Questions tagged [pki]
Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.
236 questions
1811 votes · 3 answers · 2.1m views
What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I Google for tutorials and beat away until it finally works.
However, in my searches ...
48 votes · 4 answers · 87k views
How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?
I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able ...
25 votes · 1 answer · 63k views
easyrsa vars options for PKI generation
I am using OpenVPN and whilst I can generate certificates using easyrsa just fine I don't really understand the settings in the easyrsa vars file:
export KEY_COUNTRY=""
export KEY_PROVINCE=&...
16 votes · 3 answers · 5k views
Is there reserved OID space for internal enterprise CAs?
When provisioning a PKI for internal use, is there a private OID space that can be used without having to pay and/or register your own OID range? Think RFC1918 addresses for OID ranges.
10 votes · 2 answers · 9k views
Do web servers send the certificate chain to the web client?
If my web server (latest Apache) has a valid (not expired or revoked) Verisign certificate chain (root -> intermediate -> leaf/my server), then does the server send the entire(?) chain to the client? ...
10 votes · 2 answers · 6k views
Smart card authentication to a Cisco switch?
We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This ...
9 votes · 2 answers · 4k views
PowerShell: Remotely Delete PKI Certificates
I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for Powershell! So I wrote this script to be ...
8 votes · 2 answers · 20k views
How do I issue multiple certificates for the same Common Name?
I am creating a Certificate Authority for an intranet.
I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has ...
8 votes · 2 answers · 755 views
Windows PKI: How can I import, sign/issue and export a large number of CSRs?
I have a lot of CSRs that I need to have signed/issued and exported in Windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure ...
7 votes · 4 answers · 33k views
Why does OpenVPN give the error: "unsupported certificate purpose" for an intermediate certificate?
EDIT: I'm really sorry to have to say that the problem has magically fixed itself and I have no idea why. In response to one of the answers, I removed all EKU from the CA chain and it didn't work. ...
6 votes · 1 answer · 4k views
SSH authentication sequence and key files: explain
As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and ...
6 votes · 2 answers · 10k views
How to bundle intermediate certs into one file
I manage an Apache web server for a government site. The SSL cert will expire in a few weeks, so they sent me a zip file with 3 intermediate certs and the SSL certificate (I have the private key from ...
5 votes · 1 answer · 4k views
What is the purpose of a custom Certificate Trust List?
You can create and deploy a certificate trust list as detailed here, but I'm trying to understand the advantages of this over just deploying root and intermediate certs with group policy the normal ...
5 votes · 3 answers · 409 views
How to prevent a user from using a private key after leaving the organization?
In the enterprise environment, each user was issued a key pair for encrypting/signing. Since they have the private key, that means they can decrypt any file that is encrypted for them, even after ...
5 votes · 2 answers · 1k views
Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?
I'm using the Enterprise PKI snap-in to diagnose and check the health of a MSFT PKI system.
Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?...
5 votes · 2 answers · 1k views
How to tell if an (offline) SSL certificate has been revoked
I would like to know whether an SSL certificate was revoked. The website no longer serves up that certificate, I only have the domain name and the serial number.
The SSL certificate was replaced 5 ...
5 votes · 1 answer · 189 views
How does this 2048-bit SSL requirement affect existing internal PKIs?
We have our own CA which we've used for years to create hundreds of server certs and thousands of client certs. The CA cert itself is 1024-bit and the certs it signed are 1024-bit.
Symantec has been ...
5 votes · 1 answer · 472 views
Using an audio cable (or similar) to create unidirectional communication from a secure server
I'm interested in exploring how a semi-offline Root CA can be used to update CRLs to the sub-CAs. This answer on Security.SE mentions using an audio cable for this purpose.
Does anyone have details ...
5 votes · 3 answers · 381 views
PKI keys per service or per server?
We all have a lot of internal services that need encryption and authentication to be provided by some sort of PKI.
Do the security gains of using a different private/public key pair for each service ...
