Questions tagged [certificate-authority]

In cryptography, a certificate authority, or certification authority, (CA) is an entity that issues digital certificates.

134 votes
7 answers
149k views

Certification authority root certificate expiry and renewal

In 2004, I set up a small certification authority using OpenSSL on Linux and the simple management scripts provided with OpenVPN. In accordance with the guides I found at the time, I set the validity ...
Remy Blank's user avatar
  • 2,025
73 votes
6 answers
21k views

Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)?

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "your grandma ...
131's user avatar
  • 887
65 votes
4 answers
24k views

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, ...
user664833's user avatar
  • 1,277
47 votes
7 answers
179k views

How to update cURL CA bundle on RedHat?

I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated. curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL ...
Andrew's user avatar
  • 3,473
41 votes
2 answers
62k views

Error code: ssl_error_rx_record_too_long

I have nginx with the following setup: server { listen 80; server_name site.com www.site.com; root /home/site/public_html; listen 443; #...
Tiffany Walker's user avatar
36 votes
4 answers
83k views

How to make Firefox trust system CA certificates?

Our network admin recently enabled HTTPS inspection on our firewall/router. For IE users this is fine because the certs have all been distributed via Active Directory for domain-joined machines. ...
Wes Sayeed's user avatar
  • 1,922
34 votes
1 answer
2k views

Trusting an untrustworthy CA - Can I restrict how system trusts it?

(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code). I'm currently responsible for maintaining a system which connects to a third-...
Dai's user avatar
  • 2,290
32 votes
2 answers
32k views

Difference between ca-bundle.crt and ca-bundle.trust.crt

On CentOS 6.5, in /etc/pki/tls/certs I have: ca-bundle.crt and ca-bundle.trust.crt With different file sizes. Which should I use as the trust path for nginx proxy_ssl_trusted_certificate.
Justin's user avatar
  • 5,388
29 votes
1 answer
142k views

What does "tlsv1 alert unknown ca" mean?

I am trying to do a curl request using a client certificate like so: curl -E my.pem https://some.site And I get the following error message: curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:...
grasevski's user avatar
  • 401
26 votes
2 answers
6k views

Can a server certificate expire after its issuer?

Most if not all server certificates that I work with expire before its issuer, but is it possible for a server certificate to expire after its issuer and does this apply to an intermediate certificate ...
Tumelo Galenos's user avatar
25 votes
5 answers
9k views

How to secure your CA's private key?

I'm about to implement my own Certification Authority (CA) for internal use only. Now there is a problem, that the CA private should never ever be exploited. So right now the private key is encrypted. ...
JMW's user avatar
  • 1,463
22 votes
3 answers
45k views

Can I create my own S/MIME certificate for email encryption? [closed]

I'm having a bit of an issue here. Bear with me as this may be a case of "not asking the right question". Background: Using Apple Mail. Want to encrypt/decrypt email but GPGMail (and apparently ...
humble_coder's user avatar
17 votes
2 answers
4k views

Why not validate self signed certificates through DNS-record instead of letsencrypt

I was just wondering. We use a lot of SSL certificates. Nowadays, we almost exclusively use letsencrypt (thanks!). The bottom line of these certificates is, that proof of ownership of the domain name(...
Jelmer Jellema's user avatar
16 votes
2 answers
8k views

Can MS Certificate Services be a Subordinate to CA created with OpenSSL

I want to set up an enterprise certification authority for my domain. So I can issue certificates for various purposes. I would like to follow the best practice of having an offline CA as the root, ...
Zoredache's user avatar
  • 131k
15 votes
2 answers
37k views

Is this SSL certificate chain broken and how to fix it?

For the SSL cert on the domain example.com, some tests tell me that the chain is incomplete and since Firefox keeps its own certificate store, it might fail on Mozilla (1, 2, 3). Others tell me it is ...
Gaia's user avatar
  • 1,885
15 votes
1 answer
6k views

Re-issuing self-signed root CA without invalidating certificates signed by it

I created a self-signed root Certificate Authority for a few internal services in our company, which I configured myself (mostly served over HTTPS). Then I created certificates for those services, ...
AngerySysadmin's user avatar
14 votes
3 answers
33k views

Difference between Microsoft ADCS Standalone CA and Enterprise CA

This is a canonical question about the different types of Microsoft Certificate Authority. I'm looking for information about the difference between Microsoft ADCS Enterprise CA and Standalone CA. When ...
Aamir's user avatar
  • 149
14 votes
3 answers
52k views

Where to get root CA certificates for Windows Server now that Microsoft no longer updates them?

