Upload Certificate and Key to RUEI in order to decrypt SSL traffic
- by stefan.thieme(at)oracle.com
So you want to monitor encrypted traffic with your RUEI collector? This is actually easy if you follow the steps below.

For the purpose of this example only, I will start out by creating a pair of snakeoil (so-called self-signed) certificate and key with the make-ssl-cert tool, which comes pre-packaged with Apache.

$ sudo make-ssl-cert generate-default-snakeoil
$ sudo ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r--r-- 1 root root 615 2010-06-07 10:03 /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r----- 1 root ssl-cert 891 2010-06-07 10:03 /etc/ssl/private/ssl-cert-snakeoil.key

RUEI Configuration of Security SSL Keys

You will most likely get these two files from your Certificate Authority (CA), and/or your system administrators should be able to extract them from the web server or load balancer handling SSL encryption for your infrastructure.

Now let's look at the content of these two files. The certificate (Apache assumes this is in PEM format) holds the public key, and the private key is used by the Apache server to encrypt traffic for a client using the certificate to initiate the SSL connection with the server.

In case you already know that these two match, you simply have to paste them into one text file and upload this text file to your RUEI instance.

$ sudo cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/ruei.cert_and_key
$ sudo cat /tmp/ruei.cert_and_key
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Simply click on the add new key and browse for the cert_and_key file on your desktop which you concatenated earlier using any text editor. You may need to add a passphrase in order to decrypt the RSA key in some cases (it should tell you BEGIN ENCRYPTED PRIVATE KEY in the header line).

I will show you the success screen after uploading the certificate to RUEI. You may want to restart your collector once you have uploaded all the certificate/key pairs you want to use, in order to make sure they get picked up as soon as possible.

You should be able to see the number of SSL Connections rising in the Collector statistics screen below. The figures for decrypt errors should slowly go down and the usage figures for your encryption algorithm on the subsequent SSL Encryption screen should go up.

You should be 100% sure everything works fine by now; otherwise see below to distinguish the remaining 1% from your 99% certainty.

Verify Certificate and Key are matching

You can compare the modulus of the private key and the public certificate; they should match in order for the key to fit the lock. You only want to make sure they both fit each other.

We are actually interested only in the following details of the two files, which can be determined by using the -subject, -dates and -modulus command line switches instead of the complete -text output of the x509 certificate/rsa key contents.

$ sudo openssl x509 -noout -subject -in /etc/ssl/certs/ssl-cert-snakeoil.pem
subject= /CN=ubuntu
$ sudo openssl x509 -noout -dates -in /etc/ssl/certs/ssl-cert-snakeoil.pem
notBefore=Jun 7 08:03:53 2010 GMT
notAfter=Jun 4 08:03:53 2020 GMT
$ sudo openssl x509 -noout -modulus -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Modulus=B6ECF899C8FA9F8AEC8A9A49065D9D80713A97511F4FFD8EDD502AF987EBCBFCD61F7E7F5676AD547B66B77F97EAEE1371FD56FBB3C4C94AB8C1FBA815FF8268C3653963F5624CFB3734B5293E7B6B9DCBD85EDB4946CD3C6FD2F6B290992E29CBD258D938584F4DB8076020766F8CA8284D2566BCCD40A4C0A0EBD9F23B2F7B
$ sudo openssl rsa -noout -modulus -in /etc/ssl/private/ssl-cert-snakeoil.key
Modulus=B6ECF899C8FA9F8AEC8A9A49065D9D80713A97511F4FFD8EDD502AF987EBCBFCD61F7E7F5676AD547B66B77F97EAEE1371FD56FBB3C4C94AB8C1FBA815FF8268C3653963F5624CFB3734B5293E7B6B9DCBD85EDB4946CD3C6FD2F6B290992E29CBD258D938584F4DB8076020766F8CA8284D2566BCCD40A4C0A0EBD9F23B2F7B

As you can see the modulus matches exactly and we have the proof that the certificate has been created using the private key.
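
The modulus comparison above, combined with the earlier concatenation step, as an added example that is not part of the original post: the upload file is only written when certificate and key match, and it is created owner-readable only because it contains the private key. It assumes openssl is on the PATH; the function names and the throwaway certificate pair it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: only build the RUEI upload file when certificate and key match.

# Hash the modulus so two short digests are compared instead of long hex strings.
cert_modulus_digest() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }
key_modulus_digest()  { openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256; }

# build_bundle CERT KEY OUT
# returns 0 = bundle written, 1 = key does not match, 2 = cert expired/unreadable
build_bundle() {
    cert=$1; key=$2; out=$3
    # -checkend 0 exits non-zero when the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || return 2
    [ "$(cert_modulus_digest "$cert")" = "$(key_modulus_digest "$key")" ] || return 1
    # The bundle holds the private key: create it with mode 0600 instead of
    # relying on the default umask, which would leave it world-readable.
    ( umask 077 && cat "$cert" "$key" > "$out" )
}

# Constructed sample input: a throwaway self-signed pair, generated locally.
make_pair() {  # make_pair DIR NAME -> DIR/NAME.pem and DIR/NAME.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir" web && make_pair "$dir" other || return 1
    build_bundle "$dir/web.pem" "$dir/web.key" "$dir/ruei.cert_and_key"
    echo "matching pair:   exit $?"
    build_bundle "$dir/web.pem" "$dir/other.key" "$dir/wrong.cert_and_key"
    echo "mismatched pair: exit $?"
    rm -rf "$dir"
}
demo
```

Delete the bundle from the workstation once it has been uploaded to RUEI; anyone who can read it can decrypt captured traffic for that server.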

OpenSSL Certificate and Key Details

As I already told you, you do not need all the gory details, but in case you want to know in depth what is actually in those hex blocks, it can be made visible with the following commands, which show you the actual content in a human-readable format.

Note: You may not want to post all the details of your private key =^) I told you I have been using a self-signed certificate only for showing you these details.

$ sudo openssl rsa -noout -text -in /etc/ssl/private/ssl-cert-snakeoil.key
Private-Key: (1024 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:

$ sudo openssl x509 -noout -text -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: fb:3b:75:d7:c1:58:a5:5b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ubuntu
        Validity
            Not Before: Jun 7 08:03:53 2010 GMT
            Not After : Jun 4 08:03:53 2020 GMT
        Subject: CN=ubuntu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

The above output can also be seen if you direct your browser client to your website and check the certificate sent by the server to your browser. You will be able to look up all the details including the validity dates, subject common name and the public key modulus.

Capture an SSL connection using Wireshark

And as you would have expected, looking at the low-level TCP data that has been exchanged between the client and server with a TCP diagnostics tool (i.e. wireshark/tcpdump), you can also see the modulus in there.

These were the settings I used to capture all traffic on the local loopback interface, matching the filter expression: tcp and ip and host 127.0.0.1 and port 443. This tells Wireshark to leave out any other information I may not have been interested in showing you.