Questions tagged [pki]

Public Key Infrastructure

PKI is a technical and/or organizational way to bind public keys to an identity. The most common type of PKI uses X.509 certificates (and in particular the IETF PKIX profiles).

823 questions
13
votes
2 answers

Use python to access a site with PKI security

I have a site that has PKI security enabled. Each client used either a card reader to load their certificate, or the certificate is installed in the IE certificate storage on their box. So my questions are: How can I use either the card reader…
code base 5000
13
votes
1 answer

How to check expiration date of crl file

I have a problem with the certificate revocation list for SSL certificates. How can I check the expiration date of a CRL file? How can I validate a CRL file?
bastiat
13
votes
1 answer

Java X509 Certificate parsing and validating

I'm trying to process X509 certificates in several steps and running into a couple of problems. I'm new to JCE so I'm not completely up to date on everything yet. We want to be able to parse several different X509 certificates based on different…
Driss Amri
12
votes
5 answers

RSA and prime-generator algorithms

OK, my understanding of the mathematical workings of RSA may not be as deep as it should, so feel free to slap me over the head if this is stupid: To generate a private key, we need two random big primes. There is no algorithm that can do that…
JCCyC
12
votes
5 answers

Signing JSON objects

I have to exchange JSON objects between different platforms and implementations of a service and make its integrity verifiable via digital signatures. So a platform A would create such an object and create a digital signature. Said signature is then…
Xenonite
11
votes
7 answers

DOD Common Access Card (CAC) Authentication

I have figured out all the necessary steps to get DOD CAC card based client certificate authentication working in Apache, but am now struggling to pull a good GUID for the user from the certificate I am receiving. Is there a GUID available on the…
Jim
11
votes
2 answers

iOS hardware-backed key attestation

In Android there is a way of knowing if the public key from a key pair was generated inside the TEE and is, therefore, hardware-backed (https://source.android.com/security/keystore/attestation). I cannot find a way to do that in iOS. Does anyone know if…
arnau
11
votes
1 answer

OpenSSL ECDSA signatures longer than expected

I am attempting to generate "raw", unencoded ECDSA signatures for use with a cryptographic chip. The goal is to sign something on the host PC, then send it to the chip to be validated. However, I am running into a little problem. My understanding is…
f41lurizer
11
votes
2 answers

Poco + OpenSSL + CA PEM : "Unacceptable certificate" error for 1 out of 2 identical sites

I am trying to do an SSL handshake with www1.filemail.com. I am using cURL's cacert.pem, but I am getting this error: Unacceptable certificate from 188.138.81.30: application verification failure Making the handshake against any other HTTPS website…
11
votes
1 answer

How to get Information from a security token with C#

I need to enable my applications' users to sign their approvals with their personal USB security token. I've managed to sign data but I haven't been able to get the information of whose token has been used to do so. Here is the code I have so…
daniloquio
10
votes
2 answers

What happens if I have expired additional certificate in the chain with alternate trust path?

I have a certificate, issued by Sectigo (formerly the Comodo Positive SSL product). It's in good condition and expires in 1 year and 7 months. This certificate is issued by Sectigo RSA Domain Validation Secure Server CA. There are two intermediate…
Vadim Rybalko
10
votes
2 answers

CORS with client https certificates

I have a site with two https servers. One (frontend) serves up a UI made of static pages. The other (backend) serves up a microservice. Both of them happen to be using the same (test) X509 certificate to identify themselves. Individually, I can…
Rob
10
votes
1 answer

How to programmatically create a Certificate Signing Request (CSR)?

How to implement it in C? openssl req -new -key cert.key -out cert.csr openssl x509 -req -in cert.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out cert.crt -days 5000
Andrey Egorov
10
votes
3 answers

How do you present a different PKI client certificate to a server once you have already presented one, in Firefox?

When I visit a website that requires PKI client certificates Firefox will allow the user to select which certificate to present. How do you present a different PKI client certificate to a server once you have already presented one, in Firefox?
atom88
10
votes
2 answers

How does Android's app/signature verification work?

I want to preface this question with two things so I can narrow down where my actual question is: a) I've done software dev before, though never for Android b) I'm familiar with PKI and encryptions and hashing and digital signatures and blah blah…
Fewmitz