Intermediate issuer field didn’t match its CA subject field

While debugging yesterday’s Cloudflare incident, I found out their intermediate certificate issuer field differs from its signing CA subject, even though the AKI/SKI were correct.
Here’s the relevant CA info,
❯ openssl x509 -noout -text -in ~/D…

Should I house my organization’s root CA certificate in a public github repository?

We have a public repository of software that uses a Docker container. Anything that runs within the organization sees certificates signed by our org’s root CA. For the container to run properly within our org, the root CA certificate need…

Can a wildcard certificate act as CA for subdomains? [duplicate]

Inspired by Is LetsEncrypt activity Public?
Say I’ve got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might obviously get stolen.
Can I use *.mycomp…

Why do some SSL clients need a full certificate chain and others don’t? [duplicate]

I was setting up a private docker repository and by mistake, I included the server certificate without a full certificate chain.
I can access the repository (https://privserver1.64hosts.com:5004/) with Chrome, and Chrome reports the SSL ce…

Is there a security reason why few CAs offer IP-based SSL/TLS certificates?

I’ve heard numerous times that few CAs offer IP-based SSL/TLS certificates.
This question seems extremely similar, but what the accepted answer says is:

Usual commercial CA won’t accept to encode IP addresses in certificates, in particula…

Are my internal systems susceptible to MitM if the root/chain is shared amongst all customers?

Suppose that my certificate authority issues private certificates using the same chain for all of their customers. Does this mean that a malicious actor who happens to be another one of their customers can easily perform a MitM without a …