Split domains for client cert authentication

There are a lot of problems with the optional client certificate authentication on a single domain. As soon as a valid client cert for the domain in present in the keychain (MDM for example), it will be used by santa, or safari. With this commit, we undo the recent work, but we try to keep only one certificate, using the Subject Alternative Name extension. This way, only one chain has to be distributed to the clients.
zentralopensource · Jun 27, 2019 · 9fb5cee · 9fb5cee
1 parent 8c11c2b
commit 9fb5cee
Show file tree

Hide file tree

Showing 15 changed files with 140 additions and 310 deletions.
diff --git a/conf/mdm/docker/nginx/conf.d/zentral-clicertauth.conf b/conf/mdm/docker/nginx/conf.d/zentral-clicertauth.conf
@@ -0,0 +1,22 @@
+server {
+        listen 443 ssl http2;
+	server_name zentral-clicertauth;
+
+        ssl_certificate /etc/nginx/tls/zentral-clicertauth.crt;
+        ssl_certificate_key /etc/nginx/tls/zentral-clicertauth.key;
+
+        ssl_verify_client on;
+        ssl_client_certificate /scep_CA/ca.pem;
+        ssl_crl /scep_CA/crl.pem;
+
+	location / {
+                proxy_pass        http://web:8000;
+                proxy_set_header  Host                $host;
+                proxy_set_header  X-Real-IP           $remote_addr;
+                proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
+                proxy_set_header  X-Url-Scheme        $scheme;
+                proxy_set_header  X-SSL-Client-Cert   $ssl_client_escaped_cert;
+                proxy_set_header  X-SSL-Client-S-DN   $ssl_client_s_dn;
+                client_max_body_size 10m;
+	}
+}
diff --git a/conf/mdm/docker/nginx/conf.d/zentral.conf b/conf/mdm/docker/nginx/conf.d/zentral.conf
@@ -5,10 +5,6 @@ server {
         ssl_certificate /etc/nginx/tls/zentral.crt;
         ssl_certificate_key /etc/nginx/tls/zentral.key;
 
-        ssl_verify_client optional;
-        ssl_client_certificate /scep_CA/ca.pem;
-        ssl_crl /scep_CA/crl.pem;
-
         location = /favicon.ico {
 		return 204;
 	}
@@ -40,18 +36,6 @@ server {
                 alias /zentral_static/;
         }
 
-        location ~ ^/mdm/(checkin|connect)/$ {
-                if ($ssl_client_verify != SUCCESS) {return 401;}
-                proxy_pass        http://web:8000;
-                proxy_set_header  Host             $host;
-                proxy_set_header  X-Real-IP        $remote_addr;
-                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
-                proxy_set_header  X-Url-Scheme     $scheme;
-                proxy_set_header  X-SSL-Client-Cert   $ssl_client_escaped_cert;
-                proxy_set_header  X-SSL-Client-S-DN   $ssl_client_s_dn;
-                client_max_body_size 10m;
-        }
-
 	location / {
                 proxy_pass        http://web:8000;
                 proxy_set_header   Host             $host;

diff --git a/conf/mdm/zentral/base.json b/conf/mdm/zentral/base.json
@@ -1,6 +1,7 @@
 {
   "api": {
     "tls_hostname": "https://zentral",
+    "tls_hostname_for_client_cert_auth": "https://zentral-clicertauth",
     "tls_server_certs": "/zentral/conf/start/docker/tls/zentral_fullchain.crt",
     "tls_server_key": "/zentral/conf/start/docker/tls/zentral.key",
     "secret": "API SECRET !!! CHANGE THIS !!! DO NOT USE IN PRODUCTION !!!"

diff --git a/conf/start/docker/tls/.gitignore b/conf/start/docker/tls/.gitignore
@@ -0,0 +1,2 @@
+zentral_ca.key
+zentral_ca.srl
diff --git a/conf/start/docker/tls/README.md b/conf/start/docker/tls/README.md
@@ -1,22 +1,42 @@
 # TLS material
 
-The files in this directory are provided as examples.  DO NOT USE THEM IN PRODUCTION.
+The files in this directory are provided as examples. DO NOT USE THEM IN PRODUCTION!!!
 
 ## How?
 
-Self signed certificate for the CA
+Create a self signed certificate for the CA:
+
 ```
-openssl genrsa -out zentral_ca.key 2048
-openssl req -x509 -new -nodes -key zentral_ca.key -sha256 -days 3650 -out zentral_ca.crt
+openssl req -x509 -out zentral_ca.crt \
+            -newkey rsa:2048 -nodes -keyout zentral_ca.key \
+            -sha256 -days 3650 \
+            -extensions ext \
+            -config <(printf "[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nC=DE\nST=Hamburg\nL=Hamburg\nO=Zentral\nOU=IT\nCN=Zentral CA\nemailAddress=info@zentral.io\n[ext]\nbasicConstraints=CA:TRUE\nsubjectKeyIdentifier=hash\nkeyUsage=keyCertSign,cRLSign\n")
 ```
 
