Collaborate Disseminate
I noticed that on Windows systems many expired certificates are listed in the certificate store certmgr. Should they be deleted when expired and if so why or why not?
If they should be deleted why isn’t this done automatically by Windows? … Continue reading Should expired (root) certificates be deleted from the certificate store?
I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let’s not consider that for the moment. Let’s assume we have a root CA > intermediate CAs > and leaf certificates… Continue reading When to use a CRL distribution point in a root certificate?
I have an application where a device needs a signed message "UTC date&time at time of signature", signed by an authority that it trusts. This is simpler than an RFC 3161 timestamp, which is made on request and includes a requ… Continue reading Simple certified time format
Background
(Disclaimer: I know very little on this whole topic)
Let’s Encrypt has recently dropped some Certificate Authorities (the TLSv1.0?), which is an issue for Android 4 devices, since now they can’t connect to most things on the web… Continue reading Where can I get a list of trusted certificate authorities?
With all currently ongoing global conflicts in the world, I was thinking about removing default trusted certificate authorities root certificates that are from countries that are (no longer) considered trusted for example due to sanctions,… Continue reading Is it common practice to remove trusted certificate authorities (CA) located in untrusted countries?
While debugging yesterday’s Cloudflare incident, I found out their intermediate certificate issuer field differ from its signing CA subject, despite the AKI/SKI were correct.
Here’s the relevant CA info,
❯ openssl x509 -noout -text -in ~/D… Continue reading Intermediate issuer field didn’t match its CA subject field
While debugging yesterday’s Cloudflare incident, I found out their intermediate certificate issuer field differ from its signing CA subject, despite the AKI/SKI were correct.
Here’s the relevant CA info,
❯ openssl x509 -noout -text -in ~/D… Continue reading Intermediate issuer field didn’t match its CA subject field
I have to generate a PGP keypair and share the public key with an external provider. Based on how we already handle it with RSA keypair, we are using the concept of trusted CA which issues certificate to share with providers instead of sha… Continue reading Create a certificate for a PGP key pair [duplicate]
We have a public repository of a software that uses Docker container. Any thing that runs within the organization sees certificates signed by our org’s root CA. For the container to run properly within our org, the root CA certificate need… Continue reading Should I house my organization’s root CA certificate in public github repostiory?
Inspired by Is LetsEncrypt activity Public?
Say I’ve got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might obviously get stolen.
Can I use *.mycomp… Continue reading Can a wildcard certificate act as CA for subdomains? [duplicate]