
SSL/TLS Client: Understanding Certificate Chains

In the previous section, we described a situation where the wrong CA certificate was configured on Jetdirect. Let's explain this more thoroughly, because it is a common issue reported on Jetdirect.

Remember, Jetdirect is an embedded system with limited flash space, so it cannot store a large number of certificates on its flash file system. Rather than holding a copy of every CA in the hierarchy, Jetdirect has to "walk the certificate chain" that the server presents to it. Let's explain by reviewing our CA hierarchy.

Figure 31 - CA Hierarchy

In this example, RootCA is the top-level CA, also called the Root. What usually happens at customer sites is that the Root CA is created and issues one or more certificates to Subordinate CAs, also known as Intermediate CAs, which do the day-to-day work of issuing certificates to the various entities in the customer's network. The Root CA is then shut down and locked up in a secure room, with its key material backed up in several places. The Root CA establishes the trust of the whole environment and is very well protected.

We can see that RootCA issues a certificate to R2, which grants R2 the capability to issue certificates to other entities. R2's certificate is therefore signed by the Root CA, and R2 can then issue certificates to other devices.


Figure 32 -

Notice that R2’s certificate is issued by RootCA. What does RootCA’s certificate look like? Let’s look at Figure 33.


Figure 33 - RootCA

Notice that RootCA is "self-signed": its certificate is signed with its own private key, so its issuer and subject are the same. All Root CAs are self-signed, because a root is the single point of trust and there is nothing above it to vouch for it. A logical question would be: "Which CA certificate do I configure on Jetdirect?" Let's look at some diagrams. First, we have an incorrect configuration, as shown in Figure 34 - Incorrect HP Jetdirect CA Configuration.


[Figure 34 diagram. Three certificates are shown:
RootCA.example.internal, Root Certificate Authority RootCA: RootCA's Info + RootCA's Public Key, carrying RootCA's Digital Signature (RootCA's Certificate).
R2.example.internal, Subordinate Certificate Authority R2: R2's Info + R2's Public Key, carrying RootCA's Digital Signature (R2's Certificate).
LJ 4345MFP's Identity Certificate: LJ 4345MFP Info + hpprinter's Public Key, carrying R2's Digital Signature.
The diagram asks: "What certificates should be configured on Jetdirect so that an SSL client will be successful?" Here the LJ 4345MFP's configured CA certificate is R2's certificate, and the diagram marks this INCORRECT!]

Figure 34 - Incorrect HP Jetdirect CA Configuration.

The Subordinate CA's certificate (R2's certificate) cannot be used as the CA certificate on Jetdirect!

Now we can look at a correct configuration in Figure 35 - Correct HP Jetdirect CA Configuration.


[Figure 35 diagram. The same three certificates are shown:
RootCA.example.internal, Root Certificate Authority RootCA: RootCA's Info + RootCA's Public Key, carrying RootCA's Digital Signature (RootCA's Certificate).
R2.example.internal, Subordinate Certificate Authority R2: R2's Info + R2's Public Key, carrying RootCA's Digital Signature (R2's Certificate).
LJ 4345MFP's Identity Certificate: LJ 4345MFP's Info + the printer's Public Key, carrying R2's Digital Signature.
The diagram asks: "What certificates should be configured on Jetdirect so that an SSL client will be successful?" Here the LJ 4345MFP's configured CA certificate is RootCA's certificate, and the diagram marks this CORRECT!]

Figure 35 - Correct HP Jetdirect CA Configuration

Be sure the self-signed public key certificate of the Root CA at the top of your CA hierarchy is the CA certificate configured on Jetdirect!

Here is a question for you: when Jetdirect is acting as a client and receives the server's certificate signed by R2, how can it know that R2's certificate was signed by RootCA? The answer: it cannot! The only certificate Jetdirect holds is RootCA's, and a signature made by R2 can only be checked with R2's public key, which lives in R2's certificate.

Another special thing must happen: the server must send R2's CA certificate along with its own certificate. TLS provides for exactly this: the server's Certificate message carries the server's own certificate first, followed by the certificate of each issuing CA up the hierarchy, with the root itself usually omitted. This allows Jetdirect to "walk the chain" and verify that the certificate chain is valid. Refer to Figure 36 - Walking the Chain 1.


Figure 36 - Walking the Chain 1

Jetdirect has one certificate stored on it: the RootCA public key certificate. During the SSL/TLS handshake with the LDAP server, two certificates are sent back to Jetdirect. One is the LDAP server's certificate and the other is the public key certificate for R2. Jetdirect stores them in its volatile memory and can begin to "walk the chain": it uses RootCA's public key, taken from the certificate it has stored, to verify the signature on R2's certificate, and then uses R2's public key, taken from the certificate the server just sent, to verify the signature on the LDAP server's certificate. Only if every link checks out, and the walk ends at the configured RootCA certificate, is the server trusted. If the server sends only its own certificate, the walk stops at the first link and the handshake fails. Refer to Figure 37 - Walking the Chain 2:

Figure 37 - Walking the Chain 2
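The configurations of Figures 34 and 35 and the chain walk of Figures 36 and 37, as an added example that is not part of the HP manual: a shell script that builds the RootCA, R2 and LDAP server hierarchy with the openssl command-line tool and then runs OpenSSL's path validation against each case. The subject names RootCA and R2 follow the figures; the LDAP server name ldap.example.internal, the file names and the jetdirect_verify function (which encodes the manual's "configured CA must be the self-signed root" rule) are assumptions made here, and the checks use OpenSSL's verifier, not Jetdirect's own code.

```sh
#!/bin/sh
# Added example, not code from the HP manual. Builds the RootCA -> R2 -> LDAP
# server hierarchy from the figures with the openssl CLI, then runs OpenSSL's
# own path validation (not Jetdirect's code) against each configuration the
# text discusses. RootCA and R2 come from the figures; ldap.example.internal,
# the file names and the jetdirect_verify rule are assumptions made here.

# build_hierarchy DIR: RootCA (self-signed) issues R2 (subordinate CA),
# and R2 issues the LDAP server's identity certificate.
build_hierarchy() {
  dir=$1
  # Private config so the script does not depend on the system openssl.cnf.
  cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.internal
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # RootCA: self-signed, the one certificate Jetdirect should be configured with.
  openssl req -config "$dir/ext.cnf" -x509 -extensions root_ext -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=RootCA" \
    -keyout "$dir/rootca.key" -out "$dir/rootca.pem" 2>/dev/null
  # R2: its certificate carries RootCA's signature and marks R2 as a CA.
  openssl req -config "$dir/ext.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=R2" -keyout "$dir/r2.key" -out "$dir/r2.csr" 2>/dev/null
  openssl x509 -req -in "$dir/r2.csr" -CA "$dir/rootca.pem" -CAkey "$dir/rootca.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$dir/ext.cnf" -extensions sub_ext \
    -out "$dir/r2.pem" 2>/dev/null
  # LDAP server: identity certificate signed by R2.
  openssl req -config "$dir/ext.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap.example.internal" -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/r2.pem" -CAkey "$dir/r2.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/ext.cnf" -extensions leaf_ext \
    -out "$dir/ldap.pem" 2>/dev/null
}

# is_self_signed CERT: true when issuer DN equals subject DN, as a root's does.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verify_chain ANCHOR LEAF [INTERMEDIATE]: OpenSSL path validation with ANCHOR as
# the only trusted certificate and INTERMEDIATE as the untrusted, server-supplied
# certificate (the second certificate in the TLS Certificate message).
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# verify_partial ANCHOR LEAF: OpenSSL with -partial_chain, which accepts a
# non-root anchor. Shown for contrast; the manual says Jetdirect does not do this.
verify_partial() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# jetdirect_verify CA LEAF [INTERMEDIATE]: emulation of the rule the manual states.
# The configured CA must be a self-signed root, and the chain the server sends
# must walk from its identity certificate up to that root.
jetdirect_verify() {
  is_self_signed "$1" || return 1
  verify_chain "$@"
}

# report LABEL CMD...: print OK or FAIL without aborting the script.
report() {
  label=$1; shift
  if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

WORK=$(mktemp -d)
build_hierarchy "$WORK"
report "Figure 35: RootCA configured, server sends LDAP cert + R2 cert" \
  jetdirect_verify "$WORK/rootca.pem" "$WORK/ldap.pem" "$WORK/r2.pem"
report "Figure 34: R2 configured as the CA" \
  jetdirect_verify "$WORK/r2.pem" "$WORK/ldap.pem" "$WORK/r2.pem"
report "RootCA configured, but server sends only its own certificate" \
  jetdirect_verify "$WORK/rootca.pem" "$WORK/ldap.pem"
report "OpenSSL -partial_chain with R2 as anchor (not Jetdirect behaviour)" \
  verify_partial "$WORK/r2.pem" "$WORK/ldap.pem"
rm -rf "$WORK"
```

Run it with sh; it needs an openssl binary (1.1.1 or later was used when writing it). The first three cases are the ones the manual describes: only the Figure 35 configuration passes, the Figure 34 configuration fails because R2's certificate is not self-signed, and the third fails because the server withheld R2's certificate so the walk cannot reach the root. The last case is a caveat worth knowing: RFC 5280 permits a trust anchor that is not self-signed, and OpenSSL accepts R2 as the anchor when given -partial_chain, so a chain that a workstation or browser accepts can still be rejected by Jetdirect. To see what a server really sends in its Certificate message, `openssl s_client -connect ldap.example.internal:636 -showcerts` prints every certificate it presents, which is the quickest way to confirm that R2's certificate is included.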

