query on files under /etc/raddb/certs
Hello, I see the files below are generated under /etc/raddb/certs directory. Can someone explain to me the usage of these files? Our system is very secure and did not want to create certs and keys dynamically. -rw-r--r-- 1 root 0 4393 Nov 5 18:47 01.pem -rw-r--r-- 1 root 0 4370 Nov 5 18:47 02.pem -rw-r----- 1 root 0 6155 Nov 5 18:42 Makefile -rw-r----- 1 root 0 8714 Nov 5 18:42 README -rwxr-x--- 1 root 0 2706 Nov 5 18:47 bootstrap -rw-r----- 1 root 0 1432 Nov 5 18:42 ca.cnf -rw-r--r-- 1 root 0 1256 Nov 5 18:47 ca.der -rw-r--r-- 1 root 0 1751 Nov 5 18:47 ca.key -rw-r--r-- 1 root 0 1757 Nov 5 18:47 ca.pem -rw-r----- 1 root 0 1103 Nov 5 18:42 client.cnf -rw-r--r-- 1 root 0 4370 Nov 5 18:47 client.crt -rw-r--r-- 1 root 0 1045 Nov 5 18:47 client.csr -rw-r--r-- 1 root 0 1743 Nov 5 18:47 client.key -rw-r--r-- 1 root 0 2581 Nov 5 18:47 client.p12 -rw-r--r-- 1 root 0 3545 Nov 5 18:47 client.pem -rw-r--r-- 1 root 0 424 Nov 5 18:47 dh -rw-r--r-- 1 root 0 229 Nov 5 18:47 index.txt -rw-r--r-- 1 root 0 21 Nov 5 18:47 index.txt.attr -rw-r--r-- 1 root 0 21 Nov 5 18:47 index.txt.attr.old -rw-r--r-- 1 root 0 120 Nov 5 18:47 index.txt.old -rw-r----- 1 root 0 1131 Nov 5 18:42 inner-server.cnf -rw-r--r-- 1 root 0 166 Nov 5 18:42 passwords.mk -rw-r--r-- 1 root 0 3 Nov 5 18:47 serial -rw-r--r-- 1 root 0 3 Nov 5 18:47 serial.old -rw-r----- 1 root 0 1125 Nov 5 18:42 server.cnf -rw-r--r-- 1 root 0 4393 Nov 5 18:47 server.crt -rw-r--r-- 1 root 0 1062 Nov 5 18:47 server.csr -rw-r--r-- 1 root 0 1751 Nov 5 18:47 server.key -rw-r--r-- 1 root 0 2589 Nov 5 18:47 server.p12 -rw-r--r-- 1 root 0 3576 Nov 5 18:47 server.pem -rw-r--r-- 1 root 0 3545 Nov 5 18:47 user@example.org.pem -rw-r----- 1 root 0 708 Nov 5 18:42 xpextensions Regards Simon
On Nov 12, 2020, at 1:43 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
Hello,
I see the files below are generated under /etc/raddb/certs directory. Can someone explain to me the usage of these files? Our system is very secure and did not want to create certs and keys dynamically.
There's a README in that directory which explains how to create certificates. It also explains what the various files are for.
-rw-r--r-- 1 root 0 4393 Nov 5 18:47 01.pem -rw-r--r-- 1 root 0 4370 Nov 5 18:47 02.pem -rw-r----- 1 root 0 6155 Nov 5 18:42 Makefile -rw-r----- 1 root 0 8714 Nov 5 18:42 README
Oh look, a "README". Perhaps it should be read? As for you "do not want to create certs and keys dynamically", well, the server doesn't randomly create certificates and keys. It only does so when you tell it to. So.... if you don't want to create certs and keys, then don't create the certs and keys. It's that simple. Alan DeKok.
Hi Alan, Thank you for replying to me. So if, I don't need to create certs and keys Can I delete all those files (To make them more secure by not creating any cert and key by someone who can hack) . I have some static certs and key files. Regards Simon On Thu, Nov 12, 2020 at 11:01 AM Alan DeKok <aland@deployingradius.com> wrote:
On Nov 12, 2020, at 1:43 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
Hello,
I see the files below are generated under /etc/raddb/certs directory. Can someone explain to me the usage of these files? Our system is very secure and did not want to create certs and keys dynamically.
