x509

问题 My company has written an API to expose our application data to our clients. We've completed the endpoints and now want to secure the API. The API will only be used by pre-approved clients so no anonymous access is needed. I've been told that we can use an x.509 certificate that we generate to identify and authenticate each client. By identifying, I mean embedding a client code in the certificate that we issue to each client (is this even possible?). As you can probably tell I have little

问题 I'm using Spring Security (v3.1.3) for X.509 authentication in my web-application. Users and roles are stored in the Database, but I don't actually need to do it, as CNs of client certificates conform to "[ROLE] - [USERNAME]" schema, which means I already have username and role from the certificate itself. So how to eliminate the database without too much effort? Should I write my own implementation of user-service, which will populate UserDetails, or is there more graceful method? 回答1: Yes,

问题 For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

问题 For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

问题 For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

问题 I thought I understood, but it is not working! I read among others http://binblog.info/2010/02/02/lengthy-chains/ which is the cleanest explanation I found. Background: Comodo's cheap PositiveSSL server certificate came with a root and two intermediate CA certificates (I replaced my FQDN with myserver.com): $ unzip ../myserver_com.commodo.certificate.zip Archive: ../myserver_com.commodo.certificate.zip extracting: AddTrustExternalCARoot.crt extracting: COMODORSAAddTrustCA.crt extracting:

问题 On certain sites the certificate chain can not be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage,

问题 On certain sites the certificate chain can not be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage,

问题 Most (all?) the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential() , but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that. How do I create a signing certificate and use it in IdentityServer4 in production? 回答1: Create certificate and add to machine's certificate store I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a

问题 I'm using the keys available in mongodb docs for a self-signed certificate using X509 authentication with a Node.js Driver. When trying to connect to the database I get the following error: MongoNetworkError: failed to connect to server [pedro.com:57040] on first connect [MongoNetworkError: unable to verify the first certificate] Despite that error, I am sure that the connection works as I am using Studio 3T and everything is up and running by using the same certificates. So my question is...