
Secure your Cloud Services with TLS X.509 Client Certificates

13,779 views

OneMarcFifty

A day ago

How do you secure Internet-facing servers with X.509 client certificates? How do you deploy X.509 client certificates? How does a Certificate Signing Request (CSR) work? In this hands-on video we run a small Node.js server that requires authentication with an X.509 client certificate, sandbox a CSR workflow with XCA, and have a look at OpenXPKI, a great piece of software for automating processes around TLS and certificate generation, key management and the like. Last but not least, I show a blueprint for securely linking a hosted MQTT broker into your home-automation software.
The XCA Tool can be obtained here: hohnstaedt.de/...
More Info on my Cheat Sheet Repo here: github.com/one...
The nodejs Server Example is on my github: github.com/one...
0:00 The use case
1:27 Get the Demo Server from my Github repo
4:20 How to generate client certificates
5:37 How secure is this?
8:04 How to deploy client certificates
9:16 Certificate Signing requests (CSR)
12:45 OpenXPKI
14:10 A blue print for a secure MQTT / Home Automation App
KZfaq: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/one...
Patreon: / onemarcfifty
Blog: www.onemarcfif...
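The CSR workflow the video walks through with XCA, as an added shell example that is not the code from the video's repo nor from XCA or OpenXPKI. The CA name ("Home Lab CA"), the client name ("garage-phone"), the key sizes and the 90-day lifetime are assumptions chosen for the demo; it needs an openssl 1.1.1 or newer binary on PATH. It also shows the two things the video's security discussion hinges on: a certificate that is not signed by the CA is rejected even with the right name, and the certificate alone is useless without the private key that goes with it.

```shell
#!/bin/sh
# Added example, not the code from the video's repo: the CSR workflow with the
# openssl CLI. CA name, client name and lifetimes are assumptions for the demo.
set -eu

# 1. CA side: the one key that must stay offline. It signs client certs (and CRLs).
mk_ca() {                                   # $1 = work dir
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Home Lab CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# 2. Client side: the key is generated where it will be used and never leaves;
#    only the CSR (public key + name, signed with that key) travels to the CA.
mk_csr() {                                  # $1 = work dir, $2 = client name (CN)
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$2" > "$1/$2.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl req -new -config "$1/$2.cnf" -key "$1/$2.key" -out "$1/$2.csr"
}

# 3. CA side again: sign the CSR. The extensions come from the CA's policy file,
#    not from the request, so a requester cannot grant itself clientAuth or CA:TRUE.
sign_csr() {                                # $1 = work dir, $2 = client name
  cat > "$1/client_ext.cnf" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 90 -extfile "$1/client_ext.cnf" -out "$1/$2.crt" 2>/dev/null
}

# What the server does with a presented cert: chain it to the trusted CA and check
# it is allowed to act as a TLS client. Exit status 0 = accepted.
verify_client() {                           # $1 = work dir, $2 = cert file
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

# Extended key usage of a cert as text, e.g. "TLS Web Client Authentication".
cert_eku() {                                # $1 = cert file
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'
}

# Why the client needs its private key and not just the cert: in the handshake it
# signs a server-chosen value (CertificateVerify) and the server checks that
# signature with the public key in the cert. The same check, by hand, over a nonce:
prove_possession() {                        # $1 = work dir, $2 = client name, $3 = key file
  head -c 32 /dev/urandom > "$1/nonce.bin"
  openssl dgst -sha256 -sign "$3" -out "$1/nonce.sig" "$1/nonce.bin"
  openssl x509 -in "$1/$2.crt" -pubkey -noout > "$1/$2.pub"
  openssl dgst -sha256 -verify "$1/$2.pub" -signature "$1/nonce.sig" "$1/nonce.bin" >/dev/null 2>&1
}

# A cert anyone can make: same CN, self-signed with a different key.
mk_rogue() {                                # $1 = work dir, $2 = client name (reuses its cnf)
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/$2.cnf" \
    -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

main() {
  W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
  mk_ca "$W"; mk_csr "$W" garage-phone; sign_csr "$W" garage-phone; mk_rogue "$W" garage-phone
  echo "EKU of signed cert: $(cert_eku "$W/garage-phone.crt")"
  verify_client "$W" "$W/garage-phone.crt" && echo "CA-signed cert: accepted"
  verify_client "$W" "$W/rogue.crt" || echo "rogue self-signed cert: rejected"
  prove_possession "$W" garage-phone "$W/garage-phone.key" && echo "nonce signed with the real key: verified"
  prove_possession "$W" garage-phone "$W/rogue.key" || echo "nonce signed with another key: rejected"
}
main
```

XCA and OpenXPKI perform the same steps behind a GUI and a database; what matters is the division of labour: the client keeps its key, the CA keeps its key, and the extensions (here clientAuth only) are decided by the CA rather than copied from the request. The server never needs any client key, only the CA certificate.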

Comments: 62
@jankoweise2428 5 days ago
Not only excellent content, but also structured and exemplified to perfection. And on top of that, it was fun to listen to. Great tutorial. Subscribed
@user-nv3xm2pq7c 6 months ago
I really do not know how I watched the best of the best tutorials for free here.
@pberto A year ago
This third episode really confirms I haven't studied enough in my life... good job, Marc.
@OneMarcFifty A year ago
Thank you ;-)
@issacohasi A year ago
Herr Marc (sorry, I've spent all my German vocabulary)! You really rock! Your explanation is very, very detailed and self-explanatory. I never understood these security topics before checking your videos! Thanks! Greetings from Brazil
@edwardvanhazendonk A year ago
Thanks for sharing these 3 videos, very informative and useful tools and tips! Great to have a smaller attack vector on our hosted stuff!
@OneMarcFifty A year ago
Hi Edward, many thanks for your feedback!
@dpg6769 A year ago
That was awesome, Marc!! Very well explained
@OneMarcFifty A year ago
Thank you kindly!
@BrunoAlves-jn2tj A year ago
Hi Marc, I am using this playlist as study material for the LPIC-3 exam. It is really difficult to find good material about this subject that is as well explained as this playlist. Thank you so much!
@OneMarcFifty A year ago
Glad it was helpful! LPIC-3 is for sure a tough bite ;-) I wish you success with the exam!
@mihai6564 11 months ago
I like the "Certificate Signing requests (CSR)" part
@raunomakela9226 A year ago
More of these for sure! Revocation of the same? Use this with NextCloud? pfSense management portal?
@OneMarcFifty A year ago
Many thanks Rauno - I have taken note of your suggestions ;-)
@ganonbit 5 months ago
Very thorough and helpful for my current project, thank you!
@iounios_italia A year ago
Brilliant! Thank you
@OneMarcFifty A year ago
Thank you for watching and for the feedback ;-)
@tissandre A year ago
To come back to my comment on the 1st video, I've done some research and, apparently, SSH doesn't support X.509 certificates natively. But you can still generate CA keys with OpenSSL and use the same technique to secure an SSH connection. I'm trying to generate an X.509 key on my YubiKey and use this key as authentication for an SSH server. But I must use SSH CA and keys instead (which can still be stored on a YubiKey anyway, but are harder to access). But, as always, your videos are really great stuff! Thanks!
@OneMarcFifty A year ago
Thanks for sharing, Alexandre!
@killer2600 5 months ago
Might be easier to use OpenPGP keys or FIDO keys to authenticate SSH using a YubiKey.
@AkosLukacs42 A year ago
Great information, thank you Marc!
@OneMarcFifty A year ago
Glad you enjoyed it!
@electrotsmishar A year ago
Thanks a lot. Your videos are very helpful and informative. Keep up the good work
@raughboy188 4 months ago
Also, it's worth noting that the TLS certificate is the successor to SSL and thus more secure.
@remyzandwijk A year ago
Thanks for another great video, Marc. I am wondering, how do you handle (client) certificate revocation? If certificates cannot be revoked, the application might as well be considered insecure imho. (I know, explaining it adds minutes to the video, but I think it is worth explaining how it is done.)
@OneMarcFifty A year ago
Hi Remy, you are right - your server would need to be able to handle CRLs (Certificate Revocation Lists) for this
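A worked example of the CRL handling this exchange refers to, added as an illustration and not part of the video or its repo: a client certificate is issued with `openssl ca`, revoked (as if the phone holding the key had been lost), a CRL is published, and the certificate is checked with `-crl_check` the way a server would. The CA name, client name, starting serial and lifetimes are assumptions for the demo; it needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the video's repo code: revoking a client certificate and
# publishing a CRL with "openssl ca", then checking it the way a server would.
# CA name, client name, serial start and lifetimes are assumptions for the demo.
set -eu

# A minimal "openssl ca" setup. index.txt is the CA's database of issued and
# revoked certs; the CRL is generated from it, so revocation is an entry in that
# file plus a freshly signed CRL. $1 must be an absolute path.
setup_ca() {                                # $1 = work dir
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = policy_any
x509_extensions  = client_ext
[ policy_any ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Home Lab CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Key stays on the client; the CSR goes to the CA; "openssl ca" records the issued
# cert in index.txt, which is what makes it revocable later.
issue() {                                   # $1 = work dir, $2 = client name (CN)
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$2" > "$1/$2.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl req -new -config "$1/$2.cnf" -key "$1/$2.key" -out "$1/$2.csr"
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Mark the cert revoked in the CA database (e.g. the phone holding the key was lost).
revoke() {                                  # $1 = work dir, $2 = client name
  openssl ca -batch -config "$1/ca.cnf" -revoke "$1/$2.crt" -crl_reason keyCompromise 2>/dev/null
}

# Sign a new CRL from the database. It is valid for default_crl_days, so it must be
# reissued (and redistributed to the servers) on a schedule, not only on revocation.
publish_crl() {                             # $1 = work dir
  openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Server-side check: chain to the CA and consult the CRL. Exit 0 = accepted.
# Without a CRL at hand, -crl_check fails closed ("unable to get certificate CRL").
check() {                                   # $1 = work dir, $2 = client name
  openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

# Number of serials listed in the current CRL.
revoked_count() {                           # $1 = work dir
  openssl crl -in "$1/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

main() {
  W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
  setup_ca "$W"; issue "$W" garage-phone; publish_crl "$W"
  check "$W" garage-phone && echo "before revocation: accepted, CRL lists $(revoked_count "$W") cert(s)"
  revoke "$W" garage-phone; publish_crl "$W"
  check "$W" garage-phone || echo "after revocation:  rejected, CRL lists $(revoked_count "$W") cert(s)"
}
main
```

In a Node.js server like the one in the video, the same check is switched on by passing the CRL PEM as the `crl` option next to `ca`, `requestCert: true` and `rejectUnauthorized: true` when creating the TLS/HTTPS server, and a freshly published CRL can be loaded without a restart through `server.setSecureContext()`. Short certificate lifetimes (the 90 days assumed here) limit the damage if CRL distribution lags.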
@cebundy A year ago
Thank you for your helpful answer. I'm still trying to get this straight in my head. I think it's still going to take a bit.😁
@lrlemos0 A year ago
Perfect as always!
@OneMarcFifty A year ago
Many thanks ;-)
@BS-my2ky 9 months ago
Superb! Let's say you lost your phone. How do you revoke that trust from the phone to your VPS for opening your garage door?
@naiko52 4 months ago
Great video, thank you! Is this secure enough? Would a DMZ (e.g. for IoT devices) still be necessary to avoid potential access to my LAN (other private devices such as my PC)?
@mr_trex9106 A year ago
Excellent video! Thank you!
@OneMarcFifty A year ago
Thanks a lot ;-)
@dexterman6361 7 months ago
This series was amazing! I am following your videos and managed to set up a VLAN, and I am kinda excited haha. Thank you :) A quick question though. I want to be able to access my home but was thinking if there was a way I can reject connections at the packet level, to minimize issues with application security. Is that possible? If so, how do I do that?
@user-np2xe2ri4x 9 months ago
This is excellent. I am grateful
@TahaZabuawala A month ago
Awesome tutorial! Can someone share the links to the first 2 videos of this series?
@skeginaldp1533 A year ago
Enjoyed. Thank you!
@OneMarcFifty A year ago
Glad you enjoyed it!
@jamesmani903 8 months ago
Hi Marc, the testuser client certificate in the git repo expires on 22 Oct 23. Will the node program work after this date? Also, can we catch errors in the node program which show the reason for the connection refusal?
@BoyanYanakiev A year ago
Great video again, Marc! Is it just me, or do the home network features track your video topics? :) I have a question on this one. In the video you mention that there is no need to punch through the firewall, and I have seen/heard this in other videos/tutorials on home security offering different solutions. Can you please explain (in the simplest way that only you can :) ) how a certificate is better than using WireGuard, for example? You mention at about min 15 no VPN, no firewall holes. I get how port forwarding is different and how passwords are insecure, but even in this video you talk about a connection on port 8443. So how is that more or less secure than WireGuard into OpenWrt on port 51820? Both use public key cryptography and both use fixed port connections. The only difference I see is that maybe in the example with MQTT you give, the home router does not need a fixed IP... but there are ways around that as well for a VPN. In a WireGuard setup I only need to exchange the public keys as well, similar to the signing request. What is it that I don't see?
@OneMarcFifty A year ago
Hi Boyan, the main thing here is that the MQTT daemon on the VPS would be listening directly on the edge, i.e. the connection from your LAN to the VPS would be OUTGOING, not incoming (hence no hole in your firewall at home, because you would connect from home to the VPS). Of course you could do the same with WireGuard, but then you would build a whole network stack around the connection while all you want is just MQTT.
@piyushshastri5206 A year ago
How to combine bands in OpenWrt like the TP-Link Smart Connect feature?
@OneMarcFifty A year ago
You could use band steering for this (usteer or dawn or the like)...
@royagunk4545 11 months ago
Hi Marc, have you ever made a video about certificate revocation? Thanks
@boubou40 A year ago
Thank you for this video
@OneMarcFifty A year ago
My pleasure
@ThomasSchlimm 10 months ago
Hi Marc, thanks for your explanation. It helps a lot. As I am currently implementing the use of client certificates in an OAuth2 scenario between ServiceNow and an SAP on-premise system, every bit of information helps a lot. What I did not understand is the need for a private key on the client side. As far as I understand, the client certificate is only a "substitute" for the identification and not part of an encryption. But... in Postman I need to reference a PKCS12 file with the private key to get the test working. Can you explain it to me? Cheers, Thomas.
@cebundy A year ago
If anyone can generate a certificate through something like OpenSSL, how does the server know a particular certificate is allowed?
@OneMarcFifty A year ago
Because it needs to be signed with the same private key in order to be trusted. You can create any certificate, but you can't make the server trust it if you don't have control over its private key
@TshegofatsoTshehla A year ago
I love this content
@OneMarcFifty A year ago
Thank you so much ;-)
@RifatErdemSahin A year ago
Green screen quality getting better with the light
@OneMarcFifty A year ago
Thank you.
@simonpinkney4622 5 months ago
@onemarcfifty - Very nice, good job, a nice balance of techie without thinking too much about the maths. I'm also interested in PKI / X.509 from a client point of view, and especially from a DevOps / API / automation point of view. Think self-service and ephemeral environments where I create->destroy them daily/weekly/monthly
@Christakxst A year ago
Really useful!! Thanks!!!
@royagunk4545 A year ago
Do we have to create a private key every time we create a certificate?
@OneMarcFifty A year ago
Hi Roy, in _theory_ you could re-use a key but I wouldn't - in fact the key should never leave the device that it is created on...
@royagunk4545 A year ago
@OneMarcFifty thanks Marc... awesome
@nalle475 A year ago
Nice video 😊
@OneMarcFifty A year ago
Thanks mate ;-)
@TecSanento 10 months ago
Just consider: adding client certificate authentication to a web application with an API is often a bad idea, because you can't add a client certificate into most client applications.