Questions tagged [pki]
pki is short for Public Key Infrastructure, a hierarchical system to create, distribute, and verify digital certificates.
48 questions
3 votes, 1 answer, 1k views
P12 Certificate Authentication - what is the correct method
I've been able to successfully set up an IKEv2/IPSec VPN Server using certificate authentication. However, I have a general issue regarding the correct method of creating P12 user certificates.
I've ...
0 votes, 1 answer, 942 views
Installing an internal website certificate in a domain controller?
The context is a Windows domain. My end goal here is to have an internal website (Website server is domain-joined) show as "trusted" when I visit it from my domain workstation.
Currently (in ...
0 votes, 0 answers, 963 views
Create a Root CA self-signed certificate using the command line
I have a Microsoft Server 2019 offline Root CA.
I want to renew the Root CA certificate, but I do not want it to be used immediately (as I want to push out the new Root CA certificate to key stores on ...
0 votes, 0 answers, 161 views
NameConstraints format for UPN values
I'm in the middle of building a new PKI and we are adding name constraints to our issuing CAs with all the usual suspects like DNS, IP, e-mails, directory names etc.
We have a potential smart card ...
1 vote, 1 answer, 311 views
DocuSign, User Certificates, and eIDAS
Based on my understanding, in order to be eIDAS compliant, the signer's digital certificate is included in the PAdES envelope.
However, when I sign a document with DocuSign and open it with Acrobat Reader, ...
1 vote, 1 answer, 3k views
Client-based authentication via certificate signed by ROOT CA
I have generated a ROOT CA and can successfully use it for client-based authentication:
openssl req -x509 -sha256 -newkey rsa:4096 -subj "$SUBJECT" -days 3650 -keyout root_ca.key -out ...
0 votes, 1 answer, 10k views
PuTTY Private/Public Key Pair - Generate Certificate
I have generated a private/public key pair using PuTTY. I have a private key file with extension .pem and a public key file with extension .pub.
Now I want to create a certificate from that and import ...
1 vote, 1 answer, 5k views
How does Chrome use .p12 certificates?
When I import a .p12 into Chrome, it requires a password. Once supplied, it is now stored in Chrome's key store and I never need to import my password again to use it.
How does Chrome manage this? ...
2 votes, 2 answers, 68 views
PKI - certificate impact on TLS protocol
I have been learning about the TLS protocol handshake process.
From my understanding, the TLS version is decided purely by the client's OS\browser support.
And the chosen cipher suite is decided by the ...
0 votes, 1 answer, 684 views
Private keys extracted from .pfx and from separate encoded key file look different but both do work
I have a CertAndKey.pfx file and the corresponding EncryptedKey.pem, both provided by the CA.
The following commands result in 2 different decrypted key files, key1.pem and key2.pem:
openssl rsa -in ...
0 votes, 1 answer, 369 views
Mutual TLS Authentication with partner: why are they asking for our certificate?
So we are on this project with a partner that should use one of our APIs. The bosses decided the communication should use TLS mutual authentication.
On the server hosting the API, we installed long ...
1 vote, 1 answer, 35 views
HTTPS/PKI Server Public / Private keypair
In the HTTPS secure session handshake, I understand that the server presents its public key, and that the client encrypts a symmetric session key with the public key and returns it to the server.
My ...
1 vote, 1 answer, 710 views
HashiCorp Vault PKI Intermediate request missing private key
I am trying to set up a PKI structure, but when I request an intermediate CSR from Vault, no private key is sent back, neither in Terraform, where I am trying to implement it, nor via the API.
I tried:
The ...
1 vote, 1 answer, 513 views
Disable PIN caching for Virtual Smart Cards
We want to store digital certificates for PDF signing on Virtual Smart Cards. The default behavior for PIN entering is that the PIN is only entered once during a session. Is it possible to change this ...
2 votes, 0 answers, 3k views
What is the best way to set up an OCSP responder (pkicreate, OpenSSL, other)?
I set up a root and intermediate CAs with OpenSSL and started issuing server certificates. For MS RDP (RemoteApp) it required OCSP, so I also set up an OCSP responder with OpenSSL. Testing with ...