Controlling Certificate Names and CSRs - Which Client to Use

cr9c1 · May 22, 2017, 1:44pm

I’m just needing a little guidance… perhaps someone can help. I need a client that I can set up to automatically renew my certificate via a cron job, or what have you, that will allow me to specify the output certificate names, and will accept the use of a certificate signing request, all without a web server being run. I have tried certbot-auto on Debian 8, which works, but the output certificate names are somewhat random so I would need to write a script to copy those certificates to the correct location. Certbot-auto works perfect as far as actually renewing the certificate, but it doesn’t appear it offers the ability to specify output certificate names which is something I need. Does anyone know of any clients that would fit this need? Allows use of CSR, and output certificate names, without running a web server on the machine(i.e. standalone mode)? Thank you in advance. This is a fantastic product you have here.

tialaramex · May 22, 2017, 1:58pm

I believe https://acme.sh/ would be able to do this
https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR

See the main documentation for how to tell the shell script the filenames you want for things

cr9c1 · May 25, 2017, 2:38am

Thanks. I got acme.sh up and running. All appears well, appreciate the tip on acme.sh. It does what it says it will. I have noticed some people prefer generating a new private key with each certificate renewal. I noticed the script checks for the presence of a csr file and then signs from that csr if it exists. I’m assuming that at each renewal, it will reuse that CSR with the updated certificate? If I were to opt out of using my own CSR, would it reissue a new key each time it renews?

ahaw021 · May 27, 2017, 10:12am

hi @cr9c1

There are a couple of challenges with what you are proposing that I would like to outline

A) CSRs are linked to private keys. In cryptography it’s basically a way of saying for given domains I would like to use RSA or ECC key x to represent domains Y
B) Good Practices are to renew ECC or RSA domain keys on each renewal
C) Why are you trying to keep the same CSR - I understand there may be valid reasons but please articulate your reasons
D) Certbot will support what you want

paths:
Arguments changing execution paths & servers

–cert-path CERT_PATH
Path to where cert is saved (with auth --csr),
installed from, or revoked. (default: None)
–key-path KEY_PATH Path to private key for cert installation or
revocation (if account key is missing) (default: None)
–fullchain-path FULLCHAIN_PATH
Accompanying path to a full certificate chain (cert
plus chain). (default: None)
–chain-path CHAIN_PATH
Accompanying path to a certificate chain. (default:
None)
–config-dir CONFIG_DIR
Configuration directory. (default: /etc/letsencrypt)
–work-dir WORK_DIR Working directory. (default: /var/lib/letsencrypt)
–logs-dir LOGS_DIR Logs directory. (default: /var/log/letsencrypt)
–server SERVER ACME Directory Resource URI. (default:
https://acme-v01.api.letsencrypt.org/directory)

Andrei

schoen · May 31, 2017, 12:03am

It could easily be for embedded devices or public-key pinning, neither of which is very objectionable.

I've suggested that changing keys regularly helps if you have, for example, frequent or occasional negotiation of non-forward-secret ciphersuites, but unfortunately Certbot currently fails to then destroy the old keys, meaning that we don't really get the full benefit. (It's more credible that an adversary would compromise a server to steal the old private keys on it than that the adversary would use some super-expensive unknown cryptanalytic attack to derive them from the old public keys.)

github.com/certbot/certbot

Purge old private key material

opened 11:22PM - 09 May 17 UTC

closed 03:31AM - 20 Jan 23 UTC

schoen

area: cert management area: security

Related to #4634. When we designed the lineage format with `/etc/letsencrypt/…archive`, we thought * sysadmins will *manually inspect* their new certificates before "deploying" them * sysadmins might find something to dislike about new certificates and choose not to use them * sysadmins might notice something to dislike about new certificates after they're deployed and reverse the deployment by reactivating an older certificate We've since almost entirely abandoned the first two concepts (for example, the default gap between obtaining and deploying a cert, which I had originally conceived of as one week, has been reduced to zero and the same code paths that obtain certs normally immediately attempt to install them). I'm not sure I've heard of any cases where sysadmins have deliberately used the third option, since if they dislike the new cert (which is rather rare), they will probably just go ahead and get an even newer cert. It's not necessarily inappropriate to have, or have the option of having, some history just in case the third situation actually comes up in an unanticipated circumstance, but there is a security cost to having lots of key material preserved indefinitely, and that's the case specifically where clients negotiate non-PFS ciphersuites with servers, such as `TLS_RSA_WITH_AES_128_CBC_SHA256` or `TLS_RSA_WITH_AES_128_GCM_SHA256`. In the last few years there has been a general deprecation of these ciphersuites in favor of (mostly) DHE and ECDHE ciphersuites. The difference is pretty significant; in DHE and ECDHE, the client and server exchange ephemeral Diffie-Hellman parameters which are discarded after the session negotiation is complete. These parameters are used to derive the session key. It's not thought to be feasible to derive the session key from the ephemeral parameters without solving the discrete logarithm problem (or elliptic curve discrete logarithm problem, in the case of ECDHE) and it's not clear that even powerful attackers will ever succeed when the parameters are chosen appropriately. (Unfortunately they will succeed when the parameters are chosen inappropriately. :frowning_face:) By contrast, in the non-DH RSA ciphersuites, RSA is used *directly* for key exchange: the client picks the session key and encrypts it under the server's RSA public key, then transmits this encrypted key over the wire. That means that the server private key that was in use in the course of that key exchange can be used directly to recover the session key; indeed, Wireshark has a feature that does exactly this if you give it a server private key. (The way this breaks with PFS ciphersuites is something that has really annoyed people who are trying to do legitimate consensual network debugging of TLS-wrapped protocols, and I assume also really annoyed wiretappers.) Our `/etc/letsencrypt/archive` directory is a useful target for anyone who wants to read old non-PFS TLS traffic with a particular server known to be running Certbot. If they can get ahold its contents, even years later, they can just go back to the appropriate 60-day period and plug the key into Wireshark and read any non-PFS HTTPS traffic they've intercepted. The best remedy for this is to get more use of PFS ciphersuites, but I'm concerned that they only represent the majority of TLS traffic today, not the overwhelming majority, and hence there would still be potentially significant value for an attacker to try to compromise a machine to steal its old key material, that we helpfully maintain (in duplicate) in `/etc/letsencrypt/archive` and `/etc/letsencrypt/keys`. I believe that old private keys should be purged, as best we can, on some schedule, in order to reduce the risk to old non-PFS TLS session contents. Maybe not immediately after renewal, but maybe after a second successful renewal, for example. It's not perfect, but we can `shred -u` the key file or something, creating a low probability that its complete contents will be recoverable later, rather than an effective certainty. This could also be a configurable option, which probably should be enabled by default (maybe `purge_old_privkeys = True` or something). We don't even need to unlink the files if we don't want to invalidate lineages from the broken symlink point of view. We can use `shred` instead of `shred -u`, and then the file still actually exists, but its contents have been overwritten a couple of times.

system · June 30, 2017, 12:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.