This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMS gateway certificate

Hi!

We are using SSPR to send SMS tokens and new passwords using a SMS Gateway.

Part of configuring this is to import the certificate from the SMS Gateway. In our case, this process imports the following certificates:

Certificate structure:
DST Root CA X3
-- Let's encrypt Authority X3 -- THIS IS IMPORTED
---- api.obfuscated.com -- THIS IS IMPORTED

It all works fine, but the problem I have is that the api.obfuscated.com certificate has a short validity period, it expires every 3 months and we don't know when the service provider renews the certificate.

Would it not be sufficient to import the "Let's encrypt Authority X3" certificate? That one is valid for 10 years.

Does anyone know how to work with this to ensure SSPR service reliability in the SMS gateway?

Best Regards
Marcus
Parents
  • 0
    On 11/21/2018 03:14 AM, marcus jonsson wrote:
    >
    > We are using SSPR to send SMS tokens and new passwords using a SMS
    > Gateway.
    >
    > Part of configuring this is to import the certificate from the SMS
    > Gateway. In our case, this process imports the following certificates:
    >
    > Certificate structure:
    > DST Root CA X3
    > -- Let's encrypt Authority X3 -- THIS IS IMPORTED
    > ---- api.obfuscated.com -- THIS IS IMPORTED


    You should never import the end certificate, in your case
    api.obfuscated.com, for any TLS/SSL service ever, at all, unless you are
    using self-signed certificates (you are not) and know what you are doing
    with them.

    > It all works fine, but the problem I have is that the api.obfuscated.com
    > certificate has a short validity period, it expires every 3 months and
    > we don't know when the service provider renews the certificate.


    That's part of the point of Let's Encrypt certs; they are meant to be
    short-lived so if they are compromised they do not matter much, but the CA
    allows for simple, even automatic, generation of new short-lived certificates.

    > Would it not be sufficient to import the "Let's encrypt Authority X3"
    > certificate? That one is valid for 10 years.


    Yes, this is what you should always do, and usually one would import all
    of the parent certs, assuming the existing truststore does not come with
    those trusted already (older things may not yet, but newer things do). By
    virtue of trusting the certificate authority (CA), your services trust all
    certificates minted from that CA (unless revoked, used for the wrong
    purpose, invalid time-wise/expired, etc.) which is why you should only
    import the CA and not the endpoint certificate.

    > Does anyone know how to work with this to ensure SSPR service
    > reliability in the SMS gateway?


    SSPR is just an app running in Apache Tomcat, and every time I have set it
    up I have only done so trusting CAs, not endpoint certs.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
Reply
  • 0
    On 11/21/2018 03:14 AM, marcus jonsson wrote:
    >
    > We are using SSPR to send SMS tokens and new passwords using a SMS
    > Gateway.
    >
    > Part of configuring this is to import the certificate from the SMS
    > Gateway. In our case, this process imports the following certificates:
    >
    > Certificate structure:
    > DST Root CA X3
    > -- Let's encrypt Authority X3 -- THIS IS IMPORTED
    > ---- api.obfuscated.com -- THIS IS IMPORTED


    You should never import the end certificate, in your case
    api.obfuscated.com, for any TLS/SSL service ever, at all, unless you are
    using self-signed certificates (you are not) and know what you are doing
    with them.

    > It all works fine, but the problem I have is that the api.obfuscated.com
    > certificate has a short validity period, it expires every 3 months and
    > we don't know when the service provider renews the certificate.


    That's part of the point of Let's Encrypt certs; they are meant to be
    short-lived so if they are compromised they do not matter much, but the CA
    allows for simple, even automatic, generation of new short-lived certificates.

    > Would it not be sufficient to import the "Let's encrypt Authority X3"
    > certificate? That one is valid for 10 years.


    Yes, this is what you should always do, and usually one would import all
    of the parent certs, assuming the existing truststore does not come with
    those trusted already (older things may not yet, but newer things do). By
    virtue of trusting the certificate authority (CA), your services trust all
    certificates minted from that CA (unless revoked, used for the wrong
    purpose, invalid time-wise/expired, etc.) which is why you should only
    import the CA and not the endpoint certificate.

    > Does anyone know how to work with this to ensure SSPR service
    > reliability in the SMS gateway?


    SSPR is just an app running in Apache Tomcat, and every time I have set it
    up I have only done so trusting CAs, not endpoint certs.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
Children
  • 0 in reply to 
    ab;2491288 wrote:
    On 11/21/2018 03:14 AM, marcus jonsson wrote:
    >
    > We are using SSPR to send SMS tokens and new passwords using a SMS
    > Gateway.
    >
    > Part of configuring this is to import the certificate from the SMS
    > Gateway. In our case, this process imports the following certificates:
    >
    > Certificate structure:
    > DST Root CA X3
    > -- Let's encrypt Authority X3 -- THIS IS IMPORTED
    > ---- api.obfuscated.com -- THIS IS IMPORTED


    You should never import the end certificate, in your case
    api.obfuscated.com, for any TLS/SSL service ever, at all, unless you are
    using self-signed certificates (you are not) and know what you are doing
    with them.

    > It all works fine, but the problem I have is that the api.obfuscated.com
    > certificate has a short validity period, it expires every 3 months and
    > we don't know when the service provider renews the certificate.


    That's part of the point of Let's Encrypt certs; they are meant to be
    short-lived so if they are compromised they do not matter much, but the CA
    allows for simple, even automatic, generation of new short-lived certificates.

    > Would it not be sufficient to import the "Let's encrypt Authority X3"
    > certificate? That one is valid for 10 years.


    Yes, this is what you should always do, and usually one would import all
    of the parent certs, assuming the existing truststore does not come with
    those trusted already (older things may not yet, but newer things do). By
    virtue of trusting the certificate authority (CA), your services trust all
    certificates minted from that CA (unless revoked, used for the wrong
    purpose, invalid time-wise/expired, etc.) which is why you should only
    import the CA and not the endpoint certificate.

    > Does anyone know how to work with this to ensure SSPR service
    > reliability in the SMS gateway?


    SSPR is just an app running in Apache Tomcat, and every time I have set it
    up I have only done so trusting CAs, not endpoint certs.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.


    Hi AB!

    I agree with everything you write. Just to clarify, I have not manually imported these certs, that is done automatically when I click "Import certificate" in the SSPR UI.

    But based on your comments I will try and import the CA and intermeddiate (not endpoint) cert to tomcat certificate store and check if it works without using the "Import certificate" in the SSPR UI.

    Thanks for helping me out!

    Best Regards
    Marcus