There's a README in that directory which explains how to create certificates. It also explains what the various files are for.
-rw-r--r-- 1 root 0 4393 Nov 5 18:47 01.pem -rw-r--r-- 1 root 0 4370 Nov 5 18:47 02.pem -rw-r----- 1 root 0 6155 Nov 5 18:42 Makefile -rw-r----- 1 root 0 8714 Nov 5 18:42 README
Oh look, a "README". Perhaps it should be read?
As for you "do not want to create certs and keys dynamically", well, the server doesn't randomly create certificates and keys. It only does so when you tell it to.
So.... if you don't want to create certs and keys, then don't create the certs and keys. It's that simple.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
Thank you for replying to me. So if, I don't need to create certs and keys Can I delete all those files
If you're not using them, yes.
(To make them more secure by not creating any cert and key by someone who can hack).
That doesn't make sense. If you're not using them, it doesn't matter if someone else reads them. They don't mean anything, and they don't contain any useful information.
I have some static certs and key files.
You can *look* at those files to see what they are. There's a Makefile in raddb/certs which includes targets to print out the contents of the files. Or, you can use OpenSSL. These files aren't specific to FreeRADIUS. They're created with OpenSSL. So they can be read by OpenSSL. If you look at the files, odds are that they will be for "example.com" or "example.org". Which are web sites *not* owned by you. So the certs are entirely meaningless. and leaking the contents of these files does nothing. I am extremely wary of security theatre. If you want to delete files you don't use, that's one thing. But doing so does not make your systems any more secure. Alan DeKok.
Hi Alan, When I read the file README it says below content: This directory contains scripts to create the server certificates. To make a set of default (i.e. test) certificates, simply type: $ ./bootstrap The "openssl" command will be run against the sample configuration files included here, and will make a self-signed certificate authority (i.e. root CA), and a server certificate. This "root CA" should be installed on any client machine needing to do EAP-TLS, PEAP, or EAP-TTLS. So can someone create a false certificate and key and create a session ? If we delete all these scripts also it is not possible to create any certificate and we get complete control of where it gets the certificates and keys ? Regards Simon On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <aland@deployingradius.com> wrote:
On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
Thank you for replying to me. So if, I don't need to create certs and
keys
Can I delete all those files
If you're not using them, yes.
(To make them more secure by not creating any cert and key by someone who can hack).
That doesn't make sense. If you're not using them, it doesn't matter if someone else reads them. They don't mean anything, and they don't contain any useful information.
I have some static certs and key files.
You can *look* at those files to see what they are. There's a Makefile in raddb/certs which includes targets to print out the contents of the files. Or, you can use OpenSSL. These files aren't specific to FreeRADIUS. They're created with OpenSSL. So they can be read by OpenSSL.
If you look at the files, odds are that they will be for "example.com" or "example.org". Which are web sites *not* owned by you. So the certs are entirely meaningless. and leaking the contents of these files does nothing.
I am extremely wary of security theatre. If you want to delete files you don't use, that's one thing. But doing so does not make your systems any more secure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 12, 2020, at 5:00 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
When I read the file README it says below content:
Yes, please post that to the list. Because we haven't seen it before.
So can someone create a false certificate and key and create a session ?
I think you didn't read my previous message. If someone breaks into your system, then having them read these certificate files is the LEAST of your worries. Stop worrying about useless things. If you want to know how the server uses these files, read the documentation and then default configuration files.
If we delete all these scripts also it is not possible to create any certificate and we get complete control of where it gets the certificates and keys ?
Yes, because the scripts aren't available anywhere else on the Internet. Oh, wait... A secure system is *not* created by worrying about random things. A secure system is created by *understanding* things. Right now, you're asking very detailed questions, and not paying attention to the bigger picture. This is entirely the wrong approach. Your questions are irrelevant because they're based on a false understanding of how things work. Alan DeKok.
participants (2)
-
Alan DeKok -
SIMON BABY