Questions tagged [pki]
PKI is short for Public Key Infrastructure, a hierarchical system to create, distribute, and verify digital certificates.
48 questions
11 votes, 1 answer, 19k views
What is causing a warning on a certificate's basicConstraints?
I created a self-signed server certificate using OpenSSL's req -x509 command and a CONF file. The CONF file is shown below.
When I examine the certificate using Microsoft certificate viewer, its ...
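As an added example (not the asker's CONF file, which is not shown on this page), the script below issues a self-signed server certificate whose basicConstraints explicitly says CA:FALSE and then reads the extension back. The stock openssl.cnf points `req -x509` at its `v3_ca` section, whose basicConstraints is CA:true, so a self-signed leaf made from it claims to be a CA, which is the sort of thing a certificate viewer flags on a server certificate. The hostname www.example.test and the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: self-signed *server* certificate with an explicit
# basicConstraints=CA:FALSE, plus a check that reads the extension back.
# www.example.test and the file names are assumptions for the demo.
set -eu

# Write a minimal req config and issue the certificate from it.
# The [ v3_server ] section is what "req -x509 -extensions v3_server" applies;
# without a section like it, the default config's v3_ca (CA:true) is used.
make_server_cert() {
  dir=$1
  cat > "$dir/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[ dn ]
CN = www.example.test

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/server.cnf" -extensions v3_server \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the decoded basicConstraints value (e.g. "CA:FALSE") of a PEM cert.
cert_basic_constraints() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ { getline; sub(/^ +/, ""); print; exit }'
}

# Demo in a temporary directory.
work=$(mktemp -d)
make_server_cert "$work"
echo "server.crt basicConstraints: $(cert_basic_constraints "$work/server.crt")"
```

The same `cert_basic_constraints` check can be pointed at any certificate that a viewer complains about; a leaf that prints CA:TRUE was issued with CA extensions and should be reissued, not re-trusted.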
7 votes, 1 answer, 3k views
Ubuntu on Windows 10 - Git complaining "Permissions are too open" for my private key
Some background information, I have my bash/vim settings versioned on github that I sync between machines. I have this setup in place and working on a Windows 10 PC. It's relevant to mention that all ...
7 votes, 3 answers, 12k views
Oracle orapki - How to install?
I need the Oracle wallet manager/orapki tools to create wallets, but I'm unable to find an installation for them.
I want to install them on Ubuntu (but Windows or any linux would also be possible).
...
6 votes, 2 answers, 10k views
Need a solution to verifying expired digital signatures
I use digital signatures for signing my invoices (required by law for digital invoicing in my country). The problem is, my local authority issues signing certificates that are only valid for a year (...
3 votes, 2 answers, 1k views
How can I change the PKI certificate I'm using in Firefox?
I have a dozen or so PKI certificates installed on my computer that I use for testing a web app. They represent the "users" Andy Tester, Billy Tester, Cindy Tester, &c. Fairly frequently, I need ...
3 votes, 1 answer, 1k views
P12 Certificate Authentication - what is the correct method
I've been able to successfully set up an IKEv2/IPSec VPN Server using certificate authentication. However, I have a general issue regarding the correct method of creating P12 user certificates.
I've ...
3 votes, 1 answer, 2k views
How to verify indirect CRL?
I'm trying to make an example work with indirect CRL.
But when I try to verify it with the openssl verify command, I either get "unable to get certificate CRL" or "Different CRL scope".
The question ...
2 votes, 1 answer, 11k views
openssl pkcs12 keeps removing the PEM passphrase from keystore's entry?
OpenSSL 1.0.1e 11 Feb 2013
Generating a self-signed certificate:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 365
During the process a PEM passphrase is requested:
...
2 votes, 2 answers, 68 views
PKI - certificate impact on TLS protocol
I have been learning about the TLS protocol handshake process.
From my understanding the TLS version is decided purely by the client's OS/browser support.
And the chosen cipher suite is decided by the ...
2 votes, 2 answers, 3k views
How can I find my machine's Private/Public Key? [closed]
Are they kept in the form of a file?
If so, is it accessible for me manually or is it used transparently only whenever there is a PKI handshake (please correct me if I am misusing the terminology)?
...
2 votes, 1 answer, 3k views
OpenWrt: after restoring configuration backup, ssh pubkey authentication fails
After restoring a configuration backup using the LuCI web interface, the ssh public key authentication stopped working:
$ ssh [email protected] -i ~/.ssh/id_rsa
[email protected]: Permission denied (...
2 votes, 1 answer, 816 views
What does renewing a certificate really mean?
Often one hears about "renewing an SSL certificate" or "renewing an X.509 certificate", but I wonder what this actually means. Usually, step #1 of the renewal process is "generate a new CSR". Doesn't ...
2 votes, 0 answers, 3k views
What is the best way to set up an OCSP responder (pkicreate, OpenSSL, other)?
I set up root and intermediate CAs with OpenSSL and started issuing server certificates. For MS RDP (RemoteApp) it required OCSP, so I also set up an OCSP responder with OpenSSL. Testing with ...
2 votes, 0 answers, 90 views
How can I allow a user to connect to my OpenVPN by knowing their public key?
Given the public key of a remote user, I would like to run OpenVPN and allow that user to connect to my network. I only need to be connected to one remote machine at a time.
The options outlined in ...
1 vote, 5 answers, 4k views
CAC not working; Chrome gives "error 107"
One of my employees recently got a CAC card and a USB reader.
The reader works fine, and I can see the certificates if I open IE9 and go to Options > Content > Certificates > Personal.
When I go to ...
1 vote, 1 answer, 3k views
client-based authentication via certificate signed by ROOT CA
I have generated a ROOT CA and can successfully use it for client-based authentication:
openssl req -x509 -sha256 -newkey rsa:4096 -subj "$SUBJECT" -days 3650 -keyout root_ca.key -out ...
1 vote, 1 answer, 5k views
How does Chrome use .p12 certificates?
When I import a .p12 into Chrome, it requires a password. Once supplied, it is now stored in Chrome's key store and I never need to import my password again to use it.
How does Chrome manage this? ...
1 vote, 1 answer, 752 views
GlobalSign R1 not in default trust on CentOS. Why?
It seems GlobalSign's R1 root certificate is not in the default trusted CAs in CentOS 7.3.
I check the list of trusted CAs like this:
awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)...
1 vote, 1 answer, 306 views
DocuSign, User Certificates, and eIDAS
Based on my understanding, in order to be eIDAS compliant, the signer's digital certificate is included in the PAdES envelope.
However, when I sign a document with DocuSign and open it with Acrobat Reader, ...
1 vote, 1 answer, 698 views
Hashicorp Vault PKI Intermediate request missing private key
I try to set up some PKI structure, but when I request an intermediate CSR from vault, no private key is sent back. Neither in Terraform where I try to implement it, nor via the API.
I tried:
The ...
1 vote, 1 answer, 172 views
What is the difference between an E-signature (Electronic Signature) and a Digital Signature?
I would like to understand the difference between an E-Signature (Electronic Signature) and a Digital Signature. Can we replace a digital signature with an e-signature? What is the benefit of using an e-signature over ...
1 vote, 1 answer, 399 views
A digital certificate contains only one public key?
If I know well, a digital certificate can contain a single public key. But I didn't see a certificate containing more public keys.
I would like to know if it is completely impossible to a ...
1 vote, 1 answer, 12k views
Firefox, "Secure Connection Failed" and client certificate
I have a client certificate for StartCom. I'm trying to authenticate to their service, but I'm receiving a "Secure Connection Failed" error with error code ssl_error_handshake_failure_alert:
The ...
1 vote, 1 answer, 463 views
PKI Intermediate Certificate Trust
Let's say we have a business-owned internal CA. Its certificate is trusted by one of the Trusted Roots that is present in all browsers.
With that CA, we issue a bunch of certificates for servers in ...
1 vote, 1 answer, 34 views
HTTPS/PKI Server Public / Private keypair
In the HTTPS secure session handshake, I understand that the server presents its public key, and that the client encrypts a symmetric session key with the public key and returns it to the server.
My ...
1 vote, 1 answer, 503 views
Disable PIN caching for Virtual Smart Cards
We want to store digital certificates for PDF signing on Virtual Smart Cards. The default behavior for PIN entering is that the PIN is only entered once during a session. Is it possible to change this ...
1 vote, 0 answers, 601 views
"Error certificate signature failure getting chain" when combining certificates in a PKCS12 keystore
I got the above error when I tried to combine a server certificate, a private key and a certificate chain into a PKCS#12 keystore (step 3) prior to converting it to a JKS keystore.
Below are the steps I ...
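The three PKCS#12 questions on this page (building P12 user certificates for the IKEv2 clients, the PEM passphrase that seems to vanish from the keystore entry, and the "certificate signature failure getting chain" error) are one workflow, so here is a single added example that is not code from any of the askers. A throwaway root CA issues a client certificate, the client key is passphrase-protected in PEM as a CA-delivered key file often is, the chain is verified, and key, leaf and issuer are bundled into a .p12 and read back. Two different passwords are involved: `-passin` unlocks the PEM key on the way in, `-passout` protects the whole .p12, and the PEM passphrase itself is not stored in the bundle, which is why a key read back with `-nocerts` is guarded by the .p12 password only. The "signature failure getting chain" message is what `pkcs12 -chain` reports when a certificate in the chain does not verify against the certificate offered as its issuer, so the chain is checked with `openssl verify` before bundling. "Demo Root CA", "alice", the passwords and the file names are placeholders.

```shell
#!/bin/sh
# Added example: throwaway root CA -> client certificate -> PKCS#12 bundle.
# "Demo Root CA", "alice", the passwords and the file names are placeholders.
set -eu

# 0 if leaf $2 chains to CA certificate $1, 1 otherwise.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build the demo material in directory $1.
make_p12_demo() {
  d=$1
  # 1. Self-signed root CA with explicit CA extensions.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  # 2. Client key + CSR, signed by the CA as an end-entity usable for clientAuth.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=alice' \
    -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
  openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/client.ext" -out "$d/alice.crt" 2>/dev/null
  # 3. Protect the PEM key with a passphrase (PKCS#8, encrypted).
  openssl pkcs8 -topk8 -in "$d/alice.key" -passout pass:pem-secret -out "$d/alice.enc.key"
  # 4. Verify the chain *before* bundling; a mismatched issuer here is what
  #    "pkcs12 -chain" would later report as a signature failure getting the chain.
  chain_ok "$d/ca.crt" "$d/alice.crt"
  # 5. Bundle key + leaf + issuer. -passin opens the PEM key, -passout protects
  #    the .p12; the PEM passphrase is not carried into the bundle.
  openssl pkcs12 -export -name alice -inkey "$d/alice.enc.key" -passin pass:pem-secret \
    -in "$d/alice.crt" -certfile "$d/ca.crt" -passout pass:p12-secret -out "$d/alice.p12"
}

# Number of certificates inside .p12 $1 opened with password $2 (leaf + issuer = 2).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# PEM label of the key read back from .p12 $1 using only the .p12 password $2.
p12_key_label() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

work=$(mktemp -d)
make_p12_demo "$work"
echo "certificates in bundle: $(p12_cert_count "$work/alice.p12" p12-secret)"
echo "key read back as:       $(p12_key_label "$work/alice.p12" p12-secret)"
```

For a real client bundle, replace the throwaway CA with the issuing CA's certificate and keep `-certfile` limited to the actual issuer chain; if the leaf does not verify against what you put there, fix that before reaching for `-chain`.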
1 vote, 2 answers, 304 views
PKI Certificate Authority private keys and certificates
I'm trying to set up OpenVPN and I'm a bit confused about the terms.
From what I've read, a PKI consists of:
A separate certificate (also known as a public key)
A private key for the server and ...
1 vote, 1 answer, 189 views
Keypairs are stored securely on HSM. But during a smart card enrollment process, isn't the private key supposed to be injected into the smartcard?
I understand that in a PKI that utilises HSM, the key pairs are securely stored in the HSM. Applications that require encryption/decryption capabilities will communicate with the HSM via APIs.
...
0 votes, 1 answer, 4k views
Extract parameters of CSR request from certificate (public key)
Is it possible to extract values used during creation of CSR (for example using openssl)?
In other words does public key (.crt file) contain the following data:
C=?, ST=?, L=?, O=?, OU=?, CN=?, name=?...
0 votes, 1 answer, 10k views
PuTTY Private/Public Key Pair - Generate Certificate
I have generated a private/public key pair using PuTTY. I have a private key file with extension .pem and public key file with extension .pub.
Now I want to create a certificate from that and import ...
0 votes, 2 answers, 119 views
Is there a concept of trusting an SSL/TLS certificate to identify a single website but not to act as a CA for other certificates?
I regularly find myself dealing with poor certificates within my intranet (or on temporary servers without a properly-signed cert). I haven't run across an approach that lets me save the certificate ...
0 votes, 1 answer, 6k views
Go Daddy's intermediate CA certificate missing
An unaffected PC (Windows 10 Pro connected to AD DS domain)
Affected PCs (Windows 10 Pro standalones)
What could cause intermediate but not root CA certificates to be missing?
I've ...
0 votes, 1 answer, 908 views
Installing an internal website certificate in a domain controller?
The context is a Windows domain. My end goal here is to have an internal website (Website server is domain-joined) show as "trusted" when I visit it from my domain workstation.
Currently (in ...
0 votes, 1 answer, 676 views
Private keys extracted from .pfx and from separate encoded key file look different but both do work
I have a CertAndKey.pfx file and corresponding EncryptedKey.pem - both provided from CA.
The following commands result in 2 different decrypted key files key1.pem and key2.pem:
openssl rsa -in ...
0 votes, 1 answer, 367 views
Mutual TLS Authentication with partner: why are they asking for our certificate?
So we are on this project with a partner that should use one of our API. The bosses decided the communication should use TLS mutual authentication.
On the server hosting the API, we installed long ...
0 votes, 1 answer, 691 views
What is Firefox's Device Manager used for?
In Firefox, there is a Device Manager (Options->Advanced->Certificates->Security Devices) that allows you to import middleware for cryptographic tokens (as far as I can tell).
Can someone tell me ...
0 votes, 0 answers, 952 views
Create a Root CA self-signed certificate using the command line
I have a Microsoft Server 2019 offline Root CA.
I want to renew the Root CA certificate, but I do not want it to be used immediately (as I want to push out the new Root CA certificate to key stores on ...
0 votes, 0 answers, 159 views
NameConstraints format for UPN values
I'm in the middle of building a new PKI and we are adding name constraints to our issuing CAs with all the usual suspects like DNS, IP, e-mails, directory names etc.
We have a potential smart card ...
0 votes, 3 answers, 5k views
When I try to log in with SSH, why am I getting the error, Permission denied (publickey)
This has dogged me for years.
Two IDENTICAL servers. Logged in to both as 'bob'.
Try to ssh from bob@server1 to bob@server2.
Permission denied (publickey).
On BOTH servers:
rm -r ~/.ssh
On server1:
...
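This question and the earlier "Permissions are too open" one both come down to mode bits: ssh and git refuse to use a private key that anyone other than its owner can read, and sshd's StrictModes rejects a ~/.ssh directory or authorized_keys file that is group- or world-writable. The following is an added example, not code from either question: a portable check of the group/other bits on a key file and a repair routine for a ~/.ssh directory, run against a constructed temporary directory so no real key is touched. One caveat for the Ubuntu-on-Windows case: a key kept on a Windows drive under /mnt/c shows up as mode 777 and chmod does not stick unless the drive is mounted with the DrvFs metadata option, so the practical fix there is to keep keys under the Linux home directory.

```shell
#!/bin/sh
# Added example (not from either question): check that a private key is
# readable only by its owner, the condition ssh and git enforce before using it,
# and restore the usual ~/.ssh modes. Run on a constructed temporary directory.
set -eu

# 0 if the group/other permission bits of file $1 are all clear, 1 otherwise.
# Reads the ls(1) mode string so it works with GNU and BSD tools alike.
private_key_perms_ok() {
  go=$(ls -ld -- "$1" | cut -c5-10)
  [ "$go" = "------" ]
}

# Apply the modes sshd's StrictModes and ssh's own key check expect.
fix_ssh_perms() {
  d=$1
  chmod 700 "$d"
  for f in "$d"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.pub) chmod 644 "$f" ;;                       # public halves may be world-readable
      *) chmod 600 "$f" ;;                           # private keys, authorized_keys, config
    esac
  done
}

# Demo: a fake key with the typical "too open" mode, checked before and after.
demo=$(mktemp -d)
printf '%s\n' 'constructed placeholder, not a real key' > "$demo/id_rsa"
printf '%s\n' 'constructed placeholder public key' > "$demo/id_rsa.pub"
chmod 644 "$demo/id_rsa"
if private_key_perms_ok "$demo/id_rsa"; then echo "before: ok"; else echo "before: too open"; fi
fix_ssh_perms "$demo"
if private_key_perms_ok "$demo/id_rsa"; then echo "after: ok"; else echo "after: too open"; fi
```

If `private_key_perms_ok` still fails after `chmod 600` on a file under /mnt/c, the filesystem is ignoring the mode, which is the Windows-drive situation described above.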
0 votes, 1 answer, 2k views
CertUtil | How does CertUtil -verifykeys work internally?
I have a CA certificate in the Local Machine Certificate Store.
When I run this command:
certutil -verifyKeys gives Key "KEYNAME" verifies as the public key for Certificate "KEYNAME" ...
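The .pfx-versus-PEM question above, this certutil -verifykeys question and the earlier "what does renewing a certificate really mean" question all reduce to one check: does a given private key correspond to the public key inside a given certificate? Two key files that look different can be the same key in two encodings (PKCS#1 "RSA PRIVATE KEY" versus PKCS#8 "PRIVATE KEY"), and a renewed certificate issued from a CSR made with the existing key carries the same public key under a new serial number and validity period. The added example below, not code from any of the questions, derives a SHA-256 fingerprint of the DER-encoded public key from each side and compares them, which is the correspondence certutil -verifykeys reports in its own words. Subject names, serial numbers and file names are placeholders.

```shell
#!/bin/sh
# Added example: one RSA key in two PEM encodings, a key/certificate match check,
# and an "original" plus "renewed" certificate issued from the same key.
# Subject names, serial numbers and file names are placeholders.
set -eu

# PEM label on the first line of a file, e.g. "RSA PRIVATE KEY" or "PRIVATE KEY".
pem_label() { sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# SHA-256 over the DER SubjectPublicKeyInfo derived from private key $1.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same fingerprint, derived from the public key carried in certificate $1.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 if private key $1 belongs to certificate $2, 1 otherwise.
key_matches_cert() { [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_cert "$2")" ]; }

# Hex serial number of certificate $1.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Build demo material in directory $1: one key as PKCS#8 and as PKCS#1, an
# unrelated key, and two self-signed certificates from the first key.
make_key_demo() {
  d=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key_pkcs8.pem" 2>/dev/null
  # OpenSSL 3 needs -traditional to write PKCS#1; 1.1.x and LibreSSL do so by default.
  openssl rsa -in "$d/key_pkcs8.pem" -traditional -out "$d/key_pkcs1.pem" 2>/dev/null ||
    openssl rsa -in "$d/key_pkcs8.pem" -out "$d/key_pkcs1.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.pem" 2>/dev/null
  # "Renewal": a new certificate for the same key, new serial, new validity.
  openssl req -new -x509 -key "$d/key_pkcs8.pem" -subj '/CN=renewal.example' \
    -days 30 -set_serial 1001 -out "$d/original.crt" 2>/dev/null
  openssl req -new -x509 -key "$d/key_pkcs1.pem" -subj '/CN=renewal.example' \
    -days 60 -set_serial 1002 -out "$d/renewed.crt" 2>/dev/null
}

work=$(mktemp -d)
make_key_demo "$work"
echo "key_pkcs8.pem label: $(pem_label "$work/key_pkcs8.pem")"
echo "key_pkcs1.pem label: $(pem_label "$work/key_pkcs1.pem")"
echo "same public key:     $(pubkey_fp_from_key "$work/key_pkcs8.pem")"
if key_matches_cert "$work/key_pkcs1.pem" "$work/renewed.crt"; then echo "key matches renewed.crt"; fi
echo "serials: $(cert_serial "$work/original.crt") -> $(cert_serial "$work/renewed.crt")"
```

Pointed at the two files from the .pfx question, `pubkey_fp_from_key key1.pem` and `pubkey_fp_from_key key2.pem` printing the same digest is the proof that they are one key in two encodings; pointed at a key and a certificate, `key_matches_cert` is the OpenSSL-side equivalent of certutil's "verifies as the public key for Certificate".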
0 votes, 1 answer, 1k views
Unable to start Apache on CentOS SSL Issue
I am unable to start Apache on a CentOS Server with SELinux. The error log gives:
[root@server httpd]# cat test-error_log
[Wed Nov 15 05:42:34 2017] [error] Init: Private key not found
[Wed Nov 15 05:...
0 votes, 1 answer, 210 views
Client to Client Communication in OpenVpn
In client to client communication in OpenVpn, can the server be separated from the network once the authentication is done?
0 votes, 2 answers, 2k views
Windows can't find the issuer of a client certificate
Hello and sorry about my bad English. I have a problem about a PKI which I did on Ubuntu using OpenSSL: when I installed the root certificate on Windows (it's a simple hierarchy: ROOT -> Intermediate -...
0 votes, 1 answer, 2k views
Certification Authority migration - cannot install Web Enrollment role
I used this to migrate a certificate authority (my root CA) from a Win2003 AD server (oldserver) to a Win2008R2 member server (newserver, with a different name). After completing this task, I wanted to ...
0 votes, 1 answer, 2k views
Microsoft PKI + Samba AD
Have you ever tried to build Samba as an Active Directory domain controller in order to install Active Directory Certificate Services?
The purpose is to have an enterprise CA with Samba AD instead of ...
0 votes, 1 answer, 6k views
How to properly install SCR3500 card reader on Mac - Mac OS X 10.6.8?
I am trying to log in to some secured site and I am required to use an SCR3500 card reader. I found and installed some drivers - http://support.identive-group.com/download_scm/download_scm.php?lang=en. ...
0 votes, 1 answer, 3k views
Windows certificate manager restore private key somehow
This may sound very strange but let me explain a situation:
I was using my PKI private key installed in Windows Certificate Storage. I got a token, so I decided to load them onto the token and delete them ...