Questions tagged [x509]
X.509 is an ITU-T standard commonly used for public key infrastructure (PKI) and for privilege management infrastructure (PMI).
115
questions
65
votes
9
answers
147k
views
How to split a PEM file
Note : This is not really a question because I already found the answer but since I didn't find it easily here I will post it so that it can benefit others.
Question : How to read a concatenated PEM ...
37
votes
3
answers
216k
views
Import of PEM certificate chain and key to Java Keystore
There are plenty of resources out there about this topic, but none I found which covers this slightly special case.
I have 4 files;
privatekey.pem
certificate.pem
intermediate_rapidssl.pem
...
36
votes
2
answers
64k
views
Save Remote SSL Certificate via Linux Command Line
Can you think of any linux command-line method for saving the certificate presented by a HTTPS server? Something along the lines of having curl/wget/openssl make a SSL connection and save the cert ...
34
votes
1
answer
2k
views
Trusting an untrustworthy CA - Can I restrict how system trusts it?
(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code).
I'm currently responsible for maintaining a system which connects to a third-...
29
votes
5
answers
3k
views
Is a Self Signed SSL Certificate a False Sense of Security?
Is a Self Signed SSL certificate a false sense of security?
If you are being eavesdropped, the user will simply accept the certificate like he/she always does.
24
votes
9
answers
20k
views
Can I be my own trusted CA via a signed intermediate certificate?
Can I get a certificate from a root CA that I can then use to sign my own web server certificates? I would, if possible, use a signed certificate as an intermediate to sign other certs.
I know that I ...
13
votes
1
answer
8k
views
OCSP responder not present?
Am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. Found excellent tutorials at for example OpenSSL: Manually verify a certificate against an OCSP....
10
votes
1
answer
11k
views
extracting raw ASN.1 parts from X.509 certificate
I'd like to extract raw hex ASN.1 data from X.509 certificate. I know, that I can do this by using DER format and hexdumping it.
I'm interested in particular parts like "subject", "issuer" and their ...
9
votes
3
answers
19k
views
How to configure IIS Express to ask for client certificate
Does anybody know how to configure IIS Express to require client certificate for access?
I'm trying to debug a problematic ASP.NET application which uses client certificates for authentication.
8
votes
2
answers
3k
views
Is it possible to generate openssl configuration file from an existing x509 certificate?
I am looking for a way to restore openssl configuration from an X509 certificate (or a csr).
I know it's possible to look at the certificate and manually reconstruct the config file but it's ...
7
votes
2
answers
2k
views
Revoked SSL certificate
We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK
To help handle our webhooks. We've started receiving the exceptions:
PayPal.PayPalException: Unable to verify the certificate(s)...
7
votes
2
answers
7k
views
Limit on X509v3 Subject Alternative Name DNSname length
I have been searching through RFC 5280, 1034, and 1123 trying to figure out what a max string length is, but I can't find it. I'm wondering if any of you happen to know.
For those of you who know ...
6
votes
4
answers
3k
views
When does this SSL certificate expire?
Below are the results from testing the SSL certificate at https://www.ssllabs.com/ssltest/analyze.html?d=bungalowsoftware.com
It looks like we have two certificates. Am I reading that right?
Does ...
6
votes
7
answers
24k
views
OpenSSL x509 Purpose flag "Any Purpose" What is this?
Looking at the details of a certificate using the following:
openssl x509 -noout -text -purpose -in mycert.pem
I find a bunch of purpose flags (which I've discovered are set by the various ...
6
votes
1
answer
12k
views
openssl certificate chain lost when converting from pem to der
I have a certificate chain in .pem format from Letsencrypt, called fullchain.pem
It has 2 certificates in the chain:
keytool -printcert -v -file fullchain.pem |grep "Certificate fingerprints" |wc -l
...
6
votes
1
answer
2k
views
X509 certificates - Are there any naming conventions?
What are the naming conventions when buying certificates, if any?
When buying a cert for TLS/HTTPS for a particular Server, naturally I will default to the server's name. For example, if the server is ...
5
votes
2
answers
12k
views
Can you generate a self signed certificate on Windows Server using CLI tools like certreq and certutil?