4 votes · 1 answer · 6k views
Multiple CAs on Windows Server 2012
Is it possible to create multiple Certificate Authorities in Windows Server 2012?
Specifically: I'd like to create a standalone root CA which will have its private key in offline secure storage. The ...
4 votes · 2 answers · 2k views
Can I restrict an intermediate CA to only sign client certificates?
I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate ...
4 votes · 2 answers · 2k views
Windows PKI with offline root (maybe with OpenSSL) - Possible?
I'm trying to set up a two-tier PKI and I have a ton of questions.
Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I ...
4 votes · 1 answer · 1k views
JRE fails to establish LDAPS connection with AD after RootCA cert imported to cacerts truststore
LDAPS is working through ldp.exe and through a number of other programs on windows and linux systems that do not appear to require the Root Cert. at all. Some programs which use JSSE fail to connect ...
4 votes · 2 answers · 1k views
How can I view/export/determine the configuration of a Windows ADCS CA?
I'm in the process of setting up a new root ADCS (Active Directory Certificate Server) certificate authority for a child domain in a multi-forest environment that already has a number of existing CAs. ...
4 votes · 1 answer · 4k views
How should I configure a CAA DNS record for use with the AWS Certificate Manager
AWS Route 53 now allows the creation of CAA records to restrict the certificate authorities that may issue a certificate for a domain. I'd like to use an issue directive to restrict the issue of ...
4 votes · 2 answers · 4k views
Why might Windows falsely claim a self-signed root CA certificate is revoked?
I created a self-signed root CA cert for internal test use, using openssl. This has been successfully installed and used as a trusted CA on a number of machines and platforms (Windows, Linux, various ...
4 votes · 1 answer · 2k views
Why does Windows CA Server issue multiple certificates for the same user?
I am currently implementing an EAP/TLS Wi-Fi implementation to replace our EAP/MSCHAP2 Wi-Fi implementation. I am using Windows Server 2008 and I've installed a certificate authority. User certificates ...
4 votes · 1 answer · 5k views
Windows Server 2019 ADCS - Unable to Install Subordinate CA Certificate
I am setting up a two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (Server 2019) and an online Enterprise Subordinate CA (also Server 2019).
I've ...
4 votes · 1 answer · 2k views
Windows 2003 x32 CA to Windows 2008 x64 CA migration
In the following period I have to migrate the AD over to 2008 schema level.
I currently have a x64 Windows 2008 R2 domain controller and one x32 Windows Server 2003 domain controller. The x32 server ...
4 votes · 0 answers · 5k views
Active Directory Certificate Services cannot publish revocation list after renewal with new private key
In summary:
I had a working offline root CA and an AD integrated CA working fine
I renewed the certificate with the same private key and all was good
I then renewed the certificate with a new ...
3 votes · 3 answers · 1k views
Server ssh certificate chain against MITM attacks?
During first contact with a server via ssh, the server's public key of the chosen key algorithm is presented to the user to validate it. After validation, the result is usually saved into the ~/.ssh/...
3 votes · 2 answers · 31k views
How secure is SFTP? Is there any benefit in encrypting traffic with PKI as well?
I am working with a client that requires the use of secureFTP for file transfer and is also advocating the use of sLift EZ Classic (command-line file encryption using PKI) on top of SFTP.
Is this ...
3 votes · 2 answers · 806 views
Can I find local ssh private key from remote fingerprint? [duplicate]
Possibly I am missing something obvious, but after getting fed up with the 5-key limitation of ssh-agent I started looking for ways for better ssh key management.
If I create a new ssh key pair using ssh-...
3 votes · 2 answers · 180 views
Certificate distribution and management
I am planning to set up a PKI for our organization as we're fed up with all of these security warnings when using self-signed certs. I want an offline root CA and two issuing CAs and I want to set that ...
3 votes · 3 answers · 3k views
What books will help me learn everything I can about SSL/PKI? [closed]
Since SSL is the backbone of the internet (now technically called TLS), what are some good books I should read up on to understand all aspects of it?
