All Questions
Tagged with certificate-authority public-key-infrastructure
310 questions
4 votes, 2 answers, 559 views
When to use a CRL distribution point in a root certificate?
I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let's not consider that for the moment. Let's assume we have a root CA > ...
12 votes, 3 answers, 2k views
Is it common practice to remove trusted certificate authorities (CA) located in untrusted countries?
With all currently ongoing global conflicts in the world, I was thinking about removing default trusted certificate authorities root certificates that are from countries that are (no longer) ...
1 vote, 0 answers, 101 views
Intermediate issuer field didn't match its CA subject field
While debugging yesterday's Cloudflare incident, I found out their intermediate certificate issuer field differs from its signing CA subject, despite the AKI/SKI being correct.
Here's the relevant CA ...
1 vote, 0 answers, 412 views
SSL Certificates signed by our CA show as invalid in browser
We're experiencing an issue, where SSL server-certificates issued by our own internal PKI will show as invalid in the browser, when accessing the site.
The error is NET::ERR_CERT_INVALID (Tested in ...
0 votes, 2 answers, 277 views
Is there a tool for auditing my root certificates?
Is there any tool out there that will monitor my system's use of root CAs? So far I have not found anything, and so I am hoping that this community will know if such a tool exists.
For background, I ...
-1 votes, 2 answers, 490 views
What happens to the key pair once the CSR has been enrolled?
I have a key pair which I used to generate a CSR.
Once I enrolled that CSR PKCS10, I get from the PKI (or CA) a certificate signed with the PKI private key.
From here, I would like to know if my ...
0 votes, 1 answer, 188 views
Can we move a PKI-as-a-service to own managed PKI server? [closed]
I'm a noob in PKI stuff. But if we were to subscribe to a PKI cloud service, could we move our root CA and other PKI stuff to our own PKI infrastructure once I'm ready to manage it ourselves?
0 votes, 1 answer, 2k views
How do TLS clients validate intermediate CA certificates?
I have read many posts related to the intermediate CA certificates and I do hope my question is not a duplication.
Where do TLS clients fetch intermediate CA certificates from?
In SSL server handshake,...
2 votes, 1 answer, 387 views
Can you use AD CS to generate certificates for service users with the computer name in the certificate details?
I am working on seeing if Active Directory Certificate Services can be used to manage the trust infrastructure for a data center environment. I have a series of different services that are run on web ...
1 vote, 2 answers, 201 views
How does a CA-backed signature work?
I would like to understand how certificate-based signature works. I understand the standard asymmetric key signature where one party signs using their private key, and anyone else can validate this is ...
0 votes, 1 answer, 503 views
Over what fields is the X509 hash computed? [duplicate]
Is this how X509 certificates are verified to be valid?
The receiver receives the certificate
Look at the issuer of the cert, and find the public key of that CA (it's hardcoded in the application or ...
1 vote, 1 answer, 179 views
Does defining "a minimum path length" for certification validation have any security benefit?
As you may know, Common Criteria (AKA ISO/IEC15408: A standard for IT Security Evaluation) have provided some security base-line documents named "Protection Profile" for software developers ...
1 vote, 1 answer, 688 views
What problem is the "max_path_length" attribute in certificates going to solve?
I'm trying to understand the purpose of defining pathLenConstraint and max_path_length in RFC5280 (Internet X509 PKI Certificate and CRL Profile):
For pathLenConstraint The above mentioned RFC states:
...
2 votes, 1 answer, 421 views
Can an Intermediate CA extend its "Certificate Key Usage" by issuing a new certificate for itself?
I'm trying to understand the purpose of defining self-issued certificate concept in RFC5280 (Internet X509 PKI Certificate and CRL Profile):
Regarding this concept the RFC states:
This specification ...
1 vote, 1 answer, 902 views
Why does installing a root certificate on the client open a door for MitM attack?
Most internet communication is now end-end encrypted using TLS. In the TLS process, the TLS server sends a PKI certificate to the user which then gets authenticated using the CA's root certificate ...