certificate-authority

“Error opening CA private key” on Windows

随声附和 submitted on 2019-12-10 11:01:29
Question: I am running on Windows Server 2003, and installed Win64 OpenSSL v1.0.1i Light. No matter what guide I follow to set it up, I always end up with the following error when trying to actually sign a certificate:
    openssl ca -in my.csr -out my.cert.pem
    Using configuration from C:\OpenSSL-Win64\bin\openssl.cfg
    Loading 'screen' into random state - done
    Error opening CA private key ./myCA/private/myCA.key.pem
    1776:error:02001003:system library:fopen: No such process:.\crypto\bio\bss_file.c:398:fopen('

Does a truststore need the sub-ca certificate?

ぐ巨炮叔叔 submitted on 2019-12-08 16:57:08
Question: I'm trying to set up a hierarchical PKI. Can I create a truststore containing only the root ca certificate, and will that mean my application trusts certificates signed by a sub-ca certificate which is in turn signed by the root ca? As an aside, it seems that you must provide an entire certificate chain, including the root ca certificate. Surely if the root ca is trusted, the certificate shouldn't need to be sent? We just want to check if the next certificate down is signed by it. Answer 1: The

Openssl verify with chained CA and chained Cert

十年热恋 submitted on 2019-12-08 12:59:49
Question: I have a certificate chain as: root CA -> intermediate CA -> org CA -> client Cert. When I verify the client cert with CA as root CA -> intermediate CA -> org CA, it works:
    $ cat org_1_ca/ca_crt.pem intermediate_ca/ca_crt.pem root_ca/ca_crt.pem > /tmp/test123.pem
    $ openssl verify -CAfile /tmp/test123.pem client/client_crt.pem
    client_crt.pem: OK
But when I chained my client cert with org CA (org CA -> client Cert), and have the rest of the chain as CA (root CA -> intermediate CA), it doesn

Solutions to web service client certificates/auth best practices

亡梦爱人 submitted on 2019-12-06 03:49:18
Question: I have a simple web service that has an API third party developers are allowed to access. The API mostly follows REST principles. I'm interested in solutions to make the API more secure by requiring developers to use client certificates. Are there any open source solutions or other implementation advice any of you have that would assist in REST based APIs using user level certificates for auth? Answer 1: My generic advice would be to keep your API separate from your authentication routines. Your

How to resolve “enter the password for credential storage” issue?

我怕爱的太早我们不能终老 submitted on 2019-12-04 17:59:21
Question: So I am playing around with Fiddler web proxy. I need to decrypt https traffic. So I am trying to put the Fiddler root CA cert in my device trust store. But it keeps asking me "Enter the password for credential storage". If I enter anything and click enter I see a Toast message saying Credential storage has been erased and the password prompt comes again. This goes on in a loop. For the record I have selected "Wifi" as the Credential use instead of "App n VPN" (not sure if that matters).

Can a SSL certificate be signed by multiple certificate authorities?

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-04 08:56:03
Question: It would be nice to spread the trust around a bit, so we don't have to rely on just one root in any instance. Is it possible to have a single certificate signed by more than one CA? Answer 1: No, the X509 certificate format up to version 3 is designed to contain exactly one signature. Answer 2: Yes, it is possible. You can find an example here: http://www.confusedamused.com/notebook/fixing-verisign-certificates-on-windows-servers/ Answer 3: Can a SSL certificate be signed by multiple certificate authorities

Solutions to web service client certificates/auth best practices

两盒软妹~` submitted on 2019-12-04 07:21:14
I have a simple web service that has an API third party developers are allowed to access. The API mostly follows REST principles. I'm interested in solutions to make the API more secure by requiring developers to use client certificates. Are there any open source solutions or other implementation advice any of you have that would assist in REST based APIs using user level certificates for auth? My generic advice would be to keep your API separate from your authentication routines. Your web server should handle the interaction for you. Solutions for your side of the client-certificate scenario

Advanced SSL: Intermediate Certificate Authority and deploying embedded boxes

眉间皱痕 submitted on 2019-12-03 13:07:49
Question: Ok Advanced SSL gals and guys - I'll be adding a bounty to this after the two-day period as I think it's a complex subject that deserves a reward for anyone who thoughtfully answers. Some of the assumptions here are simply that: assumptions, or more precisely hopeful guesses. Consider this a brain-teaser, simply saying 'This isn't possible' is missing the point. Alternative and partial solutions are welcome, personal experience if you've done something 'similar'. I want to learn something

Advanced SSL: Intermediate Certificate Authority and deploying embedded boxes

拟墨画扇 submitted on 2019-12-03 04:18:00
Ok Advanced SSL gals and guys - I'll be adding a bounty to this after the two-day period as I think it's a complex subject that deserves a reward for anyone who thoughtfully answers. Some of the assumptions here are simply that: assumptions, or more precisely hopeful guesses. Consider this a brain-teaser, simply saying 'This isn't possible' is missing the point. Alternative and partial solutions are welcome, personal experience if you've done something 'similar'. I want to learn something from this even if my entire plan is flawed. Here's the scenario: I'm developing on an embedded Linux

Multiple computers with a standard iPhone developer program

倾然丶 夕夏残阳落幕 submitted on 2019-12-03 03:55:44
Question: I have enrolled on the standard iPhone Developer Program and I've successfully created a provisioning profile for my iMac. But I also have a MacBook Pro that I use to work while I'm traveling. But with the standard iPhone Developer Program there seems to be no way to have 2 computers to work, unless I spend time revoking and re-creating/re-validating certification authorities when switching machines. Am I right? Or is there some way to use the same CA across multiple machines? Answer 1: Just copy