Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly used software certification authorities.

228 questions
3 votes, 1 answer

OpenVPN with a Windows Certificate Services PKI

Has anyone tried using OpenVPN with certificates generated by Windows Certificate Services? In theory this should work. The provided easy-rsa PKI is not very comfortable to manage for many users. I do already have an Active Directory set up and I'd…
3 votes, 2 answers

How secure is SFTP? Is there any benefit in encrypting traffic with PKI as well?

I am working with a client that requires the use of secureFTP for file transfer and is also advocating the use of sLift EZ Classic (command-line file encryption using PKI) on top of SFTP. Is this overkill?
Dan
3 votes, 1 answer

Hierarchical certification authorities and CRLs

If I implement a PKI with multiple levels of CAs, do I need to have a CRL for each individual CA or can I just have one CRL for the entire hierarchy (i.e. point all certificates to a single CRL), or only a few at the upper levels of the hierarchy?
LawrenceC
3 votes, 3 answers

What books will help me learn everything I can about SSL/PKI?

Since SSL (now technically called TLS) is the backbone of the internet, what are some good books I should read to understand all aspects of it? I suppose I'll need to learn some math, some PKI books, crypto, and sysadmin books as well. Since…
makerofthings7
3 votes, 1 answer

Do I need Active Directory Certificate Services

I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug about online and I'm leaning towards "no". I do not…
3 votes, 1 answer

Windows Server 2019 ADCS - Unable to Install Subordinate CA Certificate

I am setting up a two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (Server 2019) and an online Enterprise Subordinate CA (also Server 2019). I've configured the offline Root CA successfully (set CDP /…
kahuna09
2 votes, 1 answer

Automatically renew certificate: Old cert gets archived, but no new one is issued

We are using Active Directory Certificate Services (AD CS) to issue certificates for internal web applications. We can manually request a certificate from the CA and it gets issued without problems. The auto-enrollment group policy is configured…
2 votes, 1 answer

OCSP Location error in pkiview.msc. But OCSP responders seem to work

I am currently setting up a new internal Windows PKI infrastructure in our organisation, to replace an old setup. Things are mostly fine, but the OCSP location has the status "Error" in the pkiview console. When I check a certificate with certutil…
Omnomnomnom
2 votes, 2 answers

Explanation of new line in htaccess file: RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?

Recently I noticed that a new line was added in the htaccess file in several locations throughout the file. RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)? I don't understand what it does, and I would like clarification…
2 votes, 1 answer

OpenVPN - trying to validate CRL on client certificate

I'm running OpenVPN on a hardware router running OpenWRT. Every time a client connects I get the following error in the logs: VERIFY WARNING: depth=0, unable to get certificate CRL. I've got a 2-level CA with both levels publishing CRLs and the…
marius-O
2 votes, 1 answer

Disable SSH Public Key Login for a user when her Active Directory account is disabled

I have many users in my environment who deploy their public keys on the Linux servers for password-less and secure login via SSH. All these users have accounts in our Active Directory; however, when a user leaves the company and we disable her…
Ahmed Tawfik
2 votes, 3 answers

How to create cross certificates (or bridge CAs) in ADCS?

I'm trying to set up a trust between 2 untrusting forests, and I'd like to use either a cross-certificate or Bridge CA solution (not using AD trusts or CEP). I've found loads of advice saying that this can be done, but I can't find anything on how to…
2 votes, 1 answer

Limiting power of a trusted certificate

I am creating a site with my own CA and signing client certs with it. The clients will need to add my CA as a trusted source, but for security reasons I don't want them to blindly trust everything that could be signed with the CA key, so I want to…
user1156544
2 votes, 1 answer

Windows - Logging changes to Certificate Store

In Windows there is a Certificate Store, where users and admins (depending on the setup) can make their changes: add root CA, modify CRL, etc. It seems to be quite a critical place in system security. So I come to the question: Can Windows be set up…
Mikhail
2 votes, 0 answers

Enroll on-behalf-of certificate using existing CSR file

Good day, I have a CSR (certificate signing request) file, which was generated on some remote non-domain station. I have created an AD user account. I have an Enrollment Agent certificate signed for my own account. The question is: can I somehow…