
Questions tagged [x509]

X.509 is an ITU-T standard commonly used for public key infrastructure (PKI) and for privilege management infrastructure (PMI).

65 votes
9 answers
147k views

How to split a PEM file

Note : This is not really a question because I already found the answer but since I didn't find it easily here I will post it so that it can benefit others. Question : How to read a concatenated PEM ...
Cerber
  • 1,271
37 votes
3 answers
216k views

Import of PEM certificate chain and key to Java Keystore

There are plenty of resources out there about this topic, but none I found which covers this slightly special case. I have 4 files; privatekey.pem certificate.pem intermediate_rapidssl.pem ...
Trollbane
  • 473
36 votes
2 answers
64k views

Save Remote SSL Certificate via Linux Command Line

Can you think of any linux command-line method for saving the certificate presented by a HTTPS server? Something along the lines of having curl/wget/openssl make a SSL connection and save the cert ...
34 votes
1 answer
2k views

Trusting an untrustworthy CA - Can I restrict how system trusts it?

(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code). I'm currently responsible for maintaining a system which connects to a third-...
Dai
  • 2,299
29 votes
5 answers
3k views

Is a Self Signed SSL Certificate a False Sense of Security?

Is a Self Signed SSL certificate a false sense of security? If you are being eavesdropped, the user will simply accept the certificate like he/she always does.
Andre
  • 1,351
24 votes
9 answers
20k views

Can I be my own trusted CA via a signed intermediate certificate?

Can I get a certificate from a root CA that I can then use to sign my own web server certificates? I would, if possible, use a signed certificate as an intermediate to sign other certs. I know that I ...
Clint Miller
  • 1,141
13 votes
1 answer
8k views

OCSP responder not present?

Am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. Found excellent tutorials at for example OpenSSL: Manually verify a certificate against an OCSP....
Robert Weaver
10 votes
1 answer
11k views

extracting raw ASN.1 parts from X.509 certificate

I'd like to extract raw hex ASN.1 data from X.509 certificate. I know, that I can do this by using DER format and hexdumping it. I'm interested in particular parts like "subject", "issuer" and their ...
mighq
  • 395
9 votes
3 answers
19k views

How to configure IIS Express to ask for client certificate

Does anybody know how to configure IIS Express to require client certificate for access? I'm trying to debug a problematic ASP.NET application which uses client certificates for authentication.
Marko
  • 341
8 votes
2 answers
3k views

Is it possible to generate openssl configuration file from an existing x509 certificate?

I am looking for a way to restore openssl configuration from an X509 certificate (or a csr). I know it's possible to look at the certificate and manually reconstruct the config file but it's ...
cyc115
  • 183
7 votes
2 answers
2k views

Revoked SSL certificate

We're using Paypal SDK here: https://github.com/paypal/PayPal-NET-SDK To help handle our webhooks. We've started receiving the exceptions: PayPal.PayPalException: Unable to verify the certificate(s)...
Tom Gullen
7 votes
2 answers
7k views

Limit on X509v3 Subject Alternative Name DNSname length

I have been searching through RFC 5280, 1034, and 1123 trying to figure out what a max string length is, but I can't find it. I'm wondering if any of you happen to know. For those of you who know ...
John Ruiz
  • 343
6 votes
4 answers
3k views

When does this SSL certificate expire?

Below are the results from testing the SSL certificate at https://www.ssllabs.com/ssltest/analyze.html?d=bungalowsoftware.com It looks like we have two certificates. Am I reading that right? Does ...
Clay Nichols
  • 1,523
6 votes
7 answers
24k views

OpenSSL x509 Purpose flag "Any Purpose" What is this?

Looking at the details of a certificate using the following: openssl x509 -noout -text -purpose -in mycert.pem I find a bunch of purpose flags (which I've discovered are set by the various ...
Nick
  • 203
6 votes
1 answer
12k views

openssl certificate chain lost when converting from pem to der

I have a certificate chain in .pem format from Letsencrypt, called fullchain.pem It has 2 certificates in the chain: keytool -printcert -v -file fullchain.pem |grep "Certificate fingerprints" |wc -l ...
ArticIceJuice
6 votes
1 answer
2k views

X509 certificates - Are there any naming conventions?

What are the naming conventions when buying certificates, if any? When buying a cert for TLS/HTTPS for a particular Server, naturally I will default to the server's name. For example, if the server is ...
joedotnot
  • 161
5 votes
2 answers
12k views

Can you generate a self signed certificate on Windows Server using CLI tools like certreq and certutil?