I need to quickly generate a self signed certificate on a Windows Server.
I'd like to use the standard CLI tools that ship with it.
I know I can use openssl.
5
votes
1
answer
17k
views
OPENSSL Save x509 certificate of a website
I can see the certificate with this command
openssl s_client -host {HOST} -port 443 -prexit -showcerts
How can I save the x509 cert of the website in a PEM - File?
5
votes
1
answer
12k
views
Apache not Forwarding Client x509 Certificate to Tomcat via mod_proxy
I am having difficulties getting a client x509 certificate to be forwarded to Tomcat from Apache using mod_proxy.
From observations and reading a few logs it does seem as though the client x509 ...
5
votes
1
answer
8k
views
MongoDB rs.initiate error: replSetInitiate quorum check failed because not all proposed set members responded affirmatively
I have to start my own replica set with internal authentication enabled using X.509 certificates, but I failed. Any advice is welcome.
MongoDB 3.2 x64 on Debian 8.2 x64.
It is a problem from the ...
4
votes
2
answers
2k
views
Can I restrict an intermediate CA to only sign client certificates?
I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate ...
4
votes
1
answer
357
views
x509 extensions: can the "extnValue" be empty?
I'm writing a script that parses x509 certificates. x509 v3 certificates have extensions which are an ASN.1 sequence containing an OID, a critical flag, and an octetString called extnValue.
For the ...
3
votes
2
answers
4k
views
Any open source web based X509 PKI tool? [closed]
Want to setup a CA, but it's hard to find a good web based X509 PKI tool, any recommend?
3
votes
1
answer
396
views
How does one change the certificate and key for https
We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ...
3
votes
1
answer
18k
views
x509 certificate not valid for any names when added IP address to openssl.cnf
A self-signed certificate works well while the command used to generate it on a ubuntu machine is:
openssl req -x509 -newkey rsa:4096 -keyout private.key -out cert.crt -days 365 -nodes
If the ...
3
votes
0
answers
2k
views
The revocation function was unable to check revocation for the certificate 0x80092012
Please help me to deal with self-signed revocation check
I've used makecert.exe to create root and client certificate
The problem is that certutil fails to check certificate with error
The ...
3
votes
0
answers
657
views
Is there an extension of host to host ipsec to a many-many configuration?
Having a typical host to host transport mode ipsec configuration,
conn appserver01-to-swift01
[email protected]
left=10.133.176.246
leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxx
...
3
votes
3
answers
420
views
Client-side certificates
My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works.
Now I'm required to ...
2
votes
2
answers
17k
views
Openssl Custom Extension
I know how to create x509 certificates with the openssl command line. But now I want to create one with a custom extension. How can I do this with openssl command line?
2
votes
2
answers
11k
views
Create DER certificate+key from PEM
I'm not sure if it's even possible. Also, OpenSSL is one ugly motherlover of an utility :/
I need to upload certificate+private key as DER to ESET Security Management Center (ESMC), at least ...
2
votes
2
answers
2k
views
DER encoded hash
according to the manpage of stunnel4
the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert (the first 4 bytes of the ...
2
votes
2
answers
7k
views
Can you re-use a SSL certificate across platforms?
Let's say I want to buy a wildcard SSL that I can use for web servers, spanning across a multitude of different servers and platform.
I could issue a CSR for each and every one of them, with their ...
2
votes
2
answers
2k
views
Why would Chrome ignore the X509v3 Subject Alternative Name in my cert?
I have a cert that includes an X509v3 Subject Alternative setting, but Chrome 67.0.3396.99 is saying the Subject Alternative Name is missing even though it looks like it's included in the cert.
Here's ...
2
votes
1
answer
16k
views
Why can't I enter a PEM Pass Phrase in the prompt? [duplicate]
I am trying to install an SSL certificate on my WAMP server.
W:\wamp\bin\apache\apache2.2.22\bin>echo %OPENSSL_CONF%
w:\wamp\bin\apache\apache2.2.22\conf\openssl.cnf
W:\wamp\bin\apache\apache2.2....
2
votes
1
answer
82
views
How to make Certbot respect Debian standards for certificate deployment?
