Blog | G5 Cyber Security

Server Trust with X.509 Certificates

TL;DR

This guide shows how to set up a basic system in which two servers authenticate each other with X.509 certificates issued by a private certificate authority (CA) that you control. For server-to-server communication this is stronger than shared passwords: each server's private key never leaves its host, nothing reusable crosses the wire, and both sides verify the other's identity rather than only one.

Setting Up Server Trust with X.509 Certificates

  1. Generate a Certificate Authority (CA) Key and Certificate:
    • This CA is the trust anchor: every server certificate must chain to it, so its private key is the most sensitive file in the setup. Keep ca.key off the servers that use the certificates, restrict its permissions (chmod 600) and back it up offline.
    • Use OpenSSL to create the CA key:
      openssl genrsa -out ca.key 2048
    • Create a self-signed CA certificate:
      openssl req -x509 -new -nodes -days 3650 -key ca.key -out ca.crt

      You’ll be prompted for the subject fields; give the CA a descriptive Common Name (CN) such as "Internal Server CA" (or pass -subj to skip the prompts). Note that -nodes leaves ca.key unencrypted on disk, so file permissions are the only thing protecting it.

  2. Generate Server Keys and Certificate Signing Requests (CSRs):
    • For each server, create a private key (on that server if possible, so it never has to be transferred):
      openssl genrsa -out server1.key 2048
      openssl genrsa -out server2.key 2048
    • Create a CSR for each server:
      openssl req -new -key server1.key -out server1.csr
      openssl req -new -key server2.key -out server2.csr

      Again, fill in the requested information, using the hostname the other server will connect to as the Common Name. Be aware that modern TLS stacks match hostnames against the subjectAltName extension rather than the CN, and that the signing command in the next step does not copy extensions from the CSR, so the name has to be supplied again at signing time.

  3. Sign Server CSRs with the CA:
    • Use OpenSSL to sign each CSR using your CA key and certificate:
      openssl x509 -req -in server1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server1.crt -days 365
      openssl x509 -req -in server2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server2.crt -days 365
    • -CAcreateserial creates ca.srl on the first run and reuses it afterwards, so every certificate the CA issues gets a distinct serial number. As written, the issued certificates carry no extensions at all; to add a subjectAltName (and key-usage constraints) pass an -extfile containing them, otherwise hostname verification against these certificates will fail. The one-year lifetime means they must be reissued before they expire.
  4. Distribute Certificates:
    • Copy the following to each respective server (the .key files over an authenticated channel such as scp, and only if the key was not generated in place):
      • server1.crt and server1.key to Server 1
      • server2.crt and server2.key to Server 2
    • Copy the CA certificate (ca.crt) to both servers. This allows them to verify each other’s certificates. Never copy ca.key to the servers: anyone who obtains it can mint certificates that both servers will accept.
  5. Configure Servers to Trust Each Other:
    • The exact configuration depends on your server software (e.g., Apache, Nginx, Python with SSL). Because the trust is meant to be mutual, each server needs two things: a verifying context for the connections it makes, and a listening context that presents its own certificate and requires the peer's. Here’s a general example using Python on Server 1:
      import ssl
      # Outbound: verify the peer against ca.crt and present this server's own certificate.
      client_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile='ca.crt')
      client_ctx.load_cert_chain(certfile='server1.crt', keyfile='server1.key')
      # Inbound: present this server's certificate and require a client certificate signed by the CA.
      server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile='ca.crt')
      server_ctx.load_cert_chain(certfile='server1.crt', keyfile='server1.key')
      server_ctx.verify_mode = ssl.CERT_REQUIRED
    • Passing cafile to create_default_context matters: a default context followed by load_verify_locations('ca.crt') would trust ca.crt alongside every public CA in the system bundle, so any publicly issued certificate for the right name would also be accepted. Ensure your server software is configured to use the correct certificate and key files, that it verifies peer certificates against ca.crt only, and that the hostname used when connecting (server_hostname in Python) appears in the peer certificate's subjectAltName.
  6. Verify Communication:
    • Test communication between the servers. The connection should succeed because both servers trust the CA that signed their respective certificates. Before involving the application, check the chain offline on each server with openssl verify (-CAfile ca.crt against the peer's certificate) and confirm the handshake with openssl s_client using -CAfile, -cert and -key.
    • If you encounter errors, double-check:
      • The correct certificate and key files are being used, and the key matches the certificate.
      • The ca.crt file is present on both servers and is the one that actually signed the certificates.
      • The hostname being connected to appears in the peer certificate's subjectAltName.
      • The certificates have not expired (they were issued for 365 days) and the clocks on both servers are roughly correct.
      • Your server software configuration is accurate.
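The whole procedure as one POSIX shell script, added here as an example and not part of the original post: it performs steps 1 to 3 and the offline part of step 6, and fills in what the bare commands above leave out (a CA certificate with explicit basicConstraints and keyUsage, a subjectAltName and key-usage extensions on each server certificate supplied via -extfile, and a hostname-aware verification). It writes its own minimal OpenSSL config so the distribution's openssl.cnf cannot influence the result. The hostnames server1.internal and server2.internal and the CA name are placeholders assumed for the example; OpenSSL 1.1.1 or newer is required.

```sh
#!/bin/sh
# Added example, not the original post's script: CA plus two server certificates
# with the extensions the bare commands omit, followed by offline verification.
set -eu

# Placeholder hostnames assumed for the example; they end up in the SANs.
SERVER1_HOST=server1.internal
SERVER2_HOST=server2.internal

# Step 1. A minimal config is written so the system openssl.cnf is never consulted,
# and the CA extensions are stated explicitly instead of inherited from it.
make_ca() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048
    chmod 600 "$dir/ca.key"    # the CA key is the root of all trust here
    openssl req -x509 -new -nodes -key "$dir/ca.key" -days 3650 \
        -config "$dir/req.cnf" -extensions v3_ca \
        -subj "/CN=Example Internal CA" -out "$dir/ca.crt"
}

# Steps 2 and 3 for one server. 'x509 -req' does not copy extensions from the CSR,
# so the SAN and key usages are supplied at signing time through -extfile.
make_server_cert() {
    dir=$1; name=$2; host=$3
    openssl genrsa -out "$dir/$name.key" 2048
    chmod 600 "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -config "$dir/req.cnf" \
        -subj "/CN=$host" -out "$dir/$name.csr"
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt"
}

# Step 6, offline part: chain check against ca.crt plus hostname check against the SAN.
# Exit status is openssl's: 0 only if both checks pass.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt"
}

main() {
    work=$(mktemp -d)
    make_ca "$work"
    make_server_cert "$work" server1 "$SERVER1_HOST"
    make_server_cert "$work" server2 "$SERVER2_HOST"
    verify_server_cert "$work" server1 "$SERVER1_HOST"
    verify_server_cert "$work" server2 "$SERVER2_HOST"

    # Negative check: a certificate for server1's name from an unrelated CA must fail.
    rogue=$(mktemp -d)
    make_ca "$rogue"
    make_server_cert "$rogue" impostor "$SERVER1_HOST"
    if openssl verify -CAfile "$work/ca.crt" "$rogue/impostor.crt" >/dev/null 2>&1; then
        echo "BUG: certificate from an unrelated CA was accepted" >&2
        return 1
    fi
    echo "impostor.crt from an unrelated CA rejected, as expected"
    echo "files for step 4 are in $work"
}

main "$@"
```

Run it with sh: it prints one OK line per server certificate, then shows that a certificate for server1.internal issued by a second, unrelated CA is rejected by the first CA's trust store even though the subject names match. The generated files are left in a temporary directory so the copying in step 4 can be done from there; the same verify_server_cert check, with the peer's hostname, is what to run on each server after distribution.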