HTTP and HTTP: Encryption and Certificates
HTTP
threatER Enforce is normally managed through a standard browser. This feature allows you to manage your Enforce software from almost anywhere on the internet without needing any special device other than a computer, and no additional software besides a standard web browser.
Enforce implements Hypertext Transfer Protocol Secure (HTTPS), an internet standard protocol for securely transmitting web pages. HTTPS encrypts communications between the web server and client, and can authoritatively identify both ends of the communication channel.
According to internet standards, the HTTPS server normally listens on TCP port 443. If you change this, you will need to include the new port when you connect to Enforce; for example, if you change the port to 4567, you would need to access Enforce this way: https://192.168.1.1:4567
HTTP and HTTPS ports can be configured under the General Settings tab. These settings will limit administrative access to Enforce from specified ports.
HTTP: Encryption and Certificates
Users can create and manage Public Key Certificates for secure communications on Enforce.
Secure Internet communications between your web browser and Enforce are enabled through Public Key Certificates. Although Enforce comes with a self-signed public key certificate, you may want to replace this with an authoritatively signed certificate. Signed security certificates enable authentication between trusted systems.
The certificate that is preconfigured on Enforce has a predefined expiration date, which you can check by selecting this function.
NOTE: Certificates are applied when you click the Create or Ok button from within a pop-up dialog.
Note that allowing a certificate to expire may result in blocked access to Enforce. Before the existing certificate expires, either create a new self-signed certificate, or request one that is authoritatively-signed by a Certificate Authority. Your organization may have its own Certificate Authority, or you can purchase one from a commercial organization.
Your Enforcer comes with strong data encryption, securing the communications between Enforce and the web browser. This feature prevents wiretappers and eavesdroppers from deciphering your Enforce communications, and may be particularly useful when you access Enforce from a public network. This security is part of the default Enforce configuration, and is automatically enabled. You can be confident that your connection is secure when you see "https://" in the address bar while accessing Enforce.
The https web browser function uses a secure internet protocol along with an encryption certificate installed on Enforce. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are internet standard protocols that encrypt communications within applications such as web browsers or electronic mail. TLS and SSL take their encryption parameters from an SSL Certificate, which comes pre-installed on Enforce. Since TLS and SSL are application-level protocols, they encrypt only your web browser communications with Enforce, not other network traffic.
SSL Certificates are a type of Public Key Certificate, or electronic document based on the X.509 standard. X.509 is a framework for establishing a public key infrastructure, which specifies formats for Public Key Certificates, and specifies methods for authenticating these certificates via trusted Certificate Authorities. A certificate contains a public key used by other computers to encrypt data. The certificate holder also has a private key, which alone can decrypt the data, guaranteeing data privacy between the machines. A certificate may be authoritatively signed: a trusted firm or organization can apply a digital signature to a certificate, giving you confidence that the computer with that certificate is what it claims to be.
A new Enforcer has a single self-signed certificate used to encrypt communications between Enforce and your web browser, but this does not provide authentication. You can install an authoritatively signed certificate in Enforce, and you can install public key certificates in your web browsers, authenticating the administrative computers.
By default, Enforce will communicate with any computer, since Enforce does not require clients to present public key certificates. In this case, security is based on administrator account passwords and optional network restrictions. This basic security may be adequate for many users, but be aware that enhancing it requires considerable effort, coordination, follow-up activity, and possibly expense.
Your Enforce administration account must be assigned the Crypto Admin Role to make any changes in this section.
You can perform the following tasks from the HTTP: Certificates tab:
- View Server Certificates and CSRs
- View the Currently Applied Self-Signed Certificate
Select the enabled View Server Certificate button to view your current Public Key Certificate. Here is a sample certificate, similar to what is found on a new Enforce:
- View Currently Applied Certificate Signing Request: (Requires a CSR to be generated). See Certificate Signing Requests Below.
- Manage Server Certificates and CSRs
- Generate and Apply a New Self-Signed Certificate: Replaces Enforce's existing Public Key Certificate.
Enforce comes with a self-signed Public Key Certificate, which is used for secure internet communications between your web browser and Enforce. Like many similar security certificates, the one that comes with your Enforcer has an expiration date, which you can see if you view the existing certificate on the HTTP Settings menu screen.
Do not let the certificate expire; otherwise you may not be able to access Enforce, and you will have to reset it using Maintenance Mode. Before the existing certificate expires, either create a new self-signed certificate, or request one that is authoritatively signed by a Certificate Authority. Your organization may have its own Certificate Authority, or you can purchase one from a commercial organization. Please note that an authoritatively signed certificate may take some time to process. For many uses, a self-signed certificate may provide sufficient security. Click the Generate Server Certificate button to create a new self-signed certificate.
Since this function creates a new Public Key Certificate, when you click Submit, your secure web browser session will immediately halt. Follow these steps to restore connectivity by your web browser:
- Delete the existing certificate on your web browser.
- Add this certificate as an exception on your web browser.
- Do this for all other web browsers on all other administrator computers.
You can either create a new self-signed certificate, or you can obtain an authoritatively-signed certificate from a Certificate Authority (CA).
- Certificate Signing Request
- Generate a new CSR: A Certificate Signing Request is used to initiate the request and receipt of an authoritatively signed Public Key Certificate from a Certificate Authority.
To initiate an authoritatively signed certificate, you must first generate a Certificate Signing Request. From the HTTP: Certificates window, select the Generate a new Certificate Signing Request button. The Create HTTP Certificate Signing Request window appears.
Fill out the following fields:
| Field | Description |
| --- | --- |
| Generate New Private Key | Select this option if you do not want to reuse your private key. |
| Country | Two-letter country name abbreviation. Use SSL Country Codes, listed here: http://www.digicert.com/ssl-certificate-country-codes.htm |
| State | Spell out the full name of your state or province. |
| Locality | Spell out the full name of your city, town, or locality. |
| Organization | Do not use abbreviations. This may contain upper and lower case characters, spaces, or numbers, but no symbols that need a shift key to type, such as shift-1, the exclamation point. |
| Organizational Unit | Your particular department. If you are generating a certificate as an individual, put your fictitious or Doing Business As (DBA) name here. |
| Common Name | Typically the fully qualified domain name (FQDN) of Enforce, such as: Enforce.example.com. If your Common Name has no periods, then this will generate a certificate for an intranet device. This must exactly match the domain name that your web browser will use to access Enforce. |
Once you have completed the fields, select the Create button to complete this function.
Click on View the current Certificate Signing Request in the View panel under Server Certificates and copy everything in the subject area between and including these lines:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Send the copied text to a Certificate Authority (CA) for signing, and request an SSL Certificate. Your organization may have its own Certificate Authority, or you may use one of the companies found on these lists:
- Certificate Authorities trusted by Microsoft Internet Explorer: http://support.microsoft.com/kb/931125
- CAs trusted by Mozilla Firefox: http://www.mozilla.org/projects/security/certs/included/
A list of trusted CAs will be found pre-installed in your web browser:
- In Firefox, select the menu items: Tools->Options->Advanced->View Certificates->Authorities
- For Internet Explorer: Tools->Internet Options->Content->Certificates->Trusted Root Certificate Authorities
- Import and apply a CA signed certificate
The process needed, amount of time, or cost involved in obtaining a signed certificate may be highly variable. Eventually you will get back a digital signature from the Certificate Authority which can be uploaded to the Enforcer using the button.
- Remove the current Certificate Signing Request
If you change your mind about obtaining an authoritatively signed public key certificate or if you need to make changes to your request, you can click the button. This deletes the pending Certificate Signing Request and disables applicable buttons.
- Import/Export PKCS12 Certificate
Public Key Certificates are used for secure communications between your web browser and your Enforcer. You can load a public key certificate file into Enforce, or you can save the contents of Enforce's public key certificate.
- Import Certificate: Install a public key certificate in Enforce. Use this if you created Enforce's Certificate on another computer.
- Export Certificate: Save a copy of Enforce's public key certificate on your computer.
You can generate a Public Key Certificate on Enforce itself, as described under Generate New Self-Signed Certificate or Generate CSR. You can also create a new certificate for Enforce on another computer. If that software can generate a PKCS#12 format key file, you can upload it to Enforce using the Import Certificate function.
When importing a certificate, click the Browse button to find the Key Certificate file on your local computer, and enter the file's password. Click Import to load the keys into Enforce. You need the Crypto Admin Role to Import a certificate.
You may want to save your Enforcer's public and private keys for safekeeping. This may be useful in the future if you have to restore your Enforcer to its factory default settings.
When exporting a certificate, enter a password for the key certificate file, and re-enter the password. Click Export to save the key certificate to your local computer. You must remember this password, otherwise the key certificate file will be unreadable. This will save a PKCS#12 format key file on your local computer.
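The three operations this page describes (creating a self-signed certificate and checking when it expires, generating a Certificate Signing Request from the form fields listed above, and exporting or importing a password-protected PKCS#12 file) can be reproduced on an administrator workstation with the openssl command-line tool. The script below is an added example written for this page, not threatER's code, and it does not talk to an Enforcer: the host name enforce.example.com, the subject fields, the passwords and the file names under $WORK are constructed placeholders.

```shell
#!/bin/sh
# Added example: walks through the certificate lifecycle described on this page using
# OpenSSL on an administrator workstation. Not threatER's code. The host name, subject
# fields, passwords and file names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="enforce.example.com"          # constructed: must match the name typed into the browser
# Subject built from the same fields as the Create HTTP Certificate Signing Request form.
SUBJECT="/C=US/ST=Texas/L=Austin/O=Example Corp/OU=Network Security/CN=$HOST"

# 1. Equivalent of "Generate and Apply a New Self-Signed Certificate": a fresh RSA key
#    plus a certificate that signs itself, valid for the given number of days.
make_self_signed() {
    days="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "$SUBJECT" -keyout "$WORK/enforce.key" -out "$WORK/enforce.crt" 2>/dev/null
}

# 2. The expiry check the page warns about: exit status 0 if the certificate is still
#    valid N seconds from now, 1 if it will have expired by then (openssl x509 -checkend).
still_valid_in() {
    openssl x509 -in "$WORK/enforce.crt" -noout -checkend "$1" >/dev/null
}

# 3. "Generate a new CSR": reuse the existing private key (the form's "Generate New
#    Private Key" box left unselected) and produce the BEGIN/END CERTIFICATE REQUEST
#    block that is pasted into the CA's request form. The CSR's own signature is verified.
make_csr() {
    openssl req -new -key "$WORK/enforce.key" -subj "$SUBJECT" -out "$WORK/enforce.csr" 2>/dev/null
    openssl req -in "$WORK/enforce.csr" -noout -verify >/dev/null 2>&1
}

# Common Name recorded in the CSR; the CA signs exactly this name, so it must match the
# name the browser will use.
csr_common_name() {
    openssl req -in "$WORK/enforce.csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 4. "Export Certificate": bundle private key and certificate into a PKCS#12 file
#    protected by the password the page tells you to remember.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/enforce.key" -in "$WORK/enforce.crt" \
        -passout "pass:$1" -out "$WORK/enforce.p12"
}

# 5. "Import Certificate": without the right password the file is unreadable; with it,
#    the certificate inside can be listed (here only its subject is printed).
p12_subject() {
    openssl pkcs12 -in "$WORK/enforce.p12" -nokeys -passin "pass:$1" 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Run still_valid_in with the number of seconds until your next maintenance window; a non-zero exit means the certificate would have expired by then, which is the condition that locks you out of Enforce and forces a reset through Maintenance Mode. The CSR is created from the existing key, so the certificate the CA returns must be paired with that same key when it is imported; generating a new private key on the form would invalidate a CSR made earlier.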