Upload Certificate and Key to RUEI in order to decrypt SSL traffic

So you want to monitor encrypted traffic with your RUEI collector ?

Actually this is an easy thing if you follow the lines below...

I will start out with creating a pair of snakeoil (so called self-signed) certificate and key with the make-ssl-cert tool which comes pre-packaged with apache only for the purpose of this example.

$ sudo make-ssl-cert generate-default-snakeoil
$ sudo ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r--r-- 1 root root     615 2010-06-07 10:03 /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r----- 1 root ssl-cert 891 2010-06-07 10:03 /etc/ssl/private/ssl-cert-snakeoil.key

RUEI Configuration of Security SSL Keys

You will most likely get these two files from your Certificate Authority (CA) and/or your system administrators should be able to extract this from your WebServer or LoadBalancer handling SSL encryption for your infrastructure.

Now let's look at the content of these two files, the certificate (apache assumes this is in PEM format) is called a public key and the private key is used by the apache server to encrypt traffic for a client using the certificate to initiate the SSL connection with the server.

In case you already know that these two match, you simply have to paste them in one text file and upload this text file to your RUEI instance.

$ sudo cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/ruei.cert_and_key
$ sudo cat /tmp/ruei.cert_and_key
-----BEGIN CERTIFICATE-----
MIIBmTCCAQICCQD7O3XXwVilWzANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZ1
YnVudHUwHhcNMTAwNjA3MDgwMzUzWhcNMjAwNjA0MDgwMzUzWjARMQ8wDQYDVQQD
EwZ1YnVudHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALbs+JnI+p+K7Iqa
SQZdnYBxOpdRH0/9jt1QKvmH68v81h9+f1Z2rVR7Zrd/l+ruE3H9VvuzxMlKuMH7
qBX/gmjDZTlj9WJM+zc0tSk+e2udy9he20lGzTxv0vaykJkuKcvSWNk4WE9NuAdg
IHZvjKgoTSVmvM1ApMCg69nyOy97AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAk2rv
VEkxR1qPSpJiudDuGUHtWKBKWiWbmSwI3REZT+0vG+YDG5a55NdxgRk3zhQntqF7
gNYjKxblBByBpY7W0ci00kf7kFgvXWMeU96NSQJdnid/YxzQYn0dGL2rSh1dwdPN
NPQlNSfnEQ1yxFevR7aRdCqTbTXU3mxi8YaSscE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQC27PiZyPqfiuyKmkkGXZ2AcTqXUR9P/Y7dUCr5h+vL/NYffn9W
dq1Ue2a3f5fq7hNx/Vb7s8TJSrjB+6gV/4Jow2U5Y/ViTPs3NLUpPntrncvYXttJ
Rs08b9L2spCZLinL0ljZOFhPTbgHYCB2b4yoKE0lZrzNQKTAoOvZ8jsvewIDAQAB
AoGBAJ7LCWeeUwnKNFqBYmD3RTFpmX4furnal3lBDX0945BZtJr0WZ/6N679zIYA
aiVTdGfgjvDC9lHy3n3uctRd0Jqdh2QoSSxNBhq5elIApNIIYzu7w/XI/VhGcDlA
b6uadURQEC2q+M8YYjw3mwR2omhCWlHIViOHe/9T8jfP/8pxAkEA7k39WRcQildH
DFKcj7gurqlkElHysacMTFWf0ZDTEUS6bdkmNXwK6mH63BlmGLrYAP5AMgKgeDf8
D+WRfv8YKQJBAMSCQ7UGDN3ysyfIIrdc1RBEAk4BOrKHKtD5Ux0z5lcQkaCYrK8J
DuSldreN2yOhS99/S4CRWmGkTj04wRSnjwMCQQCaR5mW3QzTU4/m1XEQxsBKSdZE
2hMSmsCmhuSyK13Kl0FPLr/C7qyuc4KSjksABa8kbXaoKfUz/6LLs+ePXZ2JAkAv
+mIPk5+WnQgS4XFgdYDrzL8HTpOHPSs+BHG/goltnnT/0ebvgXWqa5+1pyPm6h29
PrYveM2pY1Va6z1xDowDAkEAttfzAwAHz+FUhWQCmOBpvBuW/KhYWKZTMpvxFMSY
YD5PH6NNyLfBx0J4nGPN5n/f6il0s9pzt3ko++/eUtWSnQ==
-----END RSA PRIVATE KEY-----

