[openssl-users] Is a certificate supposed to certify a device ...

Jakob Bohm jb-openssl at wisemo.com
Tue May 24 10:01:30 UTC 2016

A certificate certifies whatever it says it certifies,
nothing else.

More precisely, an X.509 certificate of the kind used with
OpenSSL, OpenVPN etc. certifies that:

   The secret private key that corresponds to the public
   key listed in the certificate is known only to something
   or someone for whom the combination of all the other
   things said in the certificate is true, and that
   whoever is listed in the certificate as the "Issuer"
   has verified that to be true.

So for example, if your OpenVPN certificate says that
"YourLinuxVM certifies that only YourLinuxVM has a copy of
the private key for some public key, and that this key is
intended for OpenVPN use between May 20th 2016 and May
20th 2017", that in itself is not much of a statement.  A
more important statement is the fact that you somehow
installed a copy of that certificate at the other end of
the VPN tunnel and told that end to trust that certificate
as something relevant to the OpenVPN use.

If you have reason to believe a private key may have been
stolen/copied to a dangerous place, you should "revoke"
the certificate that says knowledge of that private key
means anything, then generate a new key plus certificate
and install that.  Replacing keys like that is pretty
routine, just like changing passwords is routine, except
that with keys and certificates, you don't have to think
up a new password, because the computer does that for you.

As for the risk of instant compromise of a new machine as
it is being installed, there are two standard

1. Don't allow the Internet to contact that machine until
   it has been completely installed with all the security
   updates provided by whichever Linux distribution
   (branded collection of prebuilt software, such as Red
   Hat, Fedora, Ubuntu, Debian etc.) you are using.  This
   should be done by not opening any real ports for that
   machine in your firewall/router except for whatever
   is needed by the install process itself.

2. Use a server operating system with a lot fewer security
   bugs than e.g. Windows Server 2003. Depending on which
   Linux distribution and which version of that you used,
   you may already have done that.

On 24/05/2016 09:21, Kim kim wrote:
> Hello,
> I am a non English native and just a newbie, the opposite of an IT 
> expert, and am totally stuck on this. If any of you can kindly give 
> any advice on my stupid or basic questions I would indeed greatly, 
> greatly appreciate your help:
> Some while ago, for the first time in my life I (installed servers 
> and) created certificates/keys, in order to use Openvpn on my stuffs. 
> I successfully created those but then I felt I needed to figure out 
> much more about other parts of server security, so I couldn't use 
> those immediately but just leave those alone.
> What I've done was,
> - I wanted to use Openvpn on my work and all other stuffs (I'm not an 
> expert; I just wanted to learn and do the basic things, if I can.).
> - After reading some documents I understood/thought I should have 
> "server" in order to use Openvpn. (Until then, I only have Microsoft 
> Windows (not server) and virtual machine guest Windows (not server) on 
> it.)
> - So I installed some Linux "server(s)" as guest os(es), for the first 
> time in my life.
>      here what I actually did was: 1. installed A server, 2. following 
> the instructions on the Openvpn website etc, completed the steps 
> issuing certificates (CA, server, client) using easy-rsa, 3. installed B 
> server as another guest os, 2. completed the issuing certificates 
> (CA, server, client) steps.
> - But I felt I should learn and configure the rest part of server 
> security in order to actually start using the system(s), so I couldn't 
> go further at that time; so I just quit going further and had to leave 
> those alone, without doing anything on it.
> - disconnected the internet connections from those guest OSes.
> And then I've been worried about the certificates and keys that were 
> properly issued at that time, I believe. I don't know what I have to 
> be worried about actually and even if I really have to be worried 
> about any things regarding it or not.
> At that time I created the certificates mainly for the use of all my 
> basic(?)/initial(?) system, so the CAs, servers, and clients 
> certificates were only created and as far as I remember I didn't 
> send these to others or share with any.
> But I'm worried as I hear server can be hacked very quickly after 
> created...
> Haven't deleted/couldn't delete those two servers because I don't know 
> if it will be needed, if the certificates and keys need to be revoked....
> I wonder, do I have to revoke all the certificates and keys, including 
> CA itself? Do I revoke the CAs using the same CAs?
> (And actually I had a window os, not server, too before installing 
> those two servers, in which I also issued some certs and keys to use 
> Openvpn (until then I didn't think about the need of "server" for 
> using Openvpn), but then I just completely deleted the window device 
> itself without making any revocation or whatsoever.. so currently I 
> don't even have that system... Can I still even revoke those 
> certificates and keys issued on the deleted device? how?...)
> I now really need to proceed with my stuffs but I'm still stuck on it.
> I don't know what should I do to delete any risk/danger remaining, if 
> any. Or can I simply delete these two servers) without revoking(?) any 
> or whatsoever, without anything to worry about?
> Is a certificate supposed to certify a device (either CA, server or 
> client)? *So therefore don't I have to be even worried about the certs 
> and keys if I no longer use the device itself (or if I delete the 
> device itself)?* What is the bottom line for compromised etc 
> certificates/keys (maybe in security perspective or whatsoever...)?
> I look forward to hearing from you.
> Thank you very much for your time and your help indeed!
> Best regards,
> Kim


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
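
The revoke step described in the reply above, as an added example that is not part of the original message: a throwaway CA is created with the openssl command line, one client certificate is issued and then revoked, and verification is run with and without the CRL. All file names, subject names and the config are constructed for the illustration.

```shell
# Added example: throwaway CA in a temp directory; every name is constructed.
revocation_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial
    # Minimal config; quoted heredoc, so $dir is expanded by OpenSSL itself.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
    q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
    # Issuer: self-signed CA key and certificate.
    q openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
      -nodes -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 3650 || exit 1
    # Subject: its own private key, plus a certificate signed by the CA.
    q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout client.key -out client.csr -subj "/CN=client1" || exit 1
    q openssl ca -batch -config ca.cnf -in client.csr -out client.crt || exit 1
    q openssl verify -CAfile ca.crt client.crt && before=OK || before=FAIL
    # Revocation is a CA operation: mark the serial, then sign a CRL.
    q openssl ca -config ca.cnf -revoke client.crt || exit 1
    q openssl ca -config ca.cnf -gencrl -out crl.pem || exit 1
    # A relying party that never loads the CRL still accepts the certificate.
    q openssl verify -CAfile ca.crt client.crt && nocrl=OK || nocrl=FAIL
    q openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt \
      && crl=OK || crl=REVOKED
    echo "before=$before without_crl=$nocrl with_crl=$crl"
  )
  rc=$?; rm -rf "$d"; return $rc
}
```

Revoking changes nothing at a peer that does not check the CRL; in OpenVPN the setting that makes the server check it is `crl-verify`.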
