Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

228 questions
5
votes
1 answer

How does this 2048-bit SSL requirement affect existing internal PKIs?

We have our own CA which we've used for years to create hundreds of server certs and thousands of client certs. The CA cert itself is 1024-bit and the certs it signed are 1024-bit. Symantec has been sending out emails to us regarding this "change now…
jhaar
5
votes
1 answer

Using an audio cable (or similar) to create unidirectional communication from a secure server

I'm interested in exploring how a semi-offline Root CA can be used to update CRLs to the sub CAs. This answer on Security.SE mentions using an audio cable for this purpose. Does anyone have details on how an audio cable (or similar) can be used to…
makerofthings7
5
votes
3 answers

PKI keys per service or per server?

We all have a lot of internal services that need encryption and authentication to be provided by some sort of PKI. Do the security gains of using a different private/public key pair for each service justify the extra work entailed? Or is using a…
sh-beta
5
votes
3 answers

How to prevent a user from using a private key after leaving the organization?

In the enterprise environment, each user was issued a key pair for encrypting/signing. Since they have the private key, that means they can decrypt any file encrypted for them, even after leaving the organization and their certificate was…
David
4
votes
1 answer

JRE fails to establish LDAPS connection with AD after RootCA cert imported to cacerts truststore

LDAPS is working through ldp.exe and through a number of other programs on Windows and Linux systems that do not appear to require the root cert at all. Some programs which use JSSE fail to connect after importing the root and intermediate CA into…
4
votes
1 answer

How should I configure a CAA DNS record for use with the AWS Certificate Manager?

AWS Route 53 now allows the creation of CAA records to restrict the certificate authorities that may issue a certificate for a domain. I'd like to use an issue directive to restrict the issue of certificates for my domain like in the following…
simpleigh
4
votes
0 answers

Active Directory Certificate Services cannot publish revocation list after renewal with new private Key

In summary: I had a working offline root CA and an AD-integrated CA working fine. I renewed the certificate with the same private key and all was good. I then renewed the certificate with a new private key and I can no longer publish the…
4
votes
2 answers

Can I restrict an intermediate CA to only sign client certificates?

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by…
4
votes
2 answers

How can I view/export/determine the configuration of a Windows ADCS CA?

I'm in the process of setting up a new root ADCS (Active Directory Certificate Server) certificate authority for a child domain in a multi-forest environment that already has a number of existing CAs. I would very much like to not repeat what the…
4
votes
1 answer

Why does Windows CA Server issue multiple certificates for the same user?

I am currently implementing an EAP/TLS WIFI implementation to replace our EAP/MSCHAP2 wifi implementation. I am using Windows Server 2008 and I've installed a certificate authority. User certificates are pushed using group policy. A wireless network…
4
votes
2 answers

Windows PKI with offline root (maybe with OpenSSL) - Possible?

I'm trying to set up a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct? The setup I was considering was one Root CA…
4
votes
1 answer

Multiple CAs on Windows Server 2012

Is it possible to create multiple Certificate Authorities in Windows Server 2012? Specifically: I'd like to create a standalone root CA which will have its private key in offline secure storage. The main issuing (Enterprise) CA should have a…
4
votes
1 answer

Windows 2003 x32 CA to Windows 2008 x64 CA migration

In the following period I have to migrate the AD over to the 2008 schema level. I currently have an x64 Windows 2008 R2 domain controller and one x32 Windows Server 2003 domain controller. The x32 server is an old machine which doesn't even support the…
Alex H
4
votes
2 answers

Why might Windows falsely claim a self-signed root CA certificate is revoked?

I created a self-signed root CA cert for internal test use, using OpenSSL. This has been successfully installed and used as a trusted CA on a number of machines and platforms (Windows, Linux, various Java/.NET/browser clients) without issue. One…
3
votes
1 answer

Template issues certificate with longer validity than CA certificate, what happens?

I am wondering what will happen when a certificate template with a 2-year validity period (for example) issues a certificate while the CA certificate expires in 1 year. I can think of 2 things that could possibly happen, but this is just guessing,…