ubuntu_ruei_add_key.png


Simply click on the add new key and browse for the cert_and_key file on your desktop which you concatenated earlier using any text editor. You may need to add a passphrase in order to decrypt the RSA key in some cases (it should tell you BEGIN ENCRYPTED PRIVATE KEY in the header line).

I will show you the success screen after uploading the certificate to RUEI. You may want to restart your collector once you have uploaded all the certificate/key pairs you want to use in order to make sure they get picked up asap.

ubuntu_ruei_cert_and_key_uploaded.png


You should be able to see the number of SSL Connections rising in the Collector statistics screen below. The figures for decrypt errors should slowly go down and the usage figures for your encryption algortihm on the subsequent SSL Encryption screen should go up.

ubuntu_ruei_collector_ssl_connections.png


You should be 100% sure everything works fine by now, otherwise see below to distinguish the remaining 1% from your 99% certainty.

Verify Certificate and Key are matching

You can compare the modulus of private key and public certificate and they should match in order for the key to fit the lock. You only want to make sure they both fit each other.

We are actually interested only in the following details of the two files, which can be determined by using the -subject, -dates and -modulus command line switches instead of the complete -text output of the x509 certificate/rsa key contents.

$ sudo openssl x509 -noout -subject -in /etc/ssl/certs/ssl-cert-snakeoil.pem
subject= /CN=ubuntu
$ sudo openssl x509 -noout -dates -in /etc/ssl/certs/ssl-cert-snakeoil.pem
notBefore=Jun  7 08:03:53 2010 GMT
notAfter=Jun  4 08:03:53 2020 GMT
$ sudo openssl x509 -noout -modulus -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Modulus=B6ECF899C8FA9F8AEC8A9A49065D9D80713A97511F4FFD8EDD502AF987EBCBFCD61F7E7F5676AD547B66B77F97EAEE1371FD56FBB3C4C94AB8C1FBA815FF8268C3653963F5624CFB3734B5293E7B6B9DCBD85EDB4946CD3C6FD2F6B290992E29CBD258D938584F4DB8076020766F8CA8284D2566BCCD40A4C0A0EBD9F23B2F7B
$ sudo openssl rsa -noout -modulus -in /etc/ssl/private/ssl-cert-snakeoil.key
Modulus=B6ECF899C8FA9F8AEC8A9A49065D9D80713A97511F4FFD8EDD502AF987EBCBFCD61F7E7F5676AD547B66B77F97EAEE1371FD56FBB3C4C94AB8C1FBA815FF8268C3653963F5624CFB3734B5293E7B6B9DCBD85EDB4946CD3C6FD2F6B290992E29CBD258D938584F4DB8076020766F8CA8284D2566BCCD40A4C0A0EBD9F23B2F7B

As you can see the modulus matches exactly and we have the proof that the certificate has been created using the private key.

OpenSSL Certificate and Key Details

As I already told you, you do not need all the greedy details, but in case you want to know it in depth what is actually in those hex-blocks can be made visible with the following commands which show you the actual content in a human readable format.

Note: You may not want to post all the details of your private key =^) I told you I have been using a self-signed certificate only for showing you these details.

