x509 - Trusted root certificate is magically installed to Windows

On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root from somewhere and silently installs it into the Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove the newly downloaded trusted root certificate from the Windows storage, the chain can't be built again. I know about Authority...

x509 - When .net says "certificate valid", what is it checking?

I'm using the SignedXml.CheckSignature(X509Certificate2, boolean) method. I would like to know what checks are performed when deciding the validity of the certificate. I have verified that the Current User/Not Trusted list is checked. The documentation says it will use the "address book" store, searching by subject key identifier, to build the certificate chain. I imagine this means the Local Machine and Current User certificate stores? Am I right to think that certificate revocation and signature timestamp are not checked? To do an OCSP check f...

exchangewebservices - Exchange Web Services X509 Certificate

I am trying to connect to Exchange Web Services to send an email on behalf of a user through my own Web Service (ASP/WCF). My code works fine when running on a desktop PC able to connect to the Exchange server, but when operating over the internet the Exchange server cannot be accessed, thus I am trying to connect through my web server instead. I am looking for ways to log in as another user without using Exchange Web Services impersonation (as I have been told not to use that unless there is absolutely no other way) and without the user providin...

x509 - Is it OK to return certificate status without OCSP (Online Certificate Status Protocol)?

I created the certificate authority server using Node.js and some cryptographic library supporting RSA signing, verification and generating X.509. When I added the certificate revocation feature with the Online Certificate Status Protocol (OCSP), I wondered why I have to send a request and receive a response with OCSP, because all I want to know is not the OCSP Request/Response object but just the certificate status (good or revoked). Does it make sense to request not the OCSP response object (.PEM or something else) but the certificate status value, like HTTP ...

keytool - Import X509 certificate with subjectAltName (SAN) into JKS keystore

I'm using pyOpenSSL to create an X509 certificate. I need to import this certificate into a Java JKS keystore to make it available to my Java application. This is working fine as long as I don't add a subjectAltName extension to the certificate. If the certificate has an alternative subject set, import into the JKS keystore fails:

root@51561a8a1e01:~# /opt/oracle/java/jdk64-1.8.0_92/bin/keytool -keystore keystore -storepass changeit -noprompt -importcert -alias example -file certificate.crt -v
keytool error: java.lang.Exception: Input not an X.509 ...

x509 - adding certificate to remote x509store misses the private key

The task is to import a certificate to a remote server (Win2008 Server Web Edition / IIS7). The certificate is in a .pfx file. After installation I noticed the private key saved on the client server (from which the script is running) (in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys), but not on the destination server (where the certificate is installed). Due to this the certificate can't be used for site binding, with the error: A specified logon session does not exist. It may already have been terminated. So, I can see the certificate is installed on the remote server but pri...

phpseclib $X509->setDomain on CSR?

Is it possible to set an x509 v3 extended attribute for subjectAltName on a CSR? I am able to successfully generate a CSR, and then pass that to a CA to sign. The CA is able to call functions like X509->setDomain("bob.com","*.bob.com","asdf.org"); and they appear in the final cert without issue (note: I am doing the sign, reload, set extensions, resign workaround for phpseclib). The CSR process calling the same functions $X509->setExtension("id-ce-subjectAltName",array("names","here") ) or $X509->setDomain("domain1","domain2"); does not appear to set...

x509 - IIS 8.5 Ignoring revoked certificates in CRL and serving pages to certificates that are revoked

I am currently struggling with an issue which I am now led to believe is being caused by IIS. I am currently testing a self-signed PKI setup with a Root CA (MyNewCA), two signed Client Certificates (certificate1, certificate2) and a Revocation list (revocationlist.crl) that is also signed by the CA. I have added certificate1 to the revocation list and published it to an HTTP port 80 site that exists on our network. I have then created a fake site (testsite) that is secured via a TLS certificate. From a client machine, I have run the CertUtil comman...

verify - Pkcs11 x509 chain verification

I am currently implementing a secure channel setup with an HSM. The protocol is proprietary but uses standard crypto mechanisms (RSA, SHA). At a secure channel setup we receive a stack of certificates, with the last one being the remote device's personal cert. This chain must be validated; in high-level languages, no problem. But I could not find any example of how this is done with the pkcs11 interface. I have the impression there is no cert chain verification method in pkcs11? Must I dissect every cert and calculate the signature with the basic pkcs11 functions...

x509 - x509v3 Authority Info Access

Is the AuthorityInfoAccess field mandatory in x509v3? I have some certificates, and I'm trying to do OCSP verification, but they don't seem to have this field when I do

openssl x509 -in file.cer -inform DER -text -noout

I was wondering, if it's not in that output, does that mean it's not there?...

x509 - getting an error while trying to convert a pfx without password to jks

When I'm trying to convert a pfx file, which was generated without a password, to jks I get a "WARNING WARNING etc..." message from keytool, and an error afterwards. When I do the same with a password-protected pfx, then everything is fine. Can anyone suggest what I can do!? Maybe a conversion from other formats or using other tools? PS. I also did a conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.

EDIT

keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects\ceva.pfx" -srcstoretype pkcs12 -destkeyst...

x509 - Sign XML document with .jks compatible key store

I am signing a SAML Response and Assertion with an x509 certificate. The response is posted to a Java app, which throws the error "Signature length not correct…". I am asked to make sure that the XML doc is signed with a certificate in JKS format and not PKCS12. Is there a way to sign an XML document in JKS format in C# and then post the SAML response to the Java app?...

How to properly include custom information into X509 certificates

I'm working on implementing a web service that uses X509 certificates for authentication and authorization of the caller. Is it proper to specify the entity type (i.e. "end user" or "device") as part of the subject name, with, say, the OU RDN? Is it proper to specify the identity of the entity as part of the subject name, with the CN RDN? Is the best place for the authorization tokens to be part of the X509.v3 extensions (I understand authorization info, like "have access to cookie jar", doesn't belong in the subject name section)? If I am to include custom ex...

ca - Correct x509 Extensions for an SSLserver certificate

I have a task to sign an SSLserver certificate request with my CA server. I have created the certificate request via the SSLserver's private key. I have then proceeded to sign this request with the existing CA server's certificate. However, when submitting the generated SSLserver certificate I receive an error informing me that the SSLserver certificate has the incorrect x509 extensions (see below for the ones in the certificate).

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage: critical
        K...