
SMS gateway certificate

Hi!

We are using SSPR to send SMS tokens and new passwords using an SMS Gateway.

Part of configuring this is to import the certificate from the SMS Gateway. In our case, this process imports the following certificates:

Certificate structure:
DST Root CA X3
-- Let's Encrypt Authority X3 -- THIS IS IMPORTED
---- api.obfuscated.com -- THIS IS IMPORTED

It all works fine, but the problem I have is that the api.obfuscated.com certificate has a short validity period; it expires every 3 months and we don't know when the service provider renews the certificate.

Would it not be sufficient to import the "Let's Encrypt Authority X3" certificate? That one is valid for 10 years.

Does anyone know how to work with this to ensure SSPR service reliability in the SMS gateway?

Best Regards
Marcus
  • 0
    On 11/21/2018 03:14 AM, marcus jonsson wrote:
    >
    > We are using SSPR to send SMS tokens and new passwords using an SMS
    > Gateway.
    >
    > Part of configuring this is to import the certificate from the SMS
    > Gateway. In our case, this process imports the following certificates:
    >
    > Certificate structure:
    > DST Root CA X3
    > -- Let's Encrypt Authority X3 -- THIS IS IMPORTED
    > ---- api.obfuscated.com -- THIS IS IMPORTED


    You should never import the end certificate, in your case
    api.obfuscated.com, for any TLS/SSL service ever, at all, unless you are
    using self-signed certificates (you are not) and know what you are doing
    with them.

    > It all works fine, but the problem I have is that the api.obfuscated.com
    > certificate has a short validity period, it expires every 3 months and
    > we don't know when the service provider renews the certificate.


    That's part of the point of Let's Encrypt certs; they are meant to be
    short-lived so if they are compromised they do not matter much, but the CA
    allows for simple, even automatic, generation of new short-lived certificates.

    > Would it not be sufficient to import the "Let's Encrypt Authority X3"
    > certificate? That one is valid for 10 years.


    Yes, this is what you should always do, and usually one would import all
    of the parent certs, assuming the existing truststore does not come with
    those trusted already (older things may not yet, but newer things do). By
    virtue of trusting the certificate authority (CA), your services trust all
    certificates minted from that CA (unless revoked, used for the wrong
    purpose, invalid time-wise/expired, etc.) which is why you should only
    import the CA and not the endpoint certificate.

    > Does anyone know how to work with this to ensure SSPR service
    > reliability in the SMS gateway?


    SSPR is just an app running in Apache Tomcat, and every time I have set it
    up I have only done so trusting CAs, not endpoint certs.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • 0 in reply to 

    Hi AB!

    I agree with everything you write. Just to clarify, I have not manually imported these certs, that is done automatically when I click "Import certificate" in the SSPR UI.

    But based on your comments I will try and import the CA and intermediate (not endpoint) cert to the Tomcat certificate store and check if it works without using the "Import certificate" in the SSPR UI.

    Thanks for helping me out!

    Best Regards
    Marcus
  • 0 in reply to 
    On 11/21/2018 05:46 AM, marcus jonsson wrote:
    >
    > I agree with everything you write. Just to clarify, I have not manually
    > imported these certs, that is done automatically when I click "Import
    > certificate" in the SSPR UI.


    I have not used that import option for SMS things, so perhaps there is a
    bug there, but it's a little one; imported expired certs are meaningless
    so long as the CAs are trusted. I have only worked with the LDAP import
    option and, while I think it shows the endpoint cert, my understanding is
    that it would always import the CA only. With that said, my notes
    indicate that I manually import into a truststore every time regardless,
    probably as a practice from before the import option existed.


  • 0 in reply to 

    Hi.

    I tried some ideas, but can't make it work.

    Where do you suggest I import the CA and intermediate certificates? I tried to manually edit SSPRConfiguration.xml and remove only the endpoint certificate, but this does not work. I also tried to add these two certificates to the JRE cacerts, but the result is the same.

    When I try to send I get the error message:
    unable to send message: 5078 ERROR_SMS_SEND_ERROR (error while sending SMS, discarding message: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: java.security.cert.CertificateException: server certificate {subject=CN=api.obfuscated.com} does not match a certificate in the configuration trust store.

    Do you have any guidance or ideas for me?

    Best regards
    Marcus
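    The point ab makes above (trust the CA, not the endpoint certificate) and the "does not match a certificate in the configuration trust store" error in this post, worked through as an added example. This is not code from the thread and not SSPR's own code; it only needs the openssl CLI. It builds a throwaway root -> intermediate -> api.obfuscated.com chain with placeholder names ("Example Root CA" and "Example Intermediate CA" stand in for DST Root CA X3 and Let's Encrypt Authority X3), issues the leaf twice to model the provider's 90-day renewal, and then checks the renewed leaf three ways: against the root, against only the intermediate, and against an exact copy of the old leaf, which is what importing the endpoint certificate amounts to.

```shell
#!/bin/sh
# Added example, not from the thread or from SSPR. Models the chain in the
# post with throwaway keys and shows why a TLS trust store should hold the CA
# certificates rather than the short-lived leaf. Requires the openssl CLI.
# All names and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a CSR with a fresh P-256 key: new_csr <name> <subject>
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Root and intermediate are built once; like real CA certs they live for years.
make_ca_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  new_csr root "/CN=Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  new_csr int "/CN=Example Intermediate CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -days 1825 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
}

# Issue or renew the leaf: issue_leaf <tag> <serial>. Each call uses a new key,
# as an ACME client does on renewal, and the cert is valid for 90 days.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.obfuscated.com\n' \
    > "$WORK/leaf.ext"
  new_csr "leaf-$1" "/CN=api.obfuscated.com"
  openssl x509 -req -in "$WORK/leaf-$1.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -days 90 -set_serial "$2" -extfile "$WORK/leaf.ext" -out "$WORK/leaf-$1.crt" >/dev/null 2>&1
}

# Trust store holds the root; the intermediate arrives with the server's chain,
# as it does in a TLS handshake.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$1" >/dev/null 2>&1
}

# Trust store holds only the intermediate, as in the post. Java's PKIX validator
# treats any trust-store entry as an anchor; openssl needs -partial_chain for that.
verify_with_intermediate() {
  openssl verify -partial_chain -CAfile "$WORK/int.crt" "$1" >/dev/null 2>&1
}

# What importing the endpoint certificate amounts to: an exact match on the leaf.
leaf_pin_matches() {
  a="$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
  b="$(openssl x509 -noout -fingerprint -sha256 -in "$2")"
  [ "$a" = "$b" ]
}

make_ca_chain
issue_leaf 1 1001   # the certificate imported into the trust store today
issue_leaf 2 1002   # the provider's renewal about three months later

report() { if "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi; }
report verify_with_root "$WORK/leaf-2.crt"                     # OK
report verify_with_intermediate "$WORK/leaf-2.crt"             # OK
report leaf_pin_matches "$WORK/leaf-1.crt" "$WORK/leaf-2.crt"  # FAIL: stale pinned leaf
```

    Run it with sh. The two CA-anchored checks pass for the renewed leaf, while the pinned copy of the old leaf no longer matches, which is the failure mode an imported endpoint certificate runs into on the provider's next rotation. One caveat that comes with ab's advice: trusting a public CA means trusting every certificate it issues, so the client must still check that the presented certificate is for the gateway's hostname, which the Java TLS stack does by default.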
  • 0   in reply to 

    Hello,

    Was there any resolution to this? I am researching this and it would help if there was a final solution in here. Perhaps you only needed a restart of the service?

  • 0   in reply to   

    Hi Zan,

    It might be worth opening a case with the support team so this can be explored further

    Regards

    Liam O'Dowd

  • 0   in reply to   

    My resolution, for now, was to remove all certificates, and the thing still works without any certificates imported. It might be that it has a general keystore with all the trusted roots and it works because of that (the SMS gateway provider has a publicly trusted root), but this is what I did. I have not tried other solutions, as this one worked and it was good enough for me.

    Thank you both  and  for answering.
