OAuth2 is very rapidly becoming the de facto standard for securing APIs.
An OAuth2 JWT token is a signed JSON snippet containing fields (claims) that are needed to make a decision about granting access.
It is important to understand the inherent risks of OAuth2/JWT and make sure that the right mechanisms are in place to mitigate them.
A JWT token is similar to an X.509 certificate. If a certificate is signed by a CA we trust (and if it is not expired, the signature is valid, etc.), we will trust the TLS client (or our browser will trust the server presenting this certificate). A JWT token is signed by an authorization server rather than a CA, so we have to trust the authorization server in order to authorize the client.
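The checks listed above (trusted signer, valid signature, not expired, issued for us) are exactly what an API has to perform on every JWT before using its claims. The following is an added example, not code from the original post or from DPBuddy; it verifies an HS256 token with only the Python standard library. The shared secret, issuer URL and audience name are constructed placeholders, and the mint_token helper exists only to produce sample input for the check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; a real deployment takes these from the
# authorization server's configuration, never from the token itself.
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"
TRUSTED_ISSUER = "https://auth.example.test"   # hypothetical authorization server
EXPECTED_AUDIENCE = "orders-api"               # hypothetical identifier of this API
CLOCK_SKEW_SECONDS = 60                        # tolerance for clock drift between servers


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Produce a sample HS256 JWT (stands in for the authorization server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims if the token is trustworthy, otherwise raise ValueError.

    The order matters: signature first, then claims. Nothing in the payload
    is trusted before the signature check has passed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm the authorization server is known to use; never let the
    # token's own header choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature does not verify")

    claims = json.loads(_b64url_decode(payload_b64))

    # Trust in the signer is the JWT counterpart of trusting a CA.
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("token issued by an untrusted issuer")

    # 'aud' may be a single string or a list of audiences.
    audience = claims.get("aud", [])
    if isinstance(audience, str):
        audience = [audience]
    if EXPECTED_AUDIENCE not in audience:
        raise ValueError("token not intended for this API")

    if "exp" not in claims or claims["exp"] + CLOCK_SKEW_SECONDS < now:
        raise ValueError("token expired or has no expiry")
    if claims.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    sample = mint_token(
        {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "svc-orders",
         "iat": issued, "exp": issued + 300},
        SHARED_SECRET,
    )
    print(verify_token(sample, SHARED_SECRET))
```

The same structure applies to RS256/ES256 tokens: the only change is that the HMAC comparison becomes a public-key signature check against the key published by the authorization server, while the issuer, audience and time checks stay as they are.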
Self-signed certificates are widely used for testing/development and sometimes in production for internal websites.
Self-signed certificates are created without any CA, thus they don't have a parent. The issuer is also the subject of the certificate.
In general, the use of self-signed certificates must be discouraged as they present an inherent security risk. For example, there is no way to revoke a self-signed cert. Using an internal CA for issuing all internal certificates is a much better option; we will cover it in a future post.
Self-signed certs come at a substantial maintenance cost -- issuing a cert for a long period of time is insecure, but a short validity period adds to the certificate renewal/distribution overhead.
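The two properties just described (issuer equals subject, and a validity period that is either too long or about to run out) are easy to check mechanically across a fleet of endpoints. The following is an added example, not code from the original post or from DPBuddy; it audits certificates in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, so the same function works on live connections. The sample certificates, the 398-day policy limit and the 30-day renewal warning are constructed values.

```python
import ssl
import time

MAX_VALIDITY_DAYS = 398      # hypothetical internal policy limit on certificate lifetime
RENEWAL_WARNING_DAYS = 30    # hypothetical lead time for renewal/distribution


def is_self_signed(cert: dict) -> bool:
    """A self-signed certificate has no parent: the issuer is also the subject."""
    return cert.get("subject") == cert.get("issuer")


def validity_days(cert: dict) -> float:
    """Length of the validity period in days (notBefore to notAfter)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def audit_cert(cert: dict, now: float = None, max_days: int = MAX_VALIDITY_DAYS) -> list:
    """Return a list of findings; an empty list means the certificate passed."""
    now = time.time() if now is None else now
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed: no CA chain and no way to revoke it")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired")
    elif not_after - now < RENEWAL_WARNING_DAYS * 86400:
        findings.append(f"expires within {RENEWAL_WARNING_DAYS} days; renew and redistribute")
    if validity_days(cert) > max_days:
        findings.append(f"validity period exceeds {max_days} days")
    return findings


# Constructed sample certificates in getpeercert() layout (not real endpoints).
SELF_SIGNED_10Y = {
    "subject": ((("commonName", "internal-gw.example.test"),),),
    "issuer": ((("commonName", "internal-gw.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2033 GMT",
}
INTERNAL_CA_ISSUED = {
    "subject": ((("commonName", "orders-api.example.test"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
EXPIRED = {
    "subject": ((("commonName", "old-service.example.test"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "May  1 00:00:00 2024 GMT",
    "notAfter": "May  1 00:00:00 2025 GMT",
}

# Fixed reference time so the audit result is reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def audit_all(certs: dict, now: float = AUDIT_TIME) -> dict:
    """Audit a mapping of name -> certificate and return name -> findings."""
    return {name: audit_cert(cert, now=now) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(
        {"gateway": SELF_SIGNED_10Y, "orders": INTERNAL_CA_ISSUED, "legacy": EXPIRED}
    ).items():
        print(name, findings or ["ok"])
```

To run this against a live endpoint, open a connection with ssl.create_default_context() and pass socket.getpeercert() to audit_cert(); note that getpeercert() only returns the parsed dictionary when the context actually validated the certificate, which is one more reason not to disable verification to make the error go away.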
The following best practices will help to make self-signed and internally-issued certificates more secure:
Certificate validation errors are a frequent cause of issues when dealing with APIs and Web services calls, especially when self-signed certificates are used.
The error message is usually
javax.net.ssl.SSLHandshakeException: PKIX path building failed.
A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore/truststore management is extremely important for application security.
We’ve compiled a list of keystore-related best practices in our keystore management document.
Here is a brief summary of the document:
For more details, please refer to our certificate management document.
Best practices list:
We're incorporating more security reporting/compliance features into DPBuddy and we're also working on a new product related to certificate management.
As part of this work, we're attempting to compile and aggregate best practices related to certificates and key management.