possible to do for free with Nagios if you have a Linux box kicking around on your network. There are also paid services who will monitor your certificates and send you a nice email when there is 30 days left to renew (including several SSL registers).


Here's a Python script I used when I ran a SSL monitoring site: https://gist.github.com/bretwalker/5420652. It'd be easy enough to get this running as in cron job.


We use http://certalert.me/ it's free and it does multiple domains. I don't know if would have caught stripe's problem.


Yes, do it automated and do it daily or even multiple times a day.


You need to automate it if you have more than 1 site. If you have just one site, you can just check the expiry date and put that in your calendar. No need to check it on a monthly basis, no clue why the author of the post would suggest that.


Even root or intermediate certificates can be misconfigured without notice, it doesn't need to be allways the expired date case.


I don't use it for this, but the Vigil App (iOS) will monitor and report SSL errors. It's a pretty basic app, but it is also set-it-and-forget-it easy.

http://vigil-app.com/support/#ignore_ssl


I'd go with 2048 RSA key length, and put the certificate subject straight in the command line:

  openssl req -nodes -newkey rsa:2048 -keyout www.example.com.2014.key -out www.example.com.2014.csr -subj "/C=COUNTRY/ST=STATE/L=CITY/O=COMPANY/OU=/CN=www.example.com"
I have exactly this in an Ansible playbook https://github.com/tilsammans/playbook (for rails).


The `genrsa` command is generating 2048 bit keys already. I added `-sha256` and `-utf8` based on some other feedback, though. Thanks!


The "default" in many configs is still actually 1024 bits, which is of course too small.


  Process
  - Know where your key is
  - Know how to generate a new CSR from that key
It's adviced to use a NEW private key, in case there was a private key compromise you didn't know about.

Also see https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Pr... (point 1.2).

BTW there is NO reason to regenerate the CSR if you reuse the private key.


Ah, that makes total sense. I'll update the post and the script.

Thanks!

Edit: updated


You should not reuse private keys, you are wasting a opportunity to replace it if it has been compromised without your knowledge.


If you want to be notified when your SSL certificates are about the expire, or when there's something wrong with them, I'm building a SaaS that will keep track of these things for you:

http://www.domainsquire.com/


Best of luck with this! I had the same idea, but I prototyped a hack using django admin + cron jobs.


You can also configure alerts to be sent when domains and SSL certificates expire using Expiration Reminder. We already have customers using it specifically for SSLs:

http://www.expirationreminder.net


All the certificate providers I've used get pretty insistent about renewing certs (given the huge cash-cow it is for them), I'm surprised this is a very common issue.


I'd guess a lot of issues are it going to old email addresses. Either staff who have left, team or company names changing, etc.


slightly off topic: i wonder why google (or mozilla) do not add something like a "less secure" root CA service where everybody can get a ssl cert for free (after showing control over the domain).

this would degrade the annoying message to a simple warning and probably make lots of hobbyist websites use only ssl.

(if you have to choose between annoy your user or just using plain http i guess many choose the later.)


Ever heard of StartSSL Free?

https://www.startssl.com/?app=39


StartSSL is great. I'm able to role and go live with SSL certs, now i've written down the process, in less than half an hour, with checking and all other stuff involved.


As much as I like the idea of free SSL certificates... For anything beyond a personal site, even an hour is crazy.

I can have a basic SSL certificate in 15 minutes at the outside for like $8. My time at work is worth a lot more than $8/hr.


I'm intrigued to know how the process for a 8$ cert is different to that of a basic free StartSSL cert. The last paid for certificate I got was a year ago, and getting a StartSSL certificate is just as streamlined a process as the paid one. The only thing I can think of is if you are talking about certificates with wild-card matching, which will save time on the individual certificates you have to get when free. But for $8, is it possible to get a wild-card matching one?


A good guide to creating your own CA to go with this:

https://pki-tutorial.readthedocs.org


Setting up your own CA is fine for certificates that will only be used internally, but anything customer facing needs a customer issuing certificate (unless you're a large enough company that can afford to get a certificate that allows you to sign new certs.)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: