Does Openshift allow self-signed certificates? - certificate

Say you implement an application on Openshift and put it behind Cloudflare.
Since Cloudflare offers universal certificates and allows self-signed certificates, can I use a self-signed certificate on OpenShift for my application?

Yes, you can use a self-signed certificate, it just won't show up as trusted by most browsers.
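As an added example of the setup the answer describes (not from the question or the answer), an OpenShift Route that terminates TLS at the router with a self-signed certificate; the route, service and hostname names are assumptions and the PEM bodies are placeholders:

```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp                      # assumed route name
spec:
  host: app.example.com            # assumed hostname; must match the certificate's SAN
  to:
    kind: Service
    name: myapp                    # assumed service name
  port:
    targetPort: 8080
  tls:
    termination: edge              # the router terminates TLS; the pod speaks plain HTTP
    insecureEdgeTerminationPolicy: Redirect
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...placeholder: the self-signed certificate for app.example.com...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...placeholder: its private key...
      -----END PRIVATE KEY-----
```

The same route can be created from files with `oc create route edge myapp --service=myapp --hostname=app.example.com --cert=tls.crt --key=tls.key`. With Cloudflare in front, its SSL/TLS mode has to be "Full" rather than "Full (strict)": strict mode validates the origin certificate against public CAs (or Cloudflare's own Origin CA) and rejects a self-signed one, while browsers only ever see Cloudflare's universal certificate.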

Related

Stolen self-signed server certificate in Flutter web client

Say I have a Flutter app and an intranet server. The Flutter client will try to talk to the server over TLS. I understood that we can generate a self-signed certificate on the server and I can have the Flutter client app load the certificate to talk to the server. I am thinking that if I store that certificate in an asset, would that be secure?
It seems that if someone got the certificate from the asset, they could then talk to the server. Is that true? If that is true, then it seems that a self-signed certificate is not very secure.
Certificates are public; you're storing a copy of your self-signed certificate locally for your TLS client to trust it, as it'll only trust the system CAs by default. So no, nothing will be compromised if you store your certificate client-side.
What you shouldn't store client-side are private keys; they typically start with `-----BEGIN PRIVATE KEY-----`.
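The point of the answer, as an added example that is not part of the original post: a client that trusts only the self-signed certificate it ships with, and an impostor who has copied that certificate but not the key. The hostname `intranet.example` is assumed, the certificates are throwaway ones generated at run time, and the `openssl` CLI must be on PATH for that generation.

```python
"""Added example: a TLS client that trusts only a self-signed server certificate.

Shows that shipping the public certificate inside the client is harmless: it
becomes the client's sole trust anchor, and someone who copies it still cannot
impersonate the server without the matching private key.
Needs the `openssl` CLI on PATH (used only to generate throwaway test keys).
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"
SERVER_NAME = "intranet.example"   # assumed intranet hostname, goes in the SAN


def make_self_signed(directory, name):
    """Generate a self-signed certificate and key; returns (cert_path, key_path)."""
    cert = os.path.join(directory, name + ".crt")
    key = os.path.join(directory, name + ".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "30",
         "-subj", "/CN=" + SERVER_NAME,
         "-addext", "subjectAltName=DNS:" + SERVER_NAME],
        check=True, capture_output=True)
    return cert, key


def asset_is_public_only(path):
    """Release-time check for the bundled asset: certificate blocks only, never a key."""
    with open(path) as f:
        pem = f.read()
    return "BEGIN CERTIFICATE" in pem and "PRIVATE KEY" not in pem


def serve_once(cert, key, listener):
    """Server side: accept one connection, handshake, send a banner."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)   # fails if cert and key do not match
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello from intranet\n")
    except (ssl.SSLError, OSError):
        conn.close()   # the client refused our certificate; expected in the impostor case


def connect(trusted_cert, port):
    """Client side: trust only `trusted_cert` (the asset) and verify the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile=trusted_cert)  # the asset, not the system CA store
    try:
        with socket.create_connection((HOST, port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
            return tls.recv(64).decode().strip()
    except ssl.SSLCertVerificationError:
        return "REJECTED"


def run_scenario(server_cert, server_key, client_trusted):
    """Run a one-shot TLS server on a free port and connect with the given trust anchor."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(server_cert, server_key, listener))
    server.start()
    try:
        return connect(client_trusted, port)
    finally:
        server.join()
        listener.close()


def demo():
    with tempfile.TemporaryDirectory() as d:
        real_crt, real_key = make_self_signed(d, "server")
        # An impostor holding a copy of server.crt has no key for it, so the best
        # it can do is mint its own certificate for the same name.
        fake_crt, fake_key = make_self_signed(d, "impostor")
        return {
            "asset_public_only": asset_is_public_only(real_crt),
            "genuine_server": run_scenario(real_crt, real_key, real_crt),
            "impostor_with_copied_cert": run_scenario(fake_crt, fake_key, real_crt),
        }


if __name__ == "__main__":
    print(demo())
```

The genuine server passes and the impostor is rejected with a verification error, because the client checks the server's proof of possession of the private key, not possession of the certificate. The Flutter equivalent of `connect` is a `dart:io` `SecurityContext(withTrustedRoots: false)` loaded with the asset bytes through `setTrustedCertificatesBytes` and passed to `HttpClient(context: ...)`.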

Automatic generation and renewal of Let's Encrypt certificates on Google HTTPS Load Balancer

I am using Google Kubernetes Engine and have the Google HTTPS Load Balancer as my ingress.
Right now the load balancer uses Let's Encrypt certificates. However, is there a simple way to ensure that the certificates are automatically renewed prior to their 90-day expiry?
You can now use "Google-managed SSL certificates" which is currently in beta: https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs
You have not specified how you configured Let's Encrypt for your load balancer. Right now Google does not offer this for you, so I assume you mean you set the Let's Encrypt certificate yourself. In this case, Google can't renew your certificate.
Until there's official support you can install a third-party add-on like cert-manager to automate certificate configuration and renewal. There's a GKE tutorial for doing this at https://github.com/ahmetb/gke-letsencrypt.
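As an added example (not from the question, either answer, or the linked tutorial), the cert-manager v1 objects that give the load balancer an automatically renewed Let's Encrypt certificate; the issuer name, Ingress name, e-mail address, service name and hostname are assumptions:

```yaml
# ClusterIssuer: the ACME account with Let's Encrypt (production endpoint)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          name: web-ingress                # assumed: the existing GCE Ingress; the challenge path is added to it
---
# Certificate: what to keep valid; cert-manager writes tls.crt/tls.key into secretName and renews them
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: default
spec:
  secretName: web-tls
  dnsNames:
  - www.example.com                        # assumed hostname
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  renewBefore: 720h                        # renew 30 days before expiry (default is 1/3 of lifetime)
---
# Ingress: the Google HTTPS load balancer serving the certificate from the Secret
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: gce
spec:
  tls:
  - secretName: web-tls
    hosts:
    - www.example.com
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: web                      # assumed backend service
            port:
              number: 80
```

cert-manager completes the HTTP-01 challenge through the existing Ingress (the `name:` form of the solver matters on GKE, since a separate challenge Ingress would create a second load balancer), stores the key pair in the `web-tls` Secret, and re-issues when the renewal point is reached; the Ingress controller then pushes the new Secret to the load balancer. `kubectl describe certificate web-tls` shows the `Not After` and `Renewal Time` it is working to, and `kubectl get certificate` should report `READY True`.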

Self-signed certificate vs CA certificate for REST APIs over HTTPS

Let's say we have a server only running REST API services, only on HTTPS.
The only consumer of the APIs is a mobile app.
Do we need a certificate from a CA, or is a self-signed certificate enough?
You will need to use a CA certificate. Otherwise, each mobile client will have to manually set your certificate as trusted.
You can potentially embed the certificate as trusted in the mobile app itself (assuming you distribute the app), however it will be a problem when the time comes to renew the certificate, or rekey/replace the certificate for whatever issue.
Using a globally trusted certificate is the way to go.
You can:
Keep a self-signed certificate, but then you have to pin the certificate, and you can't revoke it if the private key is compromised.
Use a home-made certificate authority, but then you have to pin the certificate and manage the revocation process (maintain an OCSP responder or a CRL).
Use a certificate from a trusted CA, revocation will be checked for you, and if you want additional security, you still can pin the certificate.
In my opinion, the use of a trusted CA is more secure and more simple.

AFNetwork with self-signed certificate

I am trying to set up a self-signed SSL certificate for my iOS app, which has a REST backend.
My question is should I use [securityPolicy setAllowInvalidCertificates:YES]; when we use self signed certificates? And NO with trusted certificates?
I didn't understand the exact mechanism, although I have read about SSL for hours. It works with setAllowInvalidCertificates:YES, but otherwise I get a 1012 error.
Yes, you should set [securityPolicy setAllowInvalidCertificates:YES]; when using self-signed certificates. And correct; you should use NO with trusted certificates.
You are likely still getting the error when it is set to NO because a part of your certificate chain is not trusted. Try using an app called SSL Detective to make sure the entire chain is trusted with no red (untrusted) components. AFNetworking doesn't like those.
My question is should I use [securityPolicy setAllowInvalidCertificates:YES]; when we use self signed certificates? And NO with trusted certificates?
No! This would defeat the whole purpose of SSL because it would make man-in-the-middle attacks possible. Better use public key pinning. I don't know how to do this with AFNetwork, but the linked resource has code for lots of environments.
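The pinning that the second answer here and the answer to the REST API question above both recommend, as an added example (not code from either thread, and in Python rather than Objective-C so that it runs stand-alone): the client pins the SHA-256 of the server's SubjectPublicKeyInfo together with a backup pin for a key kept offline, which is what makes renewal and key rotation workable without an app update. The hostname `api.example.com` is assumed, all keys are throwaway ones generated at run time, and the `openssl` CLI must be on PATH for that.

```python
"""Added example: public-key (SPKI) pinning with a backup pin.

Pinning the SHA-256 of the server's SubjectPublicKeyInfo, not the whole
certificate, lets the certificate be renewed under the same key, and a
pre-generated backup key lets the key itself be rotated, without an app update.
"""
import base64
import hashlib
import os
import ssl
import subprocess
import tempfile

API_NAME = "api.example.com"   # assumed API hostname


def sh(*args):
    """Run a command and return its stdout bytes."""
    return subprocess.run(args, check=True, capture_output=True).stdout


def gen_key(path):
    sh("openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", path)


def issue_self_signed(key_path, cert_path):
    """Mint a self-signed certificate for an existing key (stands in for whatever the server serves)."""
    sh("openssl", "req", "-new", "-x509", "-key", key_path, "-out", cert_path, "-days", "30",
       "-subj", "/CN=" + API_NAME, "-addext", "subjectAltName=DNS:" + API_NAME)


def _tlv(buf, pos):
    """Read one DER TLV at `pos`; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate (RFC 5280 field order)."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)        # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate")
    return cert_der[pos:end]


def pin_of(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_from_key(key_path):
    """Pin a key you hold (e.g. an offline backup key) before any certificate exists for it."""
    return pin_of(sh("openssl", "pkey", "-in", key_path, "-pubout", "-outform", "DER"))


def pin_from_cert_der(cert_der):
    """What the client computes from getpeercert(binary_form=True) after normal TLS validation."""
    return pin_of(spki_from_der(cert_der))


def peer_pin_ok(cert_der, pins):
    return pin_from_cert_der(cert_der) in pins


def demo():
    with tempfile.TemporaryDirectory() as d:
        keys = {n: os.path.join(d, n + ".key") for n in ("current", "backup", "rogue")}
        for p in keys.values():
            gen_key(p)
        pins = {pin_from_key(keys["current"]), pin_from_key(keys["backup"])}   # shipped in the app
        results, ders = {}, {}
        for label, key in (("current", keys["current"]),
                           ("rotated_to_backup", keys["backup"]),
                           ("rogue_key", keys["rogue"])):
            cert = os.path.join(d, label + ".crt")
            issue_self_signed(key, cert)
            with open(cert) as f:
                ders[label] = ssl.PEM_cert_to_DER_cert(f.read())
            results[label] = peer_pin_ok(ders[label], pins)
        # Cross-check the hand-written DER walk against openssl's own SPKI encoding.
        results["parser_matches_openssl"] = (
            pin_from_cert_der(ders["current"]) == pin_from_key(keys["current"]))
        return results


if __name__ == "__main__":
    print(demo())
```

A certificate for the current key or for the backup key passes, one for any other key fails, even when it carries the right name. The pin check runs after, not instead of, ordinary chain validation; with a self-signed server certificate the trust anchor is the certificate itself, so the pin is what you are left with if the key leaks, which is the revocation gap the REST API answer describes. AFNetworking's `AFSecurityPolicy` offers the same check as `AFSSLPinningModePublicKey`.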

CAcert SSL certificate for servers hosting secure Facebook applications

I want to install the CAcert SSL certificate on a server on which I want to host secure (HTTPS) Facebook applications. I want to know if Facebook allows an HTTPS server to have a CAcert certificate to fetch a Facebook app.
Yes. As long as you have a valid browser cert you will be fine. I have specifically used GoDaddy's CA certificate chain with a secure Facebook app with no difficulty.
For the majority of cheap shared hosting environments you don't necessarily need to purchase an individual SSL certificate as long as the server has a shared SSL certificate, as discussed here.