Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Register application with SSL from command line
rgmc
#1 Posted : Friday, March 1, 2013 8:34:51 PM(UTC)
Groups: Member
Joined: 3/1/2013(UTC)
Posts: 7

Hi,

Is there a parameter to register an application with a SSL certificate and https endpoints from the command line?

Thanks
Ultidev Team
#2 Posted : Friday, March 1, 2013 10:05:57 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi!

No, it's not allowed because for a certificate be secure, it should be generated on the machine whose identity it's representing, or at the very least be unique within a web farm. Creating a truly secure new certificate requires interactive steps which makes impossible to simplify it by doing it from an installer. If you are interested in redistributing a non-unique (a thus non-secure) certificates along with your application, we cannot enable this scenario. So since a certificate has to be generated on the target system and involves interactive steps, it can and should be done using UWS Explorer.

Please let us know if this information was helpful.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
rgmc
#3 Posted : Friday, March 1, 2013 11:20:13 PM(UTC)
Groups: Member
Joined: 3/1/2013(UTC)
Posts: 7

When the installer is run a unique machine specific self-signed ssl certificate could be created from the command line, programmatically or downloaded from a web service.

Use case:

- The installer is run
- The installer registers the installation in a remote web server
- The remote web server assigns a unique subdomain to that computer and generates a self-signed certificate with that subdomain
- The installer downloads the self-signed certificate
- The installer registers the application in UWS with the self-signed certificate and the subdomain assigned by the remote web server

Or are self-signed certificates the issue?

Thanks
rgmc
#4 Posted : Friday, March 1, 2013 11:43:04 PM(UTC)
Groups: Member
Joined: 3/1/2013(UTC)
Posts: 7

A wilcard certificate from a trusted certification authority could also be used.

The certificate could be *.mydomain.com

And a subdomain could be dinamically assigned to each new installation:

https://client2789.mydomain.com
https://client2790.mydomain.com
https://client2791.mydomain.com
...
Ultidev Team
#5 Posted : Saturday, March 2, 2013 12:00:51 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi there!

It's not really about whether it's possible - it is possible, but rather about whether it's a good idea to do it, which is really not, even though some people really want it. We do realize that it is possible to create a certificate that will appear secure to the client as a part of the installation process. A wildcard certificate could be shipped along with the application, a self-certificate can be issued, etc.

The problem is that most people want encryption without realizing that encrypting a conversation with an unverified party has no value. In this respect both self-signed and redistributed certificates are flawed and provide an appearance of security, while providing no actual security. Self-signed certificates have no way of proving true identity of the server - they are no more reliable in proving server's identity than driver's license you could create for yourself would tell who you truly are. And as we mentioned, encryption is useless if there is no guarantee that the party on the other end of the conversation is truly who they claim they are.

Redistributable certificates also suffer from a flaw of vouching for an identity of a machine merely by being placed there, which is also fundamentally non-secure. Private key, which is a part of the certificate, is something like your fingerprint - it's supposed to be very hard to move to another actor (that's what non-exportable keys are for) and to be unique. Wildcard certs represent identity of a web farm instead of a single machine, and therefore allowed to be moved, which reduces their security by making them like a fingerprint that can be adopted by other people. Wildcard certs and other redistributable certs break the cardinal rule of the PKI: they make private key easily obtainable by many actors.

These are very similar reasons as to why CAs do not sign certificates for "localhost", 192.168.x.x, etc. - because it's impossible to guarantee identity of the server, in which case encryption is moot. Same applies to every use case where issuer of a certificate has no way of proving server's identity, and redistributable applications never can w/o user interaction. If we were to get hold of your application distribution, we could install it on our server and all of the sudden our machine looks very much like your farm node to the outside world.

We do understand that there are many cases where administrators do not fully understand PKI security, and where mere presence of SSL and corresponding encryption is considered sufficient, but infrastructure products, like web servers, have much higher security requirements, and if we were to enable automatic SSL certificates, we'd be in trouble for creating a false sense of security where there is virtually none.

The only somewhat remotely realistic flow of enabling SSL for a redistributable app we tried was us ensuring that a wildcard/redistributable cert shipped with the application has password-protected private key, and password is compliant with some strict password strength rules. That would require people who install it to call someone who will tell them password. We ruled out this idea after one of our trial customers promptly started displaying the password before installation.

This all means that although we do realize that most users are soothed when they see SSL even if it's not doing much for actual security, and although would love nothing more than helping ISVs like you, we really cannot risk our brand supporting this case.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#6 Posted : Tuesday, March 8, 2016 3:20:16 AM(UTC)
Groups:

Message was deleted by a Moderator.
Guest
#7 Posted : Friday, March 30, 2018 10:22:42 PM(UTC)
Groups:

Message was deleted by a Moderator.
Rss Feed  Atom Feed
Users browsing this topic
Guest (4)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You can vote in polls in this forum.