Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

228 questions
2 votes, 2 answers

PKI infrastructure and usage question

I work in a small software solutions company (50 employees) and I was recently tasked with experimenting with web services. Since we mainly offer solutions for Windows, I started toying around with Microsoft's WCF 4 (.NET 4.0). Basically, these web…
2 votes, 1 answer

Changing the OU for a Windows Subordinate CA

We have a Subordinate CA that is servicing our AD domain. For reasons of tidiness, we want to change the OU that the Sub CA is in. I know that you can't do things like change the name of the Sub CA or change its IP address. Has anyone successfully…
2 votes, 1 answer

openssl - cross sign certificate

I want to cross-sign a third-party root CA (third-party-ca) with my own root CA (r1). (Background: restricting usage) To do this, I use openssl x509 -in third-party-ca.crt -CA /etc/pki/r1/ca.crt -CAkey /etc/pki/r1/private/ca.key -out…
Zulakis
2 votes, 1 answer

Finding out if a certificate is due for renewal without triggering the actual renewal with Certbot

I am trying to use Certbot to allow for semi-automated certificate updates. I don't want fully-automated updates to avoid automatic certificate replacements that could interrupt business and ensure that a sentient administrator is available when the…
aef
2 votes, 1 answer

NGINX unable to get issuer certificate

I am using the NGINX web server. I configured my site so that the user is challenged to present his certificate when he makes the first request to the site, using the following setting: ssl_client_certificate /path/to/ca/cert/ca.crt; …
SharpCoder
2 votes, 0 answers

Vault invalid certificate or no client certificate supplied - cert auth method

I have created a CA in Vault to handle my certificate creation. I've followed this guide here: https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine I am trying to generate a client certificate using the pki secrets engine in Vault and…
2 votes, 1 answer

Certbot: Issuing a certificate for internal IP address with my own PKI?

I am running my own ACME CA server that allows issuing of certificates to IP addresses. I have installed the root certificate into all the devices in my LAN. Let's say that I am running the server at https://ca.internal/acme. Now, I would like to…
huanglx
1 vote, 1 answer

Add certificate from Microsoft Azure Key Vault for LDAP/S

The only method I can seem to find to add a certificate for secure LDAP (LDAP/S) for Azure Active Directory Domain Services is to upload the certificate from my local computer. This seems like a very poor key management solution when Microsoft Azure…
Scott
1 vote, 1 answer

Why do I have to distribute my CA signed code signing certificate with GPO?

I have an enterprise PKI. My issuing CA is part of my Active Directory. For the Windows Package Publisher I issued a code signing certificate, which should normally be valid inside my whole AD structure (it is signed by my issuing CA). Still I have…
SaV
1 vote, 1 answer

ADCS PKI - AIA Location when using OCSP

My question is whether or not I still need to configure the following AIA location on my subordinate CA when I'm using OCSP: http://SERVERFQN/DIRECTORY/_.crt With the flag "include in AIA of issued…
1 vote, 0 answers

Optional TPM Key Attestation in AD Certificate Services

We have a range of Windows 10 computers in our estate - some with no TPM chip, some with TPM 1.2, and some with TPM 2.0. I want to configure a certificate template to optionally perform TPM Key Attestation if the client is capable, to enable clients…
aw9274
1 vote, 2 answers

Digital Signatures Using Enterprise PKI

We are a global enterprise with thousands of employees worldwide. We have our own PKI infrastructure which is trusted internally by our systems but unknown externally. We sign contracts with our clients. There is an ongoing "paperless" project which…
lisa1987
1 vote, 1 answer

How to distribute RDP certificates from ADCS to non-domain members?

I have a few hundred systems that are not AD-joined, for which I'd like to issue RDP certificates from an internal hierarchy (built with ADCS). I can do it manually, by generating CSRs, then signing with ADCS CA, then installing certs - easy, but…
StanTastic
1 vote, 1 answer

Migrate to two-tier PKI (Microsoft)

Currently, I have one online enterprise root CA (also issuing certificates with the default templates) installed on a DC (yes, yes, I know - worst case scenario). I set up another offline server not joined to a domain, 2 IIS servers under an LB and 2 enterprise…
user491190
1 vote, 2 answers

HPKP Public Key Pinning - Auto add bash script

I recently started using HPKP Public Key Pinning. I have an automated script that generates my CSR and certificate and installs them into apache2 on openSUSE Leap 42.3. I'm looking for a way to add SPKI fingerprints to the Public-Key-Pins header in my…
Bennett