TLS Certificates

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

General

TLS Certificates

CodeSonar supports the use of TLS certificates for authentication.

Note that it is not possible to use certificate-based hub authentication in the presence of a proxy or reverse proxy.

Overview
Hub Server Certificate
Hub Client Authentication Certificate
User Certificate
Certificate Properties
Browser Warnings and Self-Signed Certificates
Plug-ins for Existing Certificate Infrastructure
More Information

Overview

CodeSonar makes use of TLS certificates for various authentication and security purposes. The certificates satisfy the requirements for TLS, X.509, and ASN.1. Certificates (and associated keys where applicable) are downloaded and uploaded in PEM encoding.

TLS certificates have several uses within CodeSonar.

Usage	Purpose
Hub Server Certificate	The certificate that the hub will present in HTTPS sessions. The hub also has the corresponding private key, which is used to prove it is the owner (subject) of the certificate.
Hub Client Authentication Certificate	The certificate that the hub will use to authenticate user certificates presented for user authentication. The hub may also have the corresponding private key, in which case it will also be able to issue user certificates.
User Certificate	A certificate that identifies a hub user. A user with the corresponding private key can use it for certificate-based hub authentication (provided that certificate-based authentication is enabled and the user has sufficient permissions).

Note: It is not possible to use certificate-based hub authentication in the presence of a proxy or reverse proxy. TLS client authentication is designed to prevent "man in the middle" attacks and the reverse proxy is a man in the middle.

Hub Server Certificate

HTTPS cannot be enabled without a hub server certificate and corresponding private key (the hub server private key). These are configured from the Configure HTTPS page or via the codesonar hub-start command, and stored on the hub. The Hub Server Certificate and keys are used to identify the hub and secure HTTPS sessions.

Hub Server Certificate Requirements

The hub server certificate requirements are as follows.

The certificate's Subject Common Name must match the hostname or IP address that hub clients (including web browsers viewing the hub GUI, and the build/analysis) will use in hub URLs. If you have specified a Public URL for the hub, Subject Common Name should match the hostname or IP address in that URL.
The certificate public key must correspond to the hub server private key.
The certificate must be trusted by the hub.

To avoid security warnings, the certificate must also be trusted by HTTP clients.

Obtaining a Hub Server Certificate

For best security, we recommend purchasing a hub server certificate from a trusted certificate authority.

Follow the instructions provided by your certificate authority to create a certificate signing request (CSR) that meets their requirements as well as the hub server certificate requirements listed above.
Once you have obtained a signed hub server certificate, use the web GUI Configure HTTPS page to configure the hub with the server certificate (or certificate chain) and private key.

Hub Client Authentication Certificate

The hub client authentication certificate is used to manage user certificate authentication. It is configured from the Configure HTTPS page or via the codesonar hub-start command, and stored on the hub.

We refer to the private key corresponding to the client authentication certificate as the client authentication private key. This key can be stored on the hub, allowing the hub to issue user certificates, but can be withheld if you prefer not to provide this functionality. User certificates are trusted if they are signed with the client authentication private key, whether or not that key is is stored on the hub.

There are three possible configuration states for hub client authentication when HTTPS is enabled on the hub.
(When HTTPS is not enabled, hub client authentication is not applicable.)

The hub has a client authentication certificate and corresponding private key.
Effect: Certificate-based user authentication is available. Existing user certificates can be uploaded to the hub; new certificates can be issued by the hub.
The hub has a client authentication certificate, but not the corresponding private key.
Effect: Certificate-based user authentication is available. Existing user certificates can be uploaded to the hub, but the hub cannot issue user certificates.
The hub does not support certificate-based user authentication.
Effect: Certificate-based user authentication is not available.

Client Authentication Certificate Requirements

The client authentication certificate requirements are as follows.

The certificate's Subject Common Name must match the hostname or IP address that hub clients (including web browsers viewing the hub GUI, and the build/analysis) will use in hub URLs. If you have specified a Public URL for the hub, Common Name should match the hostname or IP address in that URL.
The certificate's public key must correspond to the client authentication private key.
The certificate must be trusted by the hub.

To avoid security warnings, the certificate must also be trusted by HTTP clients. A self-signed client authentication certificate is normal and recommended. You may wish to explicitly configure client browsers and CodeSonar installations to trust this certificate. Otherwise, users may become accustomed to ignoring certificate warnings, largely negating the security advantages of using HTTPS.

