Key and certificate management


Jan Olszak

Jun 2, 2016, 4:24:57 PM
to ory-hydra
Hi,
I'm writing a simple IdP. When it's accessing Hydra (https://hydra:4444/oauth/token) with the Client Credentials flow I get an error:

x509: certificate is valid for localhost, not hydra

So Hydra is generating a self-signed certificate for localhost. How can I pass my own key-certificate pair to Hydra?

Thanks,
Jan

Aeneas Rekkas

Jun 2, 2016, 4:41:03 PM
to ory-...@googlegroups.com

One option is to skip the TLS check in the client in development :)

Once you have a valid TLS key, use the http://docs.hdyra.apiary.io/#reference/json-web-keys-jwk API to set `keys/ hydra.tls/private` `key/hydra.tls/public` (using HTTP PUT). The keys need to be laid out as JWKs. There are helpers for this in Go and in Node.js; I might add saving PEM keys some time as well.

--
You received this message because you are subscribed to the Google Groups "ory-hydra" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ory-hydra+...@googlegroups.com.
To post to this group, send email to ory-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ory-hydra/fb88b580-5dda-4245-9053-3b92f1105873%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jan Olszak

Jun 2, 2016, 4:51:33 PM
to ory-hydra
Are you planning to add passing external certificates to Hydra?

Your solution is OK for development only and adds unneeded code to the IdP.

I think it also breaks the example from the README on Chrome (it's impossible to accept the untrusted certificate if the CN is bad).

Aeneas Rekkas

Jun 2, 2016, 4:53:06 PM
to ory-...@googlegroups.com

It is planned to pass PEM files to Hydra, something like `hydra keys add hydra.tls public --pem-file=public.cert`


Jan Olszak

Jun 2, 2016, 4:54:43 PM
to ory-hydra
Why not:
hydra host --key key.pem --cert cert.pem

Aeneas Rekkas

Jun 2, 2016, 4:55:55 PM
to ory-...@googlegroups.com

Because you usually don't keep those files around when you deploy using Docker or Heroku :)

Jan Olszak

Jun 2, 2016, 5:01:23 PM
to ory-hydra
You don't? Where do you get them from then?

It's quite usual to copy the certificates when building the container.

Aeneas Rekkas

Jun 2, 2016, 5:09:43 PM
to ory-...@googlegroups.com
I think `hydra key add ...` is fine, I could add a shortcut such as `hydra tls set` or something to make it easier. I think `hydra host --key` is also okay, but I dislike the fact that keys are kept unencrypted on the disk.

I just remembered that you can't use SSL at Heroku/Cloud Foundry anyway, as the proxy already solves that.

Why do you think that adding the TLS key from the CLI client is not enough?

Jan Olszak

Jun 2, 2016, 5:26:10 PM
to ory-hydra
As far as I understand:
1. The CLI runs on your laptop.
2. Hydra runs in the cloud with a self-signed certificate that is created for localhost.
3. If you use the CLI you don't really know who you're talking to.
4. When you upload the real certificate with hydra tls set or the JWK API you might be sending it to the attacker.

The unencrypted certificate and key will lie around on your proxy server anyway.

The Docker way would be to:
- pass the certificates in ENV (Hydra would have to check the env) and save them
- mount them read-only on a volume and pass them via the command line or some configuration, etc.

You have to have persistent storage in case of a reboot.
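As an added example (not code from the thread or from the Hydra project), the following Go program reproduces the client-side check behind the error in the first post and the two configuration styles proposed in this post: PEM material passed in environment variables, or file paths pointing at a read-only volume. The variable names `HYDRA_TLS_CERT`, `HYDRA_TLS_KEY`, `HYDRA_TLS_CERT_PATH` and `HYDRA_TLS_KEY_PATH` are assumptions for illustration, and the self-signed certificate it generates is constructed test data standing in for a CA-issued one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// selfSignedPEM builds a throwaway self-signed certificate covering dnsNames
// and returns certificate and key as PEM. Constructed test data only.
func selfSignedPEM(dnsNames []string) (certPEM, keyPEM []byte, err error) {
	if len(dnsNames) == 0 {
		return nil, nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // clients check SANs, not only the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// loadServerCert prefers PEM contents in env vars (HYDRA_TLS_CERT/HYDRA_TLS_KEY),
// then file paths (HYDRA_TLS_CERT_PATH/HYDRA_TLS_KEY_PATH) on a mounted volume.
// The variable names are hypothetical; getenv is injected so it can be tested.
func loadServerCert(getenv func(string) string) (tls.Certificate, error) {
	if c, k := getenv("HYDRA_TLS_CERT"), getenv("HYDRA_TLS_KEY"); c != "" && k != "" {
		return tls.X509KeyPair([]byte(c), []byte(k))
	}
	if cp, kp := getenv("HYDRA_TLS_CERT_PATH"), getenv("HYDRA_TLS_KEY_PATH"); cp != "" && kp != "" {
		return tls.LoadX509KeyPair(cp, kp)
	}
	return tls.Certificate{}, errors.New("no TLS certificate configured")
}

// hostnameError performs the same check a Go TLS client does when it connects
// to host; a localhost-only certificate yields exactly
// "x509: certificate is valid for localhost, not hydra".
func hostnameError(cert tls.Certificate, host string) error {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err
	}
	return leaf.VerifyHostname(host)
}

func main() {
	// Constructed input: a certificate issued only for "localhost", the case
	// reported in the thread. Real env vars, if set, take precedence.
	certPEM, keyPEM, err := selfSignedPEM([]string{"localhost"})
	if err != nil {
		panic(err)
	}
	fallback := map[string]string{"HYDRA_TLS_CERT": string(certPEM), "HYDRA_TLS_KEY": string(keyPEM)}
	getenv := func(k string) string {
		if v := os.Getenv(k); v != "" {
			return v
		}
		return fallback[k]
	}
	cert, err := loadServerCert(getenv)
	if err != nil {
		panic(err)
	}
	fmt.Println("client connecting to hydra:", hostnameError(cert, "hydra"))
	fmt.Println("client connecting to localhost:", hostnameError(cert, "localhost"))
}
```

Issuing the certificate with `hydra` in its SANs (the second call in the test below does this) makes the same check pass, which is the fix the thread is asking for; the env/file loader is what lets that certificate reach the container without a round trip through an unverified CLI channel.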

Aeneas Rekkas

Jun 2, 2016, 5:27:56 PM
to ory-...@googlegroups.com

Good points. I will add the ability to read the certificate from env and from a file as well when running host. :)


Jan Olszak

Jun 2, 2016, 5:47:58 PM
to ory-hydra
I'll add an issue.