How to Test Strict Certificate Checking

During TLS hand-shake server sends it's certificate to client and it's up to the client how to verify the authenticity of the certificate. Snare Agent has two modes of server certificate checking i.e. 'Accept any' and 'Strict Certificate Checking' as shown in following diagram.

Next, it is explained how to enable and test strict certificate checking in Snare Agents. This is applicable to Windows/Lunix/macOS Snare Agents.

 Create Server Certificate

These steps can be performed on any Windows/Linux/macOS machine. OpenSSL is needed for these steps. On Linux/macOS machines OpenSSL is already installed and for Windows the OpenSSL.exe can be downloaded from https://slproweb.com/products/Win32OpenSSL.html

  • Copy the following text into an empty text file and save it as .conf file

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = VA L = SomeCity O = MyCompany OU = MyDivision CN = www.company.com [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = www.company.com DNS.2 = company.com DNS.3 = www.company.net DNS.4 = company.net
  • (optional - only needed for strict certificate checking) Now make changes as per the Server machine. The *most* important properties are CN and DNS.x.

  • For example, if the Server name is WIN81 (that is one of VM in Snare test lab) the the .conf file will look as following

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = AU ST = SA L = Adelaide O = Prophecy International Ltd. OU = Snare CN = WIN81.snare.ia [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = WIN81.snare.ia DNS.2 = WIN81 DNS.3 = WIN81.ia
  • Now run the following command to generate the .CSR file from the .conf file.

1 openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.private -config req.conf
  • The above step will also create the private key fle company_san.private

  • Run following command to validate the .csr file and make sure there is no error reported

1 openssl req -text -noout -verify -in company_san.csr
  • Specifically check that the CN and 'Subject Alternative Name' are correct and corresponds to the server machine. Without 'Subject Alternative Name' the certificate checking will fail on macOS 10.15+ https://support.apple.com/en-us/HT210176

  • Run following command to extract the public key from .csr file.

1 openssl req -in company_san.txt -noout -pubkey -out publickey.pem

 

  • Create Selft-Signed Certificate (Windows/Linux/macOS)

    • Use following openssl command to cretae self signed certificate using recently created .csr and public key .pem files

1 Openssl> x509 -req -days 365 -in company_san.csr -signkey company_san.private -sha256 -out certificate.cer
  • Create CA Certificate (Windows/Linux/macOS)

    • Provide the .csr and publickey.pem files to your CA and get CA signed certificate

    • The CA should provide Base 64 Decoded 

      • certificate.cer

      • CA certificate chain .p7b file

    • (Windows Only) also get the latest certificate revocation list file(s) from CA

      • latest base CRL .crl

      • latest delta CRL .crl

  • Then run following command to combine private key and server certificate .cer into a single .pfx File

1 openssl pkcs12 -inkey company_san.private -in certificate.cer -export -out certificate.pfx
  • Next we need to install the certificate.pfx on server and root certificate .p7b file to client side using following steps.

Server Side Certificate

  • Windows

    • Import the certificate.pfx into Windows Certificate Manager (( open cmd >> mmc >> add remove snap>> add certificate(Use system account) >> then select personal folder >> Right click Certificate >> All tasks >>import ). Remember to check "Mark this key as Exportable"

  • After import, the certificate is shown under Personal\Certificates as shown in following screenshot:

  • Double click the newly installed certificate i.e. WIN81.snare.ia in this case and go to 'Details' tab and then select the Thumbprint and it will show the thumbprint string. Now down this string as shown in following screenshot.

  • Open SAM GUI => General settings and select the newly installed certificate for "Agent HTTPS Certificate". The certificate is identified by it's "Thumbprint".

Linux

If server certificate is being used by Snare Server then, follow these steps to install the server certificate alongwith privte/public keys https://support.prophecyinternational.com/s/article/Using-a-CA-signed-cert-on-Snare-Server and https://prophecyinternational.atlassian.net/wiki/spaces/Snare/pages/893485237

 

Client Side Certificate

On client side, the root Certificate Authority (CA) needs to be installed so that the server side certificate can be vlidated. The Snare agent can run on Windows/Linux/macOS so we have separate instructions for each OS.

Windows

  • Import the root certificate chain .p7b into Windows Certificate Manager (( open cmd >> mmc >> add remove snap>> add certificate(Use system account) >> then select 'Trusted Root Certificate Authorities' >> Right click >> All tasks >>import ) and impor the .p7b file. After import the certificate maager will show the Snare CA as following:

  • Also import both CRL files into Trusted Root Certificate Authorities\Certificate Revocation List. After import the Certificate Revocation List will look like this

Linux

  • (only if certificated is created by CA i.e. it’s not self-signed certificate) Get the root certificate file .crt for the CA. This .crt file is NOT server certificate that was created using CSR

  • Now copy the downloaded root certificate to /usr/share/ca-certificates/

  • Run following code to install the root certificate

1 2 3 sudo cp certificate.crt /usr/share/ca-certificates/ sudo apt-get install debconf sudo dpkg-reconfigure ca-certificates
  • Select the certificate.crt by pressing space and then continue and root certificate will be installed on client side

macOS

Common Step for Windows/Linux/macOS

  • Once root certificate authority certificate is installed

  • Open Agent GUI => Security Certificates => Snare Agent Manager Certificate Verification => strict checking

  • Open Agent GUI => Access Configuration => put hostname that was given in .conf file i.e. WIN81.snare.ia or WIN81 or WIN81.ia

  • Make sure that from client machine, the SAM hostname can be pingged