Microsoft removed root CA updates from WSUS in January 2013. I now have some fresh installs of Windows Server 2012 that have an insufficient set of root CAs (basically just Microsoft's own CAs). This ...
pdubs's user avatar
  • 351
14 votes
3 answers
6k views

Windows 2008 R2 CA and auto-enrollment: how to get rid of >100,000 issued certificates?

The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and ...
HopelessN00b's user avatar
  • 53.9k
13 votes
1 answer
10k views

What happens to code sign certificates when root CA expires?

So far clear for me: If the code sign certificate itself expires, signed code will be verified/accepted in case it was signed with a time stamp. If not, the signed code is expired too. But what ...
dr_pepper285's user avatar
13 votes
2 answers
6k views

Cost of getting in-house certificate authority trusted

My company has an in-house certificate authority that is currently self-signed. Since we want to start using it for external SSL and secure email to our customers, we need to get it trusted. Does ...
James Jones's user avatar
12 votes
3 answers
3k views

Why issue a SSL certificate that expires in 2037?

In Firefox, if I view the Verisign Universal Root Certificate Authority, I notice that it expires in 2037. (Settings tab -> advanced -> view certificates -> VeriSign Universal Root Certification ...
user3298687's user avatar
12 votes
2 answers
4k views

Should a root certificate be included in a CA bundle?

I recently visited the Qualys SSL Server Test to confirm that a Namecheap certificate was installed properly. Everything looked fine except for one chain issue ("Contains anchor"): It seems that I ...
Chris Frederick's user avatar
12 votes
4 answers
33k views

Enable Certificate Enrollment Policy and Request a Cert using PowerShell

Right now, I'm doing the following to request a cert from a CEP server: Open gpedit.msc Under Computer Configuration > Windows Settings > Security Settings > Public Key Policies, double click "...
EGr's user avatar
  • 609
11 votes
6 answers
2k views

Replacing sick NTP server source and re-synching (with internal time currently 2 minutes late)

One of the external NTP servers (the primary one--currently) we're using as source seems to not be responding to NTP calls. Unfortunately, on our core router (Cisco 6509), the NTP functionality hasn'...
l0c0b0x's user avatar
  • 12k
11 votes
1 answer
72k views

apache ssl - unable to get local issuer certificate

Somehow just today suddenly my seafile client threw this error. I don't believe it's a seafile issue, because my openssl throws the exact same error: user@nb-user:~$ echo |openssl s_client -connect ...
Dionysius's user avatar
  • 223
11 votes
4 answers
51k views

Importing ca-certificate chain (.crt) - RHEL7

I am fairly new to this but I've done some internet research the last 2 days and I couldn't find a suitable answer. I have been given a ca-certificate chain (cacertchain.crt) which I need to import ...
daelas's user avatar
  • 331
11 votes
2 answers
34k views

Install a root certificate in CentOS 6

I know it has been already asked, but despite many hours of research I couldn't find a working solution. I am trying to install my root certificate in my server, so internal service can bind to each ...
John White's user avatar
11 votes
2 answers
1k views

How can I set up Certificate Transparency if my CA doesn't support it?

I think many of you have actually heard of Google's Certificate Transparency initiative. Now the initiative involves a public log of all certificates issued by some CA. As this is some amount of work, ...
SEJPM's user avatar
  • 367
10 votes
2 answers
9k views

Do web Servers send the certificate chain to the Web Client?

If my web server (latest Apache) has a valid (not expired or revoked) Verisign certificate chain (root -> intermediate -> leaf/my server), then does the server send the entire(?) chain to the client? ...
mellow-yellow's user avatar
10 votes
1 answer
21k views

SSL certificate: unable to get local issuer certificate [closed]

I'm running Debian (Lenny). When I run this: curl --ssl https://www.google.com I get this error: curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: http:/...
celwell's user avatar
  • 203
10 votes
2 answers
11k views

Trusted root certificate being automatically removed from store

I have a trusted third party's root certificate. I install this to the 'Trusted Root Certification Authorities' certificate store in Windows Server 2008, but it disappears from the certificate store ...
dan's user avatar
  • 281
10 votes
1 answer
19k views

Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome

I am creating https server side that I am using to practice OAuth to Instagram which requires https. I generated a certificate using ssl by running the script from the following link: https://gist....
alexW's user avatar
  • 101
10 votes
1 answer
1k views

Utilizing an alternate CA (Like Microsoft Certificate Services) with Puppet

I'm investigating whether I can somehow make the puppet ecosystem utilize our existing Microsoft Enterprise CA rather than being its own CA. Since puppet touts that all of the system is "standard SSL"...
Peter Grace's user avatar
  • 3,456
9 votes
2 answers
3k views