$ sudo openssl rsa -noout -text -in /etc/ssl/private/ssl-cert-snakeoil.key
Private-Key: (1024 bit)
modulus:
    00:b6:ec:f8:99:c8:fa:9f:8a:ec:8a:9a:49:06:5d:
    9d:80:71:3a:97:51:1f:4f:fd:8e:dd:50:2a:f9:87:
    eb:cb:fc:d6:1f:7e:7f:56:76:ad:54:7b:66:b7:7f:
    97:ea:ee:13:71:fd:56:fb:b3:c4:c9:4a:b8:c1:fb:
    a8:15:ff:82:68:c3:65:39:63:f5:62:4c:fb:37:34:
    b5:29:3e:7b:6b:9d:cb:d8:5e:db:49:46:cd:3c:6f:
    d2:f6:b2:90:99:2e:29:cb:d2:58:d9:38:58:4f:4d:
    b8:07:60:20:76:6f:8c:a8:28:4d:25:66:bc:cd:40:
    a4:c0:a0:eb:d9:f2:3b:2f:7b
publicExponent: 65537 (0x10001)
privateExponent:
    00:9e:cb:09:67:9e:53:09:ca:34:5a:81:62:60:f7:
    45:31:69:99:7e:1f:ba:b9:da:97:79:41:0d:7d:3d:
    e3:90:59:b4:9a:f4:59:9f:fa:37:ae:fd:cc:86:00:
    6a:25:53:74:67:e0:8e:f0:c2:f6:51:f2:de:7d:ee:
    72:d4:5d:d0:9a:9d:87:64:28:49:2c:4d:06:1a:b9:
    7a:52:00:a4:d2:08:63:3b:bb:c3:f5:c8:fd:58:46:
    70:39:40:6f:ab:9a:75:44:50:10:2d:aa:f8:cf:18:
    62:3c:37:9b:04:76:a2:68:42:5a:51:c8:56:23:87:
    7b:ff:53:f2:37:cf:ff:ca:71
prime1:
    00:ee:4d:fd:59:17:10:8a:57:47:0c:52:9c:8f:b8:
    2e:ae:a9:64:12:51:f2:b1:a7:0c:4c:55:9f:d1:90:
    d3:11:44:ba:6d:d9:26:35:7c:0a:ea:61:fa:dc:19:
    66:18:ba:d8:00:fe:40:32:02:a0:78:37:fc:0f:e5:
    91:7e:ff:18:29
prime2:
    00:c4:82:43:b5:06:0c:dd:f2:b3:27:c8:22:b7:5c:
    d5:10:44:02:4e:01:3a:b2:87:2a:d0:f9:53:1d:33:
    e6:57:10:91:a0:98:ac:af:09:0e:e4:a5:76:b7:8d:
    db:23:a1:4b:df:7f:4b:80:91:5a:61:a4:4e:3d:38:
    c1:14:a7:8f:03
exponent1:
    00:9a:47:99:96:dd:0c:d3:53:8f:e6:d5:71:10:c6:
    c0:4a:49:d6:44:da:13:12:9a:c0:a6:86:e4:b2:2b:
    5d:ca:97:41:4f:2e:bf:c2:ee:ac:ae:73:82:92:8e:
    4b:00:05:af:24:6d:76:a8:29:f5:33:ff:a2:cb:b3:
    e7:8f:5d:9d:89
exponent2:
    2f:fa:62:0f:93:9f:96:9d:08:12:e1:71:60:75:80:
    eb:cc:bf:07:4e:93:87:3d:2b:3e:04:71:bf:82:89:
    6d:9e:74:ff:d1:e6:ef:81:75:aa:6b:9f:b5:a7:23:
    e6:ea:1d:bd:3e:b6:2f:78:cd:a9:63:55:5a:eb:3d:
    71:0e:8c:03
coefficient:
    00:b6:d7:f3:03:00:07:cf:e1:54:85:64:02:98:e0:
    69:bc:1b:96:fc:a8:58:58:a6:53:32:9b:f1:14:c4:
    98:60:3e:4f:1f:a3:4d:c8:b7:c1:c7:42:78:9c:63:
    cd:e6:7f:df:ea:29:74:b3:da:73:b7:79:28:fb:ef:
    de:52:d5:92:9d

