Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

228 questions
1 vote, 1 answer

How to import a CSR on a root CA into the Pending Requests queue and view the applied policy on the command line?

I have a standalone root CA based on Windows Server 2019 Core. I know that with certutil.exe -dump certificate.req I can inspect the CSR, but the root CA's policies may override the requested extension attributes. On the Desktop edition, after…
Daniel (6,940)
1 vote, 1 answer

Standalone Root CA does not enforce KeyUsage settings from CAPolicy.inf when issuing certificates

I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019. The RootCA seems to ignore the CAPolicy.inf file configuration settings, when attempting to sign the SubCA's CSR, as shown in the pending…
Daniel (6,940)
1 vote, 1 answer

hashicorp vault - load pre-existing CA certificate into PKI engine

I'm looking to migrate a process that generates client certificates from a custom root CA into hashicorp vault. The root is already trusted by a lot of applications, so I'd like to import it (or an intermediate) into vault and emit the client…
André Fernandes (969)
1 vote, 0 answers

Enabling SSL on Tomcat 9

There are a few questions I have regarding setting up SSL on Tomcat 9 as some of the things I've read have some inconsistencies and I'm also new to PKI. Ultimately, there are two things I'm trying to accomplish: enable SSL on Tomcat 9 for a secure…
stripies (25)
1 vote, 0 answers

How to get the issuing certificate authority from an apple push notification certificate

I want to import the Apple push notification certificate into AWS ACM. So first, I had to convert it to pem. Using openssl pkcs12, I was able to get the Certificate and the Private Key. But when importing it into ACM, I get this error: "Provided…
Moadh (11)
1 vote, 1 answer

install additional Enterprise Subordinate CA

I have already set up a working two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (ROOT-CA) and one online Enterprise Subordinate CA (ISSUING-CA). For redundancy I would like to add an additional…
mokum (23)
1 vote, 1 answer

802.1X Chicken or the Egg?

I'm reading about 802.1X and WPA-2 Enterprise and how to set it up. I've read briefly about the different EAPs and understand that EAP-TLS is the better method of authentication due to the use of client and server certificates. However I'm…
1 vote, 1 answer

How to constrain ADCS Certificate template to user or computer type

How do I differentiate between a User or Computer certificate in my certificate templates? I currently have a template designed for a webserver SSL certificate, however, both users and computers can request it. I've tested this with the computer and…
1 vote, 1 answer

How to properly generate an x509 certificate with restricted usage

I'm putting certificates into a repository that will not allow a successive certificate with more limited usage than the previous one. I need an initial dummy cert/key/chain to bootstrap the process whose usages are not more open than Let's Encrypt…
user1169420 (125)
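Added example, not taken from any of the questions on this page: a throwaway OpenSSL CA that discards the extensions a CSR asks for and applies its own policy file instead, which is the same role CAPolicy.inf and the policy module play for the Windows CAs in the certutil and KeyUsage questions above. It then reads back what was actually issued (a leaf constrained to serverAuth only, as in the restricted-usage question), plus the issuer name and the caIssuers URL a verifier needs to locate the issuing CA and build the chain (the push-certificate question). The CA name, the requester name and the URL http://pki.example.test/root.crt are made up for the demo.

```shell
#!/bin/sh
# Added example: a tiny CA whose policy file, not the CSR, decides the
# issued certificate's extensions. Uses only the openssl CLI (1.1.1 or
# newer for -addext). All names and the AIA URL are invented for the demo.
set -eu

WORK=$(mktemp -d)            # scratch directory, removed when the script exits
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throwaway self-signed root CA (default "req -x509" settings suffice).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. A CSR that asks for CA privileges and certificate-signing key usage.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=requester.example.test" -keyout req.key -out req.csr \
    -addext "basicConstraints=CA:TRUE" \
    -addext "keyUsage=digitalSignature,keyCertSign,cRLSign" 2>/dev/null

# 3. The CA's policy: the only extensions that end up in the certificate,
#    whatever the CSR contained. caIssuers tells relying parties where to
#    fetch the issuing CA certificate when assembling a chain.
cat > policy.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityInfoAccess = caIssuers;URI:http://pki.example.test/root.crt
EOF

# 4. Sign. "openssl x509 -req" does not copy the CSR's requested extensions
#    unless told to, so only policy.ext is applied.
openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile policy.ext -out issued.crt 2>/dev/null

# Helper: pull one extension's value line out of the human-readable dump.
# $1 = openssl subcommand (req or x509), $2 = file, $3 = extension name.
ext_value() {
    openssl "$1" -in "$2" -noout -text | grep -A1 "X509v3 $3" | tail -n 1 | sed 's/^ *//'
}
csr_key_usage()          { ext_value req  "$1" "Key Usage"; }
cert_key_usage()         { ext_value x509 "$1" "Key Usage"; }
cert_basic_constraints() { ext_value x509 "$1" "Basic Constraints"; }
# Issuer DN in RFC 2253 form (stable across OpenSSL versions).
cert_issuer()            { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
# URL from the AIA caIssuers access method, if present.
cert_ca_issuers_url()    { openssl x509 -in "$1" -noout -text | grep 'CA Issuers' | sed 's/.*URI://'; }

echo "CSR requested key usage : $(csr_key_usage req.csr)"
echo "Issued key usage        : $(cert_key_usage issued.crt)"
echo "Issued basic constraints: $(cert_basic_constraints issued.crt)"
echo "Issuer                  : $(cert_issuer issued.crt)"
echo "Fetch issuer from       : $(cert_ca_issuers_url issued.crt)"
```

The CSR asked for CA:TRUE and keyCertSign, but the certificate comes back CA:FALSE with only digitalSignature and keyEncipherment, because the signer applied its own policy. A Windows CA behaves the same way: inspecting the request with certutil -dump shows what was asked for, not what the CA's policy will issue. The issuer DN and the caIssuers URL are what you chase when a downstream system rejects a certificate presented without its chain.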
1 vote, 2 answers

Algo VPN strongSwan client "no issuer certificate found"

I set up an Algo VPN instance on AWS Lightsail using the official Ansible playbook. I can establish the VPN connection using Wireguard, however I cannot get it to work with strongSwan. I configured two different Ubuntu clients according to…
jaj (11)
1 vote, 2 answers

FreeIPA Installation Failing During CA Restart

I'm trying to set up a simple vagrant box for testing with FreeIPA. I'm using the CentOS 7 image, and installing minimal extra things to the box, and using a very simple FreeIPA definition to start with. I've tried doing it using simple shell…
Dave McGinnis (153)
0 votes, 1 answer

Incorrect Subject field in Certificate

I used the certreq command utility (certreq -new) to generate a csr from an .inf file which I sent to an intermediate CA to be signed, using certreq -submit. For some reason the "Issued to" field under the General tab, and the "Subject" field under…
0 votes, 1 answer

2 Tier ADCS PKI: what's different when using HSMs?

In the near future I will be tasked with building a Tier 2 ADCS PKI that uses HSMs. Can anyone tell me what I have to do differently when building the PKI, and how the HSM fits into the whole PKI? (Win 2016 or Win 2019 Server) I have a lot of…
0 votes, 1 answer

In a production environment, how does Kubernetes manage TLS certificates?

I've put in place a master and some slaves, I've also generated some TLS certificates manually, and trusted those certificates all around the system. Now, I've installed an open source PKI, and I'd like to automatically manage the lifecycle of those…
TheByeByeMan (101)
0 votes, 1 answer

OCSP client certificate validation

For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific endpoints in this API, I want to protect the endpoints…
Roel (3)