I need to quickly generate a self signed certificate on a Windows Server. I'd like to use the standard CLI tools that ship with it. I know I can use openssl.
Marinus
  • 237
5 votes
1 answer
17k views

OPENSSL Save x509 certificate of a website

I can see the certificate with this command openssl s_client -host {HOST} -port 443 -prexit -showcerts How can I save the x509 cert of the website in a PEM - File?
user3653164
5 votes
1 answer
12k views

Apache not Forwarding Client x509 Certificate to Tomcat via mod_proxy

I am having difficulties getting a client x509 certificate to be forwarded to Tomcat from Apache using mod_proxy. From observations and reading a few logs it does seem as though the client x509 ...
hooknc
  • 245
5 votes
1 answer
8k views

MongoDB rs.initiate error: replSetInitiate quorum check failed because not all proposed set members responded affirmatively

I have to start my own replica set with internal authentication enabled using X.509 certificates, but I failed. Any advice is welcome. MongoDB 3.2 x64 on Debian 8.2 x64. It is a problem from the ...
Evgeni Nabokov
4 votes
2 answers
2k views

Can I restrict an intermediate CA to only sign client certificates?

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate ...
Roel Harbers
4 votes
1 answer
357 views

x509 extensions: can the "extnValue" be empty?

I'm writing a script that parses x509 certificates. x509 v3 certificates have extensions which are an ASN.1 sequence containing an OID, a critical flag, and an octetString called extnValue. For the ...
pinhead
  • 143
3 votes
2 answers
4k views

Any open source web based X509 PKI tool? [closed]

Want to setup a CA, but it's hard to find a good web based X509 PKI tool, any recommend?
timy
  • 729
3 votes
1 answer
396 views

How does one change the certificate and key for https

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ...
James B. Byrne
3 votes
1 answer
18k views

x509 certificate not valid for any names when added IP address to openssl.cnf

A self-signed certificate works well while the command used to generate it on a ubuntu machine is: openssl req -x509 -newkey rsa:4096 -keyout private.key -out cert.crt -days 365 -nodes If the ...
minghua
  • 181
3 votes
0 answers
2k views

The revocation function was unable to check revocation for the certificate 0x80092012

Please help me to deal with self-signed revocation check I've used makecert.exe to create root and client certificate The problem is that certutil fails to check certificate with error The ...
oleksa
  • 130
3 votes
0 answers
657 views

Is there an extension of host to host ipsec to a many-many configuration?

Having a typical host to host transport mode ipsec configuration, conn appserver01-to-swift01 [email protected] left=10.133.176.246 leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxx ...
user22866
  • 151
3 votes
3 answers
420 views

Client-side certificates

My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works. Now I'm required to ...
walshms
  • 55
2 votes
2 answers
17k views

Openssl Custom Extension

I know how to create x509 certificates with the openssl command line. But now I want to create one with a custom extension. How can I do this with openssl command line?
user93353
  • 285
2 votes
2 answers
11k views

Create DER certificate+key from PEM

I'm not sure if it's even possible. Also, OpenSSL is one ugly motherlover of a utility :/ I need to upload certificate+private key as DER to ESET Security Management Center (ESMC), at least ...
StanTastic
2 votes
2 answers
2k views

DER encoded hash

according to the manpage of stunnel4 the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert (the first 4 bytes of the ...
exeral
  • 1,892
2 votes
2 answers
7k views

Can you re-use a SSL certificate across platforms?

Let's say I want to buy a wildcard SSL that I can use for web servers, spanning across a multitude of different servers and platform. I could issue a CSR for each and every one of them, with their ...
jishi
  • 888
2 votes
2 answers
2k views

Why would Chrome ignore the X509v3 Subject Alternative Name in my cert?

I have a cert that include an X509v3 Subject Alternative setting, but Chrome 67.0.3396.99 is saying the Subject Alternative Name is missing even though it looks like it's included in the cert. Here's ...
pwan
  • 257
2 votes
1 answer
16k views

Why can't I enter a PEM Pass Phrase in the prompt? [duplicate]

I am trying to install an SSL certificate on my WAMP server. W:\wamp\bin\apache\apache2.2.22\bin>echo %OPENSSL_CONF% w:\wamp\bin\apache\apache2.2.22\conf\openssl.cnf W:\wamp\bin\apache\apache2.2....
ShoeLace1291
2 votes
1 answer
82 views

How to make Certbot respect Debian standards for certificate deployment?

