Managing Certbot with Sub domains for HTTP Public Key Pinning

I’m setting up a web server with Public Key Pinning, and the best practice to do so is to keep a private key and certificate signing request (CSR) offline, with the CSR in your pin list, in case you need an escape hatch and need to get a certificate somewhere you didn’t put in the rest of your pins.

Let’s say I need a certificate that is signed for both example.com and www.example.com. I know how to generate a key, and generate a CSR with a single common name, and then how to get certbot to generate a certificate from a CSR.

But what if I want more than that common name, and I want the two domains I listed above? How would I generate that CSR with OpenSSL so that certbot could generate a single certificate with both names as SANs?

Does certbot/LE automatically add the apex domain when signing a www subdomain, like some other CAs do (eg. RapidSSL)? Or would I have to use instructions like this to generate the CSR?

Thank you.

No.

Yes. :slight_frown:

As an alternative, how about just generate the private key? You can generate a CSR for it later if you ever need it.

hi @dtemp

It all depends on how you setup your HPKP

Specifically:

Including Subdomains In HPKP

There are 2 ways of dealing with subdomains that also utilise TLS on your site. You can have each domain issue its own unique HPKP policy that specifies the fingerprints for identities to be used on that domain, or, you can issue a HPKP policy at the top that will cascade down all subdomains by using the includeSubdomains directive. Each method has advantages and drawbacks.

http://www.exploresecurity.com/five-considerations-for-http-public-key-pinning-hpkp/ is also another guide

So to answer your question no certbot has no way of knowing what your subdomains are therefore it is not able to create automatic subdomains

You may ask why no www. - well that’s a good question. The main problem with validations is each subdomain has to be validated. Users may not have a www. subdomain or may have another service provide SSL certificates for it.

Generally it’s hard to guess what people do. As an example look at the amount of trouble people have with the apache plugin (which should be a fairly consistent setting) so not taking guesses is a good approach

Andrei

I do agree that BYOK (bring your own key) is a feature that should be available in Certbot so please submit a feature request

With a BYOK strategem you should be able to specify domains you want to cover

In HPKP (HTTP Public Key Pinning) you generally want to keep the private key as you can generate all other articfacts CSR and Cert from it

Another approach is to generate 3 copies of the certificates each time (1 active and 2x standby)

Andrei

If you want to have an "offline spare" with HPKP, you can pin a hash of a CSR but not of a private key. The CSR having the owner info, what domains it's valid for, and the public key. You can then get any CA to sign that cert and include expiry info with it, and it would be trusted by people who have your old pinning list.

1 Like

That’s a good explanation for why an ACME-based CA wouldn’t grant certs for extra domains, thank you. I suppose other companies can do it because they just email the WHOIS contact and, once they establish domain ownership, they’ll put whatever subdomains you want (including wildcards).

Certbot supports this.

I am well aware that certbot accepts CSRs

Yes. You can obtain a certificate for an existing CSR, which means you may generate your own CSR using your own private key. However, certbot will not accept a private key as input and generate a CSR for you.

I believe you are confusing CAA with HPKP.

I am not aware of any validations by CA’s of HPKP policies

Review this article for pinning options: https://scotthelme.co.uk/guidance-on-setting-up-hpkp/

I think the easiest thing to pin is the intermediates (let’s encrypt) meaning that you can always issue a new certificate if a certificate is compromised without having to worry about keeping backup keys etc

Andrei

Working on this. :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.