Collaborate Disseminate
My mind has been blown by my learning the last few days…it seems that browser handling of CA CRLs and OCSP checking has so much variation present. I’m experimenting with my own root CA, with intermediate CA, and server certificates (like… Continue reading practical applications and revoked intermediate/issuing CAs
Systems like Certificate Transparency and Key transparency store trees of keys/certificates. How would a user be able to remove a fraudulent/expired key or certificate? Do the trees stay the same and a separate list of revoked keys/certifi… Continue reading Certificate/key revocation
I am reading about how certificates work in the context of X.509, SSL/TLS/HTTPS. According to Wikipedia, the client (e.g. a browser) is supposed to check the revocation status for each non-root certificate as a part of certification path v… Continue reading How is issuing a certificate revocation response different from re-issuing the certificate itself?
When I first generated my GPG key I created a revocation certificate for it as well. Now I’ve edited my key and its subkeys and updated their expiration. Do I need to generate a new revocation certificate?
Continue reading Is a revocation certificate still valid after updating GPG key’s expiration?
I have my own CA root certificate and I’ve been signing CSR (with this certificate) directly with openssl x509 -req (internal https, mqtts, etc). For a project I need to have revocation lists of the signed certificates and so I googled how… Continue reading The current crlnumber file is not being created [closed]
I’m new and I’m trying to understand default_crl_days. The default is 30 days thus does it mean after 30 days, the CRL list can no longer be trusted? If so, do we need to generate a new list before 30 days is up?
And what would be the reco… Continue reading What is default_crl_days in OpenSSL and recommended days?
For example, consider https://www.cloudflare.com/ssl/ where I can get a free SSL cert. If I create a cloudflare account and get an cert but delete my cloudflare account, is the cert auto-revoked? What happens to this cert now that my cloud… Continue reading Are certificates persistent outside of where it’s created?
A valid certificate cannot guarantee that I’m not being MITM’d right now, as either the private key or CA may have been compromised. For this reason, I have to contact a CA through CRL/OCSP to check if it’s been revoked. Best case, I can h… Continue reading What’s the point of certificates in SSL/TLS?
I’m learning for the first time the concept of revoking certificates. I created a certificate with openssl then I tried to revoke it. But my revoke command causes an error.
Here’s what I did
# generate key
openssl genrsa -out root.key 2… Continue reading openssl ca -revoke causes `Can’t open ./demoCA/cacert.pem`
CRL lists the revoked certificates of a CA by sending back to the user the Serial Number of each certificate, nothing related to the public key. I don’t know how it works for OCSP.
Is there a technical way on the CA side (beyond the organi… Continue reading How can I ensure that a CSR doesn’t rely on a revoked private key