[caption id=“attachment_916” align=“alignright” width=“300”] Is SSL a rusty lock?[/caption]
Ah … my tax time again! What a complicated mess that is! “Enjoyment” only matched by one thing: Managing web server SSL certificates and dealing with the corresponding certificate authorities!
As PaperCut system administrators like Geoff from Colorado, John from Illinois or Robert from Iowa have recently found, managing SSL certificates can end up making doing your taxes look fun. This is in no small part due to the bureaucratic nature of the so-called X.509 and PKCS standards, which are as onerous as their names make them sound!
Further more, it’s exacerbated by the shenanigans of “certificate authorities” - those self-proclaimed guardians of Internet security that have somehow conspired with Microsoft and Mozilla to create a protection racket that charges each web master hundreds of dollars* for their web site to come up “green”… for a year only… then rinse, and repeat.
Not befitting its central role in The Grand Scheme of All Things Internet, the list of 20 or so certificate authorities dividing this booty remain sheepishly hidden in the deeper folds of Windows under
Control Panel -> Internet Properties -> Content -> Certificates -> Trusted Root Certification Authorities. System administrators wanting to provide validated HTTPS access to
end-user web pages (where users can perform various print management tasks) will have to create an SSL key for their domain. This key must be signed by one of these authorities.
The instructions in PaperCut’s manual on how to import SSL certificates trying to be as general as possible to accommodate all certificate authorities. However that doesn’t prevent some of them from making system administrators’ lives extra difficult by inflicting distractions such as:
Expired/changed root certificates: A certificate authority’s root certificate is normally created once and maintained for ’life’ - where ’life’ means ‘decades’ - certainly a long time on the Internet. This justifies the arduous process of distributing it to all operating systems, browsers, mobile devices etc. in the first place and ensures its integrity through broad public availability. Some authorities have nonetheless taken to signing customers’ keys with new root certificates long before the old established ones had expired.
Being a cross-platform solution, PaperCut maintains a list of root certificates independently of the operating system. These certificates are used to ensure integrity of the certificate chain. A new root certificates may or may not have reached wide circulation and in particular, may or may have not made it into PaperCut’s list. In case it didn’t, it is the system administrator’s responsibility to obtain the new root certificate from the authority and install it with the help of the command line provided in the manual.
Intermediate certificates: As an additional layer of bureaucracy, some certificate authorities sign customers’ keys with an intermediate certificate which in turn is signed with the root certificate. These intermediate certificate usually have shorter life times than root certificates, exist in larger numbers - several per authority - and although also mandated to be present in PaperCut’s list are less likely to be included in it to begin with. If an intermediate certificate has been used, it must also be installed as above.
Other formats: Like a siren luring the errant wanderer into the treacherous swamps of eternal doom the certificate authority might tempt the customer with certificates presented in ‘additional’ formats like PKCS#7 . PKCS#7 promises to simplify the certificate import process by bundling the customer’s certificate with intermediate certificates which can be imported in one go. This may or may not work, but one thing’s for sure, it’s one more condition to lead to more confusion!
At this point the inclined system administrator may start to question the logic behind all this. My advice in the interest of avoiding a headache and maintaining overall health and sanity is: Don’t! As with all thing imposed on one from above, be it taxes or X.509, the best thing one can do is smile and play along.
Whew! Now back to those taxes …
* The cheapest option seems to be StartCom , a recent addition to the Windows and Firefox authority lists, charging $50 for 2 years. Anyone using their services is invited to comment here on the experience.
Lock and chain image from Bala on Flickr / CC-BY-SA