How to generate a p12 with javascript generated key pair and server side internal CA

I’m working on a client-certificate based authentication of users for a website.
The server configuration part is OK
(Apache server, keywords: SSLCACertificateFile / SSLVerifyDepth / SSLVerifyClient optional)
The server code part is OK too…

Short-Lived Certificates Coming to Let’s Encrypt

Starting next year:

Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we’ve done so much to encourage automation over the past decade, most of our subscribers aren’t going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It’s not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day…

How to determine hashing algorithm of a public key in the certificate?

The certificate has the fields Signature algorithm and Signature hash algorithm, which determine what algorithm the certificate was signed with, and Public key, which determines what algorithm the information will be signed with, but how c…

In TLS 1.2 why are certificate signature algorithms not limited by supported cipher suites?

TLS 1.2 clients and servers are typically configured to support a limited set of cipher suites. These suites include signature algorithms that are typically used for the ephemeral key exchanges during the handshake. Additionally, the Clien…

Apple’s 45-day certificate proposal: A call to action

In a bold move, Apple has published a draft ballot for commentary to GitHub to shorten Transport Layer Security (TLS) certificates down from 398 days to just 45 days by 2027. The Apple proposal will likely go up for a vote among Certification Authority…

Should I house my organization’s root CA certificate in public github repository?

We have a public repository of a software that uses Docker container. Anything that runs within the organization sees certificates signed by our org’s root CA. For the container to run properly within our org, the root CA certificate need…

Can a wildcard certificate act as CA for subdomains? [duplicate]

Inspired by Is LetsEncrypt activity Public?
Say I’ve got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might obviously get stolen.
Can I use *.mycomp…