$ sudo openssl x509 -noout -text -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fb:3b:75:d7:c1:58:a5:5b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ubuntu
        Validity
            Not Before: Jun  7 08:03:53 2010 GMT
            Not After : Jun  4 08:03:53 2020 GMT
        Subject: CN=ubuntu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b6:ec:f8:99:c8:fa:9f:8a:ec:8a:9a:49:06:5d:
                    9d:80:71:3a:97:51:1f:4f:fd:8e:dd:50:2a:f9:87:
                    eb:cb:fc:d6:1f:7e:7f:56:76:ad:54:7b:66:b7:7f:
                    97:ea:ee:13:71:fd:56:fb:b3:c4:c9:4a:b8:c1:fb:
                    a8:15:ff:82:68:c3:65:39:63:f5:62:4c:fb:37:34:
                    b5:29:3e:7b:6b:9d:cb:d8:5e:db:49:46:cd:3c:6f:
                    d2:f6:b2:90:99:2e:29:cb:d2:58:d9:38:58:4f:4d:
                    b8:07:60:20:76:6f:8c:a8:28:4d:25:66:bc:cd:40:
                    a4:c0:a0:eb:d9:f2:3b:2f:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        93:6a:ef:54:49:31:47:5a:8f:4a:92:62:b9:d0:ee:19:41:ed:
        58:a0:4a:5a:25:9b:99:2c:08:dd:11:19:4f:ed:2f:1b:e6:03:
        1b:96:b9:e4:d7:71:81:19:37:ce:14:27:b6:a1:7b:80:d6:23:
        2b:16:e5:04:1c:81:a5:8e:d6:d1:c8:b4:d2:47:fb:90:58:2f:
        5d:63:1e:53:de:8d:49:02:5d:9e:27:7f:63:1c:d0:62:7d:1d:
        18:bd:ab:4a:1d:5d:c1:d3:cd:34:f4:25:35:27:e7:11:0d:72:
        c4:57:af:47:b6:91:74:2a:93:6d:35:d4:de:6c:62:f1:86:92:
        b1:c1

The above output can also be seen if you direct your browser client to your website and check the certificate sent by the server to your browser. You will be able to lookup all the details including the validity dates, subject common name and the public key modulus.

mozilla_ubuntu_cert_public_key_modulus.png


Capture an SSL connection using Wireshark

And as you would have expected, looking at the low-level tcp data that has been exchanged between the client and server with a tcp-diagnostics tool (i.e. wireshark/tcpdump) you can also see the modulus in there.

wireshark_capture_options.png


These were the settings I used to capture all traffic on the local loopback interface, matching the filter expression: tcp and ip and host 127.0.0.1 and port 443. This tells Wireshark to leave out any other information, I may not have been interested in showing you.

wireshark_ubuntu_cert_public_key_modulus.png



Comments:

Great thing you've added the 'how to verify' steps - a common thing to forget, but very important to be done! Just a small hint: in order to make the 'modulus' easier comparable, you can add: |openssl md5 to the end of the compare lines. This will give you a shorter hash value to compare. Secondly - be aware that if you're using an SSL keystore, it could easily contain multiple KEYs and Certificates. Make sure you take the right one. OpenSSL can handle those stores, but by default it will pick only the first Key/Certificate pair from the store.

Posted by Jan van Tiggelen on mars 24, 2011 at 03:41 MD GMT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

This blog covers various topics in the System Application Management Arena, i.e. the main Oracle tools are known as Oracle Real User Experience Insight and Oracle Application Testing Suite. It will from time to time take a look aside to see what integration offers with other tools of the Oracle Enterprise Manager Grid Control stack of tools.

Search

Categories
Archives
« prill 2014
DieHënMarMërEnjPreSht
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today