Certbot seems to manage X.509 certificates and private keys in its own directory structure in /etc/letsencrypt.
On Debian-based systems (including Ubuntu, Linux Mint and others) X.509 certificates are ...
2
votes
4
answers
315
views
Is there a provider that offers free SSL certificates that don't give a warning in Firefox 4?
I am looking to install SSL certificates for frequently used https services. I used to use StartSSL for this, but they "temporarily" stopped offering their services.
I wonder if there are any other ...
2
votes
1
answer
3k
views
Client-side certificates (Apache, Linux, OpenSSL)
My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works.
Now I'm required to ...
2
votes
3
answers
3k
views
Forwarding logs from rsyslog to graylog over tls
I'm trying to forward logs from rsyslog to graylog over tls.
rsyslog configuration:
# make gtls driver the default
$DefaultNetstreamDriver gtls
#
# # certificate files
$DefaultNetstreamDriverCAFile /...
2
votes
1
answer
899
views
How to setup a reverse proxy to enable HTTP access with basic authentication to an internal HTTPS server that requires a certificate
We have an internal server that requires x509-based authentication, but I've been requested to open it up with a basic user/password authentication.
I've been trying to setup a reverse proxy in ...
2
votes
2
answers
1k
views
Can I restrict SSL access to Tomcat by Extended Key Usage?
I'd like to restrict the SSL access to a Tomcat instance using certificates, and not relying on any "user" accounts.
I have a CA which is being used to sign the certificates, but if I configure ...
2
votes
1
answer
113
views
What happens if the startdate of a CA is later than the startdate of a X509 certificate signed by it?
I am in the process of extending the lifetime of a private CA creating a new certificate with the same name, serial number, private/public keys, etc. The only change would be the "startdate" ...
2
votes
1
answer
3k
views
Finding out if a certificate is due for renewal without triggering the actual renewal with Certbot
I am trying to use Certbot to allow for semi-automated certificate updates. I don't want fully-automated updates to avoid automatic certificate replacements that could interrupt business and ensure ...
2
votes
1
answer
858
views
Why OCSP stapling on NGINX for "buypass" DV certs fails without explicit root declaration?
tl;dr
For buypass DV certs fetched by certbot I need to explicitly tell NGINX to trust buypass root cert to enable OCSP stapling. This is not the case for Let's Encrypt certificates and I cannot ...
2
votes
1
answer
450
views
Limiting power of a trusted certificate
I am creating a site with my own CA and signing client certs with it. The clients will need to add my CA as a trusted source, but for security reasons I don't want them to blindly trust everything ...
2
votes
1
answer
4k
views
REMOTE_USER = SSL_CLIENT_S_DN_CN under x509 with +FakeBasicAuth in Apache. Is it possible?
Hi I'm trying to incorporate a software to our intranet services (BackupPc)
This Software uses the environment variable REMOTE_USER to get the username. Placed under an Apache 2.2 server with Client ...
2
votes
0
answers
28
views
Client certificates and custom revoked html
I can configure Apache to authenticate users with client certificate and validate them via OCSP. Do you know how can I redirect the user to a custom html page if the certificate is revoked? The ...
2
votes
0
answers
856
views
OpenSSL - Create Cross Intermediate Certificate from 2 Root CAs
Good evening all,
I have 2 servers running in different datacenters which are both connected using OpenVPN.
Both servers have their own ca-server who is able to sign new certificates using ...
2
votes
0
answers
211
views
Trust certificate for OCSP, but not for client certs?
According to the nginx docs, you can specify certificates to be trusted for both OCSP response and client certificate verification:
ssl_trusted_certificate / ssl_client_certificate
Specifies a ...
2
votes
0
answers
303
views
Tomcat 7: how to log x509 cert dn with AccessLogValve
I have Tomcat7 running on RHEL6 with mutual authentication using x509 certificates for the entire container.
From the user point of view in the browser, everything seems to work fine with a cert ...
2
votes
1
answer
393
views
Alternatives to a Trusted Root certificate
Given a SSL-protected site that was formerly whitelisted (Allow from x.x.x.x etc), and a requirement from a customer to change the way authentication works, to use X.509 HTTPS Client verification. ...