CRL verification for packages?

dani
Messages: 11
Registered: Nov 29, 2018 - 09:38

December 20, 2018 - 5:54 PM

Hello.

I understand the principle of package signature verification by agents, but one thing is missing from the documentation: how can I check with a CRL (or an OCSP service) whether the signer has been revoked?

I have a CA dedicated to package signing, which is deployed on the workstations. For each operator, I create a certificate signed by this CA. But if one of these private keys is compromised, I would like to be able to simply revoke the certificate in question, possibly re-sign the necessary packages with another signer, and let the agents update.

Should I concatenate the CRL with the CA?
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

December 20, 2018 - 6:07 PM

The certificate URL must be included in the certificates during their generation (http).

The WAPT server will download the certificate CRLs from the WAPT packages when generating the Packages file (uploading a package).

The agent can then retrieve the CRLs available in the "ssl" folder located in the Packages file (zip).
dani
Messages: 11
Registered: Nov 29, 2018 - 09:38

December 20, 2018 - 10:22 PM

sfonteneau wrote (Dec 20, 2018 - 6:07 PM): The URL of the certificate must be entered in the certificates when they are generated (http)
Absolutely, that's the case.
sfonteneau wrote (Dec 20, 2018 - 6:07 PM): The WAPT server will handle downloading the revocation lists (CRLs) of the certificates present in the WAPT packages when generating the Packages file (uploading a package)
Okay, so there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server? (I admit I haven't tested this yet ^^)
sfonteneau wrote (Dec 20, 2018 - 6:07 PM): The agent can retrieve the available CRLs from the "ssl" folder located in the Packages file (zip)
Hmm, I don't quite understand. The goal is precisely to ensure that packages signed with a revoked certificate won't be accepted by the agents. If they're basing it on a CRL contained within the package itself, it could very well be an old CRL (dating back to when the certificate hadn't yet been revoked). I must be missing something :-)
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

December 20, 2018 - 10:34 PM

dani wrote: Okay, so there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server?
It's mainly the WAPT agent that will reject the package (and nothing can be done about it).
dani wrote: Hmm, I don't quite understand. The goal is precisely to ensure that packages signed with a revoked certificate won't be accepted by the agents. If they're basing it on a CRL contained within the package itself, it could very well be an old CRL (dating back to when the certificate hadn't yet been revoked). I must be missing something. :-)
That's why your CRL has a limited validity period (normally). You need to regenerate your CRL regularly ;) !
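As an added example (not WAPT's code and not posted in this thread), here is the check an agent has to make with the CRL it finds next to the signer certificate, covering both the CRL distribution flow sfonteneau describes and the "old CRL" worry: verify that the CRL is issued and signed by the package-signing CA, refuse a CRL whose next update has already passed (the reason the CRL must be regenerated regularly), and only then look the signer's serial up. It assumes the `cryptography` library; the CA, the operator certificate, the CRL URL and the dates are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://pki.example.invalid/wapt-signers.crl"  # hypothetical distribution point
T0 = datetime(2018, 12, 20, tzinfo=timezone.utc)         # constructed reference time
DAY = timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_pki():
    """Constructed package-signing CA plus one operator certificate (serial 42)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder().subject_name(name("WAPT CA")).issuer_name(name("WAPT CA"))
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(T0).not_valid_after(T0 + 3650 * DAY)
          .sign(ca_key, hashes.SHA256()))
    op_key = ec.generate_private_key(ec.SECP256R1())
    # The CRL distribution point is what WAPT reads to know where to fetch the CRL from.
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)
    operator = (x509.CertificateBuilder().subject_name(name("operator1")).issuer_name(ca.subject)
                .public_key(op_key.public_key()).serial_number(42)
                .not_valid_before(T0).not_valid_after(T0 + 365 * DAY)
                .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
                .sign(ca_key, hashes.SHA256()))
    return ca, ca_key, operator

def build_crl(ca, signing_key, revoked_serials, issued_at, lifetime=7 * DAY):
    """CRL with a short validity window, so an old copy stops being trusted quickly."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(issued_at).next_update(issued_at + lifetime))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(issued_at).build())
    return b.sign(signing_key, hashes.SHA256())

def check_signer(cert, ca, crl, now):
    """Return 'bad_crl', 'stale_crl', 'revoked' or 'valid' for a package signer cert."""
    # The CRL must name our CA as issuer and carry a valid signature from its key.
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        return "bad_crl"
    # next_update_utc exists in cryptography >= 42; older versions give a naive UTC next_update.
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if next_update < now:  # an expired CRL proves nothing about current revocation status
        return "stale_crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"
```

A CRL shipped inside a package from before the revocation therefore only "works" for the attacker until its next update date; with a short CRL lifetime the agent falls into the stale case and stops trusting the signer.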
dani
Messages: 11
Registered: Nov 29, 2018 - 09:38

December 21, 2018 - 8:39 AM

sfonteneau wrote (Dec 20, 2018 - 10:34 PM):
dani wrote: Okay, so there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server?
It's mainly the WAPT agent that will reject the package (and nothing can be done about it).
Okay, I'll do some tests then, to better understand how it works, and I'll come back here if I have any more questions :-)
Thanks for the info anyway.