
The time has come for us to renew and update our wildcard certificate. I've been tasked with researching the ways we can protect the private key without compromising the security of the certificate. (With the key and cert together, anyone could impersonate us.)

I understand the pros and cons of using wildcard certs, and this is the direction the IT Director has decided to go.

We're a 99% Windows shop; no configuration management setup. We're likely going to have to touch each machine that uses the wildcard cert.

I know some configuration management tools (like Puppet) have modules that you can use to pass a secured variable instead of a clear text password. Is there a way to install the cert on machines without having to distribute the private key to other team members?

Any thoughts/ideas/best practices would be greatly appreciated.

  • Really depends on how you manage the machines. You might be using Microsoft System Centre for example or you might simply allow WinRM (remote management) on each machine and use remote PowerShell. Commented Jan 5, 2017 at 20:14
  • 2
    use an HSM / Smart Card Commented Jan 5, 2017 at 20:17
  • Can remote PowerShell obscure the private key? The end goal is for the cert to be installed, via/with key, without having to share the private key (actual string) with the whole team. But we want the team members to be able to help with the install so that one person doesn't have to go through the whole process on each machine.
    – bsant
    Commented Jan 5, 2017 at 20:20
  • 2
    Agree with @NeilMcGuigan, nothing else but HSM/Smart Card will help you. Software-based key storages do not provide enough security and can't guarantee key privacy. For example, if you back up your systems, the certificate and associated private key may be included there, and attacks against backups will compromise the key.
    – Crypt32
    Commented Jan 5, 2017 at 20:25
  • @bsant: What are you trying to do? Distribute the privkey/pubkey to a bunch of servers, all of which need the privkey? Commented Jan 6, 2017 at 5:34

1 Answer


I'd configure a reverse proxy with SSL decryption capabilities. Therefore the cert is put in a single server and it terminates the SSL/TLS connection.

Your private key will only be on one server and you'll also have the ability to inspect HTTP traffic using an IDS/IPS.

  • How does this work if we need to import the cert onto several servers?
    – bsant
    Commented Jan 6, 2017 at 16:36
  • You just import the certificate into one server - the reverse proxy
    – DDS
    Commented Jan 9, 2017 at 2:46
  • So your SSL connection terminates at the reverse proxy. Thereafter it's HTTP. Or if you are worried about the connection between the reverse proxy and the web server, you can use a different SSL connection between them. The good thing is that those SSL connections can use your internally generated certs and do not have to be public CA-assigned certs. I'm not aware of any Windows product, but nginx should be able to do this for you. Or you can use a commercial product like F5.
    – DDS
    Commented Jan 9, 2017 at 3:02
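
As an added example that is not part of DDS's answer, this nginx configuration implements the layout the answer and its last comment describe: the wildcard certificate and its private key live only on the reverse proxy, which terminates public TLS, and the hop to each backend web server is a second, independent TLS connection validated against an internally issued CA rather than the wildcard. The hostnames, file paths, backend addresses and the internal CA name are assumptions for illustration.

```nginx
# Added example, not the answer's own configuration.
# The wildcard private key exists only on this proxy host; the backend
# web servers present certificates from an internal CA and never hold it.
# Hostnames, paths and backend addresses below are assumed placeholders.

# Backend pool: internal web servers reachable over a private network.
upstream app_backend {
    server 10.0.1.10:443;
    server 10.0.1.11:443;
}

# Redirect plain HTTP so the wildcard-protected listener is the only public entry point.
server {
    listen 80;
    server_name .example.com;          # matches example.com and *.example.com
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name .example.com;

    # Public wildcard certificate chain and its private key.
    # Keep the key file root-owned with mode 0600: the nginx master process
    # reads it as root before dropping privileges, so the worker user, and
    # anyone who can log in as that user, never needs read access to it.
    ssl_certificate     /etc/nginx/tls/wildcard.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    location / {
        # Second TLS hop to the backend, as the comment above describes.
        # The backend's certificate is issued by the internal CA, not the wildcard.
        proxy_pass https://app_backend;

        # Verify the backend against the internal CA so a host on the internal
        # segment cannot stand in for the real web server toward the proxy.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name                app.internal.example.com;   # name in the backend's internal cert
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Preserve the original host and client address for backend logging.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two practical checks follow from the comments on the question: the key file on the proxy is now the single copy worth protecting, so exclude it from ordinary backup jobs or encrypt those backups (Crypt32's point about backups applies to the proxy just as it did to every server before), and renewing the wildcard becomes a change on one host rather than a visit to each machine, which is what removes the need to hand the key to the whole team.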