Certbot seems to manage X.509 certificates and private keys in its own directory structure in /etc/letsencrypt. On Debian-based systems (including Ubuntu, Linux Mint and others) X.509 certificates are ...
aef
  • 1,785
2 votes
4 answers
315 views

Is there a provider that offers free SSL certificates that don't give a warning in Firefox 4?

I am looking to install SSL certificates for frequently used https services. I used to use StartSSL for this, but they "temporarily" stopped offering their services. I wonder if there are any other ...
ujjain
  • 4,043
2 votes
1 answer
3k views

Client-side certificates (Apache, Linux, OpenSSL)

My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works. Now I'm required to ...
walshms
  • 55
2 votes
3 answers
3k views

Forwarding logs from rsyslog to graylog over tls

I'm trying to forward logs from rsyslog to graylog over tls. rsyslog configuration: # make gtls driver the default $DefaultNetstreamDriver gtls # # # certificate files $DefaultNetstreamDriverCAFile /...
Zombaya
  • 123
2 votes
1 answer
899 views

How to setup a reverse proxy to enable HTTP access with basic authentication to an internal HTTPS server that requires a certificate

We have an internal server that requires x509-based authentication, but I've been requested to open it up with a basic user/password authentication. I've been trying to setup a reverse proxy in ...
RogerFC
  • 344
2 votes
2 answers
1k views

Can I restrict SSL access to Tomcat by Extended Key Usage?

I'd like to restrict the SSL access to a Tomcat instance using certificates, and not relying on any "user" accounts. I have a CA which is being used to sign the certificates, but if I configure ...
Zac Thompson
  • 1,043
2 votes
1 answer
113 views

What happens if the startdate of a CA is later than the startdate of an X509 certificate signed by it?

I am in the process of extending the lifetime of a private CA creating a new certificate with the same name, serial number, private/public keys, etc. The only change would be the "startdate" ...
jcea
  • 273
2 votes
1 answer
3k views

Finding out if a certificate is due for renewal without triggering the actual renewal with Certbot

I am trying to use Certbot to allow for semi-automated certificate updates. I don't want fully-automated updates to avoid automatic certificate replacements that could interrupt business and ensure ...
aef
  • 1,785
2 votes
1 answer
858 views

Why OCSP stapling on NGINX for "buypass" DV certs fails without explicit root declaration?

tl;dr For buypass DV certs fetched by certbot I need to explicitly tell NGINX to trust buypass root cert to enable OCSP stapling. This is not the case for Let's Encrypt certificates and I cannot ...
Yan Foto
  • 131
2 votes
1 answer
450 views

Limiting power of a trusted certificate

I am creating a site with my own CA and signing client certs with it. The clients will need to add my CA as a trusted source, but for security reasons I don't want them to blindly trust everything ...
user1156544
2 votes
1 answer
4k views

REMOTE_USER = SSL_CLIENT_S_DN_CN under x509 with +FakeBasicAuth in Apache. Is it possible?

Hi I'm trying to incorporate a software to our intranet services (BackupPc) This Software uses the environment variable REMOTE_USER to get the username. Placed under an Apache 2.2 server with Client ...
theist
  • 1,249
2 votes
0 answers
28 views

Client certificates and custom revoked html

I can configure Apache to authenticate users with client certificate and validate them via OCSP. Do you know how can I redirect the user to a custom html page if the certificate is revoked? The ...
Tibor
  • 121
2 votes
0 answers
856 views

OpenSSL - Create Cross Intermediate Certificate from 2 Root CAs

Good evening all, I have 2 servers running in different datacenters which are both connected using OpenVPN. Both servers have their own ca-server who is able to sign new certificates using ...
Genpc
  • 21
2 votes
0 answers
211 views

Trust certificate for OCSP, but not for client certs?

According to the nginx docs, you can specify certificates to be trusted for both OCSP response and client certificate verification: ssl_trusted_certificate / ssl_client_certificate Specifies a ...
dst
  • 146
2 votes
0 answers
303 views

Tomcat 7: how to log x509 cert dn with AccessLogValve

I have Tomcat7 running on RHEL6 with mutual authentication using x509 certificates for the entire container. From the user point of view in the browser, everything seems to work fine with a cert ...
user330855
2 votes
1 answer
393 views

Alternatives to a Trusted Root certificate

Given a SSL-protected site that was formerly whitelisted (Allow from x.x.x.x etc), and a requirement from a customer to change the way authentication works, to use X.509 HTTPS Client verification. ...
Tom O'Connor
  • 27.5k