Obtaining a Hub Client Authentication Certificate

As noted above, a self-signed client authentication certificate is normal and recommended.

If you want to configure the hub with both client authentication certificate and corresponding private key, you have three options:

Have the hub generate a self-signed client authentication certificate and private key for you.
Use the same certificate-key pair that you are using for the hub server certificate.
Upload a client authentication certificate and private key that meet the client authentication certificate requirements.

If you want to configure the hub with client authentication certificate only (no private key), there is a single option:

Upload a client authentication certificate that meets the client authentication certificate requirements.

Functionality for all these configuration cases is provided in the web GUI Configure HTTPS page.

User Certificates

A user may provide one or more user certificates for authentication. User certificates are managed on a per-user basis and are configured from the User Certificates page.

There are two mechanisms for adding a user certificate for a hub user account.
- Uploading an existing certificate. The certificate must be encoded in PEM format and meet the user certificate requirements.
  This mechanism is available whenever HTTPS is enabled on the hub and a client authentication certificate is configured.
- Having the hub issue a new user certificate.
  This mechanism is only available when HTTPS is enabled on the hub and a client authentication certificate is configured and that configuration includes a private key.
The certificates themselves are stored on the hub.
The corresponding private keys are not stored on the hub. Instead, they are stored locally so that the user's browser can use them at authentication time.
See Managing Your User Certificates and Keys, below, for information on managing these keys.

Note: if the hub is configured to use a certificate-based third-party authentication services, the certificates presented and authenticated through that services are not required to be configured as user authentication certificates. See Hub Authentication: Successful Authentication for details.

User Certificate Requirements

The user authentication certificate requirements are as follows.

The user certificate's Subject Common Name must match the the account Username of the hub user account it is intended to authenticate.
The certificate must form a rooted trust chain with the hub client authentication certificate.

Signing in with user certificates

The following requirements must all be met in order for a user to sign in with a user certificate.

The user has both G_SIGN_IN and G_SIGN_IN_CERTIFICATE permission,
and
the hub is configured to permit TLS client authentication (from the Configure HTTPS page):
- HTTPS is enabled,
  and
- Client Authentication Key Configuration is not set to "Disabled Certificate-Based Authentication",
and
the user has at least one user certificate that meets all requirements,
and
the user's browser has access to that certificate and its corresponding private key.

Generating User Certificates and Keys

CodeSonar provides two mechanisms for generating user certificates and keys.

The User Certificates page provides a Generate and Save Certificate button.
If it is supported by your browser, you can use this interface to generate certificates for future browser authentication (that is, to authenticate/authorize interactions with the CodeSonar GUI).
Browser Note: The majority of commonly-used browsers do not readily support in-browser generation and storage of user certificates. In these browsers, the Generate and Save Certificate functionality is not available. Instead, follow the procedure for Manually Generating and Uploading User Certificates.
The codesonar generate-hub-cert command provides an alternative interface for requesting that the hub issue a new user certificate.
Users will typically use this interface to generate certificates for future authentication of CodeSonar command lines, especially the CodeSonar build/analysis.

The permissions required for both mechanisms are as follows.

To generate a user certificate for your own hub user account: G_CHANGE_OWN_CERTIFICATES.
To generate a user certificate for another user's account: G_ADMINISTER_USERS.

The general form of the codesonar generate-hub-cert command is as follows.

codesonar generate-hub-cert
[-auth authtype] [-hubuser username] [-hubpwfile pwfile] [-hubbearerfile bearerfile] [-hubcert certfile] [-hubkey privatekeyfile]
[-foruser uname] [-csr csrfile] [-outkey outkeyfile] [-out outcertfile] [[protocol://]host:port]

Where the command components are as follows.

