Securing Enpass Hub connection with SSL Certificate Pinning

SSL Certificate Pinning is an added layer of security that can be set up during the Enpass Hub integration. It works by "pinning" the server's SSL certificate (more precisely, a hash of its public key) in the Enpass app, so that when the app connects to the server it can verify not only that the connection is encrypted, but that the server presents exactly the certificate the app expects.

When an Enpass app communicates with your Enpass Hub, the app checks the certificate presented by the server against its pinned value. If they match, the connection continues as usual. If they don't, the app terminates the connection, which prevents an attacker who holds some other trusted certificate from impersonating your server.

This feature strengthens the connection between the Enpass app and the Enpass Hub by ensuring the app communicates only with the server whose certificate matches the pinned value.


Identify Your Certificate

Before generating the pinning hash, you'll need to identify the SSL certificate your server is using. It is either available as a file stored on your server, or it can be retrieved directly from the running server. Both commands below extract the certificate's public key (SubjectPublicKeyInfo), DER-encode it, hash it with SHA-256 and print the result as base64.

Option 1: Certificate File

If you have the SSL certificate file at hand, generate the pinning hash with the following command, replacing /path/to/your/certificate.pem with the actual path to your certificate file:

openssl x509 -pubkey -noout -in "/path/to/your/certificate.pem" | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Option 2: Retrieve Directly from Server

If you don't have the certificate file but the server is up and running with the certificate installed, you can retrieve the certificate directly from the server with the following command, replacing both occurrences of your-hub-hostname.tld with your server's hostname (the -servername option sends the hostname via SNI, so a server that hosts several names returns the certificate for your hub rather than a default one):

openssl s_client -connect your-hub-hostname.tld:443 -servername your-hub-hostname.tld < /dev/null 2>/dev/null | openssl x509 -pubkey -noout -in /dev/stdin | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Enable SSL Pinning

You provide this certificate hash while integrating Enpass Hub in the Enpass Admin Console. Please note that certificate pinning adds an extra layer of security, but it also means that when your SSL certificate changes (e.g., when you renew), you'll need to generate a new pinning hash and update your Enpass configuration accordingly. Because the hash is taken over the certificate's public key, it changes whenever the certificate is reissued with a new key pair, which is what most renewals do; update the pin before the old certificate is replaced on the server, or the apps will refuse to connect.
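To make the pin computation and the client-side check concrete, here is an added example (not Enpass code) that reproduces the openssl pipeline above in pure Python: it walks the certificate's DER structure to the SubjectPublicKeyInfo, hashes it, and compares the result against a pin set. The certificate it runs on is a constructed, unsigned placeholder with a realistic layout; the function and variable names are this example's own.

```python
import base64
import hashlib

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def _tlv(der: bytes, pos: int):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)     # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)   # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                   # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return cert_der[pos:end]          # same bytes `openssl pkey -pubin -outform der` emits

def spki_pin(cert_der: bytes) -> str:
    """base64(sha256(SPKI)): the value the openssl pipelines on this page print."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """The client-side check: proceed only if the presented key is in the pin set."""
    return spki_pin(cert_der) in pinned

def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder, sufficient for the small constructed sample below."""
    return bytes([tag, len(body)]) + body

def sample_cert_der(pubkey: bytes = bytes(range(32))) -> bytes:
    """CONSTRUCTED, unsigned Ed25519-shaped certificate; only its structure is realistic."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2B6570"))) + _der(0x03, b"\x00" + pubkey))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

For a real certificate, pass pem_to_der(open(path).read()) to spki_pin and compare its output with the openssl command; keeping a second pin for the next key pair in the pin set is how a rollover avoids locking clients out.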
