Collaborate Disseminate
When I try to connect to the site https://api-mte.itespp.org with OpenSSL (openssl s_client -connect api-mte.itespp.org:443 -brief), it complains that the DH key is too small. But when I analyze its certificate, it says the RSA key is 2048… Continue reading Why do I get the error "dh key too small" when the RSA key is 2048 bits?
I have my own CA root certificate and I’ve been signing CSR (with this certificate) directly with openssl x509 -req (internal https, mqtts, etc). For a project I need to have revocation lists of the signed certificates and so I googled how… Continue reading The current crlnumber file is not being created [closed]
I’m trying to understand the difference between generating a private key using openssl genrsa and adding -newkey to req.
I found a 2014 answer saying the underlying code is the same, one from 2015 saying the encryption is different, and a … Continue reading openssl: genrsa vs req -newkey private keys. What’s the difference?
I’m trying to set positive trust attributes to a certificate, however, in openssl’s documenation there is no information about how to set them:
From the OpenSSL perspective, a trust anchor is a certificate that should be augmented with an… Continue reading How to set/modify "positive trust attributes" in a certificate for openssl
We have a service running as a container for which there some reported vulnerabilities in OpenSSL. Our service is behind the Application Load Balancer, which ideally should terminate the traffic at the load balancer before decrypting the t… Continue reading Can OpenSSL vulnerabilities be mitigated by Load Balancer service from Cloud Providers
I read a lot of articles about self signed certificates and I’m not exactly sure if I’m getting near to what I want to actually achieve.
I’m trying to implement a self signed certificate so that the end users will not be seeing the "n… Continue reading self signed certificate
I’m new and I’m trying to understand default_crl_days. The default is 30 days thus does it mean after 30 days, the CRL list can no longer be trusted? If so, do we need to generate a new list before 30 days is up?
And what would be the reco… Continue reading What is default_crl_days in OpenSSL and recommended days?
I’m reading this and it has the below (excerpt).
# Certificate Authority Section
[ ca ]
default_ca = CA_default # The default CA section
# Default CA configuration to sign a Certificate (Public Key)
[ CA_def… Continue reading Are sections in openssl config file case sensitive?
Per the OpenSSL 3.1 documentation for the x509 subcommand, the -sigopt flag allows one to pass signing options. The documentation for that flag currently states:
-sigopt nm:v
Pass options to the signature algorithm during sign operations… Continue reading openssl x509 -sigopt algorithms and options list?
I’m trying to set-up a certificate chain (CA root -> Intermediate CA -> Server certificate)
Here’s my attempt:
Creating CA Root:
##!/usr/bin/env bash
set -xeuo pipefail
CA_DIR=server/generated/ca-root
REQ_DIR=server/requests