Installing SSL Root Certificate from S3 Bucket using PowerShell
In this day and age, protecting web endpoints with SSL/TLS is no longer optional; it is the de facto industry standard in most scenarios, protecting users from a "man-in-the-middle" who can read or alter traffic on the wire.
Installing certificates is quite straightforward and well documented on most infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) platforms.
- Installing SSL Certificates on Amazon Web Services (AWS) - http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
- Installing SSL Certificates on Microsoft Azure - https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
The real complexity comes when we attempt to replicate our production environments using self-signed certificates on the development (DEV) and quality assurance (QA) stacks. For most automated integration tests to work, we need to install the root CA certificate into the local certificate store of every machine that runs the test runners. Failing to do so results in an "invalid SSL certificate" exception, because the test client cannot build a chain from the server certificate to a trusted root.
NOTE: If you are running a weak SHA-1 signed SSL certificate, you will get a warning in Google Chrome, as SHA-1 signing has been deemed insecure and will only be supported by major browsers until 2017.
Installing Root CA Manually
It is pretty simple to install a root certificate by hand, and there are already a few good tutorials on how to do so; I will not attempt to reinvent the wheel. The following is a step-by-step guide by Microsoft.
- Installing a root certificate on Windows Operating Systems - https://msdn.microsoft.com/en-us/library/cc750534.aspx
Installing Root CA using PowerShell
With the move towards increasing agility through automated deployments and micro-service architectures that gave rise to the DevOps movement, it is no longer acceptable to install these certificates by hand in most instances. Unless, of course, the root certificate is baked into the base image that our web instances are built from (this is the approach I recommend; unfortunately, we may not always have the luxury to do so, for a plethora of reasons).
The following is the process we will use to install our root certificate onto the box:
- Upload our root CA certificate (.crt file) to an AWS S3 bucket (within a sub-folder of that bucket)
- Download the certificate file (.crt file) from the AWS S3 bucket to the box (into a temporary folder) during deployment using PowerShell
- Install the certificate file into the machine's Trusted Root store using PowerShell
To make this happen, you will need the AWS Tools for PowerShell (which provide the Copy-S3Object cmdlet used below) already installed on the box in order to download the cert file (.crt) from the S3 bucket, assuming the file is not publicly available. Prefer granting the instance read access through an IAM instance profile rather than passing an access key and secret key into the script, so no long-lived credentials live in your deployment scripts. Bear in mind what this step does from a trust perspective: anything that can write to that bucket location can place a certificate that every deployed machine will then trust as a root CA, so restrict write access to the bucket tightly and check the downloaded certificate's thumbprint against a known value before importing it. If you are using Azure or another provider, ignore the section on downloading the certificate file (.crt file) from AWS S3 and replace it with the relevant code.
# Download cert from S3 bucket
# $targetPath is the key prefix (sub-folder) inside the bucket, $localPath the
# temporary folder on the box; returns the full local path of the downloaded file.
function DownloadS3File($bucket, $targetPath, $targetFile, $accessKey, $secretKey, $region, $localPath) {
    $targetFilePath = $targetPath + $targetFile
    $localFilePath  = Join-Path $localPath $targetFile
    Copy-S3Object -BucketName $bucket -Key $targetFilePath -LocalFile $localFilePath `
        -AccessKey $accessKey -SecretKey $secretKey -Region $region
    return $localFilePath
}

# Install certificate file into the local machine's Trusted Root CA store
# (requires an elevated PowerShell session; Import-Certificate comes from the PKI module)
function InstallCert($filePath) {
    Import-Certificate -FilePath $filePath -CertStoreLocation Cert:\LocalMachine\Root
}
To verify that your certificate has been successfully installed, open the local machine Certificate Manager (certlm.msc, or the Certificates MMC snap-in for the Computer account; note that certmgr.msc shows the current user's store, not the machine store we imported into) and navigate to "Trusted Root Certification Authorities\Certificates" to find your newly installed certificate. From PowerShell, the same check is Get-ChildItem Cert:\LocalMachine\Root filtered on the certificate's thumbprint.
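The download, install and verify steps above, put together as one deployment script, as an added example (not the original post's code). It adds the two checks a practitioner would want before trusting whatever came out of the bucket: the certificate's thumbprint must match a value pinned in deployment configuration, and the certificate must actually be marked as a CA. It also skips the import when the root is already present, and cleans up the temporary file. The bucket name, key, region and thumbprint are placeholders; credentials come from the instance profile (or a profile set with Set-AWSCredential) rather than from parameters, and the script must run in an elevated session because it writes to Cert:\LocalMachine\Root.

```powershell
# Added example, not from the original post. Assumes AWS Tools for PowerShell
# (Copy-S3Object) and the PKI module (Import-Certificate) are installed.
param(
    [string]$Bucket = 'example-deploy-artifacts',   # assumed bucket name
    [string]$Key    = 'certs/dev-root-ca.crt',      # assumed key (sub-folder + file)
    [string]$Region = 'us-east-1',
    # Thumbprint of the CA you expect. Pin it in deployment config; never
    # derive it from the file you just downloaded. Placeholder value here.
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'
)

$ErrorActionPreference = 'Stop'

function Get-RootCaFromS3 {
    param([string]$Bucket, [string]$Key, [string]$Region)
    $localPath = Join-Path $env:TEMP (Split-Path -Leaf $Key)
    # No -AccessKey/-SecretKey: rely on the instance profile so that no
    # long-lived keys are embedded in the deployment script.
    Copy-S3Object -BucketName $Bucket -Key $Key -LocalFile $localPath -Region $Region | Out-Null
    return $localPath
}

function Test-RootCaFile {
    param([string]$FilePath, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $FilePath
    # The thumbprint comparison is what stops a swapped file in the bucket
    # from becoming a trust anchor on every machine that deploys.
    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    # Refuse anything whose Basic Constraints extension does not mark it as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate '$($cert.Subject)' is not a CA certificate; refusing to add it to Root"
    }
    return $cert
}

function Install-RootCa {
    param([string]$FilePath, [string]$Thumbprint)
    $storePath = 'Cert:\LocalMachine\Root'
    # Idempotent: the certificate provider exposes each cert by thumbprint.
    if (Test-Path "$storePath\$Thumbprint") {
        Write-Host "Root CA $Thumbprint is already trusted; nothing to do"
        return
    }
    Import-Certificate -FilePath $FilePath -CertStoreLocation $storePath | Out-Null
}

function Test-RootCaInstalled {
    param([string]$Thumbprint)
    # $true when the pinned thumbprint is present in the machine Root store.
    return [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}

$file = Get-RootCaFromS3 -Bucket $Bucket -Key $Key -Region $Region
try {
    $cert = Test-RootCaFile -FilePath $file -ExpectedThumbprint $ExpectedThumbprint
    Install-RootCa -FilePath $file -Thumbprint $cert.Thumbprint
    if (-not (Test-RootCaInstalled -Thumbprint $cert.Thumbprint)) {
        throw "Root CA was not found in Cert:\LocalMachine\Root after import"
    }
    Write-Host "Trusted root installed: $($cert.Subject) ($($cert.Thumbprint))"
}
finally {
    # Do not leave the certificate file lying around in %TEMP%.
    Remove-Item $file -ErrorAction SilentlyContinue
}
```

Run it from the deployment step as `.\Install-RootCa.ps1 -Bucket <bucket> -Key <prefix/file.crt> -ExpectedThumbprint <hex>`. The thumbprint is the certificate's SHA-1 fingerprint as shown by Windows, which is fine as an identity pin here even though SHA-1 is no longer acceptable for certificate signatures. A mismatch aborts the deployment before anything touches the trust store, which is the behaviour you want when the artifact in the bucket is not what you expected.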