certificate-revocation – Page 8

GnuPG sub-keys revocation

Posted on August 5, 2018 by user3368561

My current GnuPG key schema is the one recommended in OpenPGP Best Practices and many other sources. It consists in one offline master key plus a set of sub-keys for day-to-day operations stored inside an smart card.

My ques… Continue reading GnuPG sub-keys revocation→

Do long lived TLS connections pose a security risk?

Posted on May 30, 2018 by jdgilday

I would like to better understand the implications of maintaining a long lived (hours, days) TLS connection with respect to certificate revocation. As I understand TLS, the client verifies the server’s certificate during the … Continue reading Do long lived TLS connections pose a security risk?→

User mail certificates policy: Is expiration+renewal better than no-expiration+revocation?

Posted on March 12, 2018 by Samuel

In our environment, we provide user certificates to sign or encrypt emails. This is an internal setting, meaning the CA is internal to our organization (not a public CA) and handled by our Active Directory PKI.

User certific… Continue reading User mail certificates policy: Is expiration+renewal better than no-expiration+revocation?→

Revoked cert not showing revoked in Chrome 64.0.3282.186

Posted on March 4, 2018 by Oli

As far as I can tell (ssllabs.com / ssldecoder.org) the certificate for www.sarahah.com has been revoked:

Serial C1:18:2F:1A:91:A9:0E:03

CRL – Revoked on CRL: http://crl.godaddy.com/gdig2s1-792.crl
Revocation date: Mar 1 1… Continue reading Revoked cert not showing revoked in Chrome 64.0.3282.186→

Certificate revocation with reason code removeFromCRL

Posted on February 7, 2018 by André Zúquete

RFC 5280 says:

“The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold.”

My question… Continue reading Certificate revocation with reason code removeFromCRL→

What is the status of Certificate Transparency?

Posted on January 25, 2018 by KojoUzochi

I am reading a bit on the certificate transparancy project initiazed by google. (More info at http://www.certificate-transparency.org), this technology tries to introduce transparency in the creation of CA certificates. Their… Continue reading What is the status of Certificate Transparency?→

Is the Offline Root CA Obsolete?

Posted on January 17, 2018 by user2320464

There are countless “how-to” articles and best practices recommending use of an offline root certificate authority (CA). Though as the title suggests, is this recommendation obsolete?

The context of my question is for small to medium ente… Continue reading Is the Offline Root CA Obsolete?→

Certificate and key abuse

Posted on January 17, 2018 by Lorensius W. L. T

I made a mistake several years ago by uploading OpenSSL certificate key (.pem and .pk8) into a blog post. The key was used to sign Android apk using SignApk.jar tool. Someone took it and used the key to sign malware apps and … Continue reading Certificate and key abuse→

Are all (or most) expired certificates issued by 3rd party certificate authorities also marked as revoked?

Posted on October 24, 2017 by Mike B

In a recent online course, an instructor stated:

Once you’ve created a certificate, eventually you are going to have to
revoke it, and even if that’s just to renew it, really, I mean if you
have created a certificate… Continue reading Are all (or most) expired certificates issued by 3rd party certificate authorities also marked as revoked?→

ways to check a certificate fingerprint against known logs

Posted on September 28, 2017 by jj_p

Suppose I have a certificate sha-256 fingerprint, which I can obtain say visiting the relevant domain in firefox or from a shell script using openssl, and i want to verify this fingerprint. one option is to look up the domain… Continue reading ways to check a certificate fingerprint against known logs→