Collaborate Disseminate
I would like to implement kind of a trust-on-first-use (TOFU) scheme with TLS:
A client creates a key and a self-signed certificate.
The client connects to the server with this certificate.
The server accepts the connection… Continue reading Verify that a second TLS connection comes from the same client
Goal: Using Apache httpd to accept connections if the client’s leaf (end-entity) certificate is among a list of specified leaf certificates.
Ideally, I would be able to concatenate a limited number of client leaf certificates in SSLCACertificateFile and Apache would simply test if the connecting client is using one of the specified client certificates.
In one of Thomas Pornin’s answers he notes the following:
The server will need to validate the client certificate with regards to some trusted CA; you use SSLCACertificateFile or SSLCACertificatePath to configure these CA. It is possible to put a specific client certificate there directly, too (that’s called “direct trust”).
This seems to indicate that you can configure an Apache server to trust a specific certificate and not all certificates signed by the parent certificates. That is, if we have a chain: root -> A -> B -> leaf , then “direct trust” will only trust the leaf and not all leaf certificates signed by root.
I haven’t currently been successful in implementing this. If I set SSLVerifyClient require then placing only the leaf certficiate in SSLCACertificateFile results in the error unable to get local issuer certificate. SSLVerifyClient require essentially means that SSLCACertificateFile must include the certificate’s entire chain. If SSLVerifyClient optional_no_ca, then no validation happens at all. A client has the option of attaching a certificate but it is not validated against SSLCACertificateFile.
I’m in the process of implementing 802.1x WPA2 Enterprise Authentication using FreeRadius and EAP-TLS (Mutual TLS Cert Based Auth).
I am keen to understand how to actual protocols work together and how they keep our WiFi net… Continue reading WPA2 Enterprise EAP-TLS Key Exchange
I’m in the process of implementing 802.1x WPA2 Enterprise Authentication using FreeRadius and EAP-TLS (Mutual TLS Cert Based Auth).
I am keen to understand how to actual protocols work together and how they keep our WiFi net… Continue reading WPA2 Enterprise EAP-TLS Key Exchange
I am creating an API endpoint that receives payload from a third party. The third party is signing the request with there X509 Certificate(Private Key). I have been provided with their Public Certificate. How do I verify that… Continue reading Testing Digital signature on an incoming request via Apache
I am creating an API endpoint that receives payload from a third party. The third party is signing the request with there X509 Certificate(Private Key). I have been provided with their Public Certificate. How do I verify that… Continue reading Testing Digital signature on an incoming request via Apache
I’m trying to create an environment with cross-signed CAs, and verify a certificate issued against one of the CAs, all using openssl. The best I got so far is getting openssl into an endless loop while verifying (the loop is … Continue reading How to properly create and use cross-signed CAs and certificates
How can we identify which root CA client used when there are multiple root CAs on the server?
We can compare the public keys of the client certificate and the root certificate but if we have many root certificates this is an… Continue reading How to identify which root CA does the client certificate use?