[-auth authtype], [-hubuser username], [-hubpwfile pwfile], [-hubbearerfile bearerfile], [-hubcert certfile], [-hubkey privatekeyfile]	Specify credentials for command authentication and authorization. (See permission requirements above.)
[-foruser uname]	Specifies that the user certificate Subject Common Name will be uname. If -foruser is not specified, the Subject Common name is: username if -hubuser username is specified, determined by prompting the user to provide one otherwise. The certificate will be added to the user certificates set for hub user uname. Note that uname will only be able to sign in with the certificate if additional requirements are also met. Only users with G_ADMINISTER_USERS permission can use the -foruser option.
[-csr csrfile]	Specifies that temporary file csrfile should be used to store the certificate signing request. This option will only be of interest to users who don't have permission to write to the default certificate directory.
[-outkey outkeyfile]	Specifies that the generated private key should be saved in outkeyfile. The default location is <default_pemdir>/privkey.pem.
[-out outcertfile]	Specifies that the resulting certificate should be saved in outcertfile. The default location is <default_pemdir>/<uname_cert_subject>.<hub_render>.pem where <uname_cert_subject> is the certificate Subject Common Name (determined as described in the entry for -foruser). <hub_render> is <host>_<port>, derived by replacing the colon with an underscore in the <host>:<port> for the command.
[[protocol://]host:port]	CodeSonar will use the hub at protocol://host:port, failing if a hub is not already running at that location. If protocol:// is specified, CodeSonar will only try the specified URL. In particular, if http:// is specified then CodeSonar will not try the equivalent https:// URL even if directed to do so by the hub. If protocol:// is not specified, CodeSonar will try http:// first, then redirect to the equivalent https:// URL if directed to do so by the hub. If host:port is not specified, CodeSonar will determine a hub location using the steps described in Hub Location: How CodeSonar Determines Hub Location.
<default_pemdir>	The default directory for an individual user's CodeSonar certificates and keys depends on the operating system: Windows: typically C:\Users\<win_username>\AppData\Roaming\CodeSecure\Codesonar\ Otherwise: ~/.csurf/codesonar/ .csurf note: if environment variable CS_USER_HOME is specified, the $CS_USER_HOME/.csurf/codesonar/ directory will be used instead of $HOME/.csurf/codesonar/. If you modify the HOME environment variable (or CS_USER_HOME, if using) after creating a hub user certificate, subsequent CodeSonar commands will expect to find certificates in a different location to the one in which the hub user certificate is stored. If you need to modify the environment variable, either generate a new hub certificate afterward or manually move the existing certificate to the new directory location. This directory is also used to store launch daemon tokens.

For example, to generate a certificate for user alex on the hub located at https://hubmachine:7340:

codesonar generate-hub-cert https://hubmachine:7340 -hubuser alex

The certificate can then be used to authenticate and authorize a CodeSonar build/analysis of project ProjectX:

codesonar analyze ProjectX https://hubmachine:7340 -hubuser alex -auth certificate make

Managing Your User Certificates and Keys

When you generate a user certificate and key pair in your browser using the Generate a Certificate functionality in the User Certificates page, the browser will store the certificate and private key locally and use them for subsequent certificate-based hub authentication.

You may need to export the certificate and private key from the browser's local storage so that you can use them with other HTTPS clients, or on other machines; similarly you may need to explicitly import certificates and keys into your browser (especially existing certificates that you have uploaded using the Upload a Certificate functionality in the User Certificates page). These procedures will depend on your local operating system and your browser.

Windows (except Firefox browser)	Windows uses a centralized certificate store: if a browser registers a private key with this store, all other HTTPS clients that use the store will also be able to use that key. (Note that Firefox does not use this store.) To view the store, use the Windows Certificate Manager. certmgr.msc For more information, see How to: View certificates with the MMC snap-in [microsoft.com].
Otherwise	Firefox	Advanced Panel - Accessibility, browsing, network, updates, and other advanced settings in Firefox
	Chrome	Advanced Security Settings
	Safari	Import and export keychain items using Keychain Access on Mac (What is Keychain Access on Mac?)

For general operations on certificates and keys, use a toolkit such as OpenSSL. For example, you can use the OpenSSL x509 commandto convert a certificate file to a different format.

See also the notes on certificate revocation, below.

Certificate Properties

The CodeSonar Configure HTTPS and User Certificates pages report the following properties for stored certificates. For more information about TLS certificate specifications (and TLS in general), see the corresponding RFCs.

Registered	The timestamp at which the certificate was registered with the hub.
Begins	The certificate is not valid before this timestamp.
Expires	The certificate is not valid after this timestamp.
Serial Number	Unique identifier for the certificate.
Version	Certificate format version.
SHA1 Thumbprint	The SHA-1 hash of the certificate.
Key Type	The type of the certificate's key pair.
Issuer location information	Issuer Country Issuer State Issuer City Issuer Organization Issuer Unit In a self-signed certificate, each issuer location field will have the same contents as the corresponding subject location field.
Issuer Name	The Common Name (CN) of the certificate issuer. In a self-signed certificate, will be the same as Subject Name.
Issuer Email	The contact email address for the certificate issuer. In a self-signed certificate, will be the same as Subject Email.
Subject location information	Subject Country Subject State Subject City Subject Organization Subject Unit In a self-signed certificate, each subject location field will have the same contents as the corresponding issuer location field.
Subject Name	The Common Name (CN) of the certificate subject. In a self-signed certificate, will be the same as Issuer Name. For the hub server certificate and hub client authentication certificate, this must match the hostname or IP address that hub clients (including web browsers viewing the hub GUI, and the build/analysis) will use in hub URLs. For a user certificate, this must match the Username of the hub user account for which it is presented.
Subject Email	The contact email address for the certificate subject. In a self-signed certificate, will be the same as Issuer Email.