I suppose I'll need to learn some math, some PKI ...
3 votes · 1 answer · 354 views
Hierarchical certification authorities and CRLs
If I implement a PKI with multiple levels of CAs, do I need to have a CRL for each individual CA or can I just have one CRL for the entire hierarchy (i.e. point all certificates to a single CRL), or ...
3 votes · 1 answer · 2k views
Wildcard cert for local SSL Certificate Authority?
This seems like it should work, but PKI is complicated and I'd like to ask people who can give an authoritative answer.
BACKGROUND:
I am the network engineer for a company; for sake of argument we'...
3 votes · 1 answer · 6k views
Removing LDAP from CDP & AIA in a Microsoft PKI
A default installation of a Microsoft PKI running Windows 2012 R2 includes LDAP URLs within CRL distribution points (CDPs) and Authority Information Access (AIA).
I want to issue certificates ...
3 votes · 1 answer · 5k views
802.1x certificates, EAP-TLS, RADIUS and Windows machines
When using 802.1x certificate-based authentication on Windows machines, should I use a different certificate for each machine?
There is a RADIUS server running in the network, the machines use EAP-TLS to ...
3 votes · 1 answer · 49k views
Revocation status of DC can't be verified
A Domain Controller within my forest was working fine (as the story usually goes).
Then, suddenly, I can't logon with my smart card. Instead, I'm greeted with the following message:
The system ...
3 votes · 1 answer · 19k views
Child domain new cert request - certificate template permissions do not allow current user to enroll 0x80094012
I have the following AD configuration:
rootca (standalone not domain connected)
mydom.local
dc1.mydom.local
svr1.mydom.local
subca.mydom.local(enterprise subordinate CA)
other.mydom.local
dc1....
3 votes · 1 answer · 2k views
Template issues certificate with longer validity than CA certificate, what happens? [duplicate]
I am wondering what will happen when a certificate template with a 2-year validity period (for example) issues a certificate while the CA certificate expires in 1 year.
I can think of 2 things that ...
3 votes · 1 answer · 3k views
How can I make OpenVPN use my CA's CRL Distribution Points when verifying certificates?
I have an existing PKI into which I am trying to integrate an OpenVPN server. I have included CRL Distribution Points into each CA certificate in my chain and I publish the CRLs at a location that is ...
3 votes · 1 answer · 3k views
Microsoft Certificate Authority Provider Compatibility
So we are a mid-size enterprise refreshing our Microsoft PKI and looking to leverage it heavily across the org for many things, i.e. server to server/workstation encryption, wireless TLS encryption/...
3 votes · 1 answer · 6k views
SSL chain verification problems - Barracuda load balancer
I've installed a new SSL certificate using SHA1 hashing. I'm using a security certificate by GeoTrust SSL CA - G2, but with web services communications I'm getting a PKIX error.
The following page:
https://...
3 votes · 1 answer · 7k views
OpenVPN with a Windows Certificate Services PKI
Has anyone tried using OpenVPN with certificates generated by Windows Certificate Services?
In theory this should work.
The provided easy-rsa PKI is not very comfortable to manage for many users. I do ...
3 votes · 1 answer · 2k views
Do I need Active Directory Certificate Services
I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug ...
3 votes · 1 answer · 118 views
Smart card removal behavior and card renewal
My customer is planning to introduce a new policy regarding smart card removal in their Windows environment, most probably session break since it's a Citrix environment. Microsoft documentation on the ...
3 votes · 0 answers · 829 views
PKI Authentication in HTTPD using Active Directory (LDAP)
In my environment, an external entity provides a Root CA & Intermediate CA(s). They issue thousands of smartcards with PKI certificates for authentication. They provide the Client Authentication ...
3 votes · 0 answers · 74 views
Creating a CA signing chain when there wasn't one before
Here is the problem...
3 years ago we created a multi-datacenter setup, with as little cross-DC resource dependencies as we could make. Different AD sites. Different puppetmasters. Different syslog ...