Using Keyless Certificate
Usually, if a domain name provides HTTPS access, the public and private keys of the certificate must be deployed on the server to complete communication encryption and decryption during the handshake process. If your domain name needs to connect to EdgeOne for security acceleration, you also need to upload and deploy both the public and private key of the certificate at EdgeOne's edge nodes. If you prefer to keep your certificate's private key more securely and do not want to upload it to the Tencent Cloud SSL console, EdgeOne supports the Keyless certificate deployment solution. This document describes how to use the Keyless certificate solution for EdgeOne.
Note:
This feature is currently undergoing internal testing. If you need to use it, please contact us.
Currently, the Keyless solution only supports the RSA algorithm certificate.
Solution Description
Handshake Process for HTTPS One-Way Authentication (Taking the RSA Key Exchange Algorithm as an Example)
Under normal circumstances, if an HTTPS certificate is configured on EdgeOne, the process for the client to initiate an HTTPS handshake request is as follows (taking the RSA key exchange algorithm as an example):
1. The client sends a hello request to EdgeOne, including a random number generated by the client and information about supported encryption suites;
2. Once EdgeOne receives the request, it generates a random number on the server side and sends the public key of the HTTPS certificate configured for the current domain name to the client;
3. After receiving the server's random number and the public key certificate for the current domain name, the client verifies the certificate using a CA certificate to ensure it is valid and trusted;
4. Once the certificate is confirmed to have passed the verification, the client generates a pre-master key based on the current encryption algorithm, encrypts it with the public key from the certificate, and sends it to EdgeOne;
5. EdgeOne receives the encrypted pre-master key and decrypts it with the private key from the certificate to obtain the pre-master key;
6. At this point, both the server and the client have the complete information on the client's random number, the server's random number, and pre-master key, which will be combined to generate a session key. Both the client and the server use this session key for communication.
The security of the above encrypted communication session lies in the fact that the private key of the certificate on the server is secure. If it is leaked, it could be exploited by attackers, leading to session information leakage.
Handshake Process in the Keyless Certificate Solution (Taking the RSA Key Exchange Algorithm as an Example)
EdgeOne currently supports the Keyless certificate solution. To further ensure the security of the private key of the certificate, it supports users to deploy only the public key of the domain name certificate to EdgeOne's edge nodes. Users can store the private key themselves and request the keyless storage server to use the private key to decrypt related data when needed. The main difference from the normal handshake process for HTTPS one-way authentication is that after the server receives the encrypted pre-master key, EdgeOne will forward the information to the Keyless Server, which will then complete the decryption and return the decrypted pre-master key information to EdgeOne via encrypted communication.
Note:
By default, HTTPS secure encrypted communication can be configured between EdgeOne's edge nodes and the Keyless Server. If you need to configure the HTTPS two-way authentication handshake to further ensure the security of the session, please contact us.
Preparations
1. Prepare a server for installing the Keyless Server, for example:
1.1.1.1
.2. Prepare a domain name that needs to use Keyless, for example:
www.example.com
. This domain name has been connected to EdgeOne, and its corresponding certificates are: server.crt
and server.key
.3. Prepare the server certificate that needs to be configured currently, including the client public and, private keys, for example:
