Aviation Security: Why your airline shouldn't use self-signed certificates
To make it short, and beyond basic IT related reasons: because IT security for an airline is directly linked to Aviation security and passengers safety.
What are the risks associated with self-signed certificates? Mainly:
- Leave the door open for various attacks, intercepting or corrupting information
- Train users to be less secure
More reading: Self-signed certificate — Wikipedia, or search for «risk self signed certificate».
There are multiple ways to solve this. Let’s focus on one applied to Windows running Wildfly — free, easy to implement, using automatic renewal. A few steps that will put your operation back to an acceptable level of security using Let’s Encrypt free SSL/TLS certificates.
Note: the self-signed certificate is just one aspect among others. If you skipped this one, it would be very wise to discuss privately about other potential vulnerability aspects. Contact us: contact@feel.aero
Pass these steps to your EFB admin or IT department.
1. Download the binary build of win-acme for Windows: https://www.win-acme.com/
Current version at time of writing: 2.1.12 64-bit
2. Unzip and move the folder to C:\Program Files\win-acme
3. Modify Scripts\ImportJKS.ps1:
- Specify the correct Java path for your installation
- Add
-deststoretype pkcs12to both keytool calls
The default keystore password airbus is left unchanged for ease of setup, but change it based on the documentation, as well as the default port 8443, which is subject to frequent scans.
4. Place cert-fsa.bat in the win-acme folder. It stops the Wildfly service, moves the .jks, creates or renews the certificate, and starts the service again.
5. The first launch must be executed manually “as an administrator” (it’s interactive). Accept all options.
6. In Task Scheduler, modify the generated task:
- Set the trigger to 60 days (Let’s Encrypt recommends this; certs are valid for 90 days)
- Change the action to launch
C:\Program Files\win-acme\cert-fsa.bat
cert-fsa.bat
@echo off
set HOST=fsa.yourdomain.com
set KEYSTORE=C:\Airbus\Wildfly\standalone\configuration\fsa-keystore.jks
set KEYSTOREPASS=airbus
sc stop wildfly
:loop
sc query wildfly | find "STOPPED"
if errorlevel 1 (
timeout 1
goto loop
)
move /Y %KEYSTORE% %KEYSTORE%.old
wacs.exe ^
--target manual ^
--host %HOST% ^
--store none ^
--installation script ^
--script "Scripts\ImportJKS.ps1" ^
--scriptparameters "\"{CacheFile}\" \"{CachePassword}\" \"%KEYSTORE%\" %KEYSTOREPASS% %KEYSTOREPASS%"
if not exist %KEYSTORE% (
move /Y %KEYSTORE%.old %KEYSTORE%
)
sc start wildflyScripts/ImportJKS.ps1
param(
[Parameter(Mandatory=$true)]
[string]
$PfxFile,
[Parameter(Mandatory=$true)]
[string]
$PfxPassword,
[Parameter(Mandatory=$true)]
[string]
$KeyStoreFile,
[Parameter(Mandatory=$true)]
[string]
$KeyStorePassword,
[Parameter(Mandatory=$false)]
[string]
$KeyStoreKeyPassword
)
Set-Alias keytool "C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe"
echo "Keystore $KeyStorePassword"
if ([string]::IsNullOrEmpty($KeyStoreKeyPassword))
{
keytool `
-v `
-noprompt `
-importkeystore `
-srckeystore "$PfxFile" `
-srcstoretype PKCS12 `
-srcstorepass "$PfxPassword" `
-destkeystore "$KeyStoreFile" `
-deststorepass "$KeyStorePassword" `
-deststoretype pkcs12
}
else
{
keytool `
-v `
-noprompt `
-importkeystore `
-srckeystore "$PfxFile" `
-srcstoretype PKCS12 `
-srcstorepass "$PfxPassword" `
-destkeystore "$KeyStoreFile" `
-deststorepass "$KeyStorePassword" `
-destkeypass "$KeyStoreKeyPassword" `
-deststoretype pkcs12
}