
Generate Keymaster CA to be used as client only certificates #144

Open
bjhaid opened this issue Jan 19, 2022 · 5 comments
Comments

@bjhaid

bjhaid commented Jan 19, 2022

This will allow distributing the CA certificate to machines for trust and not worry about the certificate trusting servers. The certificate should probably have only the ExtKeyUsageClientAuth bit set

@cviecco
Contributor

cviecco commented Jan 27, 2022

Do you mean keymaster's CA cert as downloaded from https://keymaster.example.com/public/x509ca? I don't understand the question (why would clients want this cert anyway?). Or if it's something else, can you explain and provide steps for reproducing?

@rgooch
Member

rgooch commented Feb 24, 2022

@bjhaid Ping?

@bjhaid
Author

bjhaid commented Mar 2, 2022

I don't understand the question (why would clients want this cert anyway?).

These certs need to be trusted on the client's machine to prevent the continuous prompts to manually trust the certificate. To prevent the CA from being used to issue a server cert that can MITM the user's traffic, the CA needs to explicitly indicate it is only used for signing client certs and nothing more. As it is today the CA can be used to sign both server and client certificates.
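To make the requested constraint concrete, here is an added Go example (not Keymaster's own code) that builds a self-signed CA whose only extended key usage is ExtKeyUsageClientAuth, issues one client certificate and one server certificate from it, and checks both chains with Go's crypto/x509 verifier, which requires every certificate in a chain to permit the requested EKU. The function names NewClientOnlyCA, IssueLeaf and ChainValidFor and the subject names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh Ed25519 key for tmpl and signs it with parent/signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewClientOnlyCA builds a self-signed CA whose only extended key usage is ClientAuth (constructed subject name).
func NewClientOnlyCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed client-only CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, nil, nil)
}
// IssueLeaf issues an end-entity certificate carrying the single EKU eku from ca (what a compromised CA key could do).
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, eku x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}, ca, caKey)
}

// ChainValidFor reports whether leaf chains to ca when the verifier demands eku on every certificate in the chain.
func ChainValidFor(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}
```

Whether this actually stops a server certificate minted under the CA depends on the relying party: Go's verifier rejects the ServerAuth chain because the CA lacks that EKU, but other TLS stacks and browsers differ in how strictly they apply EKU on CA certificates, so treat the CA's EKU as a defence-in-depth signal rather than a guarantee.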

@cviecco
Contributor

cviecco commented Mar 4, 2022

@bjhaid what OS/browser combination are you seeing?
The expected behavior (when using a browser) is:

  1. The browser connects to the server and in the TLS handshake asks for an optional client side certificate. The server side certificate should be signed by a trusted authority.
  2. There should not be a need to inject the keymasterCA into users' browsers; it should only be needed by servers that want to trust keymaster x509 certificates for clients (and while we could add the needed x509 flags) I am confused by the ask.
  3. The clients should try to NOT use the optional cert (but chrome does not do this, instead it asks if there is any cert the client wants to use, and users should cancel/ignore this). After this no more client interaction is expected.

Can you detail here the behaviour you are seeing, and what are you expecting?

@bjhaid
Author

bjhaid commented Mar 16, 2022

The behavior I am seeing is:

  1. The browser asks me for a client cert to present to the server as below (issuer and serial intentionally grayed out):

[Screenshot: Screen Shot 2022-03-16 at 2 17 14 PM]

  2. I get the prompt asking to trust, as in the screenshot:

[Screenshot: Screen Shot 2022-03-16 at 2 11 44 PM]

That prompt shows up 4-5 times.

When I had not trusted the server's CA I would get prompt number 2 every time I tried logging into keymaster/cloudgate. To prevent that from happening, rather than requiring every user to manually trust the cert we can instead distribute it to the users.
