SSL/TLS Client: Understanding Certificate Chains
In the previous section, we described a situation where the wrong CA certificate was configured on Jetdirect. Let’s explain this more thoroughly because it is a common issue reported on Jetdirect.
Remember, Jetdirect is an embedded system and has limited flash space. Therefore, it cannot store a multitude of certificates on its flash file system. What Jetdirect needs to do is “Walk the Certificate Chain”. Let’s explain by reviewing our CA Hierarchy.
Figure 31 - CA Hierarchy
In this example, RootCA is the top level CA, which is also called the Root. What usually happens at customer sites is that the Root CA is created and it issues one or more certificates to Subordinate CAs, also known as Intermediate CAs, and they do the dirty work of issuing certificates to various entities in the customer’s network. The Root CA is then shut down and locked up in a secure room, with its key material backed up in several places. The Root CA establishes the trust of the whole environment and is very well protected.
We can see that RootCA issues a certificate to R2, which grants R2 the capability to issue certificates to other entities. R2’s certificate is signed by the Root CA. R2 then can issue certificates to other devices.
Figure 32 -
Notice that R2’s certificate is issued by RootCA. What does RootCA’s certificate look like? Let’s look at Figure 33.
Figure 33 - RootCA
Notice the RootCA is “self-signed”. All Root CAs will be self-signed – these CAs represent the single point of trust. A logical question would be: “Which CA do I configure on Jetdirect?” Let’s look at some diagrams. First, we have an incorrect configuration, as shown in Figure 34 – Incorrect HP Jetdirect CA Configuration.
[Diagram text recovered from Figure 34: RootCA.example.internal (Root Certificate Authority: RootCA) holds RootCA’s Certificate = RootCA’s Info + RootCA’s Public Key, signed with RootCA’s Digital Signature. R2.example.internal (Subordinate Certificate Authority: R2) holds R2’s Certificate = R2’s Info + R2’s Public Key, signed with RootCA’s Digital Signature. Question posed: “What Certificates should be configured on Jetdirect so that an SSL Client will be successful?” LJ 4345MFP’s configured CA Certificate = R2’s Info + R2’s Public Key, RootCA’s Digital Signature – INCORRECT! LJ 4345MFP’s Identity Certificate = LJ 4345MFP Info + hpprinter’s Public Key, R2’s Digital Signature.]
Figure 34 - Incorrect HP Jetdirect CA Configuration.
The Subordinate CA cannot be used as the CA certificate on Jetdirect!
Now we can look at a correct configuration in Figure 35 – Correct HP Jetdirect CA Configuration.
[Diagram text recovered from Figure 35: RootCA.example.internal (Root Certificate Authority: RootCA) holds RootCA’s Certificate = RootCA’s Info + RootCA’s Public Key, signed with RootCA’s Digital Signature. R2.example.internal (Subordinate Certificate Authority: R2) holds R2’s Certificate = R2’s Info + R2’s Public Key, signed with RootCA’s Digital Signature. Question posed: “What Certificates should be configured on Jetdirect so that an SSL Client will be successful?” LJ 4345MFP’s configured CA Certificate = RootCA’s Info + RootCA’s Public Key, RootCA’s Digital Signature (RootCA’s Certificate) – CORRECT! LJ 4345MFP’s Identity Certificate = LJ 4345MFP’s Info + Public Key, R2’s Digital Signature.]
Figure 35 - Correct HP Jetdirect CA Configuration
Be sure the Root CA of your CA Hierarchy has its public key certificate configured on Jetdirect!
Here is a question for you: When Jetdirect is acting as a client and receives the server’s certificate signed by R2, how can it know that R2’s certificate was signed by RootCA? The answer: It cannot!
Another special thing must happen: The server must send R2’s CA certificate along with its own certificate. This allows Jetdirect to “walk the chain” and verify the certificate chain is valid. Refer to Figure 36 – Walking the Chain 1.
Figure 36 - Walking the Chain 1
Jetdirect has one certificate stored on it – the RootCA public key certificate. During the SSL/TLS handshake with the LDAP server, two certificates are sent back to Jetdirect. One is the LDAP Server’s certificate and the other is the public key certificate for R2. Jetdirect stores them in its volatile memory and can begin to “walk the chain”. Refer to Figure 37 – Walking the Chain 2:
Figure 37 - Walking the Chain 2
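The three situations described with Figures 34 through 37 (the subordinate CA wrongly configured as the trust anchor, the Root CA correctly configured but the server sending only its own certificate, and the Root CA configured with the server also sending R2’s certificate) can be reproduced on a workstation with the OpenSSL command line. The script below is an added example and is not part of the HP manual or of the Jetdirect firmware. It generates a throwaway RootCA, subordinate R2 and server certificate (the server name ldap.example.internal is an assumed placeholder) and then plays the client’s role with `openssl verify`, where `-CAfile` stands for the single CA certificate configured on Jetdirect and `-untrusted` for the extra certificate the server hands over during the handshake.

```shell
#!/bin/sh
# Added example (not from the HP manual): reproduce the Jetdirect CA
# configuration cases of Figures 34-37 with the OpenSSL CLI.
# Names (RootCA, R2) follow the figures; ldap.example.internal is an assumed
# placeholder. Every key and certificate is throwaway test material written
# to a temporary directory.

WORK="${TMPDIR:-/tmp}/jetdirect-chain.$$"

# Generate the three-tier hierarchy: RootCA (self-signed) -> R2 (subordinate
# CA, signed by RootCA) -> server identity certificate (signed by R2).
build_chain() {
    mkdir -p "$WORK" || return 1
    # X.509v3 extension profiles: the two CA certificates must assert CA:TRUE,
    # the server certificate must not.
    printf '%s\n' \
        '[ca_ext]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        '[leaf_ext]' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' > "$WORK/ext.cnf"
    (
        cd "$WORK" &&
        openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
            -subj '/CN=RootCA' 2>/dev/null &&
        openssl x509 -req -in root.csr -signkey root.key -days 1 \
            -extfile ext.cnf -extensions ca_ext -out root.pem 2>/dev/null &&
        openssl req -new -newkey rsa:2048 -nodes -keyout r2.key -out r2.csr \
            -subj '/CN=R2' 2>/dev/null &&
        openssl x509 -req -in r2.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 1 -extfile ext.cnf -extensions ca_ext -out r2.pem 2>/dev/null &&
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj '/CN=ldap.example.internal' 2>/dev/null &&
        openssl x509 -req -in server.csr -CA r2.pem -CAkey r2.key -CAcreateserial \
            -days 1 -extfile ext.cnf -extensions leaf_ext -out server.pem 2>/dev/null
    )
}

# verify_server ANCHOR [SENT]: act as the SSL/TLS client. ANCHOR is the one CA
# certificate "configured on Jetdirect"; SENT is the additional certificate the
# server included in its handshake, if any. Returns 0 only when OpenSSL can walk
# the chain from server.pem up to a self-signed certificate it trusts.
verify_server() {
    anchor="$WORK/$1"
    sent="${2:+-untrusted $WORK/$2}"
    # $sent is intentionally unquoted: it expands to two words or to nothing.
    if openssl verify -CAfile "$anchor" $sent "$WORK/server.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print a one-line verdict for one configuration.
report() {
    if verify_server "$2" "$3"; then
        echo "$1: chain verified"
    else
        echo "$1: verification FAILED"
    fi
}

cleanup() { rm -rf "$WORK"; }

# Walk through the manual's cases when the script is run directly.
main() {
    build_chain || { echo "could not generate test certificates" >&2; return 1; }
    report "Figure 35/37: RootCA configured, server sends R2's certificate" root.pem r2.pem
    report "RootCA configured, server sends only its own certificate" root.pem
    report "Figure 34: subordinate R2 configured as the CA" r2.pem
    cleanup
}

main
```

Only the first case verifies: the anchor is the self-signed RootCA and the server supplied R2’s certificate, so the chain can be walked from the server certificate to R2 and from R2 to RootCA. Leaving out the `-untrusted` file reproduces the “It cannot!” case above, because the issuer of the server certificate is nowhere to be found. Using r2.pem as the anchor reproduces Figure 34: OpenSSL, like Jetdirect, will not stop at a CA certificate that is not self-signed unless it is explicitly told to treat it as a partial chain.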