Creating sub certificates from a root certificate (SSL) [duplicate]

If I purchase a signed certificate for example.com, can I then produce sub-certificates for a.example.com and b.example.com? These sub-certificates would have PEM files whose privacy cannot be ...
chrism2671's user avatar
  • 2,609
9 votes
2 answers
33k views

How do you configure Apache/Tomcat to trust internal Certificate Authorities for server-to-server https requests

I need to perform web service calls from within my own web server running on Apache/Tomcat. Apache/Tomcat running on Linux needs to make calls out to a Microsoft server running IIS over HTTPS that ...
Kirk Liemohn's user avatar
9 votes
2 answers
4k views

Powershell Remotely Delete PKI Certificates

I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for Powershell! So I wrote this script to be ...
Byron C.'s user avatar
  • 747
8 votes
2 answers
20k views

How do I issue multiple certificates for the same Common Name?

I am creating a Certificate Authority for an intranet. I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has ...
spraff's user avatar
  • 549
8 votes
1 answer
13k views

My GoDaddy! certificate is not trusted by iOS devices but it is trusted by Android and Windows devices

I’ve deployed some Radius servers (Windows Server 2012 R2 with NPS). They use PEAP-MSCHAP-V2 for authentication with a SAN Go Daddy Certificate. They are deployed in order to handle Wi-Fi connections....
user378997's user avatar
8 votes
2 answers
7k views

How does IE/Chrome know which Intermediate CA to use when not part of chain?

A server on my network is signed with a certificate issued by RapidSSL CA but does not supply the complete issuer chain (RapidSSL CA's certificate is issued by GeoTrust CA which is a trusted root ...
Wilhelm Kleu's user avatar
8 votes
1 answer
23k views

Publish root CA and sub ca certificate to the Trusted root certificate store

I have a root CA which is standalone and I have subordinate CA which is domain joined. I recently renewed the certificate of my root CA and sub CA. How do I push these certificates in the trusted root ...
user227931's user avatar
8 votes
4 answers
3k views

Man In The Middle Attacks vs. SSL Certificate Authorities

What stops someone from MITM-attacking the request to the certificate authority to verify the certificate? Does the browser come pre-loaded with the public keys of the trusted certificate authorities (...
scotjam's user avatar
  • 83
8 votes
3 answers
4k views

Windows 2012R2 seems to automatically download and install intermediate root certificates

Whilst preparing a new Windows 2012R2 server for production I needed to install a (GlobalSign Domain) SSL certificate for the website powering our application. I did this by generating a certificate ...
Kev's user avatar
  • 7,887
8 votes
2 answers
26k views

Configuring client certificate authentication in apache

I am trying to set up part of a Virtualhost in apache to require client authentication. The VirtualHost in question also acts as a reverse proxy for the actual web server. Here's what I have done: ...
DanielGibbs's user avatar
8 votes
1 answer
2k views

What happens to encrypted mails when CA certificate expires in my Windows Domain

Does anybody know what will happen to encrypted/signed mails when a root authority certificate expires in my domain network? Can the certificate still be validated from the clients and will the ...
Wolfgang's user avatar
  • 107
8 votes
2 answers
5k views

IIS no longer trusts any CAs for client authentication

Yesterday the IIS on our build server (running Windows Server 2012) started refusing our clients' certificates. The certificates are signed using our own self-signed CA cert that has been added to ...
Yrlec's user avatar
  • 230
8 votes
1 answer
2k views

Deploy internal CA to linux clients

I have a large number of workstations that run RedHat Enterprise Linux 5 and 6. I'd like to deploy our new internal CA (Active Directory) to these machines. I can manually import the certificate ...
Kyle Smith's user avatar
  • 9,733
8 votes
2 answers
755 views

Windows PKI: How can I import, sign/issue and export a large number of CSRs?

I have a lot of CSRs that I need to have signed/issued and exported in windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure ...
user183178's user avatar
7 votes
4 answers
8k views

In theory, could a CA make a certificate that is valid for arbitrarily long?

In other words, could a CA issue a certificate that expires in 2 millennia, for example?
jcao219's user avatar
  • 173
7 votes
2 answers
28k views

Can't make httpd use correct SSL

I have a signed CA, issued by my university. I generated my CSR using their public key file as so: openssl genrsa -out myservername.key 2048 (new key) openssl req -new -key myservername.key -out ...
monkeymatrix's user avatar
