We would like to limit access to our web servers (and eventually other services on the computer) to individuals that have been authorized access. Of course we don't trust passwords so we think certificates are the right answer.
There are hundreds of these servers. Access to any one server should NOT provide access to any other server. The access should be to only the single server. (Access will also be time-limited for additional security).
Other relevant requirements
- The server is remotely installed and may not have good or any internet access.
- The server should be capable of stand-alone operations (ie not relying on much external infrastructure)
- Other protocols will be involved besides HTTPS (e.g. MQTT). Features that require specific support from servers may be difficult.
- The server will be accessed by attaching a computer to a port directly on the device. (Ie Internet (or intranet) optional).
How can we implement these security requirements?
We are currently on a path that would involve creating individual CAs for each server. The server would require mutual authentication for the server and client. The server and client certs would be signed by the unique CA for each server.
Added "Why 1-1"
Why 1-1 CA to Server?
The fundamental behavior of certificates is trust. Any certificate signed by a trusted CA is likewise trusted.
Consider two server certificates are signed by the same CA. If a user (client?) certificate is also signed by the same CA then that certificate can be used to authenticate to the either server. The requirement is that the user is only authorized to access one server, not the other.
Is there additional information that can be included in a user certificate that would further enforce the use of the certificate for a single server and rejection on any another server?
I've seen that additional information can be added to the certificate. Is there something inherent to certificates that allows enforcement that the certificate is only useful to one server?
Is there an alternative? Perhaps one that does not involve creating many CAs?
FYI -- The servers are all running Linux.