Trusted Certificates

We say a TLS certificate C is trusted by the hub if one of the following is true.

C is self-signed.
Additional certificates have been uploaded in the same file, providing a trust chain to C from a certificate that is itself self-signed.

We say a TLS certificate C is trusted by a hub client if one of the following is true.

The client recognizes C's signer as a "trusted certificate authority". Examples of trusted authorities are VeriSign, GlobalSign, Thawte.
- Web GUI: web browsers manage their own certificate authority lists: consult your browser documentation for details.
- Other hub clients (such as the CodeSonar build/analysis): CodeSonar proceeds as follows.
  1. If per-user file <default_pemdir>/cacerts.pem exists, the trusted certificate authorities for CodeSonar are considered to correspond to the certificates in that file.
    Note that this file does not exist by default: it must be explicitly created by the user.
  2. Otherwise, if per-installation file $CSONAR/gtr/cacerts.pem exists, the trusted certificate authorities for CodeSonar are considered to correspond to the certificates in that file.
    This file is shipped with CodeSonar and contains a number of trusted certificate authority certificates. You can edit it to add or remove certificates, though if you are adding certificates make sure they are from a trusted certificate authority (otherwise they should be added to the exception certificate file instead).
  3. Otherwise, there are no trusted certificate authorities for CodeSonar.
  Note that $CSONAR/gtr/cacerts.pem is not checked if <default_pemdir>/cacerts.pem exists: if you are creating a per-user certificate file, you should generally do so by copying the per-installation file and then editing it to make any required changes. The option of using a per-user file is provided so that you can use the same certificate set across multiple CodeSonar installations: most users will not need to create one and can rely on $CSONAR/gtr/cacerts.pem.
The client has been explicitly instructed to trust C.
Typically this occurs as follows. The hub presents untrusted C. The client informs the user that C is untrusted and prompts the user to decide how to proceed. If the user decides to trust C, the client records C as a trusted certificate exception and proceeds with the hub session, otherwise the client does not proceed with the hub session.
- Web GUI: web browsers manage their own trusted certificate exception lists: consult your browser documentation for details.
- Other hub clients: trusted certificate exceptions are stored in <default_pemdir>/trusted_certs.pem. This file will be updated automatically when you instruct CodeSonar to trust an otherwise untrusted certificate. You can also edit it manually.
C is presented along with a trust chain from some certificate that the client trusts.

Certificate Revocation

CodeSonar does not use certificate revocation lists (CRLs). Instead, user certificates represent a whitelist-based approach to certificate authentication for users. If you determine at any point that a particular certificate is no longer appropriate for user authentication, revoke it from the User Certificates page for the corresponding user.

If your organization has existing certificate-based authentication infrastructure that includes a CRL and you wish to also apply this to the CodeSonar hub, follow the instructions below, ensuring that you revoke any existing user certificates on the hub in step 4.

Browser Warnings and Self-Signed Certificates

Web browsers and other HTTPS clients maintain lists of trusted certificates, and are typically configured to issue warnings when a site presents a certificate that is not trusted (and doesn't have a trust chain to a trusted certificate).

If you generate a self-signed server certificate or client authentication certificate for your hub, it will not initially be trusted by HTTPS clients. You and other hub users are therefore likely to encounter these warnings until you specify that the certificate should be trusted. There are several options, summarized in approximate order of security in the following table.

Approach		Additional Cost?	Need to Configure Exceptions?
Approach		Additional Cost?	Web Browsers	CodeSonar Installation
Don't use the functionality for generating a self-signed certificate, but instead...
	... purchase a certificate authority certificate from a company such as VeriSign, GlobalSign, or Thawte, and upload it to the hub. You will probably need to use a wildcard certificate (*.example.com): authorities will not issue certificates for internal server names such as somelanmachine.example.com.	YES	no	no
	...if your organization has its own internal Certificate Authority infrastructure, use that to generate a suitable certificate and then upload it to the hub. [*] In this case, web browsers within your organization will likely already trust certificates issued by the internal authority: if they don't, you will need to configure them to do so.	no	no [*]	YES
	...arrange for a third party vendor to create internal certificates for you - essentially an outsourced version of the previous option. Companies who offer this service typically refer to it as intranet SSL or similar. You may prefer this option if there are no in-house resources to devote to certificate generation and management, or if you do believe that one of these companies will be able to provide better protections for your root private key than you can yourself. [**] Note that the company is not acting as a trusted authority in this case, so web browsers and other HTTPS clients will not already trust the resulting certificates.	YES	YES [**]	YES
Use the functionality for generating a self-signed certificate...
	...and explicitly configure HTTPS clients to recognize the certificate.	no	YES	YES
	...and let your users set up their own security exceptions when they encounter HTTPS warnings. This is the least-preferable approach. Your users may be confused by the warning and believe they are unable to access the hub at all; conversely they may become accustomed to ignoring certificate warnings, largely negating the security advantages of using HTTPS.	no	no	no

Configuring clients to trust certificates

If you are using a certificate is not already trusted by web browsers on your system, or by CodeSonar, you can configure these clients to trust the certificate so that they do not issue warnings.

Web Browser	Web browsers manage their own trusted certificate exception lists: consult browser documentation for details. Note that you will need to configure browsers on all machines that access the hub.
CodeSonar Installation	If your local CodeSonar installation does not trust the hub's server certificate or client authentication certificate, you will encounter warnings when you attempt to perform operations such as building and analyzing a project. You can instruct the CodeSonar installation to trust the certificate as follows. Edit $CSONAR/gtr/cacerts.pem to include an entry for the certificate. If any of your users have created per-user files <default_pemdir>/cacerts.pem, edit those files to each include an entry for the certificate. (If users have not created these files, you do not need to do anything.) Note that these files will only accept root certificates (that is, certificates that are themselves self-signed).

Web Browser

Web browsers manage their own trusted certificate exception lists: consult browser documentation for details. Note that you will need to configure browsers on all machines that access the hub.

CodeSonar Installation

If your local CodeSonar installation does not trust the hub's server certificate or client authentication certificate, you will encounter warnings when you attempt to perform operations such as building and analyzing a project. You can instruct the CodeSonar installation to trust the certificate as follows.

Edit $CSONAR/gtr/cacerts.pem to include an entry for the certificate.
If any of your users have created per-user files <default_pemdir>/cacerts.pem, edit those files to each include an entry for the certificate.
(If users have not created these files, you do not need to do anything.)

Note that these files will only accept root certificates (that is, certificates that are themselves self-signed).

Plug-Ins for Existing Certificate Infrastructure

If all the users at your company already have client certificates and you manage these in a centralized database, you can use these for CodeSonar hub authentication by creating and installing a CodeSonar authentication plug-in.

The general method will be as follows.

Create a custom hub authentication plug-in to integrate your existing authentication functionality with CodeSonar. Note that the plug-in must implement the get_user_from_cert() method to support certificate-based authentication.
Install the plug-in on the hub.
Enable HTTPS on the hub, and configure a suitable client authentication certificate.
Optional: Revoke all existing user certificates for all users from their User Certificates pages.
If there are no user certificates, all certificate-based authentication will be handled by your authentication plug-in (or plug-ins, if you have more than one).
Make sure that G_SIGN_IN and G_SIGN_IN_CERTIFICATE permissions apply to all users that you want to be able to sign in through the new plug-in.

More Information

The following manual sections provide further information about various aspects of TLS certificate use in CodeSonar.

GUI Pages
Configure HTTPS	Configure the hub's server certificate and client authentication certificate.
Sign In	Sign in to a hub user account, with option to use a user certificate for authentication.
User Certificates	Manage the user certificates for a single hub user account.
Other Manual Sections
The codesonar Command: generate-hub-cert
Starting a Hub (see options -tls-server-certkey and -tls-client-certkey)
Custom Hub Authentication Plug-Ins
Hub User Accounts
Hub Authentication

For more information about TLS certificates, see:

The relevant RFCs:
- TLS version 1.2: RFC 5246
- TLS version 1.1: RFC 4346
- TLS version 1.0: RFC 2246
- X.509: RFC 5280
- ASN.1: RFC 6025
The documentation for your local HTTPS clients and TLS/SSL implementations.

To report problems with this documentation, please visit https://support.codesecure.com/.