-Then, for each service:
+Create a certificate request for zentral:
+
 ```
-openssl genrsa -out zentral.key 2048
-openssl req -new -key zentral.key -out zentral.csr
-openssl x509 -req -in zentral.csr -CA zentral_ca.crt -CAkey zentral_ca.key -CAcreateserial -out zentral.crt -days 3650 -sha256
+openssl req \
+        -newkey rsa:2048 -nodes -keyout zentral.key \
+        -subj '/CN=zentral' \
+        -out zentral.csr
 ```
 
-We add the root cert to the generated certs for nginx.
+Add the extensions and sign the request with the CA, to build the certificate:
 
-For the fullchains, we add the cert again.
+```
+openssl x509 \
+        -req -in zentral.csr \
+        -CA zentral_ca.crt -CAkey zentral_ca.key \
+        -CAcreateserial \
+        -days 3650 -sha256 \
+        -extensions ext \
+        -extfile <(printf "[ext]\nsubjectAltName=DNS:zentral,DNS:zentral-clicertauth\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth,emailProtection") \
+        -out zentral.crt
+```
+
+Create the fullchain:
+```
+cat zentral.crt zentral_ca.crt > zentral_fullchain.crt
+```
diff --git a/conf/start/docker/tls/zentral-clicertauth.crt b/conf/start/docker/tls/zentral-clicertauth.crt
diff --git a/conf/start/docker/tls/zentral-clicertauth.key b/conf/start/docker/tls/zentral-clicertauth.key
diff --git a/conf/start/docker/tls/zentral-clicertauth_fullchain.crt b/conf/start/docker/tls/zentral-clicertauth_fullchain.crt
diff --git a/conf/start/docker/tls/zentral.crt b/conf/start/docker/tls/zentral.crt
@@ -1,48 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDhTCCAm0CCQDHjTs+1Tm9HjANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
-REUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxEDAOBgNVBAoT
-B1plbnRyYWwxCzAJBgNVBAsTAklUMRMwEQYDVQQDEwpaZW50cmFsIENBMR4wHAYJ
-KoZIhvcNAQkBFg9pbmZvQHplbnRyYWwuaW8wHhcNMTcxMDE2MTUxOTU4WhcNMjcx
-MDE0MTUxOTU4WjCBgjELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAO
-BgNVBAcTB0hhbWJ1cmcxEDAOBgNVBAoTB1plbnRyYWwxCzAJBgNVBAsTAklUMRAw
-DgYDVQQDEwd6ZW50cmFsMR4wHAYJKoZIhvcNAQkBFg9pbmZvQHplbnRyYWwuaW8w
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGsF5240E/QVecjCfxW5XM
-/vIsp0Zwyk+TyvykOGSKbANXkAqSyh/1ped7MHGx+RTfgXOBhWHuxQfMEaUVy8wu
-zDXZxroOR40Y2RUVf4VYCqwN2Wujoj6aAk1pVW4JSPm0sUuCXsxpyaD1ciC17Jde
-/yE0Iby4hNPSQnZOjZZC7CoF9aKojpEdebcXK9kf4IpS5yrsQ+KZHqI1f2vBS5cB
-4YkRP56pudEL9dSr6AeZnnhgxBYJ9H2FDBpB2FNeT+CjToApGPG5QSB2ClSsB+w3
-JycU+2/Ztk4UEJpil9eSW9ECzJ7C5IAaBlCyARiqpQYfWiVXCwRfpx1KTuthqzVH
-AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJQnxMqtpsIFiMFNA25+Ow5iuijWXhTl
-XNSnnjp52hAUxcgDLXmLT1IUzCyYIGii4+SEVLeYrgvR3k5vBGo80g+WZjfbnC0l
-6/cAsbETAtKunAbJ4kYGxiWa6DySCjr4yttLtebKaiiWaQgUa7V/qfub0cFf/ca9
-wYRyBVqWx6GNJXoO6qai3qMihkeXbbdD5uux88RJ+JkTc/Fyb77v1rS3WnuwGbWB
-s3bEFu6+3jLJx6UCAUH98ua74a7S/yV5FUHBAzTm721XLJ1b/scIMIVVplygnLRW
