Extract the public key for pinning

Support for public key pinning is introduced with Snow Inventory Server 6.0.7.

Public key pinning protects the communication link between agents and Snow Inventory endpoints, such as Snow Inventory Server or a service gateway, against man-in-the-middle attacks. It is recommended to enable the public key pinning feature by default, so that data in transit is secured and potential man-in-the-middle attacks are fully mitigated.

When an agent first establishes communication with an endpoint, it checks whether the encoded hash of the endpoint's public key matches the expected value, which is stored as a hash in the agent configuration file (snowagent.config by default). If the values match, communication is established; otherwise the connection is dropped. The stored value is a Base64-encoded SHA-256 hash string.

For information on how to configure Snow Inventory Agent 6 to enable the public key pinning feature, see the User Guide: Configuration for Snow Inventory Agents version 6, available in the Snow Knowledgebase.

Caution

Take care when editing the Snow Inventory Server configuration file; erroneous configuration will stop the server and may require that you contact your local Snow Professional Services contact person.

The following guide can be used from any machine that has network access to the Snow Inventory Server.

The recommended steps, shown here using the OpenSSL command-line client:

  1. Open a communication link with the endpoint and save its certificate.

    openssl s_client -servername www.invserver.com -connect www.invserver.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.invserver.com.pem

  2. Extract the public key from the endpoint's certificate, which is usually in PEM format.

    openssl x509 -in www.invserver.com.pem -pubkey -noout > www.invserver.com.pubkey.pem

  3. Convert the public key from PEM to binary DER, the format appropriate for the local operating system.

    openssl asn1parse -noout -inform pem -in www.invserver.com.pubkey.pem -out www.invserver.com.pubkey.der

  4. SHA-256 hash the key in the local format and Base64-encode the result; the output is the pin value.

    openssl dgst -sha256 -binary www.invserver.com.pubkey.der | openssl base64
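Steps 2 to 4 above, plus the comparison the agent performs against the value in snowagent.config, as an added example using only the Python standard library (this is not Snow's code): it walks the certificate's DER structure in RFC 5280 field order to extract the SubjectPublicKeyInfo, hashes and encodes it, and compares the result in constant time. The certificate is a constructed skeleton with a placeholder P-256 key, built inline so the script runs offline; `extract_spki`, `spki_pin` and `pin_matches` are names chosen for this example.

```python
import base64
import hashlib
import hmac

def tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, header_len, value_len)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, hdr, length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (step 2 of the guide)."""
    pos = tlv(cert_der, 0)[1]               # enter the outer Certificate SEQUENCE
    pos += tlv(cert_der, pos)[1]            # enter the tbsCertificate SEQUENCE
    tag, hdr, length = tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version (absent in v1 certs)
        pos += hdr + length
    for _ in range(5):                      # skip serialNumber, signature, issuer, validity, subject
        _, hdr, length = tlv(cert_der, pos)
        pos += hdr + length
    _, hdr, length = tlv(cert_der, pos)     # subjectPublicKeyInfo, including its own header
    return cert_der[pos:pos + hdr + length]

def spki_pin(spki_der):
    """Base64(SHA-256(SPKI)): the pin value stored in snowagent.config (steps 3 and 4)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pin_matches(cert_der, expected_pin):
    """Agent-side check: accept the endpoint only if its pin equals the configured value."""
    return hmac.compare_digest(spki_pin(extract_spki(cert_der)), expected_pin)

def der_tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample certificate below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

# Constructed sample: a P-256 SPKI with a placeholder (not valid) point inside a minimal
# v3 certificate skeleton. Not a real certificate; it only exercises the parser.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                                  + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
                            + der_tlv(0x03, b"\x00\x04" + b"\xab" * 64))
SAMPLE_TBS = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
              + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
              + der_tlv(0x30, b"") + der_tlv(0x30, b"") + der_tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = der_tlv(0x30, der_tlv(0x30, SAMPLE_TBS) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

For a real endpoint, feed `extract_spki` the DER bytes of the certificate saved in step 1 (for example `ssl.PEM_cert_to_DER_cert(open("www.invserver.com.pem").read())`); the pin it prints must equal the `openssl dgst ... | openssl base64` output.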