Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c23eb88a4f'
${ noResults }
smallstep-certificates/docs/recommendations.md

9.9 KiB
Raw Blame History

Sane Recommendations

TLS, PKI, X509, HTTPS, etc. all require configuration. All of these technologies allow the user to "shoot themselves in the foot" by misconfiguring them and reducing their benefits significantly. Therefore, offering an easy to use solution that works out of the box means choosing and enforcing sane default configurations for all these technologies.

Below we document some of the significant default configuration that we recommend. This document is a moving target: security and cryptography are constanly changing and evolving - vulnerabilities are found, new algorithms are created, etc. We inted for this document be an accurate representation of current best practices in the industry, and to have these practices codified as defaults in the certificates code base. If you have questions, suggestions, or comments about any of these decisions please let us know.

Tokens

We use JWTs (JSON Web Tokens to prove authenticity and identity within the Step ecosystem. JWTs have received negative attention because they are easy to misuse, misconfigure. We agree! But lots of things are easy to misuse. We also believe that when configured well JWTs are a great way to sign and encode data. Our JWT's are, by default, short-lived (5 minute lifespan) and can only be used once during the lifetime of the Step CA. We use a 1 minute clock drift leeway because that was the recommended default in the reputable JWT package that we chose. If using Step JWTs or your own JWTs in your code be sure to verify and validate every single standard attributed of the JWT. JWTs, like all cryptographic tools, are useless without proper attention to configuration and guidelines.

Keys

// RSA keys don't scale very well. To get 128 bits of security, you need 3,072-bit
// RSA keys, which are noticeably slower. ECDSA keys provide an alternative
// that offers better security and better performance. At 256 bits, ECDSA keys
// provide 128 bits of security. A small number of older clients don't support
// ECDSA, but most modern clients do.
Default Key Type: ECDSA
Default Curve Bits: P-256

// Encryption algorithm for writing private keys to disk. We've chosen AES
// (aka Rijndael) because it was the official choice of the Advanced Encryption
// Standard contest. The three supported key sizes are 128, 192, and 256. Each
// of these is considered to be unbreakable for the forseeable future, therefore
// we chose 128 bits as our default because the performance is better
// (as compared to the greater key sizes) and because we agree, with the
// designers of the algorithm, that 128 bits are quite sufficient for most
// security needs.
Default PEMCipher: AES128

X.509 Certificate Defaults

  • root certificate

    * Validity (10 year window)
  * Not Before: Now
  // A 10 year window seems advisable until software and tools can be written
  // for rotating the root certificate.
  * Not After: Now + 10 years
* Basic Constraints
  // The root certificate is a Certificate Authority, it will be used to sign
  // other Certificates.
  * CA: TRUE
  // The path length constraint expresses the number of possible intermediate
  // CA certificates in a path built from an end-entity certificate up to the
  // CA certificate. An absent path length constraint means that there is no
  // limitation to the number of intermediate certificates from end-entity to
  // the CA certificate. The smallstep PKI has only one intermediate CA
  //certificate between end-entity certificates and the root CA certificcate.
  * pathlen: 1
* Key Usage // Describes how the keys can be used.
  // Indicates that a certificate will be used with a protocol that encrypts keys.
  * Key Encipherment
  // Indicates that our root public key will be used to verify a signature on
  // certificates.
  * Certificate Signing
  // Indicates that our root public key will be used to verify a signature on
  // revocation
  // information, such as CRL.
  * CRL Sign
  // Indicates that our root public key may be used as a digital signature to
  // support security services that enable entity authentication and data
  // origin authentication with integrity.
  * Digital Signature

