如何在Cloud Foundry / Heroku中保留SSL服务器证书以进行验证?
[英]How to keep the SSL server certificate for verification in Cloud Foundry/Heroku?
问题描述
I am developing an app to run in Cloud Foundry. 
我正在开发一个可在Cloud Foundry中运行的应用程序。
- The app makes constant connections to a web service using https protocol. 该应用程序使用https协议与Web服务进行持续连接。
- The web service uses a pair of self-signed certificate created by openssl. Web服务使用由openssl创建的一对自签名证书。
- As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate. 由于没有DNS设置,因此我将IP地址用作ssl证书中的公用名(CN)。
- However, the web service IP address varies from time to time. 但是,Web服务IP地址不时变化。 The ssl certificate has to be re-generated each time. 每次必须重新生成ssl证书。
- In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service's SSL cert as a file with my app. 为了使该应用程序能够连接,它需要信任SSL证书,因此我将Web服务的SSL证书的公钥打包为与我的应用程序一起的文件。
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes. 问题是SSL证书的公钥更改后,我必须将应用程序重新上传到Cloud Foundry。
Here are some possible solutions: 以下是一些可能的解决方案:
- Register a host name in DNS. 在DNS中注册主机名。 In that case, the certificate is only bound to host name. 在这种情况下,证书仅绑定到主机名。 (Might not be possible cos of the budget. ) (可能不是预算的cos。)
- Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. 创建专用CA并从CA颁发证书,然后在客户端上将CA安装为受信任的CA。 It is feasible and a common way for internal services. 这是内部服务的可行且常见的方式。 However, what if the app is pushed to the CF? 但是,如果将应用程序推送到CF怎么办? How can we configure the node for the certs? 我们如何为证书配置节点?
- Disable the SSL server authentication. 禁用SSL服务器身份验证。 Not sure whether it would put the app at risk if the authentication is skipped. 不知道如果跳过身份验证,是否会对应用程序造成威胁。 For the time being, the app pulls data from the web service. 目前,该应用程序从Web服务中提取数据。
- I've been thinking of keeping the public key in the database. 我一直在考虑将公共密钥保留在数据库中。 In that case, I don't need to re-upload the app to make it take effect. 在这种情况下,我无需重新上传应用程序即可使其生效。 But I am not sure whether it is a safe way. 但是我不确定这是否安全。
Question 题
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. 我正在寻找一种通用安全的方法来将SSL服务器证书保留在Cloud Foundry env中。 Are any of the above solutions viable? 上述解决方案是否可行? If not, is there any other CF preferred ways? 如果没有,还有其他CF首选方法吗?
Thank you 谢谢
1 个解决方案
解决方案1
0 2016-07-05 09:36:26
This is a bit old, but in case this helps... 这有点旧,但是如果有帮助的话...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). 您是否尝试使用任何主机名(甚至“ localhost”)生成服务器SSL证书。 As you are uploading this certificate in your application (ie to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address. 当您在应用程序中上载此证书时(即“盲目”信任它),我认为它可以工作,并且可以避免对IP地址的依赖性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.