All Questions
Tagged with tls public-key-infrastructure
339
questions
0
votes
1
answer
63
views
mTLS set up - Does it require any offline certificates exchange?
My company is exposing a few APIs to one of our partner systems (external).
We're looking at mTLS authentication here than any credentials based Auth schemes.
My understanding is,
My system (server) ...
- 101
1
vote
2
answers
100
views
Web Browser and server using ECDHE_RSA cypher suite, then what is the use of X.509 certificate public key for?
User Crover has given a very great explanation for this question:
RSA or ECDHE for x.509 certificates-what does each do?
I have one question to Crover and/or any other member.
What I understand from ...
- 11
1
vote
0
answers
300
views
SSL Certificates signed by our CA show as invalid in browser
We're experiencing an issue, where SSL server-certificates issued by our own internal PKI will show as invalid in the browser, when accessing the site.
The error is NET::ERR_CERT_INVALID (Tested in ...
0
votes
0
answers
127
views
Can I Use an OpenPGP Smart Card to Sign a TLS Certificate?
I've been looking around for smart cards with support for Ed25519. More specifically, I'd like to have a TLS CA with the private key on a YubiKey. The latest YubiKey 5 supports secp256k1, secp384r1, ...
- 6,823
1
vote
2
answers
510
views
Is a digital signature really needed?
I'm trying to understand the goal of a digital signature in PKI/TLS. I understand that digital signature provide us Data integrity, Authentication and Non-repudiation.
But, why is it necessary to use ...
- 11
0
votes
1
answer
160
views
Unable to verify certificate chain
I'm trying to set-up a certificate chain (CA root -> Intermediate CA -> Server certificate)
Here's my attempt:
Creating CA Root:
##!/usr/bin/env bash
set -xeuo pipefail
CA_DIR=server/generated/...
- 101
0
votes
0
answers
82
views
Can you sign a TLS root certificate that already exists? [duplicate]
Alice and Bob have TLS certificate authorities. My device trusts Alice's CA, and connects to servers that present a certificate rooted at Alice's CA. It does not explicitly trust Bob's CA, or the ...
- 373
0
votes
1
answer
849
views
How do TLS clients validate intermediate CA certificates?
I have read many posts related to the intermediate CA certificates and I do hope my question is not a duplication.
Where do TLS clients fetch intermediate CA certificates from?
In SSL server handshake,...
- 1,469
0
votes
0
answers
151
views
Brute force copy of PKI root certificates
If an attacker wants to create a phishing website with a fake TLS certificate, to my noob mind, there is a way to do this:
Create the fake website certificate
Create the hash for this certificate
...
- 51
0
votes
0
answers
256
views
SSL/x509 certificate/public key expiration [duplicate]
I would like to know the process of how public keys/certificates are renewed for a website. I understand the concept of CA (Certificate Authority) chains, and how the public key/certificate for a site ...
- 1
0
votes
1
answer
392
views
Over what fields is the X509 hash computed over? [duplicate]
Is this how X509 certificates are verified to be valid?
The receiver receives the certificate
Look at the issuer of the cert, and find the public key of that CA (its hardcoded in the application or ...
0
votes
0
answers
109
views
View public key(s) exchange during https handshake from the command line
It is possible to view the entire HTTPS session from start to end? Any command line I can run?
I am interested in understanding more about the exchange of the public key(s) in order to establish a ...
- 101
1
vote
1
answer
690
views
Why installing a root certificate on the client opens a door for MitM attack?
Most internet communication is now end-end encrypted using TLS. In the TLS process, the TLS server sends a PKI certificate to the user which then gets authenticated using the CA's root certificate ...
- 13
0
votes
2
answers
129
views
Trust segregation in PKI
I am designing a cloud based PKI infrastructure which issues and manages TLS certificates for telemetry devices and data server. Each customer will install multiple telemetry devices and a data server ...
- 191
0
votes
1
answer
119
views
Man in the middle attack on response from server [duplicate]
Let's assume that I am logging into my Gmail account from my browser using my username and password. I know that my input will be encrypted using Google's private key and the only one who can decrypt ...
- 111