
By Abhishek Ghosh December 30, 2014 1:07 pm Updated on December 30, 2014

Public Key Pinning Support Nginx Ubuntu Cloud Server


Here is a guide to enabling Public Key Pinning support for Nginx on an Ubuntu cloud server, which is essentially an advanced step beyond the HSTS setup. We have already discussed HSTS for Nginx, Online Certificate Status Protocol (OCSP) and OCSP stapling; this article on Public Key Pinning is one level up.

 

Public Key Pinning Support Nginx Ubuntu Cloud Server : Basics

 

The Public Key Pinning Extension for HTTP is described by Google Inc. (October 5, 2014) in what was still a draft at the time this article was published:

    https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21

As the draft's abstract puts it, it defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, UAs will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.


This is important because of the vulnerabilities that could be introduced to run governmental spyware activities; Certification Authorities will surely be the next target of the NSA. It is especially important for cloud servers, as they are multi-tenant by nature. nginx with NAXSI is very hard to hack, yet if HSTS is undermined through a compromised Certification Authority, our servers will be left weak on port 80.


 

Public Key Pinning Support Nginx Ubuntu Cloud Server : Steps

 

How do we check what an HSTS domain returns? We run cURL and grep the response headers:

    curl -I -s https://thecustomizewindows.com | grep "Strict"

We will get this output:

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Now run this:

    curl -I -s https://raymii.org | grep "Public-Key-Pins"

We will get this output:

    Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains

How do we get it and, most importantly, how do we safeguard it? The safest way to pin a TLS certificate's public key is to also include the pin of a second public key. This RSA key should in no way be related to your first key; just generate a new one.

In other words, we have two SSL certificates, both from GeoTrust. One is for the bare domain only and the other covers both www.thecustomizewindows.com and thecustomizewindows.com. This is not a mistake! We have two front end servers to handle www, for the redirections only. In case our main server's cert gets compromised, we can switch to the second one, and we have a bash script handy to do it. You can pin the real keys you have in use, but that can itself become a point of failure and backfire.

Another option is to sit and wait until we are under attack and then revoke. Revoking is not good, but re-issuing is, as we said in the Generate CSR, Private Key With SHA256 Signature article. This Public Key Pinning is different from the limited preload-list based key pinning introduced by Firefox. The steps are simple. First, compute the pin from your CSR:

    openssl req -inform pem -pubkey -noout < example.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

As you usually will not have two different SSL certs, you need to generate a CSR for a "backup" key and compute a backup pin from it with the same pipeline:

    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -keyout example.com.backup.key -out example.com.backup.csr

Now we have two sets of keys ready to use!

In the case of Nginx, we add this line to the SSL server block:

    add_header Public-Key-Pins 'pin-sha256="base64+info1="; pin-sha256="backup+pin+here=="; max-age=15768000; includeSubDomains';

max-age=15768000 is 6 months. You can increase it to match your SSL cert's expiration time. Run nginx -t, then service nginx restart, and test the result on SSL Labs.
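The pin computation (base64 of the SHA-256 over the SubjectPublicKeyInfo DER, exactly what the openssl pipeline above emits), the assembly of the header value for the add_header line, and a pre-deployment check that a backup pin is actually present, as an added Python example that is not part of the original article. The SPKI bytes in the demo are constructed stand-ins rather than real keys; the known-good header value is the one the curl example above returned.

```python
import base64
import hashlib
import re

# Header value copied from the curl example above (raymii.org), used as a known-good input.
PAGE_HEADER = ('pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; '
               'pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains')

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER)), i.e. the output of
    'openssl pkey -outform der | openssl dgst -sha256 -binary | base64'."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def build_hpkp_header(pins, max_age=15768000, include_subdomains=True) -> str:
    """Assemble the value that goes inside nginx's add_header Public-Key-Pins '...';"""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

def parse_hpkp_header(value: str) -> dict:
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    age = re.search(r"max-age=(\d+)", value)
    return {"pins": pins, "max_age": int(age.group(1)) if age else None,
            "include_subdomains": "includeSubDomains" in value}

def hpkp_problems(value: str) -> list:
    """Reasons the header is unsafe to deploy; an empty list means it passes."""
    hdr, problems = parse_hpkp_header(value), []
    if len(set(hdr["pins"])) < 2:
        problems.append("fewer than two distinct pins: no backup pin to recover with")
    for p in hdr["pins"]:
        try:
            raw = base64.b64decode(p, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            problems.append("pin %r is not a base64-encoded SHA-256 digest" % p)
    if hdr["max_age"] is None:
        problems.append("max-age directive missing")
    return problems

def chain_matches_pins(chain_spki_ders, pins) -> bool:
    """Draft rule: the presented chain must contain at least one SPKI whose pin matches."""
    return any(spki_pin(der) in pins for der in chain_spki_ders)

if __name__ == "__main__":   # demo with constructed stand-ins, not real keys
    pins = [spki_pin(b"constructed live SPKI DER"), spki_pin(b"constructed backup SPKI DER")]
    print(build_hpkp_header(pins), hpkp_problems(PAGE_HEADER), sep="\n")
```

Mainstream browsers have since dropped HPKP enforcement (Chrome removed it in version 72), so today this check is mostly useful for auditing a legacy configuration before touching it.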

About This Article

Cite this article as: Abhishek Ghosh, "Public Key Pinning Support Nginx Ubuntu Cloud Server," in The Customize Windows, December 30, 2014, June 29, 2022, https://thecustomizewindows.com/2014/12/public-key-pinning-support-nginx-ubuntu-cloud-server/.

Source:The Customize Windows, JiMA.in

This website uses cookies. If you do not want to allow us to use cookies and/or non-personalized Ads, kindly clear browser cookies after closing this webpage.

Read Privacy Policy.

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2022 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy