Bigbank Certificate Authority

List of Bigbank Internal CA-s

Install and trust these Certificate Authorities on corporate workstations, applications and servers so that TLS connections to internal services verify correctly. End-users should only install root CA-s; intermediate certificates must be returned by the servers themselves as part of the certificate chain.

Name                                            Issuer                    Not Before   Not After
Bigbank AS Root CA 2016                         Bigbank AS Root CA 2016   2016-04-07   2026-04-05
Bigbank AS miscellaneous intermediate CA 2020   Bigbank AS Root CA 2016   2020-04-07   2022-04-07
Bigbank AS miscellaneous intermediate CA 2016   Bigbank AS Root CA 2016   2016-04-07   2021-04-06
Bigbank AS OS3 intermediate CA 2016             Bigbank AS Root CA 2016   2017-04-27   2022-04-26
Bigbank AS webservers intermediate CA 2020      Bigbank AS Root CA 2016   2020-04-08   2022-04-08
Bigbank AS webservers intermediate CA 2016      Bigbank AS Root CA 2016   2016-04-07   2021-04-06
CA Bundle (all CA-s in a .zip file)

Verify CA-s: SHA256SUMS (txt) or SHA256SUMS (asice).

Test whether your root CA is installed correctly by opening test.ca.bigbank.eu; if you get no certificate errors, the installation succeeded.
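To check an installation without a round-trip to test.ca.bigbank.eu, the following added shell example (not code from the original page) looks a CA up in a PEM bundle by its SHA-256 fingerprint, the same value `openssl x509 -fingerprint -sha256` prints. The bundle paths in the usage comment and the throw-away self-signed certificates are assumptions made for the demo.

```shell
# Added example: is a given root CA present in a PEM bundle? (Not the page's own code.)

# SHA-256 fingerprint of the first PEM certificate in $1: lower-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Split the PEM bundle $1 into one file per certificate under directory $2 and print
# one fingerprint per line. Bundles such as /etc/ssl/certs/ca-certificates.crt
# concatenate many certificates, and "openssl x509" only ever reads the first one.
bundle_fingerprints() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$2"/*.pem; do
        [ -e "$f" ] || continue
        cert_fingerprint "$f"
    done
}

# 0 if bundle $1 contains a certificate whose SHA-256 fingerprint is $2 (colons and case ignored).
bundle_contains() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    tmp=$(mktemp -d); found=1
    for fp in $(bundle_fingerprints "$1" "$tmp"); do
        [ "$fp" = "$want" ] && found=0
    done
    rm -rf "$tmp"
    return $found
}

# Constructed demo data: a self-signed certificate with an EC key (fast to generate).
make_self_signed() {   # $1 = output prefix, $2 = common name
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/O=Example/CN=$2" 2>/dev/null
}

# Usage against the system bundle (assumed paths: /etc/ssl/certs/ca-certificates.crt on
# Debian/Ubuntu/Alpine, /etc/pki/tls/certs/ca-bundle.crt on RHEL/CentOS):
#   bundle_contains /etc/ssl/certs/ca-certificates.crt \
#       "$(cert_fingerprint Bigbank_AS_Root_CA_2016.crt)" && echo "root CA installed"
```

The fingerprint comparison is what you want after the sha256sum pin in the install scripts: the pin proves you downloaded the right file, this proves the trust store actually picked it up.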

Install CA

Alpine Linux

Docker Usage

# ca.bigbank.eu must be reachable with the image's public trust store; the sha256sum
# pin below is the real integrity check for the downloaded root CA.
# Local roots belong in /usr/local/share/ca-certificates, which update-ca-certificates
# merges into /etc/ssl/certs; files dropped straight into /etc/ssl/certs are not merged.
# Keep the ca-certificates package: removing it removes the public roots as well.
RUN apk add --no-cache ca-certificates wget && \
    cd /usr/local/share/ca-certificates && \
    wget https://ca.bigbank.eu/certs/Bigbank_AS_Root_CA_2016.crt && \
    ( echo '4b8389df3abe1dbd3fcd3dacbff0fefc73313e1b13b9d0605a8b57b90f5852da  Bigbank_AS_Root_CA_2016.crt' | sha256sum -c || (echo 'Unable to verify CA, abort install and report this!' ; exit 1) ) && \
    update-ca-certificates && \
    apk del wget

RHEL / CentOS

As root (or via sudo), run the following:

yum -y install ca-certificates wget && \
    update-ca-trust enable && \
    cd /etc/pki/ca-trust/source/anchors/ && \
    wget https://ca.bigbank.eu/certs/Bigbank_AS_Root_CA_2016.crt && \
    ( echo '4b8389df3abe1dbd3fcd3dacbff0fefc73313e1b13b9d0605a8b57b90f5852da  Bigbank_AS_Root_CA_2016.crt' | sha256sum -c || (echo 'Unable to verify CA, abort install and report this!' ; exit 1) ) && \
    update-ca-trust extract

Docker Usage

When doing this in a Dockerfile, don’t forget to clean up afterwards.

RUN yum -y install wget && \
    update-ca-trust enable && \
    cd /etc/pki/ca-trust/source/anchors && \
    wget https://ca.bigbank.eu/certs/Bigbank_AS_Root_CA_2016.crt && \
    ( echo '4b8389df3abe1dbd3fcd3dacbff0fefc73313e1b13b9d0605a8b57b90f5852da  Bigbank_AS_Root_CA_2016.crt' | sha256sum -c || (echo 'Unable to verify CA, abort install and report this!' ; exit 1) ) && \
    update-ca-trust extract && \
    yum -y remove wget && \
    yum clean all

Linux Users

See third party guide.

Windows and Mac Users

Chrome uses the system certificate store: see the Windows or Mac section below, or turn to IT support.

Firefox uses its own certificate store, which is currently not centrally managed. Turn to IT support, or install the root CA manually.

Install Manually

In Firefox open Settings > Privacy & Security > Certificates > View Certificates, select the Authorities tab, click Import, choose the downloaded Bigbank root CA file and tick "Trust this CA to identify websites". Import only the root CA, never an intermediate. Alternatively, setting security.enterprise_roots.enabled to true in about:config makes Firefox also trust the roots installed in the system store.

CA-s in Mac machines are managed centrally - you should already have all needed certificates installed. If not, turn to IT support.

Install Manually

Open Safari (not Firefox) and navigate to ca.bigbank.eu.

Choose the Bigbank root CA (not an intermediate) and download it.

Open Keychain Access and unlock it with an administrator's account credentials.

Import the downloaded Bigbank root CA into the "System" keychain.

Mark the CA as trusted by the system (set "When using this certificate" to "Always Trust").

Debian / Ubuntu

As root (or via sudo), run the following:

apt-get update && \
    apt-get install -y ca-certificates wget && \
    cd /usr/local/share/ca-certificates && \
    wget https://ca.bigbank.eu/certs/Bigbank_AS_Root_CA_2016.crt && \
    ( echo '4b8389df3abe1dbd3fcd3dacbff0fefc73313e1b13b9d0605a8b57b90f5852da  Bigbank_AS_Root_CA_2016.crt' | sha256sum -c || (echo 'Unable to verify CA, abort install and report this!' ; exit 1) ) && \
    update-ca-certificates

Docker Usage

When doing this in a Dockerfile, don’t forget to clean up afterwards.

# Remove only the download tool afterwards. Do not remove ca-certificates: the
# public roots that update-ca-certificates just merged come from that package.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y ca-certificates wget && \
    cd /usr/local/share/ca-certificates && \
    wget https://ca.bigbank.eu/certs/Bigbank_AS_Root_CA_2016.crt && \
    ( echo '4b8389df3abe1dbd3fcd3dacbff0fefc73313e1b13b9d0605a8b57b90f5852da  Bigbank_AS_Root_CA_2016.crt' | sha256sum -c || (echo 'Unable to verify CA, abort install and report this!' ; exit 1) ) && \
    update-ca-certificates && \
    apt-get remove -y wget && \
    apt-get clean -y && \
    rm -rf /var/lib/apt/lists/*

Windows

CA-s on Windows machines are managed centrally - you should already have all needed certificates installed. If not, turn to IT support.

Get A Certificate

You have your new domain name and now you want to add certificates and HTTPS to it. Here's how to request a new certificate and set it up.

Specify A Domain Name

Enter the FQDN (Fully Qualified Domain Name) for which you want a certificate. It is used as the CN (Common Name) of your CSR (Certificate Signing Request) and must also be listed as a DNS entry in the subjectAltName (SAN) extension: browsers validate the SAN, not the CN, and a certificate without a SAN is one of the common causes of certificate errors listed in the FAQ below.

Generate a CSR

Run the following commands to create a new private key and a CSR file (the -addext option needs OpenSSL 1.1.1 or newer).

openssl genrsa -out kittens.sre.dev.key 4096
openssl req -new -key kittens.sre.dev.key -out kittens.sre.dev.csr \
    -subj "/C=EE/ST=Tartumaa/L=Tartu/O=Bigbank AS/CN=kittens.sre.dev" \
    -addext "subjectAltName=DNS:kittens.sre.dev"
openssl req -in kittens.sre.dev.csr -text -noout

The .key file is your private key and MUST be kept safe.

  • Do not commit it to VCS (Git)
  • Securely delete it from your machine (man shred) or hold it in encrypted form
  • On servers, make the file readable only by root or the webserver user: chown it to that user and chmod 0600 it (chmod o-rwx alone still leaves it group-readable)
  • Do not send the plain-text key over an insecure channel (email)

The .csr file is your request for a new certificate, you will need it in the next step.
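Before forwarding a CSR for signing it is worth linting it, because a CSR without a SAN or with a too-small key comes back as a certificate that browsers reject. The shell example below is added here and is not the page's own code; it assumes OpenSSL 1.1.1 or newer (for -addext) and the subject fields used in the commands above.

```shell
# Added example (not the page's own code): create key + CSR with a SAN, then lint the
# CSR before sending it off. Assumes OpenSSL >= 1.1.1 for "-addext".

# Key and CSR for $1; further arguments become extra DNS SANs. The FQDN is both CN and first SAN.
make_csr() {
    fqdn=$1; shift
    san="DNS:$fqdn"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl genrsa -out "$fqdn.key" 4096 2>/dev/null
    chmod 600 "$fqdn.key"          # private key: owner-only from the moment it exists
    openssl req -new -key "$fqdn.key" -out "$fqdn.csr" \
        -subj "/C=EE/ST=Tartumaa/L=Tartu/O=Bigbank AS/CN=$fqdn" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# Print the SAN list of CSR $1 as OpenSSL renders it, e.g. "DNS:a.example, DNS:b.example".
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Lint CSR $1 for FQDN $2: valid self-signature, CN matches, FQDN present as a DNS SAN,
# key of at least 4096 bits (this page's policy). Prints each failure; returns nonzero if any.
csr_check() {
    csr=$1; fqdn=$2; rc=0
    text=$(openssl req -in "$csr" -noout -text) || return 1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "CSR signature does not verify"; rc=1; }
    printf '%s\n' "$text" | grep -qE "CN ?= ?$fqdn(,|$)" || { echo "CN is not $fqdn"; rc=1; }
    printf '%s\n' "$text" | grep -qE "DNS:$fqdn(,|$)" \
        || { echo "no DNS:$fqdn in subjectAltName (browsers ignore the CN)"; rc=1; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 4096 ] || { echo "key is ${bits:-?} bits, policy requires 4096"; rc=1; }
    return $rc
}
```

Run `csr_check kittens.sre.dev.csr kittens.sre.dev` before sending the CSR; an empty output and exit status 0 means the request is in order.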


Request A Certificate

To obtain the certificate, you need to forward your CSR file to a person who is authorized to sign it using either our internal CA (for local domains) or our partner CA, who issues globally trusted Extended Validation Certificates.

Please refer to our internal Knowledge Base article titled "Bigbank Certificate Authority (CA)", subsection "How Do I Request A New Certificate" for instructions how to do it.

You should get back a .crt file. You can inspect it with

openssl x509 -text -noout -in mycert.crt

Install the Certificate

Once you have your private key and the certificate, install them on your web server or cloud environment. Generic setup instructions are linked below. Whatever the platform: serve the server certificate followed by its issuing intermediate(s) (see "What certificates must I serve from the webserver?" in the FAQ), and keep the key file readable only by root or the webserver user.

Add HTTP Security Headers

You requested a certificate to enable secure communications, HTTPS. This alone does not guarantee private communications: the initial plain-HTTP request that gets redirected to HTTPS can still be intercepted by an attacker who sends your user somewhere else. HSTS makes browsers that have seen the header once go straight to HTTPS on later visits (keep the port-80 listener as a redirect only); the very first visit is only protected if the domain is on the browsers' HSTS preload list.

Let us fix that by adding HTTP Security Headers: modify your web server to return the following HTTP headers.

Nginx Example

server {
    # Truncated config for brevity

    # "always" sends the header on error responses too; without it nginx only adds
    # headers to 2xx and 3xx responses.

    # Expect-CT blocks the connection if the certificate issuance was not published to a
    # public CT log. Only use this for certificates signed by a public CA. Browsers have
    # since deprecated the header (CT is now enforced unconditionally), so it may be dropped.
    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
    add_header Expect-CT 'enforce, max-age=2592000, report-uri="https://report-uri.bigbank.eu/ct"' always;

    # Tell browsers that this site (and its subdomains) must always be loaded over HTTPS.
    # Add "; preload" only after submitting the domain to hstspreload.org.
    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}

Clean Up

  • Check that the certificate has been correctly installed and is trusted with

    $ echo 'Q' | openssl s_client -connect mydomain.dev:443 -servername mydomain.dev 2>/dev/null
    ...
    Verify return code: 0 (ok)
    
  • Make a secure backup of your .crt and .key files
  • Securely delete the files from your workstation with shred and rm

Common Commands

Debugging

Inspect a local X509 .crt or .pem file contents

openssl x509 -in bigbank.eu.crt -text -noout

Inspect the certificate chain returned by a remote server (</dev/null ends the session instead of waiting for input)

openssl s_client -connect bigbank.ee:443 -servername bigbank.ee -showcerts </dev/null

Inspect the server certificate of a remote server

openssl s_client -connect bigbank.ee:443 -servername bigbank.ee </dev/null 2>/dev/null | openssl x509 -text -noout

Verify that a private key belongs to a certificate (RSA keys only: the modulus hashes must match)

openssl rsa -modulus -noout -in bigbank.eu.key | openssl md5
openssl x509 -modulus -noout -in bigbank.eu.crt | openssl md5

CSR

Generate a new private key + CSR (with the SAN that browsers require; -addext needs OpenSSL 1.1.1+)

openssl req -out bigbank.eu.csr -new -newkey rsa:4096 -nodes -keyout bigbank.eu.key -addext "subjectAltName=DNS:bigbank.eu"

Inspect a .csr file

openssl req -noout -text -in bigbank.eu.csr

Frequently Asked Questions

Which certificate authorities must I install to my machine?

Only install Root Certificate Authorities. Intermediate Certificate Authorities should not be installed to machines, they are installed to web servers.

I get certificate errors in web-browser, what is wrong?

Check that you have Root CA-s installed. Also check that the web server you connect to returns a valid certificate chain (including intermediate certificates).

I get certificate errors in program code, what is wrong?

When connecting against a HTTPS endpoint using Java, Python, PHP (etc), requests might fail with a “the certificate of the server is untrusted” style of error. In order to resolve this, you need to install Root CA-s to your system. Sometimes this is not enough and you need to explicitly define the root CA file to use in client code.

The following example tells Python's requests library to use a trusted CA file to validate the remote certificate. Note that verify= replaces the default bundle entirely, so the file must contain every root the program needs (REQUESTS_CA_BUNDLE in the environment has the same effect without a code change).

import requests

# Validate the server certificate against this CA file instead of the default bundle.
requests.get('https://bigbank.ee', verify='/etc/ssl/bigbank_root.crt')

Can I disable SSL verification?

Please don’t. A hippopotamus is kidnapped every time you do this.

When should I use HTTPS? What sites can be served without HTTPS?

All sites must be served over HTTPS, always, regardless of content. The only exceptions are well-argued technical reasons, for example letting intermediaries cache non-sensitive content, and only where the integrity of that data is guaranteed by signatures.

Who is responsible for installing or monitoring my team’s certificates?

Your team.

What are some of the common mistakes?

  • Installing Intermediate Certificates
  • Not including Intermediate Certs in server Cert Chain
  • Including Root CA in the server cert chain
  • Disabling TLS verification
  • Proceeding past certificate verification errors
  • Generating keys with bit size of 2048
  • Committing private keys to VCS
  • Not having a backup of the certificate / key
  • Not using HSTS

What happens if my private key leaks?

The certificate must be revoked immediately, a new private key generated (never reuse the leaked one) and a new certificate issued from a fresh CSR. Until clients see the revocation (many clients do not check revocation at all), whoever holds the key can impersonate the site.

Revocation can be tested here.

What are some common reasons for certificate errors?

  • Intermediate Certificate not part of a Certificate Chain
  • Certificate has expired
  • Certificate is missing a SAN field
  • Certificate issued by untrusted CA
  • CN/SAN on the cert does not match the domain name
  • Client does not trust the root CA
  • Wrong intermediate / CA certificate in Certificate Chain
  • You are being attacked (malicious man in the middle)
  • The order of certificates in the server's certificate chain is wrong

Where do I hold certificates and keys?

In the place that needs them - the webserver filesystem. When using a PaaS, in the PaaS-s load balancer config. Certificates are public and can go into VCS, private keys MUST NOT.

When storing the private key in a webserver’s filesystem, make sure the permissions of the file are such that only the webserver user can read the file.

Have a backup of certificates and keys in a secure location. A developer’s workstation is not a secure location.

What certificates must I serve from the webserver?

The webserver must serve the Server Certificate as well as any Intermediate Certificates (the Issuer of the Server Certificate). You do not need to serve the Root Certificate.

The following shows a correct certificate chain: the Server Certificate, followed immediately by its issuing Intermediate Certificate. The order of the certificates matters.

 Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=EE/serialNumber=10183757/C=EE/L=Tartu/O=Bigbank AS/CN=bigbank.ee
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
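The chain rules above ("Install the Certificate", the key/certificate match under Common Commands, and the list of common certificate errors) can all be checked locally before a deployment. The shell example below is added here and is not the page's or any project's own code: it builds a throw-away root -> intermediate -> server PKI as constructed demo data and then checks a chain file the way a strict TLS client would. The names (Example Root CA, kittens.sre.dev), the EC demo keys and the file layout are assumptions made for the demo; real server keys follow this page's RSA 4096 policy.

```shell
# Added example, not the page's own code: a throw-away root -> intermediate -> server
# PKI plus the checks a strict client applies to the chain file a web server serves.
# Names (Example Root CA, kittens.sre.dev), EC demo keys and file layout are assumptions.

mk_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }
mk_csr() { openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null; }

# Sign CSR $1 into certificate $2 using issuer certificate $3 and key $4
# ($3 = self for a self-signed root), with the X.509v3 extensions given in $5.
sign_csr() {
    printf '%s\n' "$5" > "$2.ext"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$1" -signkey "$4" -out "$2" -days 1 -extfile "$2.ext" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial -out "$2" -days 1 \
            -extfile "$2.ext" 2>/dev/null
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# Build root.crt, inter.crt and server.crt (for FQDN $2) under directory $1. Constructed demo data.
make_demo_pki() {
    d=$1; fqdn=$2
    mk_key "$d/root.key";   mk_csr "$d/root.key"   "$d/root.csr"   "/O=Example/CN=Example Root CA"
    sign_csr "$d/root.csr" "$d/root.crt" self "$d/root.key" "$CA_EXT"
    mk_key "$d/inter.key";  mk_csr "$d/inter.key"  "$d/inter.csr"  "/O=Example/CN=Example Intermediate CA"
    sign_csr "$d/inter.csr" "$d/inter.crt" "$d/root.crt" "$d/root.key" "$CA_EXT"
    mk_key "$d/server.key"; mk_csr "$d/server.key" "$d/server.csr" "/O=Example/CN=$fqdn"
    sign_csr "$d/server.csr" "$d/server.crt" "$d/inter.crt" "$d/inter.key" \
        "basicConstraints=CA:FALSE
subjectAltName=DNS:$fqdn"
}

# 0 if private key $1 and certificate $2 carry the same public key. Comparing the
# SubjectPublicKeyInfo works for RSA and EC alike, unlike the RSA-only modulus trick.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# The file a web server should serve: server certificate first, then each intermediate, never the root.
build_chain() { out=$1; shift; cat "$@" > "$out"; }

# Check chain file $1 against trusted root $2 for hostname $3 as a strict TLS client would.
# Prints each problem found and returns nonzero if there is any.
check_chain() {
    chain=$1; root=$2; fqdn=$3; rc=0; tmp=$(mktemp -d)
    # Clients take the first certificate in the file as the server certificate.
    if ! openssl x509 -in "$chain" -out "$tmp/leaf.pem" 2>/dev/null; then
        echo "cannot read the first certificate"; rm -rf "$tmp"; return 1
    fi
    if openssl x509 -in "$tmp/leaf.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "first certificate is a CA: wrong order, the server certificate must come first"; rc=1
    fi
    # A self-signed certificate in the chain is a root; clients ignore it, so it only wastes bytes.
    selfsigned=$(openssl crl2pkcs7 -nocrl -certfile "$chain" | openssl pkcs7 -print_certs -noout \
        | awk '/^subject=/ { s = substr($0, 9) } /^issuer=/ { if (substr($0, 8) == s) print s }')
    [ -z "$selfsigned" ] || { echo "root CA included in chain: $selfsigned"; rc=1; }
    # Path building uses only the chain file for intermediates, then the name is matched against the SAN.
    if ! openssl verify -CAfile "$root" -untrusted "$chain" -verify_hostname "$fqdn" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "chain does not validate for $fqdn: missing or wrong intermediate, untrusted CA or name mismatch"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

For a real deployment, point `check_chain` at the fullchain file you are about to give the web server, the Bigbank root CA file and the site's FQDN; a leaf-only file, a file with the intermediate first, or one with the root appended each produces a distinct message, matching the error causes listed above.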