Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

228 questions
3 votes, 3 answers

Server ssh certificate chain against MITM attacks?

During first contact with a server via ssh, the server's public key of the chosen key algorithm is presented to the user to validate it. After validation, the result is usually saved into the ~/.ssh/known_hosts file to counter later MITM attacks…
Lars
3 votes, 1 answer

Smart Card removal behavior and card renewal

My customer is planning to introduce new Policy regarding smart card removal in their Windows Environment, most probably session break since it's a Citrix environment. Microsoft documentation on the policy I've provided them with a third party PKI…
nethero
3 votes, 0 answers

PKI Authentication in HTTPD using Active Directory (LDAP)

In my environment, an external entity provides a Root CA & Intermediate CA(s). They issue thousands of smartcards with PKI certificates for authentication. They provide the Client Authentication (OID 1.3.6.1.5.5.7.3.2) inside the extended key…
3 votes, 1 answer

How can I make OpenVPN use my CA's CRL Distribution Points when verifying certificates?

I have an existing PKI into which I am trying to integrate an OpenVPN server. I have included CRL Distribution Points into each CA certificate in my chain and I publish the CRLs at a location that is reachable from my OpenVPN server. The problem is…
succulent_headcrab
3 votes, 2 answers

Can I find local ssh private key from remote fingerprint?

Possibly I am missing something obvious but after getting fed up with the 5 key limitation of ssh-agent I started looking for ways for better ssh key management. If I create a new ssh key pair using ssh-keygen -t rsa, I can then use ssh-keygen -lf to…
Charles
3 votes, 1 answer

Microsoft Certificate Authority Provider Compatibility

So we are a mid-size enterprise refreshing our Microsoft PKI and looking to leverage it heavily across the org for many things, i.e. Server to Server/Workstation encryption, Wireless TLS Encryption/Authentication (Aruba), Internal SSL Web Services,…
BIllC
3 votes, 1 answer

Removing LDAP from CDP & AIA in a Microsoft PKI

A default installation of a Microsoft PKI running Windows 2012 R2 includes LDAP URL's within CRL distribution points (CDP's) and Authority Information Access (AIA). I want to issue certificates outside of my organization but I don't want an internal…
3 votes, 1 answer

Wildcard cert for local SSL Certificate Authority?

This seems like it should work, but PKI is complicated and I'd like to ask people who can give an authoritative answer. BACKGROUND: I am the network engineer for a company; for sake of argument we'll call our domain thatcompany.com. I authenticate…
Mike Pennington
3 votes, 0 answers

Creating a CA signing chain when there wasn't one before

Here is the problem... 3 years ago we created a multi-datacenter setup, with as little cross-DC resource dependencies as we could make. Different AD sites. Different puppetmasters. Different syslog servers. Different egress firewalls. Different DNS…
Blue Warrior NFB
3 votes, 2 answers

Certificate distribution and management

I am planning to setup PKI for our organization as we're fed up with all of these security warnings when using self-signed certs. I want an offline root CA and two issuing CAs and I want to set that up on Linux systems. How can I easily distribute…
Alex
3 votes, 1 answer

SSL chain verification problems - Barracuda load balancer

I've installed a new SSL certificate using SHA1 hashing. I'm using a security certificate by GeoTrust SSL CA - G2 but with WebServices communications I'm getting a PKIX error. The following page: https://www.geocerts.com/ssl_checker It's getting me the…
Miguel Resendiz
3 votes, 1 answer

802.1x certificates, EAP-TLS, RADIUS and Windows machines

When using 802.1x certificate-based authentication on Windows machines, should I use different certificate for each machine? There is RADIUS server running in the network, the machines use EAP-TLS to talk to the network switch. If I should, how do I…
David
3 votes, 0 answers

Windows Sub CA not issuing certificates

I set up a fresh 2-tier PKI to try and replace an old broken PKI with a CA that was no longer available. Everything seems to be working between the offline root and online issuing CAs, but now I'm trying to move my DCs Domain Controller certs from…
fwrawx
3 votes, 1 answer

Revocation status of DC can't be verified

A Domain Controller within my forest was working fine (as the story usually goes). Then, suddenly, I can't logon with my smart card. Instead, I'm greeted with the following message: The system could not log you on. The revocation status of the…
Federer
3 votes, 1 answer

Child domain new cert request - certificate template permissions do not allow current user to enroll 0x80094012

I have the following AD configuration: rootca (standalone not domain connected) mydom.local dc1.mydom.local svr1.mydom.local subca.mydom.local(enterprise subordinate CA) other.mydom.local dc1.other.mydom.local svr1.other.mydom.local I can…
morleyc