Questions tagged [public-key-infrastructure]

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). There are three main categories of PKI: Web / SSL certs, corporate networks, and Government ID / ePassport.

1 vote
1 answer
52 views

I have a hard time understanding the OCSP RFC 6960. Two basic questions: Simple: What is the canonically correct way of answering an OCSP request for an unknown (end-entity) certificate serial ...
StackzOfZtuff
0 votes
2 answers
99 views

Suppose I maintain a web server, which supports TLS with X.509 certificate #1. Certificate #1 is getting close to expiration, so I get a new certificate #2 (with a different key pair, of course) and ...
Jason S
  • 396
1 vote
1 answer
75 views

I am working for a company and we are investigating how mTLS should work. Since public CAs won't issue the client auth EKU in the near future, we have to look for alternatives. When searching on ...
J. Doe
  • 115
0 votes
2 answers
132 views

I am working for a company that has to change the current mTLS setup because public CAs won't issue the client auth extension anymore, which is required to set up mTLS. We are currently demanding from ...
J. Doe
  • 115
0 votes
2 answers
201 views

I'm building a private PKI for IoT devices and want to understand certificate chain validation when an intermediate CA expires. My CA Structure Root CA: 30 years (2025-2055) └── Intermediate CA: 7 ...
Bernard Haidamous
14 votes
3 answers
2k views

The government of Kazakhstan, in order for citizens to use electronic government services (egov.kz), requires installing the NCALayer application on the computer for working with digital signatures. ...
sunvis0r
  • 143
1 vote
1 answer
369 views

TL;DR: I want to forward-chain client certificates by including their successor public key as an extension. See Questions. I am thinking about using client-side certificates in TLS (mTLS) as a more ...
Karsten
  • 11
3 votes
1 answer
1k views

I do not know much about how MS Windows interprets client certificates but I was faced with a statement I have a hard time integrating. The context: organization EXAMPLE has an Active Directory and an ...
WoJ
  • 9,248
3 votes
1 answer
4k views

I’m in the process of developing a native app and am currently trying to come up with a workflow to secure the communication between my app and the server. I’ve done a lot of research and have not ...
Rhubarb
  • 41
0 votes
1 answer
155 views

GPG allows file encryption for multiple recipients. I prefer to encrypt files: Only to recipient subkeys shared with me by the intended recipients, like so: $ gpg --encrypt --armor --recipient <...
Suhas Srivastava
2 votes
0 answers
185 views

I'm working on a project for improving security of IoT devices by using per-device X.509 certificates for authentication. The company uses IoT sensors, created in-house, to gather data for analytics. ...
Zapo
  • 21
5 votes
5 answers
3k views

About TLS Client Certificates How does a TLS client certificate prove the identity of the client? Yes, only the client has the private key so a client-key handshake can be completed. But how does that ...
WoodManEXP
5 votes
2 answers
1k views

I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let's not consider that for the moment. Let's assume we have a root CA > ...
not2savvy
  • 824
12 votes
3 answers
2k views

With all currently ongoing global conflicts in the world, I was thinking about removing default trusted certificate authorities root certificates that are from countries that are (no longer) ...
Bob Ortiz
  • 7,733
2 votes
1 answer
291 views

Internet.nl checks a domain for some security settings among which: Route Origin Authorisation existence and Route announcement validity for both the webserver and nameserver IP addresses. They write: ...
Bob Ortiz
  • 7,733
