Collaborate Disseminate
I am reading about how certificates work in the context of X.509, SSL/TLS/HTTPS. According to Wikipedia, the client (e.g. a browser) is supposed to check the revocation status for each non-root certificate as a part of certification path v… Continue reading How is issuing a certificate revocation response different from re-issuing the certificate itself?
When I first generated my GPG key I created a revocation certificate for it as well. Now I’ve edited my key and its subkeys and updated their expiration. Do I need to generate a new revocation certificate?
Continue reading Is a revocation certificate still valid after updating GPG key’s expiration?
I have my own CA root certificate and I’ve been signing CSR (with this certificate) directly with openssl x509 -req (internal https, mqtts, etc). For a project I need to have revocation lists of the signed certificates and so I googled how… Continue reading The current crlnumber file is not being created [closed]
I’m new and I’m trying to understand default_crl_days. The default is 30 days thus does it mean after 30 days, the CRL list can no longer be trusted? If so, do we need to generate a new list before 30 days is up?
And what would be the reco… Continue reading What is default_crl_days in OpenSSL and recommended days?
For example, consider https://www.cloudflare.com/ssl/ where I can get a free SSL cert. If I create a cloudflare account and get an cert but delete my cloudflare account, is the cert auto-revoked? What happens to this cert now that my cloud… Continue reading Are certificates persistent outside of where it’s created?
A valid certificate cannot guarantee that I’m not being MITM’d right now, as either the private key or CA may have been compromised. For this reason, I have to contact a CA through CRL/OCSP to check if it’s been revoked. Best case, I can h… Continue reading What’s the point of certificates in SSL/TLS?
I’m learning for the first time the concept of revoking certificates. I created a certificate with openssl then I tried to revoke it. But my revoke command causes an error.
Here’s what I did
# generate key
openssl genrsa -out root.key 2… Continue reading openssl ca -revoke causes `Can’t open ./demoCA/cacert.pem`
CRL lists the revoked certificates of a CA by sending back to the user the Serial Number of each certificate, nothing related to the public key. I don’t know how it works for OCSP.
Is there a technical way on the CA side (beyond the organi… Continue reading How can I ensure that a CSR doesn’t rely on a revoked private key
I know that modern web browsers don’t check CRLs for certificates from CAs in the default trust store anymore.
I also know that there are some exceptions for certificate validation when it comes to corporation / enterprise PKIs. For exampl… Continue reading Do current browsers still validate CRLs in enterprise PKI environments
This question is specifically about certificates that should have had a long lifetime, but were revoked quickly.
Is every CRL issued by this CA guaranteed to include its revocation, as long as the original certificate would still be valid?… Continue reading Does a certificate revocation list (CRL) keep it’s entries at least as long as the certificate would have been valid?