example.crt
and example.key
.Directions
Step 1: Install the Keyless Server Service on the Server
1. Obtain the corresponding keyless.tar.gz installation package by contacting your business personnel.
2. Upload the installation package to the currently prepared Keyless Server.
3. Extract the installation package to the specified directory for installing the Keyless service, for example:
/test
.tar -xvzf keyless.tar.gz -C /test
4. Go to the directory of installed files.
cd /test/keyless
5. Run the following command to get the local IP address, for example:
172.16.64.24
.ifconfig -a
6. Upload the Keyless public key and private key certificates for storing the current domain name. Upload the certificates' public key and private key files to the
./ssl/
directory. For example: server.crt
, server.key
.7. Upload the server certificates required for the handshake between the EdgeOne edge node and the Keyless server. Upload the certificates' public key and private key files to the
./ssl/mutual_ssl/example.com/
directory. For example: example.com.crt
and example.com.key
.Note:
To configure the two-way authentication handshake, you need to upload the client's CA certificate to the
./ssl/mutual_ssl/
directory. After configuration, you also need to configure the client certificate carried by the EdgeOne edge node when it initiates access to the Keyless server. For the configuration of the certificate, please contact us for assistance.8. Modify the configuration file
vim ./trpc_go.yaml
8.1 Press i to enter the insert mode to begin editing the configuration file. Modify the following five parameters, while keeping the other parameters as default:
IP: The local IP address obtained in Step 5;
Port: The service port for external access. It is recommended to use 443, and it is necessary to ensure that the port is accessible;
tls_cert: The path of the server certificate's public key uploaded in Step 6;
tls_key: The path of the server certificate's private key uploaded in Step 6;
ca_cert: By default, no configuration is needed. If the configuration of the two-way authentication handshake is required, this item is used to specify the CA certificate path for the client certificate, which is the client CA certificate path uploaded in Step 6.
8.2 Press Esc to exit the insert mode, then enter
:wq
to save and exit.9. Run the following command to launch the keyless server service.
sudo nohup ./keyless &> log/output.log &ps -ef|grep keyless
10. Run the following command to check whether the current service has been launched successfully. If launch success is displayed, it means the service has been launched successfully.
tail -f log/keyless.logll
Step 2: Upload the Certificate to the Tencent Cloud SSL Certificate Console
Upload the certificate to be configured for the current domain name (including the public key only) to the Tencent Cloud SSL console. For the steps, refer to: Uploading a Certificate to the Tencent Cloud SSL Console.
Note:
If you need to upload a server certificate containing solely the public key, please contact us to enable allowlist access to Tencent Cloud's SSL product for you.
Step 3: Configure the Domain Name in the EdgeOne Console to Use the Keyless Certificate
1. Log in to the EdgeOne console, click Site List in the left menu bar, and click the site to be configured on the site list.
2. On the site details page, click Domain Name Service> Domain Management.
3. Find the domain name to be configured, click Edit in the HTTPS configuration column to go to the HTTPS configuration page, and choose to use the Keyless certificate.
4. Configure the address of the Keyless server. This address is the server address and port number you prepared in Step 1.
5. Select the HTTPS certificate to be used. This certificate is the one you uploaded in Step 2.
6. Click OK and wait for the configuration to be deployed so that it can take effect.
Step 4: Verify Access
Use curl to perform access verification and check if the HTTPS handshake can be accessed successfully. You can refer to the following curl command:
curl https://www.example.com/ -v -k
Updating a Keyless Certificate
1. Log in to the Keyless server, go to the currently installed Keyless directory, and upload the public key and private key certificates to be updated to the
./ssl/
directory; Note:
The file names of the Keyless public key and private key certificates must remain consistent. When updating the certificates, do not directly overwrite the old domain name certificates. It is recommended to use new file names for storage. For example, if original certificate names are
server.crt
and server.key
, new certificate names can be server_new.crt
and server_new.key
.2. After the upload is complete, execute the following command to reload the Keyless certificates:
curl http://127.0.0.1/KeylessReloadCerts -v
If the curl request is as follows and responds with 200, it means the loading is successful:
3. Upload the certificate to be updated currently (including the public key only) to the Tencent Cloud SSL console. For the steps, refer to:Uploading a Certificate to the Tencent Cloud SSL Console.
4. Log in to the EdgeOne console, click Site List on the left sidebar, and click the site to be configured on the site list.
5. On the site details page, click Domain Name Service > Domain Management.
6. Find the domain name to be configured, click Edit in the HTTPS configuration column to go to the HTTPS configuration page, and choose to use the Keyless certificate.
7. Change the HTTPS certificate to the one you newly uploaded, and then click OK . It will take effect once the configuration is deployed and issued.