brent timothy saner via plug on 13 Oct 2020 12:59:23 -0700
Re: [PLUG] expiring certificates quickly
- From: brent timothy saner via plug <plug@lists.phillylinux.org>
- To: plug@lists.phillylinux.org
- Subject: Re: [PLUG] expiring certificates quickly
- Date: Tue, 13 Oct 2020 15:58:56 -0400
- Reply-to: brent timothy saner <brent.saner@gmail.com>
- Sender: "plug" <plug-bounces@lists.phillylinux.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
On 10/13/20 15:00, Rich Freeman via plug wrote:
> On Tue, Oct 13, 2020 at 2:23 PM Rita via plug
> <plug@lists.phillylinux.org> wrote:
>>
>> I am setting up postgresql ssl authentication (https://www.postgresql.org/docs/9.5/ssl-tcp.html). I have it working but I am curious if I can expire my certificates quicker.
>>
>> Here is how I request a client cert
>>
>> openssl x509 -req -in client/client.csr -days 1 \
>> -CA certs/ca.crt -CAkey keys/ca.key -CAcreateserial \
>> -out certs/client.crt
>>
>> Ideally, I would like to have a valid cert for 60 secs. Is it possible to do?
>
> It looks like this should be possible if you use the openssl ca app
> instead of the x509 app. I think this requires a config file. man
> openssl-ca has the gory details including some examples. I don't
> think they have any end date examples, but the enddate field uses the
> format YYYYMMDDHHMMSSZ . It also supports -days. Looking at the
> source for the x509 app days is an integer, and all the calls to
> set_cert_times just pass the days value and not explicit end dates.
>
> The x509 app does have an option to preserve start/end dates so if you
> can generate an unsigned certificate and use that mode to modify it,
> then that might also work.
>
> There is also a shell utility called faketime that intercepts
> date/time calls. From what I can tell the x509 app keeps the current
> time when it sets the end date (i.e. if it is 1PM today and you pass
> -days 1, then you end up with a cert that expires at 1PM tomorrow).
> That means you could run it with a fake time 1 day in the past less 1
> minute, and pass -days 1, and end up with something that expires a
> minute from now. The start date would be 1 day in the past though,
> which means that maybe it could be used for time-travel shenanigans.
>
> I think the ca app would be the cleanest approach if you're willing to
> deal with its syntax and config files.
>
Speaking as someone who's done CA administration via OpenSSL... I'd
recommend not. It's a PITA, especially if you want those certs' TTL to
only be 60 seconds as OP mentioned. Vault even *recommends* certificates
with extremely short expirations and is geared towards that. No need to
fake time or the like.
This is something more ideal for e.g. Vault[0], as it has a REST API[1]
that lets you automate that signing process[2]. There's definitely a
learning curve, but the realistic alternative is something like
deploying an ACME[3] server like boulder[4], which has a much more
significant learning curve. HashiCorp does have a quickstart
walkthrough[5] though, to make that learning curve a little more shallow.
[0] https://www.vaultproject.io/
[1] https://www.vaultproject.io/api-docs
[2] https://www.vaultproject.io/api-docs/secret/pki
[3] https://tools.ietf.org/html/rfc8555
https://tools.ietf.org/html/rfc8737
[4] https://github.com/letsencrypt/boulder
[5] https://www.vaultproject.io/docs/secrets/pki#quick-start
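The `openssl ca -startdate/-enddate` route Rich describes in the quoted message, worked through end to end as an added example (this is not code from anyone in the thread). It assumes `openssl` and GNU `date` are installed; the config, file names and CNs are constructed for the demo, and the function returns the issued lifetime in seconds read back from the certificate.

```shell
# Added example (not from the thread): sign a CSR with `openssl ca -startdate/-enddate`
# (YYYYMMDDHHMMSSZ) so the cert lives exactly $ttl seconds. Names/paths are constructed.
set -eu
issue_short_lived_cert() {
  local ttl=${1:-60} work
  work=$(mktemp -d) && cd "$work"
  mkdir newcerts && touch index.txt && echo 01 > serial
  # Minimal config: `openssl ca` refuses to run without a CA section.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
policy          = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName      = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  # Throwaway CA and a client CSR (the CN is what PostgreSQL maps to a role).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-ca" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=pgclient" -keyout client.key -out client.csr 2>/dev/null
  # notBefore = now, notAfter = now + ttl; -days is not used at all.
  local now; now=$(date -u +%s)
  openssl ca -batch -notext -config ca.cnf -in client.csr -out client.crt \
    -startdate "$(date -u -d "@$now" +%Y%m%d%H%M%SZ)" \
    -enddate "$(date -u -d "@$((now + ttl))" +%Y%m%d%H%M%SZ)" 2>/dev/null
  # Report the issued lifetime in seconds, read back from the certificate.
  local nb na
  nb=$(openssl x509 -in client.crt -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in client.crt -noout -enddate | cut -d= -f2)
  echo $(( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ))
}
```

Because the function changes into its scratch directory, call it in a subshell, e.g. `(issue_short_lived_cert 60)`, when you want to keep your current working directory.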
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug