Questions tagged [certificate-authority]

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates.

The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

CAs are characteristic of many public key infrastructure (PKI) schemes. Commercial CAs charge to issue certificates that will automatically be trusted by most web browsers.

785 questions

134 votes, 7 answers

Certification authority root certificate expiry and renewal

In 2004, I set up a small certification authority using OpenSSL on Linux and the simple management scripts provided with OpenVPN. In accordance with the guides I found at the time, I set the validity period for the root CA certificate to 10 years.…
Remy Blank

73 votes, 6 answers

Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)?

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "your grandma SSL shop" is fine for the uttermost top secured…
131

65 votes, 4 answers

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a…
user664833

47 votes, 7 answers

How to update cURL CA bundle on RedHat?

I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated. curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate…
Andrew

41 votes, 2 answers

Error code: ssl_error_rx_record_too_long

I have nginx with the following setup: server { listen 80; server_name site.com www.site.com; root /home/site/public_html; listen 443; #server_name site.com www.site.com; #root…
Tiffany Walker

35 votes, 4 answers

How to make Firefox trust system CA certificates?

Our network admin recently enabled HTTPS inspection on our firewall/router. For IE users this is fine because the certs have all been distributed via Active Directory for domain-joined machines. However, we have a number of Firefox users that are…
Wes Sayeed

34 votes, 1 answer

Trusting an untrustworthy CA - Can I restrict how the system trusts it?

(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code). I'm currently responsible for maintaining a system which connects to a third-party webservice. This webservice requires client…
Dai

32 votes, 2 answers

Difference between ca-bundle.crt and ca-bundle.trust.crt

On CentOS 6.5, in /etc/pki/tls/certs I have: ca-bundle.crt and ca-bundle.trust.crt, with different file sizes. Which should I use as the trust path for nginx proxy_ssl_trusted_certificate?
Justin

29 votes, 1 answer

What does "tlsv1 alert unknown ca" mean?

I am trying to do a curl request using a client certificate like so: curl -E my.pem https://some.site And I get the following error message: curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca What does this mean? Is…
grasevski

26 votes, 2 answers

Can a server certificate expire after its issuer?

Most if not all server certificates that I work with expire before their issuer, but is it possible for a server certificate to expire after its issuer, and does this apply to an intermediate certificate as well (expire after the root certificate)? If…
Tumelo Galenos

25 votes, 5 answers

How to secure your CA's private key?

I'm about to implement my own Certification Authority (CA) for internal use only. Now there is a problem, that the CA private key should never ever be exploited. So right now the private key is encrypted. What else could be done to enhance the security…
JMW

22 votes, 3 answers

Can I create my own S/MIME certificate for email encryption?

I'm having a bit of an issue here. Bear with me as this may be a case of "not asking the right question". Background: Using Apple Mail. Want to encrypt/decrypt email but GPGMail (and apparently PGP) isn't supported with Snow Leopard. Basically I…

17 votes, 2 answers

Why not validate self-signed certificates through a DNS record instead of letsencrypt

I was just wondering. We use a lot of SSL certificates. Nowadays, we almost exclusively use letsencrypt (thanks!). The bottom line of these certificates is that proof of ownership of the domain name(s) on the certificate comes from the power to…

16 votes, 2 answers

Can MS Certificate Services be a Subordinate to a CA created with OpenSSL

I want to set up an enterprise certification authority for my domain, so I can issue certificates for various purposes. I would like to follow the best practice of having an offline CA as the root, and set up my enterprise CA as a subordinate. But…
Zoredache

15 votes, 2 answers

Is this SSL certificate chain broken and how to fix it?

For the SSL cert on the domain example.com, some tests tell me that the chain is incomplete and since Firefox keeps its own certificate store, it might fail on Mozilla (1, 2, 3). Others tell me it is fine, as does Firefox 36, which tells me that the…
Gaia