Intermediate certificate configuration in RESTconf

Jeffrin · June 23, 2023, 5:09am

Is intermediate certificate configuration supported in confD rest server?
I am configuring the server certificate through the below parameter.
/confdConfig/webui/transport/ssl/certFile

I also want the server to send the intermediate certificate to the client. Is there a way to configure the intermediate certificate?

I have already tried concatenating the intermediate certificate with the server certificate, but only the server certificate gets sent.

cohult · June 23, 2023, 8:35am

The CA certificate is optional, but you can configure it as the ConfD UG chapter “Storing TLS data in database” states. See also the confd.conf(5) man page under /confdConfig/webui/transport/ssl/caCertFile.

An example that does mutual authentication with readFromDb set to true in confd.conf. Seems like you are only interested in the first part, i.e.server authentication:

Note that the options keyFile, certFile, and caCertFile, are ignored when readFromDb is set to true. See the example and the confd.conf(5) man page for more details.

Jeffrin · June 26, 2023, 3:53am

I only want client authentication to happen. I have got root certificate which signed the intermediate certificate which in turn signed the server certificate.

I have installed the root certificate in the client side. In the server side, I have installed all the certificates. I want the server to send the intermediate and end certificate to the client so that the entire chain gets sorted.

I use the below parameter to configure the server certificate.
/confdConfig/webui/transport/ssl/certFile.

I have gone through the man page and found that the below parameter is used for client authentication.
/confdConfig/webui/transport/ssl/caCertFile .

I want to configure the intermediate certificate for server authentication only.

cohult · June 26, 2023, 8:35am

The server authentication is always done first. I.e., the client authenticates the server certificate that ConfD provides. In the same TLS message, if ConfD is configured to authenticate the client, a CertificateRequest with the list of acceptable CA certificates is passed to the client by ConfD before it sends its client certificate for client authentication.

As the confd.conf(5) man page states. The list of certificates in /confdConfig/webui/transport/ssl/caCertFile is included in the list of acceptable CA certificates passed to the client when a certificate is requested.

Did you “concatenate” the certificates similar to what is described here?:

Have you tested with /confdConfig/webui/transport/ssl/readFromDb set to true as the example I pointed to does and added the certificates to CDB under the /tls/certificate leaf, the /tls/private-key leaf, and the /tls/ca-certificates list?
As you can see in that example, the list of acceptable CA certificates is stored in a list with a name (string) identifying each certificate. In the example, there is only one CA certificate, called “rsa-1”, in that list, but you can add as many CA certificates as you wish.

confd.conf settings:

github.com

ConfD-Developer/ConfD-Demos/blob/master/x509tls-restconf/app/confd.conf#L255


      
            <tcp>
              <enabled>false</enabled>
              <ip>0.0.0.0</ip>
              <port>8008</port>
            </tcp>
          
            <ssl>
              <enabled>true</enabled>
              <ip>0.0.0.0</ip>
              <port>8888</port>
              <readFromDb>true</readFromDb>
              <protocols>tlsv1.3</protocols>
              <verify>3</verify>
            </ssl>
          </transport>
          
          <cgi>
            <enabled>true</enabled>
            <php>
              <enabled>true</enabled>
            </php>

CDB config:

github.com

ConfD-Developer/ConfD-Demos/blob/master/x509tls-restconf/app/run.sh#L24


      
          echo "Certificate request"
          openssl req -new -sha256 -key server.key.pem -subj "/CN=localhost" \
                  -out server.csr.pem
          echo "Signed public key certificate"
          openssl x509 -req -CA root-ca-cert-1.pem  -CAkey root-ca-key-1.pem \
                  -CAcreateserial -sha256 \
                  -in server.csr.pem -out server.cert.pem
          
          echo "Generate the TLS key config"
          echo "See CONFD_DIR/src/confd/yang/tailf-tls.yang for details"
          echo "<?xml version=\"1.0\"?>
          <config xmlns=\"http://tail-f.com/ns/config/1.0\">
            <tls xmlns=\"http://tail-f.com/ns/tls\">
                  <certificate>
                    <cert-data>" > ./confd-cdb/tls_data_nopw.xml
          cat server.cert.pem >> ./confd-cdb/tls_data_nopw.xml
          echo "          </cert-data>
                  </certificate>
                  <private-key>
                    <key-data>" >> ./confd-cdb/tls_data_nopw.xml
          cat server.key.pem >> ./confd-cdb/tls_data_nopw.xml

Jeffrin · July 4, 2023, 9:21am

Sorry I got one part of the question wrong. I am interested only in the server authentication part. I just want the server to send the intermediate certificate which signed the server certificate to the client.
The confD version I am using is 6.5.5.
I have tried setting the readFromDb entity as true, but still the intermediate certificate isn’t sent.
When I checked the yangfile, there is no readFromDb entity.
I have got a couple of questions.

1)Can /confdConfig/webui/transport/ssl/caCertFile be used for sending the intermediate certificates which signed the server certificate or it can only be used for mutual authentication?

2)Is readFromDb entity supported in 6.5.5 version.

3)For sending the server certificate, I am using the below configs.

<webui>
  <enabled>true</enabled>
  <docroot>%CONFD_DIR%/docroot</docroot>
  <transport>
    <tcp>
      <enabled>false</enabled>
      <ip>0.0.0.0</ip>
      <port>8008</port>
    </tcp>
    <ssl>
      <enabled>false</enabled>
      <ip>0.0.0.0</ip>
      <port>8888</port>
      <dscp>0</dscp>
      <keyFile>(path of keyfile)</keyFile>
      <certFile>(path of server certificate)</certFile>
      <verify>1</verify>
      <depth>1</depth>
      <ciphers>DEFAULT</ciphers>
      <protocols>tlsv1 tlsv1.1 tlsv1.2</protocols>
    </ssl>
  </transport>
</webui>

After that using maapi_set_elem2 function to configure the certFile with the path of certificate.
Could the same process be used to set the caCertFile with the path of intermediate certificate too? I have tried the same process, but it doesn’t work.

cohult · July 4, 2023, 9:37am

I tested successfully with ConfD 8.0.6, released June 2023. Not sure what works with ConfD 6.5.5 (March 2018).
Server only or mutual authentication is controlled by the confdConfig/webui/transport/ssl/verify parameter in confd.conf.