Security
Linux kernel keyrings, container isolation and maybe some kerberos
On a recent project I've been stumbling on the case that kerberos tickets have been inadvertently shared across containers on a node - which obviously caught my attention as I'm not keen on sharing such secrets across workloads. This post describes why this happens and what to do to prevent this.
Create a TPM backed certificate request (on windows)
Certificates are everywhere - sometimes you want to keep them even more secure than just on the filesystem (or operating system store). This guide shows how to create TPM backed certificates on windows.
Use openssl to verify certificates
Certificates are essential for todays security needs. Sometimes it's required to revoke them, maybe because they are no longer needed or because they got even compromised. But how do you test manually if a certificate has been revoked?
pfsense - CRL has expired in openvpn server
A few days ago we ran into an issue where pfsense appliances started to refuse openvpn connections by showing "CRL has expired" error messages. As it shows the reason is an overflow a date.
Replace tls cert using commandline (netsh)
TLS endpoints on windows are often served by the operating system itself. Related certificate bindings can be managed using the command line easily. This guide shows how to replace a certificate using the commandline.
git on windows on CA's without crl (mostly pki)
If you're working with git and are using certificates without revocation lists on windows this article shows how you can disable ssl revocation checks on git client.
Docker - Hardening with firewalld
Containers are no virtual machines - yet we might want to treat hosts running container workloads like hypervisors and apply limitations on container networking. This guide describes a way to limit container networking on docker based container hosts using firewalld.