  • intermediate certificate

    * Validity (10 year window)
  * Not Before: Now
  // A 10 year window seems advisable until software and tools can be written
  // for rotating the intermediates certificates without considerable agony
  // on the part of the user.
  * Not After: Now + 10 years
* Basic Constraints
  // The intermediate certificate is a Certificate Authority, used to sign
  // end-entity (service, process, job, etc.) certificates.
  * CA: TRUE
  // The path length constraint expresses the number of possible intermediate
  // CA certificates in a path built from an end-entity certificate up to the
  // CA certificate. An absent path length constraint means that there is no
  // limitation to the number of intermediate certificates from end-entity to
  // the CA certificate. There are no additional intermediary certificates in
  // the path between the smallstep intermediate CA and end-entity certificates.
  * pathlen: 0
* Key Usage
  // Indicates that a certificate will be used with a protocol that encrypts keys.
  * Key Encipherment
  // Indicates that our root public key will be used to verify a signature on
  // certificates.
  * Certificate Signing
  // Indicates that this public key can be used to verify a signature on
  // revocation information, such as CRL.
  * CRL Sign
  // Indicates that this public key may be used as a digital signature to
  // support security services that enable entity authentication and data
  // origin authentication with integrity.
  * Digital Signature
* Extended Key Usage
  // Certificate can be used as the server side certificate in the TLS protocol.
  * TLS Web Server Authentication
  // Certificate can be used as the client side certificate in the TLS protocol.
  * TLS Web Client Authentication

  • Leaf Certificate - End Entity Certificate (certificates returned by the CA)

    * Validity (24 hour window)
  * Not Before: Now
  // The default is a 24hr window. This value is somewhat arbitrary, however,
  // our goal is to have seamless end-entity certificate rotation (we are
  // getting close). Rotating certificates frequently is good security hygiene
  // because it gives bad actors very little time to form an attack and limits
  // the usefulness of any single private key in the system. We will continue
  // to work towards decreasing this window because we believe it significantly
  // reduces probability and effectiveness of any attack.
  * Not After: Now + 24 hours
* Key Usage
  // Indicates that a certificate will be used with a protocol that encrypts keys.
  * Key Encipherment
  // Indicates that this public key may be used as a digital signature to
  // support security services that enable entity authentication and data
  // origin authentication with integrity.
  * Digital Signature
* Extended Key Usage
  // Certificate can be used as the server side certificate in the TLS protocol.
  * TLS Web Server Authentication
  // Certificate can be used as the client side certificate in the TLS protocol.
  * TLS Web Client Authentication

Default TLS Configuration Options

// The PCI Security Standards Council is requiring all payment processors
// and merchants to move to TLS 1.2 and above by June 30, 2018. By setting
// TLS 1.2 as the default for all tls protocol negotiation we encourage our
// users to adopt the same security conventions.
* MinVersion: TLS 1.2
* MaxVersion: TLS 1.2

// https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
// The default 'ciphersuites' is a single cipher combination. For communication
// between services running step there is no need for cipher suite negotiation.
// The server can specify a single cipher suite which the client is already
// known to support. Reasons for selecting "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":
//  - ECDHE key exchange algorithm has perfect forward secrecy
//  - ECDSA has smaller keys and better performance (than RSA)
//  - CHACHA20 with POLY1305 is the cipher mode used by google.
//  - CHACHA20's performance is better than GCM and CBC.
// NOTE: The http2 spec requires the "TLS_ECDHE_(RSA|ECDSA)_WITH_AES_128_GCM_SHA256"
// ciphersuite be accepted by the server, therefore it makes our list of
// default ciphersuites until we build the functionality to modify our defaults
// based on http version.
* DefaultCipherSuites: [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  ]
// The following is a list of step approved cipher suites. Not all communication
// can be mediated with step TLS functionality. For those connections the list of
// server supported cipher suites must have more options - in case older clients
// do not support our favored cipher suite. Reasons for selecting these cipher
// suites can be found in the ssllabs article cited above.
* ApprovedCipherSuites: [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  ]
// TLS renegotiation significantly complicates the state machine and has been
// the source of numerous, subtle security issues. Therefore, by default we
// disable it.
* Renegotation: Never