
Questions tagged [pki]

pki is short for Public Key Infrastructure, a hierarchical system to create, distribute, and verify digital certificates

11 votes
1 answer
19k views

What is causing warning on a certificate's basicConstraints?

I created a self signed server certificate using OpenSSL's req -x509 command and a CONF file. The CONF file is shown below. When I examine the certificate using Microsoft certificate viewer, its ...
jww's user avatar
  • 12.2k
7 votes
1 answer
3k views

Ubuntu on Windows 10 - Git complaining "Permissions are too open" for my private key

Some background information, I have my bash/vim settings versioned on github that I sync between machines. I have this setup in place and working on a Windows 10 PC. It's relevant to mention that all ...
Mayuresh K's user avatar
7 votes
3 answers
12k views

Oracle orapki - How to install?

I need the Oracle wallet manager/orapki tools to create wallets, but I'm unable to find an installation for them. I want to install them on Ubuntu (but Windows or any linux would also be possible). ...
user27693's user avatar
6 votes
2 answers
10k views

Need a solution to verifying expired digital signatures

I use digital signatures for signing my invoices (required by law for digital invoicing in my country). The problem is, my local authority issues signing certificates that are only valid for a year (...
Petr Skocik's user avatar
  • 1,412
3 votes
2 answers
1k views

How can I change the PKI certificate I'm using in Firefox?

I have a dozen or so PKI certificates installed on my computer that I use for testing a web app. They represent the "users" Andy Tester, Billy Tester, Cindy Tester, &c. Fairly frequently, I need ...
Pops's user avatar
  • 8,503
3 votes
1 answer
1k views

P12 Certificate Authentication - what is the correct method

I've been able to successfully set up an IKEv2/IPSec VPN Server using certificate authentication. However, I have a general issue regarding the correct method of creating P12 user certificates. I've ...
Tom Thorp's user avatar
3 votes
1 answer
2k views

How to verify indirect CRL?

I'm trying to make an example work with indirect CRL. But when I try to verify it with the openssl verify command, I either get "unable to get certificate CRL" or "Different CRL scope". The question ...
mjspier's user avatar
  • 181
2 votes
1 answer
11k views

openssl pkcs12 keeps removing the PEM passphrase from keystore's entry?

OpenSSL 1.0.1e 11 Feb 2013 Generating a self-signed certificate: openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 365 During the process a PEM passphrase is requested: ...
XXL's user avatar
  • 1,469
2 votes
2 answers
68 views

PKI - certificate impact on TLS protocol

I have been learning about the TLS protocol handshake process. From my understanding the TLS version is decided purely by the client's OS\browser support. And the chosen cipher suite is decided by the ...
GKman's user avatar
  • 123
2 votes
2 answers
3k views

How can I find my machine's Private\Public Key? [closed]

Are they kept in the form of a file? If so, is it accessible for me manually or is it used transparently only whenever there is a PKI handshake (please correct me if I am misusing the terminology)? ...
user6004's user avatar
  • 259
2 votes
1 answer
3k views

OpenWrt: after restoring configuration backup, ssh pubkey authentication fails

After restoring configuration backup using Luci web interface, the ssh public key authentication stopped working: $ ssh [email protected] -i ~/.ssh/id_rsa [email protected]: Permission denied (...
drew1kun's user avatar
  • 2,157
2 votes
1 answer
816 views

What does renewing a certificate really mean?

Often one hears about "renewing an SSL certificate" or "renewing an X.509 certificate", but I wonder what this actually means. Usually, step #1 of the renewal process is "generate a new CSR". Doesn't ...
Mark's user avatar
  • 309
2 votes
0 answers
3k views

What is the best way to set up an OCSP responder (pkicreate, OpenSSL, other)?

I set up a root and intermediate CAs with OpenSSL and started issuing server certificates. For MS RDP (RemoteApp) it required OCSP, so I also set up an OCSP responder with OpenSSL. Testing with ...
Adriano_pinaffo's user avatar
2 votes
0 answers
90 views

How can I allow a user to connect to my OpenVPN by knowing their public key?

Given the public key of a remote user, I would like to run OpenVPN and allow that user to connect to my network. I only need to be connected to one remote machine at a time. The options outlined in ...
Peeja's user avatar
  • 2,909
1 vote
5 answers
4k views

CAC not working; Chrome gives "error 107"

One of my employees recently got a CAC card and a USB reader. The reader works fine, and I can see the certificates if I open IE9 and go to Options > Content > Certificates > Personal. When I go to ...
Crash893's user avatar
  • 1,560
1 vote
1 answer
3k views

Client-based authentication via certificate signed by ROOT CA

I have generated a ROOT CA and can successfully use it for client based authentication: openssl req -x509 -sha256 -newkey rsa:4096 -subj "$SUBJECT" -days 3650 -keyout root_ca.key -out ...
LeifSec's user avatar
  • 73
1 vote
1 answer
5k views

How does Chrome use .p12 certificates?

