Is it a good idea to reuse certificate issued by public CA for internal database client authentication?

Let’s say we have:

Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let’s Encrypt) with both server auth and client auth usages.
A database using mutual T…
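The scenario above turns on what the database does with a client certificate once it arrives. The following is an added example (not part of the question, and not anyone's production code): with the openssl CLI it builds a throwaway internal CA, a stand-in "public" CA, and a few leaf certificates, then applies the three checks a relying party needs before trusting a client certificate, namely that it chains to the CA the database was explicitly configured to trust for client authentication, that it carries the clientAuth extended key usage, and that the identity it presents is on an allow-list. All names (internal-db-ca, public-ca, api.example.com, other.example.com) are constructed, and `openssl x509 -ext` requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the question above: a throwaway internal CA and
# a few client certificates are built with openssl, and authorize_client()
# applies the checks a database should make before accepting a client cert:
#   1. it chains to the CA the database was explicitly told to trust for
#      client auth (not to "any" trusted CA);
#   2. it carries the clientAuth extended key usage;
#   3. the identity it presents is on the database's allow-list.
# All names (internal-db-ca, public-ca, api.example.com) are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA DNSNAME EKUS LABEL: leaf cert signed by CA; prints its path.
issue_cert() {
    ca=$1 name=$2 ekus=$3 out="$WORK/$4"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$out.key" -out "$out.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
        "$ekus" "$name" > "$out.ext"
    openssl x509 -req -days 1 -in "$out.csr" -CA "$WORK/$ca.pem" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$out.ext" \
        -out "$out.pem" >/dev/null 2>&1
    echo "$out.pem"
}

# authorize_client CERT TRUSTED_CA ALLOWED_DNS: exit status 0 only if all
# three checks pass.
authorize_client() {
    cert=$1 trusted_ca=$2 allowed=$3
    # 1. chain only to the database's own trust anchor, for the client purpose
    openssl verify -CAfile "$trusted_ca" -purpose sslclient "$cert" \
        >/dev/null 2>&1 || return 1
    # 2. require an explicit clientAuth EKU (-purpose alone tolerates a
    #    certificate that has no EKU extension at all)
    openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication' || return 1
    # 3. exact match of one SAN DNS entry against the allow-list
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$allowed" || return 1
    return 0
}

make_ca internal-db-ca          # the CA the database trusts for clients
make_ca public-ca               # stands in for a publicly trusted CA

TRUSTED="$WORK/internal-db-ca.pem"
INTERNAL=$(issue_cert internal-db-ca api.example.com clientAuth internal)
PUBLIC=$(issue_cert public-ca api.example.com serverAuth,clientAuth public)
SERVER_ONLY=$(issue_cert internal-db-ca api.example.com serverAuth server-only)
OTHER=$(issue_cert internal-db-ca other.example.com clientAuth other)

# report LABEL CERT: human-readable verdict for the demo run.
report() {
    if authorize_client "$2" "$TRUSTED" api.example.com; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}
report "internal CA, clientAuth, api.example.com" "$INTERNAL"
report "public CA, serverAuth+clientAuth" "$PUBLIC"
report "internal CA, serverAuth only" "$SERVER_ONLY"
report "internal CA, other.example.com" "$OTHER"
```

The point of keeping the trust anchor and the allow-list as separate checks: if the database were configured to trust a public root for client authentication, every certificate that CA issues for any domain would pass step 1, and only the name check would stand between an arbitrary certificate holder and a database login. Which EKUs a public CA includes in the certificates it issues is also the CA's decision rather than yours, so the second check can start failing without any change on your side.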

Browsers don’t trust SSL certificates of network-local host signed by own CA

I’ve got a Mayan EDMS running on a computer on the local network. The Web App is exposed via HTTPS on the non-standard port 8001 and it uses an SSL certificate that is signed by our own CA.
The CA is installed in my browser, but my browse…

Name Constraints, empty sets in permitted subtree (RFC 3280 vs RFC 5280)

I’m trying to understand the effect of empty sets in permittedSubtrees in both RFC 5280 and RFC 3280. There is something that doesn’t compile in my head.
Scenario:
We have a CA certificate with the following Name Constraints setup:
Permit…

What is the best practice for relying parties to selectively trust certificates in a corporate pki hierarchy?

I have a pki infrastructure for internal company use.
In this pki there are multiple registration authorities whose responsibility is to:

receive certificate issuance requests
verify the identity of the user/device/entity requesting the c…

How to make 3 separate issuing Certificate Authorities aware when a certificate has been revoked on 1 Certificate Authority?

There is one offline Root CA. There are 3 issuing CAs, each on their own domain. There are domain trusts in place, but these domains are not in the same forest.
All 3 domains and CAs are managed by a different team.
These 3 issuing CAs w…

Is there a way to find out which certificates came preinstalled with Windows and which ones installed afterwards?

I’m looking for a way to find out which certificates, whether machine level or user level, came preinstalled with Windows (when using official Microsoft ISO file to clean install the OS) and which certificates were installed afterwards, by…

Evaluating the use of encryption across the world’s top one million sites

A new report from security researcher and TLS expert Scott Helme evaluates the use of encryption across the world’s top one million sites over the last six months and reveals the need for a control plane to automate the management of machine identitie…

How can I request a certificate from an internal CA if my machine is Azure AD joined?

I’m using GhostPack’s Certify to discover vulnerable certificate templates on an internal certificate authority named certauth.megacorp.local. I’ve found a vulnerable template and was successfully able to modify it to allow ENROLLEE_SUPPLIE…