Questions tagged [certificate]

Certificates are a Public Key and Identifying Information

Within public key cryptography (such as that used in SSL and TLS), you have both a private key (that you keep secret), and a public key (that you share widely).

In order to avoid MITM (Man In The Middle) attacks, rather than publishing just the raw public key, you normally share a Certificate. The Certificate contains your public key, along with information identifying you (such as the hostname of your website, and your organisation). The identifying information is authenticated by a Certificate Authority (CA), and can be used to ensure you're talking to the right person.

Certificates are normally issued by a Public Certificate Authority, but they can be self-signed (the certificate is its own CA), or issued by a private CA.

1327 questions
8 votes, 2 answers

Can Squid be used as "TLS termination proxy" to encrypt TCP connections using client certificates?

Abstract I need an encrypted TCP connection from multiple clients to a single port over the internet. Can this be realized with Squid? Concrete situation We use a monitoring and client management solution in our company which is accessible over…
marsh-wiggle
8 votes, 1 answer

How to add an existing key to the certutil key database

I have created an SSL keypair with OpenSSL. I uploaded the Certificate Signing Request to my SSL Certificate provider and got my certificate files. I added my certificate and the required CA certificates to the certificate database using certutil.…
Steven Roose
8 votes, 2 answers

OpenSSL always shows "unsupported" for all subjectAltName "otherName" UTF8 values

It seems like OpenSSL is broken when trying to read back subjectAltName/otherName/UTF8 values that were written by itself: The relevant openssl.cnf configuration (using an official but random OID): [alt_names] DNS.1 = www.foo.com DNS.2 =…
Dustin Oprea
8 votes, 1 answer

Direct Access Certificates

I want to know if I can use a single certificate for all the direct access functionality. I am working at actually setting up DirectAccess on a relatively small network. Since this is a small network I am trying to find the minimum configuration…
Zoredache
8 votes, 3 answers

openssl client authentication error: tlsv1 alert unknown ca: ... SSL alert number 48

I've generated a certificate using openssl and placed it on the client's machine, but when I try to connect to my server using that certificate, I get the error mentioned in the subject line back from my server. Here's what I've done. 1) I do a test…
JoJoeDad
8 votes, 2 answers

TLS: hostname does not match CN in peer certificate

I'm trying to connect LDAP over StartTLS but I'm stuck with an issue. I've followed step by step this guide https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls and LDAP is working OK as well as "ldapsearch -xZZ -h…
borjamf
8 votes, 2 answers

Configuring client certificate authentication in apache

I am trying to set up part of a Virtualhost in apache to require client authentication. The VirtualHost in question also acts as a reverse proxy for the actual web server. Here's what I have done: Created ca.crt, ca.csr, and ca.key on the server I…
8 votes, 4 answers

Can I use Active Directory as a CA for creating test SSL certificates for IIS?

We have an internal test version of our website, which is available (via internal DNS zones) as www.mysite.com.test I'd like to create an SSL certificate for www.mysite.com.test, so that our testers don't get an invalid certificate warning (the…
Dylan Beattie
8 votes, 3 answers

Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)

In order to implement SSO, I have been working with some IdP and a Shibboleth SP install without being able to answer this question. On the IdP side I have a few metadata files that describe some applications. Those files can contain a certificate,…
8 votes, 2 answers

Certificate authority expiration

When a certificate authority expires, is it gone for good? Is there a way to renew it? Or should I just generate a new certificate? I don't really want to make a new one because this certificate authority is already trusted by many of our customers.…
Jay
8 votes, 2 answers

What is a good and safe way of sharing ssh-keypairs?

I have a few key-pairs, that are used as authentication, to ssh into my servers on the Amazon cloud. I rotate those certificates weekly, manually. My question is, I need to share the certificates with some colleagues, a few on the LAN, and a few in…
theTuxRacer
8 votes, 1 answer

IIS7 Not sending Intermediate SSL Certificate

We have a GlobalSign Domain certificate for our domain. I've installed the certificate into IIS and added the GlobalSign Domain Intermediate certificate to the Intermediate certification authorities for the local computer. It seems that IIS is not…
nullabletype
8 votes, 2 answers

SAN certificate with URI fragment

I need to generate a TLS certificate with a SAN URI where the URI has a fragment (has a hash '#'). But when I try to generate a certificate using openssl, the fragment gets stripped. # generate key and CSR for client certificate openssl req -nodes…
Rich Remer
8 votes, 4 answers

'Certificate types are not available' When creating computer certificate?

Environment Windows Server 2008 sp1 Xeon CPU E5430 @ 2.66 GHz 16.0 GB Ram 64-bit Operating System 1TB Disk Space Server Role: SQL Server Other Information: Joint to domain, Logged in user domain administrator Issue Steps that cause issue: Create a…
Anicho
7 votes, 2 answers

Convert DER .cer format to Base64 .CER

I have exported my certificates in DER encoding (with the extension .cer). Is there a way to convert those certificates to Base-64 encoding (with the same extension)? Thanks
Warok