
Using Keyless Certificate

Usually, if a domain name provides HTTPS access, the certificate's public key and private key must both be deployed on the server so that the TLS handshake can encrypt and decrypt the key exchange. If your domain name needs to connect to EdgeOne for security acceleration, you would likewise need to upload both the public key and the private key of the certificate for deployment on EdgeOne's edge nodes. If you prefer to keep the certificate's private key under your own control and do not want to upload it to the Tencent Cloud SSL console, EdgeOne supports the Keyless certificate deployment solution. This document describes how to use the Keyless certificate solution with EdgeOne.
Note:
This feature is currently undergoing internal testing. If you need to use it, please contact us.
Currently, the Keyless solution only supports the RSA algorithm certificate.

Solution Description

Handshake Process for HTTPS One-Way Authentication (Taking the RSA Key Exchange Algorithm as an Example)

Under normal circumstances, if an HTTPS certificate is configured on EdgeOne, the process for the client to initiate an HTTPS handshake request is as follows (taking the RSA key exchange algorithm as an example):
1. The client sends a Client Hello to EdgeOne, containing a random number generated by the client and the list of cipher suites it supports;
2. EdgeOne generates its own server random number and sends it to the client together with the HTTPS certificate (which carries the public key) configured for the current domain name;
3. After receiving the server random number and the certificate for the current domain name, the client validates the certificate against its trusted CA certificates to ensure it is valid and trusted;
4. Once the certificate has passed validation, the client generates a pre-master key according to the negotiated key exchange algorithm, encrypts it with the public key from the certificate, and sends it to EdgeOne;
5. EdgeOne receives the encrypted pre-master key and decrypts it with the certificate's private key to obtain the pre-master key;
6. At this point, both the server and the client hold the same three values (the client random number, the server random number, and the pre-master key), which are combined to derive a session key. Both the client and the server then use this session key to encrypt the communication.

The security of the above encrypted session rests on the certificate's private key on the server remaining secret. If the private key is leaked, an attacker holding it can decrypt the pre-master key and recover the session, leading to session information leakage.

Handshake Process in the Keyless Certificate Solution (Taking the RSA Key Exchange Algorithm as an Example)

EdgeOne currently supports the Keyless certificate solution. To further protect the certificate's private key, users can deploy only the public key of the domain name certificate to EdgeOne's edge nodes. Users keep the private key themselves on a Keyless Server, and EdgeOne asks that server to perform the private-key operation only when a handshake needs it. The main difference from the normal handshake process for HTTPS one-way authentication is in step 5: after EdgeOne receives the encrypted pre-master key, it forwards it to the Keyless Server, which decrypts it and returns the decrypted pre-master key to EdgeOne over an encrypted connection.

Note:
By default, HTTPS secure encrypted communication can be configured between EdgeOne's edge nodes and the Keyless Server. If you need to configure the HTTPS two-way authentication handshake to further ensure the security of the session, please contact us.
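The two handshakes described above, modelled as an added toy example that is not EdgeOne's or the Keyless Server's code. The class names (TlsClient logic inside run_handshake, EdgeNode, KeylessServer), the message layout and the key derivation are assumptions made for illustration; the RSA is textbook RSA without padding and the TLS PRF is replaced by an HMAC, so the only point being shown is which party holds the private key and where the pre-master key is decrypted.

```python
"""Toy model of the RSA key-exchange handshake with the private key held
by a separate Keyless Server. Added example, not EdgeOne or Keyless code."""
import hashlib
import hmac
import secrets

PRE_MASTER_LEN = 48  # TLS 1.2 RSA pre-master secret is 48 bytes


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, good enough for a toy key of a few hundred bits."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512 bits is a toy size chosen for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, data: bytes) -> int:
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext: int, length: int) -> bytes:
    n, d = priv
    return pow(ciphertext, d, n).to_bytes(length, "big")


def derive_session_key(client_random: bytes, server_random: bytes,
                       pre_master: bytes) -> bytes:
    """Stand-in for the TLS PRF: both sides mix the same three inputs."""
    return hmac.new(pre_master, client_random + server_random,
                    hashlib.sha256).digest()


class KeylessServer:
    """The customer-run service: the only party holding the private key."""

    def __init__(self, priv):
        self._priv = priv
        self.decrypt_calls = 0

    def decrypt_pre_master(self, ciphertext: int) -> bytes:
        # In the real deployment this request arrives over the (optionally
        # mutually authenticated) TLS channel between edge node and server.
        self.decrypt_calls += 1
        return rsa_decrypt(self._priv, ciphertext, PRE_MASTER_LEN)


class EdgeNode:
    """EdgeOne edge node: holds the certificate (public key) only."""

    def __init__(self, pub, keyless: KeylessServer):
        self.pub = pub
        self.keyless = keyless
        self.server_random = None

    def server_hello(self):
        # Step 2: server random plus the certificate's public key.
        self.server_random = secrets.token_bytes(32)
        return self.server_random, self.pub

    def client_key_exchange(self, client_random: bytes, encrypted_pms: int) -> bytes:
        # Step 5, Keyless variant: forward the ciphertext instead of decrypting
        # locally, then derive the session key from what comes back (step 6).
        pre_master = self.keyless.decrypt_pre_master(encrypted_pms)
        return derive_session_key(client_random, self.server_random, pre_master)


def run_handshake(bits: int = 512) -> dict:
    """Drive one client <-> edge <-> Keyless Server exchange and report results."""
    pub, priv = generate_rsa_keypair(bits)
    keyless = KeylessServer(priv)
    edge = EdgeNode(pub, keyless)
    client_random = secrets.token_bytes(32)           # step 1: Client Hello
    server_random, cert_pub = edge.server_hello()    # step 2: Server Hello
    # step 3 (certificate validation) is outside this toy model
    pre_master = secrets.token_bytes(PRE_MASTER_LEN)  # step 4
    encrypted_pms = rsa_encrypt(cert_pub, pre_master)
    client_key = derive_session_key(client_random, server_random, pre_master)
    server_key = edge.client_key_exchange(client_random, encrypted_pms)
    return {"client_key": client_key, "server_key": server_key,
            "keyless_calls": keyless.decrypt_calls}


if __name__ == "__main__":
    result = run_handshake()
    print("session keys match:", result["client_key"] == result["server_key"])
    print("Keyless Server decryptions:", result["keyless_calls"])
```

The model makes the operational consequence visible: every RSA handshake costs one round trip from the edge node to the Keyless Server, so the server's availability and the security of the edge-to-Keyless channel (which is why the page offers two-way authentication for it) are part of the domain's HTTPS availability and security.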

Preparations

1. Prepare a server for installing the Keyless Server, for example: 1.1.1.1.
2. Prepare a domain name that needs to use Keyless, for example: www.example.com. This domain name has been connected to EdgeOne.
3. Prepare the server certificate to be configured, including its public key and private key, for example: example.crt and example.key.

Directions

Step 1: Install the Keyless Server Service on the Server

1. Obtain the corresponding keyless.tar.gz installation package by contacting your business personnel.
2. Upload the installation package to the currently prepared Keyless Server.
3. Extract the installation package to the specified directory for installing the Keyless service, for example: /test.
tar -xvzf keyless.tar.gz -C /test
4. Go to the directory of installed files.
cd /test/keyless
5. Run the following command to get the local IP address, for example: 172.16.64.24.
ifconfig -a

6. Configure the server certificate by uploading the certificate's public and private key files to the /ssl/mutual/example.com/ directory; if the configuration of the two-way authentication handshake is needed, also upload the client's CA certificate to the /ssl/mutual/ directory.
7. Modify the configuration file
vim ./trpc_go.yaml
7.1 Press i to enter the insert mode to begin editing the configuration file. Modify the following five parameters, while keeping the other parameters as default:
IP: The local IP address obtained in Step 5;
Port: The service port for external access. It is recommended to use 443, and it is necessary to ensure that the port is accessible;
tls_cert: The path of the server certificate's public key uploaded in Step 6;
tls_key: The path of the server certificate's private key uploaded in Step 6;
ca_cert: By default, no configuration is needed. If the configuration of the two-way authentication handshake is required, this item is used to specify the CA certificate path for the client certificate, which is the client CA certificate path uploaded in Step 6.

7.2 Press Esc to exit the insert mode, then enter :wq to save and exit.
8. Run the following commands to launch the keyless server service in the background and confirm that the process is running.
nohup ./keyless &> log/output.log &
ps -ef|grep keyless
9. Run the following command to check whether the service has been launched successfully. If launch success is displayed, the service has been launched successfully.
tail -f log/keyless.log


Step 2: Upload the Certificate to the Tencent Cloud SSL Certificate Console

Upload the certificate that needs to be configured for the current domain name (only containing the public key) to the Tencent Cloud SSL console.
Note:
If you need to upload a server certificate containing solely the public key, please contact us to enable allowlist access to Tencent Cloud's SSL product for you.

Step 3: Configure the Domain Name in the EdgeOne Console to Use the Keyless Certificate

1. Log in to the EdgeOne console, click Site List in the left menu bar, and click the site to be configured on the site list.
2. On the site details page, click Domain Name Service > Domain Management.
3. Find the domain name to be configured, click Edit in the HTTPS configuration column to go to the HTTPS configuration page, and choose to use the Keyless certificate.
4. Configure the address of the Keyless server. This address is the server address and port number you prepared in Step 1.

5. Select the HTTPS certificate to be used. This certificate is the one you uploaded in Step 2.
6. Click OK and wait for the configuration to be deployed so that it can take effect.

Step 4: Verify Access

Use a curl request like the following to verify that the HTTPS handshake succeeds.
curl -v --cert ecc.eo-mainland.top.crt --key ecc.eo-mainland.top.key --cacert ecc.eo-mainland.top.pem https://ecc.eo-mainland.top/11.txt -svi