Is it common practice to remove trusted certificate authorities (CA) located in untrusted countries?

With all currently ongoing global conflicts in the world, I was thinking about removing default trusted certificate authorities root certificates that are from countries that are (no longer) considered trusted for example due to sanctions,…

How to generate a p12 with javascript generated key pair and server side internal CA

I’m working on a client-certificate based authentication of users for a website.
The server configuration part is OK
(Apache server, keywords: SSLCACertificateFile / SSLVerifyDepth / SSLVerifyClient optional)
The server code part is OK too…

Short-Lived Certificates Coming to Let’s Encrypt

Starting next year:

Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we’ve done so much to encourage automation over the past decade, most of our subscribers aren’t going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It’s not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day…

How to determine hashing algorithm of a public key in the certificate?

The certificate has the fields Signature algorithm and Signature hash algorithm, which determine what algorithm the certificate was signed with, and Public key, which determines what algorithm the information will be signed with, but how c…