When I import a .p12 into Chrome, it requires a password. Once supplied, it is now stored in Chrome's key store and I never need to import my password again to use it. How does Chrome manage this? ...
pstatix's user avatar
  • 245
1 vote
1 answer
752 views

GlobalSign R1 not in default trust on CentOS. Why?

It seems GlobalSign's R1 root certificate is not in the default trust CA in CentOS 7.3. I check the list of Trusted CA's like this: awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)...
Rob Audenaerde's user avatar
1 vote
1 answer
306 views

DocuSign, User Certificates, and eIDAS

Based on my understanding, in order to be eIDAS compliant, signer's digital certificate is included in the PAdES envelope. However when I sign a document with DocuSign and open it with Acrobat reader, ...
user1912383's user avatar
1 vote
1 answer
698 views

Hashicorp Vault PKI Intermediate request missing private key

I try to set up some PKI structure, but when I request an intermediate CSR from vault, no private key is sent back. Neither in Terraform where I try to implement it, nor via the API. I tried: The ...
Franco Arendholz's user avatar
1 vote
1 answer
172 views

What is difference between E signature (Electronic Signature) and Digital Signature?

I would like to understand difference between E Signature (Electronic Signature) and Digital Signature? Can we replace digital signature with e signature? What is benefit to use e signature over ...
Ashish Patel's user avatar
1 vote
1 answer
399 views

A digital certificate contain only one public key?

If I know well, many digital certificates can contain a single public key. But I didn't see a certificate containing more public keys. I would like to know if it is completely impossible to a ...
Kroy's user avatar
  • 11
1 vote
1 answer
12k views

Firefox, "Secure Connection Failed" and client certificate

I have a client certificate for StartCom. I'm trying to authenticate to their service, but I'm receiving a "Secure Connection Failed" error with error code ssl_error_handshake_failure_alert: The ...
jww's user avatar
  • 12.2k
1 vote
1 answer
463 views

PKI Intermediate Certificate Trust

Let's say we have a business owned internal CA. Its certificate is trusted by one of the Trusted Roots that is present in all browsers. With that CA, we issue a bunch of certificates for servers in ...
Paul's user avatar
  • 60.3k
1 vote
1 answer
34 views

HTTPS/PKI Server Public / Private keypair

In the HTTPS secure session handshake, I understand that the server presents its public key, and that the client encrypts a symmetric session key with the public key and returns it to the server. My ...
Richard Schmitt's user avatar
1 vote
1 answer
503 views

Disable PIN caching for Virtual Smart Cards

We want to store digital certificates for PDF signing on Virtual Smart Cards. The default behavior for PIN entering is that the PIN is only entered once during a session. Is it possible to change this ...
user975868's user avatar
1 vote
0 answers
601 views

"Error certificate signature failure getting chain" when combining certificates in a PKCS12 keystore

I got the above error when I tried to combine a server certificate, a private key and a certificate chain into a PKCS#12 keystore (step 3) prior to converting it to a JKS keystore. Below are the steps I ...
techie11's user avatar
  • 183
1 vote
2 answers
304 views

PKI Certificate Authority private a keys and certificates

I'm trying to set up OpenVPN and I'm a bit confused about the terms. From what I've read, a PKI consists of: A separate certificate (also known as a public key) A private key for the server and ...
johnramsden's user avatar
1 vote
1 answer
189 views

Keypairs are stored securely on HSM. But during a smart card enrollment process, isn't the private key supposed to be injected into the smartcard?

I understand that in a PKI that utilises HSM, the key pairs are securely stored in the HSM. Applications that require encryption/decryption capabilities will communicate with the HSM via APIs. ...
Onion's user avatar
  • 11
0 votes
1 answer
4k views

Extract parameters of CSR request from certificate (public key)

Is it possible to extract values used during creation of CSR (for example using openssl)? In other words does public key (.crt file) contain the following data: C=?, ST=?, L=?, O=?, OU=?, CN=?, name=?...
Maxim's user avatar
  • 281
0 votes
1 answer
10k views

PuTTY Private/Public Key Pair - Generate Certificate

I have generated a private/public key pair using Putty. I have a private key file with extension .pem and public key file with extension .pub. Now I want to create a certificate from that and import ...
Varun Sharma's user avatar
0 votes
2 answers
119 views

Is there a concept of trusting an SSL/TLS certificate to identify a single website but not to act as a CA for other certificates?

