X509 certificates for client authentication
Qickly generate a CA and client certificate for secure communication
iot crypto tech certificates ironWhy client certificates
If you are reading this post, you probably already know what is all that about, and I will not offend you with simplistic explanations. Just for the sake of clarity, I am referring to client certificates as those files that contain a private key for the user to access a certain service.
While it has become increasingly popular to distribute content over the internet with HTTPS, in order to make sure the communication is shielded from eventual eavesdroppers, not many authenticate securely the user identity as well.
There are good reason for that, of course. Without going into too much details, we can say that autenticate the user, that is, pre-sharing a different key with each and every user might be costly and unpractical in many ways. Therefore, if it is not essential, we usually don’t do it.
When to use them
There are times when you want to put online a service for users that require:
- the traffic to be cryptographically secure
- the key to be private for a specific user
- the user not to share any password with the site/service administrator
Where to use them
Provided we know where we want to be using client certificates, it might not be obvious that the place where we use them is typically a browser, if we are talking about html documents or other media; but it could also be some other piece of custom sofware, in that case we will hopefully have additional instructions about what to do with them.
How to use them
Usually the end user should have a private key (protected by a super-secret password that he is giving to none) with which, after passing some pains, he gets the actually a signed certificate. Together with that, he should receive a signed copy of the CA that signed his own certificate. This should tell the browser (or our awesome piece of code) that the client certificate is actually right.
If you haven’t spent enough time and resources, the CA itself could have been authenticated by an established real world CA company that keeps the certificates in a safe dug underground with no internet connection.
While this last step is actually pretty costly and worth in some cases, it is not always needed. For example, if your application has a small number of clients, or at least it is not on global scale. Let’s say the client is your mobile that authenticates towards your own webmail server: you can just make sure the server certificate that you have on the client is the good one, and you’re good to go. Other case could be some physical device you have access to and onto which you can save the good server certificate. That is known under the name of Certificate Pinning. Of course, in this last case the tricky part is in making sure you’ll be able to update the server certificate on the client when you need it, and besides making sure none else is able to do that.
If you can’t recognize yourself in those two example cases, then you definitely need a public CA to sign the CA, you will have to pay for it, and hopefully it makes sense for your billioner distributed application.
How to generate them
I got too past the point I put myself into describing the use case for this brand new crypto tool, that I think it is now time to explain how to use it.
Iron
Iron is a commandline utility to create a CA and certificates for services that need to share data over a secure channel with client authentication.
get the software
git clone https://github.com/paolo-lulli/iron
install with make
cd iron
./configure
make
sudo make install
Install from Deb package
create Deb package
Iron comes with a script that helps generating a .deb package. It can be used as follows:
cd iron
./makedeb.sh
install Deb package
If you choose to generate the debian package (and you run a debian/ubuntu distribution) installing is as easy as:
sudo dpkg -i ../target/iron-1.0.0.deb
Use the software
Iron comes with a minimal inline help:
$ iron
Usage: iron <command> [<args>]
Some useful iron commands are:
ca manage CA
certificate create certificates
client manage CSR for certificates creation
commands List all iron commands
debug manage CA
service manage service/server certificate creation
See 'iron help <command>' for information on a specific command.
For more detail about the usage see: Iron product page