Summon provider without DAP follower certificate

Hi,

As part of the implementation guidelines, CONJUR_SSL_CERTIFICATE is one of the key parameters when configuring the environment variables for Conjur with summon-provider. However, we have tested without providing the DAP follower certificate on the VMs and it works without errors, so what is the role of the DAP follower certificate, and why does it work even when we removed it?

export CONJUR_MAJOR_VERSION=5
export CONJUR_APPLIANCE_URL=https://abc.test
#export CONJUR_CERT_FILE=/home/xx/cert.cer
export CONJUR_ACCOUNT=abc
export CONJUR_AUTHN_LOGIN=host/abc/xys
export CONJUR_AUTHN_API_KEY=*******
export SUMMON_PROVIDER=~/bin/summon-conjur

Hey @gautamkanithi,
CONJUR_SSL_CERTIFICATE / CONJUR_CERT_FILE is used to set the certificate pool for the summon-conjur endpoint verification through the API module. When you use that variable, you are asserting that the presented certificate is signed by that certificate only. When you omit these variables, you are using the default system CA store and all of its root certificates to verify that one of those has signed your Conjur endpoint.

In essence:

  • When you use CONJUR_SSL_CERTIFICATE (or CONJUR_CERT_FILE):

    • The Conjur endpoint server's SSL certificate must be signed by this certificate (and other validity checks, like NotAfter, must pass).
    • If the certificate from the Conjur endpoint server is not signed by this exact certificate, or the validity conditions fail, the connection will fail.
  • When you omit both CONJUR_SSL_CERTIFICATE and CONJUR_CERT_FILE:

    • Default SSL certificate store is used as a CA pool.
    • If the Conjur endpoint server certificate is signed by one of those certificates (and other validity checks, like NotAfter, pass), the connection will succeed. This usually means that if a browser would consider the certificate valid, summon-conjur will consider it valid too.
    • If the certificate from the Conjur endpoint server is not signed by any of those root certificates, or the validity conditions fail, the connection will fail.

Hope that helps. Let us know if the behavior you see does not match the one I described here.

Srdjan

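The trust decision described in the answer above, modelled as an added example with Go's crypto/x509 (summon-conjur is written in Go); this is not summon-conjur's or conjur-api-go's own code, and the host name and CA names are constructed. A pinned pool plays the role of CONJUR_SSL_CERTIFICATE; a leaf issued by the pinned CA passes, while a leaf issued by any other CA and an expired leaf from the pinned CA are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a test certificate for cn valid until now+ttl; with parent == nil it is self-signed (a root CA).
func newCert(cn string, isCA bool, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true, // only IsCA certificates may sign others
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // permissive, test-only
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// endpointTrusted: does the server cert chain to a root in the pool, match host, and sit inside its validity window?
func endpointTrusted(server *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo pins one CA (as CONJUR_SSL_CERTIFICATE does) and checks its own leaf, a foreign CA's leaf, and an expired leaf.
func Demo() (ownLeaf, foreignLeaf, expiredLeaf bool) {
	host := "conjur.example.test" // constructed name, not the endpoint from the thread
	ca, caKey := newCert("Follower CA", true, 365*24*time.Hour, nil, nil)
	other, otherKey := newCert("Some Other CA", true, 365*24*time.Hour, nil, nil)
	leaf, _ := newCert(host, false, 365*24*time.Hour, ca, caKey)
	foreign, _ := newCert(host, false, 365*24*time.Hour, other, otherKey)
	expired, _ := newCert(host, false, -time.Minute, ca, caKey)
	pinned := x509.NewCertPool() // with the variable omitted, x509.SystemCertPool() would be used instead
	pinned.AddCert(ca)
	return endpointTrusted(leaf, pinned, host), endpointTrusted(foreign, pinned, host), endpointTrusted(expired, pinned, host)
}
```

Swapping the pinned pool for x509.SystemCertPool() reproduces the "variable omitted" case: the foreign leaf then passes only if its issuer is one of the system roots, which is why the setup in the question keeps working on a VM whose store already trusts the follower's issuer.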

Thank you for the detailed explanation, it's clear to me now.