-YOPvilU6PrDPZL7zpLTcfVDq4qw+xgCSSBRsm24HV8k4TZheIU2rlJo=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEfTCCA2WgAwIBAgIJAMk+cPxO4t7dMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
+MIIDcjCCAlqgAwIBAgIJAMeNOz7VOb0iMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
 VQQGEwJERTEQMA4GA1UECBMHSGFtYnVyZzEQMA4GA1UEBxMHSGFtYnVyZzEQMA4G
 A1UEChMHWmVudHJhbDELMAkGA1UECxMCSVQxEzARBgNVBAMTClplbnRyYWwgQ0Ex
-HjAcBgkqhkiG9w0BCQEWD2luZm9AemVudHJhbC5pbzAeFw0xNzEwMTYxNTE0Mzha
-Fw0yNzEwMTQxNTE0MzhaMIGFMQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVy
-ZzEQMA4GA1UEBxMHSGFtYnVyZzEQMA4GA1UEChMHWmVudHJhbDELMAkGA1UECxMC
-SVQxEzARBgNVBAMTClplbnRyYWwgQ0ExHjAcBgkqhkiG9w0BCQEWD2luZm9AemVu
-dHJhbC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOLyeBkw6qok
-8mHXUOeb5ygQ7aFZpyRNtdEC1siJCy3mK/P3jtkUeFNLFKHdZZZWfFRb8SqrJ1H6
-3c+0zIfep2iyIm9u+o5C10i7u8VVD7S1HGdmLH0R0gfH7FOaF6DYIkVpKyF0dtKy
-e+34M3Nsg3dPfCgeMehh62lfhFgMaVdpBXukCr8HzrWCr3vT8sbFNKQl7E18NNml
-8VtDCdaXy8fkSwa6hXztxHrligpJ0YOe6/mts4lMO3RHaHETC+iL9Qrmkav36wWv
-ibf4FMdgc+fVDJzfRJI3rB8c4i9aNWbB6qUZVfwKRGa85CtBJnGS7HK5brgPOgUr
-aYwdT77+7ysCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUii2pua+A+firK3FBnpoo7FGW
-QrkwgboGA1UdIwSBsjCBr4AUii2pua+A+firK3FBnpoo7FGWQrmhgYukgYgwgYUx
-CzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJn
-MRAwDgYDVQQKEwdaZW50cmFsMQswCQYDVQQLEwJJVDETMBEGA1UEAxMKWmVudHJh
-bCBDQTEeMBwGCSqGSIb3DQEJARYPaW5mb0B6ZW50cmFsLmlvggkAyT5w/E7i3t0w
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAg3CZBZ1zZ+xF4ba6BzjE
-ZmxRe6Iuqx+WuNr8PX9MkDGmIgL/GJmngYgT3/80TJ3jbG//w1Dvct0Y6tqyQJ11
-tG2pMCLEkwk1wTJZAy6G56e5y2yBtmQbmkYJ8UQ8U0Q+cL6rbgGJ07bLlcVf2D+B
-6PJNLEz0Msd4kJZKIMDt/Dm89J3DqVPmMr4u6ZGLB2H1GA+715K6LlUb+xlRsfJn
-FJhXPrQnuUEkJ3DHGQrK2IWLKbncaC7ke6w8csOf7RObR5V+lSfGp/QTeP+tjeLJ
-pjH6nMdX2VD25p4HtpVjo+PN2imrtrU9BgjS14JUENf2ELO/q6pe46arWxw79uHp
-ng==
+HjAcBgkqhkiG9w0BCQEWD2luZm9AemVudHJhbC5pbzAeFw0xOTA2MjcxMDU2MDVa
+Fw0yOTA2MjQxMDU2MDVaMBIxEDAOBgNVBAMMB3plbnRyYWwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCosp85fMRY3qIFUTZjX3mYwZI3i+B23clpqTqh
+zL7yROKIHJ59HysYY2OlZ9zcXP8+3HUsnA12YnY+sHJw7BELsFJq1whu6b3xe0nK
+IFWs7dOWaEPk3GcOoDWTlhto3bM2yAYyZvWySsYdsdKlKwhZOn8IHrIV5lCvW2CZ
+ewCYjYFQIxO9k7pVlS+KKHvSe9NWR3SKJiC57x5miUzljpRU7do2ktyTv/Bj7D6Z
+dhZ3+DfWxpcddfkqk97Nc2uXOypHtcozT3ZXcTv/v8fLX6IQXEIey4DeIK2ntV4m
+YQzmc2ERmSrfcS/tMK0/j+e+aBBrKxd+Or8vpZLwjr2+N2KrAgMBAAGjVzBVMCcG
+A1UdEQQgMB6CB3plbnRyYWyCE3plbnRyYWwtY2xpY2VydGF1dGgwCwYDVR0PBAQD
+AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDBDANBgkqhkiG9w0BAQsF
+AAOCAQEAbhtQtlT2ljJegcVZR99Kqb31gCgWsJCGluzdSVpQ6d7u1RXiQXmqgO5W
+cJyQekaSRwfjNYRtOK3qxJoAe/67t5cOFnSy00RdHgeQJnhzbhauD7ELW3UPW26r
+M3/hrpMTwmJaqa5ZHAygwMCEcsasB5WFDQCZuVOTpYBv21IIgqG6REskf1Xx8Xmd
+1BXmOL0TEIjnWqOkm77WLMH1hnxHMorztE5O1V8JCcM46u1l5y3cp/rStPPzg1ky
+rADUMx83/gKFjdKEuDtFCSwNs9KOzXjeeysD39Mv7e54e74Y5kSP+W/hUxaIX0oL
+KKbzX9i21E/u9379kpBdfZE18RWsDw==
 -----END CERTIFICATE-----