Certificates
A Public Key Infrastructure (PKI) is a crucial framework encompassing roles, policies, hardware, software and procedures to create, manage, distribute, use, store and revoke digital certificates. These certificates facilitate secure communication, authentication and data integrity between users, devices and servers.
The DD Engine @ DD1000i uses the following PEM formatted certificates and keys:
- Client certificate used to verify the client when communicating with the DD Manager.
- Server certificate with corresponding key to verify the server when a client communicates with the DD Manager.
- CA certificate used to verify the client certificate when communicating with the DD Manager.

For any organization using the DD Engine @ DD1000i for payload traffic, it is recommended to generate unique certificates and keys using a PKI approved by organizational policies. Advenica Customer Services can, on request, create a set of the required PKI elements, but such a set is suitable only for test environments.
Management recommendations
Company-specific guidelines for PKI should always be followed. Below follows a presentation of a few fundamentals relevant when using the DD Engine @ DD1000i. More information about TLS certificate management can be found at NIST.
- Regularly review and audit certificates. If any part of the TLS chain has been compromised, the entire DD Engine @ DD1000i should be updated with new certificates.
- Keep all systems involved in PKI updated with the latest security patches to address vulnerabilities that could impact the security of the PKI infrastructure.
- Safeguard private keys using strong encryption and store them in secure, tamper-evident containers. Limit access to those who genuinely need it.
- Store certificates and private keys in secure, dedicated repositories with restricted access. If using the auto-generated certificates, remember to also store the client certificate securely.
Certificate & key generation
When generating certificates and keys for the DD Engine @ DD1000i the created files must be PEM encoded and fulfil the requirements of TLS 1.3.
The following information is to be regarded as an example using OpenSSL to generate certificates and keys in a Linux environment. Further information can be found on https://www.openssl.org.
Prerequisites
Make sure the following is fulfilled:
- OpenSSL software is installed on the system.
Procedure
The generation procedure is based on several OpenSSL commands being run as described below. The resulting output (see table below) of each command will be saved to the directory where the command is run. All key and certificate filenames used in the following example can be replaced to fit organizational requirements.
The table presents the required files:
Step | Activity | Input | Output |
---|---|---|---|
1 | Create Certificate Authority (CA) | Command | CA.key CA.crt |
2 | Generate server CSR | Command | Server.key Server.csr |
3 | Create SAN configuration file | Text editor | san_config.txt |
4 | Sign server certificate | Server.csr CA.crt CA.key san_config.txt | Server.crt |
5 | Generate client CSR | Command | Client_A.key Client_A.csr |
6 | Sign client certificate | Client_A.csr CA.crt CA.key | Client_A.crt |
7 | Create .p12 file | Client_A.crt Client_A.key | Client_A.p12 |
The step-by-step guide presents a suggested workflow to produce the files in the table above:
Decide on a name for the Certificate Authority, e.g., CA. Run the following command and respond to the prompted questions:
openssl req -x509 -newkey rsa:4096 -keyout **CA.key** -out **CA.crt** -nodes -days 3600
Repeat steps 1-7 to generate a second set of keys and certificates to be used for the other side of the DD1000i.
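The seven steps in the table above, scripted for one side of the DD1000i, together with the checks worth running before anything is uploaded. This is an added example, not Advenica's own tooling: the function names, the CN values, the SAN hostname and IP address, the leaf-certificate validity of 825 days and the `clientAuth` extended key usage on the client certificate are assumptions, and the CA is created with a small private OpenSSL config so that `basicConstraints CA:TRUE` does not depend on the system `openssl.cnf`. File naming follows the Expected result table (CA_Up.crt, Server_Up.key, Client_Up.p12 and so on), so running it once per side produces the full set.

```shell
#!/bin/sh
# Added example (not part of the DD1000i documentation): steps 1-7 for one side,
# followed by pre-upload checks. Names, hosts and validity periods are assumptions.

KEY_BITS="${KEY_BITS:-4096}"   # the page's command uses rsa:4096
CA_DAYS=3600                   # CA validity, as in the page's command
LEAF_DAYS=825                  # assumed validity for server and client certificates

# Minimal OpenSSL config: lets 'req' run without prompts and gives the CA an
# explicit basicConstraints/keyUsage instead of relying on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
# the subject is supplied on the command line with -subj
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# generate_pki DIR SIDE SAN_DNS SAN_IP P12_PASS
# Writes CA_<SIDE>.*, Server_<SIDE>.*, Client_<SIDE>.* into DIR.
generate_pki() {
    dir=$1; side=$2; san_dns=$3; san_ip=$4; p12_pass=$5
    mkdir -p "$dir"
    write_req_config "$dir/req_config.txt"

    # Step 1: self-signed CA (the page's flags plus -config/-subj to avoid prompts)
    openssl req -x509 -config "$dir/req_config.txt" -newkey "rsa:$KEY_BITS" \
        -keyout "$dir/CA_$side.key" -out "$dir/CA_$side.crt" -nodes -days "$CA_DAYS" \
        -subj "/CN=DD1000i $side CA"

    # Step 2: server key and CSR
    openssl req -new -config "$dir/req_config.txt" -newkey "rsa:$KEY_BITS" \
        -keyout "$dir/Server_$side.key" -out "$dir/Server_$side.csr" -nodes \
        -subj "/CN=$san_dns"

    # Step 3: SAN configuration; TLS clients match the host against SAN, not CN.
    # TLS 1.3 authenticates with signatures only, so digitalSignature suffices.
    cat > "$dir/san_config.txt" <<EOF
subjectAltName   = DNS:$san_dns, IP:$san_ip
keyUsage         = critical, digitalSignature
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF

    # Step 4: sign the server CSR with the CA, attaching the SAN extensions
    openssl x509 -req -in "$dir/Server_$side.csr" -CA "$dir/CA_$side.crt" \
        -CAkey "$dir/CA_$side.key" -CAcreateserial -out "$dir/Server_$side.crt" \
        -days "$LEAF_DAYS" -sha256 -extfile "$dir/san_config.txt"

    # Step 5: client key and CSR
    openssl req -new -config "$dir/req_config.txt" -newkey "rsa:$KEY_BITS" \
        -keyout "$dir/Client_$side.key" -out "$dir/Client_$side.csr" -nodes \
        -subj "/CN=Client_$side"

    # Step 6: sign the client CSR (clientAuth EKU is an addition to the table's step 6)
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = critical, digitalSignature\nbasicConstraints = CA:FALSE\n' \
        > "$dir/client_ext.txt"
    openssl x509 -req -in "$dir/Client_$side.csr" -CA "$dir/CA_$side.crt" \
        -CAkey "$dir/CA_$side.key" -CAcreateserial -out "$dir/Client_$side.crt" \
        -days "$LEAF_DAYS" -sha256 -extfile "$dir/client_ext.txt"

    # Step 7: passphrase-protected PKCS#12 bundle (client cert + key + CA) for the browser
    openssl pkcs12 -export -in "$dir/Client_$side.crt" -inkey "$dir/Client_$side.key" \
        -certfile "$dir/CA_$side.crt" -name "Client_$side" -out "$dir/Client_$side.p12" \
        -passout "pass:$p12_pass"
}

# verify_pki DIR SIDE SAN_DNS P12_PASS : returns 0 only if every pre-upload check passes
verify_pki() {
    dir=$1; side=$2; san_dns=$3; p12_pass=$4
    ca="$dir/CA_$side.crt"
    # both leaf certificates chain to the CA and are valid for their intended purpose
    openssl verify -CAfile "$ca" -purpose sslserver "$dir/Server_$side.crt" >/dev/null || return 1
    openssl verify -CAfile "$ca" -purpose sslclient "$dir/Client_$side.crt" >/dev/null || return 1
    # the server certificate carries the SAN that clients will match against
    openssl x509 -in "$dir/Server_$side.crt" -noout -text | grep -q "DNS:$san_dns" || return 1
    # the private key to be uploaded with the server certificate really belongs to it
    [ "$(openssl x509 -in "$dir/Server_$side.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/Server_$side.key" -pubout)" ] || return 1
    # TLS 1.3 sanity: SHA-256 signatures throughout, and nothing expiring within 30 days
    for f in "$ca" "$dir/Server_$side.crt" "$dir/Client_$side.crt"; do
        openssl x509 -in "$f" -noout -text | grep -q 'sha256WithRSAEncryption' || return 1
        openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null || return 1
    done
    # the .p12 opens with the passphrase and contains the client certificate
    openssl pkcs12 -in "$dir/Client_$side.p12" -passin "pass:$p12_pass" -nokeys -clcerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 1
}

# Usage for the upstream side (constructed names); repeat with "Down" for the other side:
#   generate_pki ./pki_up Up dd1000i-up.example.internal 192.0.2.10 "$P12_PASS" && verify_pki ./pki_up Up dd1000i-up.example.internal "$P12_PASS"
```

The `-checkend` call in `verify_pki` doubles as the periodic audit the recommendations above call for: run it against the uploaded certificates on a schedule, and re-run the full `generate_pki` for a side whenever any part of that side's chain is suspected to be compromised.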
Expected result
Once all the steps presented above have been executed, these files must be available for the DD Engine @ DD1000i setup.
File | Signed by CA | Side | Upload to |
---|---|---|---|
CA_Up.crt | - | Upstream | Web browser & DD1000i Local admin |
Server_Up.crt Server_Up.key | CA_Up | Upstream | DD1000i Local admin |
Client_Up.p12 | CA_Up | Upstream | Web browser |
CA_Down.crt | - | Downstream | Web browser & DD1000i Local admin |
Server_Down.crt Server_Down.key | CA_Down | Downstream | DD1000i Local admin |
Client_Down.p12 | CA_Down | Downstream | Web browser |
Upload certificates and keys
The PKI files must be uploaded to the appropriate destinations as described in the table above. The server certificate, server key and CA certificate should be uploaded to the DD Engine @ DD1000i via the Local admin. The client certificate and CA certificate should be uploaded to the web browser in order to configure the DD Engine @ DD1000i.
A basic Public Key Infrastructure using OpenSSL has now been established. This infrastructure will enable secure communication and authentication between the client and DD Engine @ DD1000i. Keep in mind that real-world deployments require additional security considerations and adherence to best practices.