Questions tagged [certificates]
A piece of data used in public key cryptography (specifically public key infrastructures) that contains identifying information (e.g. an email address or web address), a hash of a public key, and a digital signature that authenticates the data in the certificate. For questions specifically about [x509], [certificate-authority], or [public-key-infrastructure], please use those tags.
2,920 questions
9 votes, 1 answer, 2k views
Where are CA root certificates being hidden?
When I go to the website using Edge on Windows 11:
https://www.hongkongpost.gov.hk/
and click on the https icon, then look at the certificate chain, it shows the trusted root CA is named Hongkong Post ...
1 vote, 1 answer, 52 views
What is the correct OCSP response for unknown issuer?
I have a hard time understanding the OCSP RFC 6960.
Two basic questions:
Simple: What is the canonically correct way of answering to
an OCSP request for an unknown (end-entity) certificate serial ...
-1 votes, 2 answers, 59 views
How to convert ASN1 readout to DER programmatically? [closed]
RFC 5280 has an ASN1 ASCII readout (is there a better/official name for this format?) on page 144.
How do I convert this to DER programmatically? (I don't want to do it by hand.)
0 910: SEQUENCE {
...
0 votes, 1 answer, 78 views
Self-signed SSL certs for database authentication in a closed environment?
The systems are all in a 10.x.y.z LAN.
Connectivity is between Postgresql clients (Linux and Windows) and servers (all Linux).
No web browsers or servers involved.
Some of the Postgresql servers are &...
1 vote, 1 answer, 60 views
What is the difference between a Private Root Certificate and a Self-Signed Certificate [duplicate]
This may be simply a difference of terminology, but I want to be absolutely sure. The reference material I have for my API only uses the phrase "Private Root Certificate." But all the ...
1 vote, 1 answer, 75 views
Should a client be able to validate his own client certificate issued by a private CA for mTLS?
I am working for a company and we are investigating how mTLS should work. Since public CAs won't issue the client auth EKU in the near future, we have to look for alternatives.
When searching on ...
0 votes, 2 answers, 132 views
mTLS for clients who won't accept private certificates for API requests
I am working for a company who has to change the current mTLS setup because public CAs won't issue the client auth extension anymore, which is required to set up mTLS. We are currently demanding from ...
0 votes, 1 answer, 60 views
Would signing the key authorization with the ACME private key increase security?
My understanding after reading about HTTP-01 with Let's Encrypt and Certbot is as follows:
Certbot creates a request for a new order of a certificate, signed with the ACME account private key (using ...
0 votes, 1 answer, 166 views
It seems all Azure domains under *.azurewebsites.net use the same wildcard certificate. How is that secure?
If you run a website on Microsoft Azure, you can get a domain under azurewebsites.net, such as https://demo.azurewebsites.net/ .
These websites can be accessed via HTTPS, but they all use the same ...
0 votes, 1 answer, 50 views
Correct Certificate Type for JWKS & Barclays [closed]
Barclays Bank require API developers to have an Authority-provided Digital Certificate to be presented via a JWKS file - see here and the key section of their help page states;
Client certificates can ...
0 votes, 2 answers, 324 views
Understanding of Client Authentication Certificates for mTLS
A third party supplier of an mTLS protected service gave us the following requirement:
We were to obtain & share with them a client authentication certificate so their service can authenticate us
...
1 vote, 0 answers, 59 views
Eduroam certificate - is it safe? [duplicate]
I am trying to use wifi at the university and the only option is to use eduroam. When connecting to eduroam it requires trusting a certificate first. I wonder, how safe is trusting this certificate ...
2 votes, 2 answers, 303 views
How should one interpret a cert whose Issuer is different from the DirName of the X509v3 Authority Key Identifier extension?
Consider this cert:
-----BEGIN CERTIFICATE-----
MIIBPTCB5aADAgECAhRsj+Y2sjp/9e7RVvV46i7EEvF2RjAKBggqhkjOPQQDAjAO
MQwwCgYDVQQKDANBQUEwHhcNMjUwODIyMjIwMzExWhcNMjYwODIyMjIwMzExWjAO
...
3 votes, 1 answer, 562 views
What EXACTLY makes an X.509 certificate "end entity"?
Suppose you were writing a certificate display or formatting program and wanted to be able to say "this certificate is [or is not] usable as an end-entity certificate"? What exactly would ...
7 votes, 2 answers, 2k views
How to define when a key (or a secret in general) has become too old?
I will illustrate my question by looking at SSL certificates:
In general, we can expect an SSL/TLS certificate to be using, at least, a 2048-bit RSA key. Now, as long as quantum computers are not a ...