How to Test Strict Certificate Checking
During the TLS handshake the server sends its certificate to the client, and it is up to the client how to verify the authenticity of that certificate. Snare Agent has two modes of server certificate checking, 'Accept any' and 'Strict Certificate Checking', as shown in the following diagram.
Next, it is explained how to enable and test strict certificate checking in Snare Agents. This applies to Windows/Linux/macOS Snare Agents.
Create Server Certificate
These steps can be performed on any Windows/Linux/macOS machine. OpenSSL is needed for these steps. On Linux/macOS machines OpenSSL is already installed; for Windows, OpenSSL.exe can be downloaded from https://slproweb.com/products/Win32OpenSSL.html
Copy the following text into an empty text file and save it as a .conf file
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
(optional - only needed for strict certificate checking) Now change the values to match the server machine. The *most* important properties are CN and DNS.x.
For example, if the server name is WIN81 (one of the VMs in the Snare test lab) the .conf file will look as follows
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = AU
ST = SA
L = Adelaide
O = Prophecy International Ltd.
OU = Snare
CN = WIN81.snare.ia
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = WIN81.snare.ia
DNS.2 = WIN81
DNS.3 = WIN81.ia
Now run the following command to generate the .CSR file from the .conf file.
openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.private -config req.conf
The above step will also create the private key file company_san.private
Run the following command to validate the .csr file and make sure no error is reported
Specifically check that the CN and 'Subject Alternative Name' are correct and correspond to the server machine. Without a 'Subject Alternative Name' the certificate checking will fail on macOS 10.15+ (see the Apple Support article 'Requirements for trusted certificates in iOS 13 and macOS 10.15')
Run the following command to extract the public key from the .csr file.
Create Self-Signed Certificate (Windows/Linux/macOS)
Use the following openssl command to create a self-signed certificate using the recently created .csr and public key .pem files
Create CA Certificate (Windows/Linux/macOS)
Provide the .csr and publickey.pem files to your CA and get the CA-signed certificate
The CA should provide:
Base-64 encoded certificate.cer
CA certificate chain .p7b file
(Windows only) also get the latest certificate revocation list file(s) from the CA:
latest base CRL .crl
latest delta CRL .crl
Then run the following command to combine the private key and the server certificate .cer into a single .pfx file
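The certificate creation steps above as one script, added here as an example; it is not Snare's tooling, and apart from the openssl req line already shown the commands are this example's, not the article's. It assumes openssl 1.1.1 or newer on PATH; the file names follow the article (req.conf, company_san.csr, company_san.private, publickey.pem, certificate.cer, certificate.pfx), while the export password changeit and the WIN81.snare.ia lab names are the article's example values or constructed for this script.

```shell
#!/bin/sh
# Added example, not Snare's own tooling: the CSR -> self-signed .cer -> .pfx
# pipeline from the steps above, with a check that the CSR really carries the
# CN and Subject Alternative Names a strict-checking client will match against.
# Assumes openssl (1.1.1 or later) on PATH; file names, the export password and
# the WIN81.snare.ia lab hostnames are taken from the article or constructed.
set -eu

# Write the request configuration in the article's layout.
# $1 = output path, $2 = CN, remaining args = SAN DNS names (DNS.1, DNS.2, ...)
write_req_conf() {
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[req_distinguished_name]\nC = AU\nST = SA\nL = Adelaide\n'
        printf 'O = Prophecy International Ltd.\nOU = Snare\nCN = %s\n' "$cn"
        printf '[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate the private key and CSR (the article's command, output silenced).
# $1 = conf, $2 = CSR out, $3 = private key out
make_csr() {
    openssl req -new -out "$2" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$3" -config "$1" >/dev/null 2>&1
}

# Succeed only if the CSR self-signature verifies and the decoded request
# shows the expected CN and a DNS SAN entry. Strict checking on the client
# matches the SAN list, so a CSR without it produces an unusable certificate.
# $1 = CSR, $2 = expected CN, $3 = expected SAN DNS name
csr_has_san() {
    text=$(openssl req -in "$1" -noout -text -verify 2>&1) || return 1
    printf '%s\n' "$text" | grep -q "CN *= *$2" || return 1
    printf '%s\n' "$text" | grep -q "DNS:$3"
}

# Extract the public key from the CSR. $1 = CSR, $2 = .pem out
csr_pubkey() {
    openssl req -in "$1" -noout -pubkey -out "$2" 2>/dev/null
}

# Self-sign the CSR with its own private key. -extfile/-extensions re-apply
# the v3_req section so the SAN survives into the certificate; without them
# openssl x509 -req drops the request extensions.
# $1 = CSR, $2 = private key, $3 = conf, $4 = certificate out
self_sign() {
    openssl x509 -req -in "$1" -signkey "$2" -days 365 -sha256 \
        -extfile "$3" -extensions v3_req -out "$4" >/dev/null 2>&1
}

# Succeed if the issued certificate lists the DNS SAN. $1 = cert, $2 = name
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Bundle private key and certificate into the .pfx the server imports.
# $1 = private key, $2 = certificate, $3 = .pfx out, $4 = export password
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Succeed if the .pfx opens with the password (MAC verifies). $1 = .pfx, $2 = password
pfx_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Run the whole pipeline into a directory: sh make-certs.sh run ./certs
if [ "${1:-}" = run ]; then
    d=${2:-./certs}; mkdir -p "$d"
    write_req_conf "$d/req.conf" WIN81.snare.ia WIN81.snare.ia WIN81 WIN81.ia
    make_csr "$d/req.conf" "$d/company_san.csr" "$d/company_san.private"
    csr_has_san "$d/company_san.csr" WIN81.snare.ia WIN81.ia
    csr_pubkey "$d/company_san.csr" "$d/publickey.pem"
    self_sign "$d/company_san.csr" "$d/company_san.private" "$d/req.conf" "$d/certificate.cer"
    make_pfx "$d/company_san.private" "$d/certificate.cer" "$d/certificate.pfx" changeit
    pfx_ok "$d/certificate.pfx" changeit && echo "ok: artifacts in $d"
fi
```

Run it as sh make-certs.sh run ./certs. The csr_has_san check is the point of the 'validate the .csr' step: the name configured under Access Configuration is matched against the SAN list, so a CSR without the DNS.x entries yields a certificate with no SAN, which fails strict checking on macOS 10.15+ as noted above. Note also that openssl x509 -req does not copy request extensions unless -extfile/-extensions are given, which is an easy way to lose the SAN between the CSR and the certificate.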
Next we need to install certificate.pfx on the server and the root certificate .p7b file on the client side using the following steps.
Server Side Certificate
Windows
Import certificate.pfx into Windows Certificate Manager (open cmd >> mmc >> Add/Remove Snap-in >> add Certificates (use the system account) >> select the Personal folder >> right click Certificates >> All Tasks >> Import). Remember to check "Mark this key as exportable".
After import, the certificate is shown under Personal\Certificates as shown in the following screenshot:
Double click the newly installed certificate (WIN81.snare.ia in this case), go to the 'Details' tab and select Thumbprint; the thumbprint string is displayed. Note down this string as shown in the following screenshot.
Open SAM GUI => General settings and select the newly installed certificate for "Agent HTTPS Certificate". The certificate is identified by its "Thumbprint".
Linux
If the server certificate is to be used by Snare Server, follow these steps to install the server certificate along with the private/public keys: https://support.prophecyinternational.com/s/article/Using-a-CA-signed-cert-on-Snare-Server and 'Using a CA-signed cert on Snare Central Server'
Client Side Certificate
On the client side, the root Certificate Authority (CA) certificate needs to be installed so that the server side certificate can be validated. The Snare agent can run on Windows/Linux/macOS, so we have separate instructions for each OS.
Windows
Import the root certificate chain .p7b into Windows Certificate Manager (open cmd >> mmc >> Add/Remove Snap-in >> add Certificates (use the system account) >> select 'Trusted Root Certification Authorities' >> right click >> All Tasks >> Import) and import the .p7b file. After import the certificate manager will show the Snare CA as follows:
Also import both CRL files into Trusted Root Certification Authorities\Certificate Revocation List. After import the Certificate Revocation List will look like this
Linux
(only if the certificate was issued by a CA, i.e. it is not a self-signed certificate) Get the root certificate file .crt for the CA. This .crt file is NOT the server certificate that was created from the CSR
Now copy the downloaded root certificate to /usr/share/ca-certificates/
Run the following command to install the root certificate
Select certificate.crt by pressing space, then continue; the root certificate is now installed on the client side
macOS
(only if the certificate was issued by a CA, i.e. it is not a self-signed certificate) Get the root certificate file .crt for the CA. This .crt file is NOT the server certificate that was created from the CSR
Double click certificate.crt file
Select "System" from Keychain drop-down box and press Add
Open "Keychain" app
Go to 'System' keychain and Select the option 'Certificates' from category
snare-WINxxxxx certificate will be shown
Double click the certificate and go to 'Trust'
Select 'Always Trust' from the 'When using this certificate' drop-down box and close the window (it will ask for the admin password)
This is also explained at https://medium.com/@nickpeirson/adding-a-root-certificate-for-php-openssl-on-osx-f100b975d791 and https://www.eduhk.hk/ocio/content/faq-how-add-root-certificate-mac-os-x
Common Step for Windows/Linux/macOS
Once the root certificate authority certificate is installed:
Open Agent GUI => Security Certificates => Snare Agent Manager Certificate Verification => strict checking
Open Agent GUI => Access Configuration => enter the hostname that was given in the .conf file, i.e. WIN81.snare.ia or WIN81 or WIN81.ia
Make sure that the SAM hostname can be pinged from the client machine
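To see what strict checking actually tests once the root certificate is installed and the hostname is entered, here is an added example (not Snare's code) that reproduces both verification modes with the openssl CLI against a throwaway CA. It assumes openssl 1.1.1 or later on PATH; the 'Snare Test CA' name, the lab.conf sections, the 30-day validity and the WIN81 hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example, not Snare's code: reproduce with the openssl CLI what the two
# verification modes accept. "Accept any" only needs a parseable certificate;
# strict checking requires a chain to an installed root CA AND a hostname match
# against the certificate's SAN list (the name typed into Access Configuration).
# Assumes openssl 1.1.1+ on PATH; the "Snare Test CA", lab.conf sections and
# WIN81 hostnames are constructed for the example.
set -eu

# Build a throwaway root CA and a CA-signed server certificate in $1.
# $1 = work dir, $2 = server CN, $3 = SAN list, e.g. "DNS:WIN81.snare.ia, DNS:WIN81"
build_lab() {
    dir=$1; cn=$2; san=$3
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf '[dn]\nCN = placeholder\n'   # overridden by -subj below
        printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\n'
        printf '[server_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = %s\n' "$san"
    } > "$dir/lab.conf"
    # Root CA: the .crt that the client installs into its trust store.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Snare Test CA" -config "$dir/lab.conf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server CSR, then the CA-signed server certificate carrying the SAN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -config "$dir/lab.conf" -keyout "$dir/server.key" \
        -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/lab.conf" \
        -extensions server_ext -out "$dir/server.crt" >/dev/null 2>&1
}

# "Accept any": succeed as soon as the certificate parses. No issuer, no name.
# $1 = certificate
accept_any() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Strict checking: validate the chain of $2 against the installed root $1 and
# require hostname $3 to match the certificate's SAN list (CN is ignored for
# name matching once a SAN is present).
strict_check() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: sh strict-check.sh run ./lab
if [ "${1:-}" = run ]; then
    d=${2:-./lab}; mkdir -p "$d"
    build_lab "$d" WIN81.snare.ia "DNS:WIN81.snare.ia, DNS:WIN81, DNS:WIN81.ia"
    for host in WIN81.snare.ia WIN81 WIN81.ia other.example; do
        if strict_check "$d/ca.crt" "$d/server.crt" "$host"; then
            echo "strict: $host accepted"
        else
            echo "strict: $host rejected"
        fi
    done
    accept_any "$d/server.crt" && echo "accept any: accepted without chain or name check"
fi
```

Run sh strict-check.sh run ./lab: the three names from the article's conf are accepted, other.example is rejected with a hostname mismatch, and accept_any passes regardless. This mirrors the last two steps above: the hostname entered under Access Configuration must be one of the SAN entries, and the chain must end at a root the client has installed; a trust store that lacks the issuing CA fails with "unable to get local issuer certificate". Note that openssl verify also consults the system default trust store; to model a client that trusts only its installed root, add -no-CApath -no-CAfile (and -no-CAstore on OpenSSL 3).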