I regularly find myself dealing with poor certificates within my intranet (or on temporary servers without a properly-signed cert). I haven't run across an approach that lets me save the certificate ...
Ethan T's user avatar
  • 434
0 votes
1 answer
6k views

Go Daddy's intermediate CA certificate missing

An unaffected PC (Windows 10 Pro connected to AD DS domain)   Affected PCs (Windows 10 Pro standalones)   What could cause intermediate but not root CA certificates to be missing? I've ...
mythofechelon's user avatar
0 votes
1 answer
908 views

Installing an internal website certificate in a domain controller?

The context is a Windows domain. My end goal here is to have an internal website (Website server is domain-joined) show as "trusted" when I visit it from my domain workstation. Currently (in ...
bluesquare's user avatar
0 votes
1 answer
676 views

Private keys extracted from .pfx and from separate encoded key file look different but both do work

I have a CertAndKey.pfx file and corresponding EncryptedKey.pem - both provided from CA. The following commands result with 2 different decrypted key files key1.pem and key2.pem: openssl rsa -in ...
Mikhail's user avatar
0 votes
1 answer
367 views

Mutual TLS Authentication with partner : why are they asking for our certificate?

So we are on this project with a partner that should use one of our API. The bosses decided the communication should use TLS mutual authentication. On the server hosting the API, we installed long ...
Ob1lan's user avatar
  • 1,906
0 votes
1 answer
691 views

What is Firefox's Device Manager used for?

In Firefox, there is a Device Manager (Options->Advanced->Certificates->Security Devices) that allows you to import middleware for cryptographic tokens (as far as I can tell). Can someone tell me ...
user2173353's user avatar
0 votes
0 answers
952 views

Create a Root CA self-signed certificate using the command line

I have Microsoft Server 2019 offline Root CA I want to renew the Root CA certificate, but I do not want it to be used immediately (as I want to push out the new Root CA certificate to key stores on ...
AUser's user avatar
  • 1
0 votes
0 answers
159 views

NameConstraints format for UPN values

I'm in the middle of building a new PKI and we are adding name constraints to our issuing CAs with all the usual suspects like DNS, IP, e-mails, directory names etc. We have a potential smart card ...
nrb's user avatar
  • 1
0 votes
3 answers
5k views

When I try to log in with SSH, why am I getting the error, Permission denied (publickey)

This has dogged me for years. Two IDENTICAL servers. Logged in to both as 'bob'. Try to ssh from bob@server1 to bob@server2. Permission denied (publickey). On BOTH servers: rm -r ~/.ssh On server1: ...
user4893295's user avatar
0 votes
1 answer
2k views

CertUtil | How CertUtil -verifykeys works internally?

I have a CA certificate in Local Machine Certificate Store. When I run this command - certutil -verifyKeys gives Key "KEYNAME" verifies as the public key for Certificate "KEYNAME" ...
User1234's user avatar
  • 103
0 votes
1 answer
1k views

Unable to start Apache on CentOS SSL Issue

I am unable to start Apache on a CentOS Server with SELinux. The error log gives. [root@server httpd]# cat test-error_log [Wed Nov 15 05:42:34 2017] [error] Init: Private key not found [Wed Nov 15 05:...
MarshawxLynch's user avatar
0 votes
1 answer
210 views

Client to Client Communication in OpenVpn

In client to client communication in OpenVpn, can server be separated from the network once the authentication is done?
Corsair's user avatar
0 votes
2 answers
2k views

Windows can't find the issuer of a client certificate

Hello and sorry about my bad English. I have a problem about a PKI which I did on Ubuntu using OpenSSL: when I installed the root certificate on Windows (it's a simple hierarchy: ROOT -> Intermediate -...
Aldo Astupillo's user avatar
0 votes
1 answer
2k views

Certification Authority migration - cannot install Web Enrollment role

I used this to migrate a certificate authority my root CA from a Win2003 AD server oldserver to a Win2008R2 member server newserver (with different name). After completing this task, I wanted to ...
Hagen von Eitzen's user avatar
0 votes
1 answer
2k views

Microsoft PKI + Samba AD

Have you ever tried to build Samba as Active directory domain controller in order to install Active Directory Certificate Services? The purpose is to have an enterprise ca with samba ad instead of ...
p3030128's user avatar
0 votes
1 answer
6k views

How to properly install SCR3500 card reader on mac - Mac OS X 10.6.8?

I am trying to login into some secured site and I am required to use SCR3500 card reader. I found and installed some drivers - http://support.identive-group.com/download_scm/download_scm.php?lang=en. ...
Ascorpio's user avatar
  • 121
0 votes
1 answer
3k views

Windows certificate manager restore private key somehow

This may sound very strange but let me explain a situation: I was using my PKI Private Key installed at Windows Certificate Storage I get token, so I decided to load them to token and delete them ...
Ency's user avatar
  • 17