Any plans to support CT (Certificate Transparency) for SSL certs signed by a self-signed CA? - ssl-certificate

I have tried Google's Certificate-Transparency-Go to build a CT log server, but could not build it successfully.
Every CT log server does NOT support posting an SSL cert signed by a self-signed CA.
Are there any plans to support CT for an unauthoritative CA?

Related

How to create a Standards Compliant Intermediate SSL Certificate

I have a certificate chain comprised of the root certificate, intermediate certificate, and server certificate. The root certificate is installed on my local machine. The intermediate certificate and server certificate are installed on my Tomcat server.
I am unable to find instructions anywhere on how to create an intermediate certificate such that it is standards compliant. This is the error that I am receiving:
Here are the details of the "inter" certificate, according to KeyStore Explorer:

SSL self-signed certificate: one-way or two-way TLS

I am using the OpenSSL program to generate my self-signed SSL certificate, and have created a CA certificate and a webserver certificate. I have signed the webserver certificate with the CA certificate. I created a keystore with Java's keytool to import the webserver's certificate.
On the client side, I have imported the CA certificate into the client's Certificate Manager, under "Trusted Root Certification Authorities".
In theory, is this considered one-way TLS or two-way TLS communication?
Thank you so much for the help!
In the TLS protocol, by default the client validates the server's authenticity: the server sends its certificate during the handshake and the client validates it with the CA certificate in its trust store. This is a one-way setup.
For two-way, during the handshake the server also asks for a certificate from the client, and it validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use a two-way setup, you need to generate a client CA certificate and a client certificate (it will be signed by the client CA certificate), and you need to configure the same CA certificate at the server so that it (the server) will be able to validate the client certificate it received during the handshake.
You can also decide to keep the same CA certificate for both client and server certificates, making sure the client and server certificates are signed by the same CA.
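
The trust-store check each side performs in the one-way and two-way setups described above, as an added example that is not part of the original answer. It uses the `openssl` CLI; all names (`demo-ca`, `other-ca`, `server.example.test`, `client-01`, `rogue-client`) are constructed, and a single private CA signs both server and client certificates.

```bash
#!/usr/bin/env bash
# Added example: private CA, server cert, client cert, and the chain check
# that a TLS peer runs against its trust store. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA certificate and key (the private trust anchor).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: new key and CSR for NAME, then a certificate signed by CA.
issue() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusts CA CERT: succeeds only if CERT chains to CA (the peer's trust store).
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# check LABEL CA CERT: print the verdict for one validation.
check() {
  if trusts "$2" "$3"; then echo "$1: trusted"; else echo "$1: rejected"; fi
}

make_ca demo-ca
make_ca other-ca
issue demo-ca server.example.test   # presented by the server in both setups
issue demo-ca client-01             # presented by the client in two-way TLS
issue other-ca rogue-client         # client cert from a CA the server does not trust

check "one-way, client validates server" demo-ca server.example.test
check "two-way, server validates client" demo-ca client-01
check "two-way, client from unknown CA"  demo-ca rogue-client
```

In a real deployment the server enforces the second check only when it is configured to request a client certificate; importing the CA on the client alone gives the one-way case.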

Sign a CSR with keytool

I have to create an SSL connection between a client and a server. I've created a keypair and signed my public key with my private key. The server won't trust this so I need to get it signed by a CA. I presume that the server will trust a certificate which has been signed by the same CA as was used to sign its own certificate. How do I do the business of creating the signed certificate with keytool? Sorry if this is duplicated information on the Oracle website, but for some reason their pages keep breaking my internet browser.
knowledge so far is based on answer here
I presume that the server will trust a certificate which has been signed by the same CA as was used to sign its own certificate.
Correcting your assumption here: A system trusts various major Certificate Authorities (CAs) by default (e.g. GeoTrust, Entrust, OpenTrust, Verisign, etc.). When you get your CSR signed by any of these known CAs, the server will trust it by default, not just by the CA that signed the server's certificate.
What you could do to test your SSL connection between the client and the server is to work with self-signed certificates.
I've created a keypair and signed my public key with my private key
You shouldn't be doing this as a client. The server is supposed to do this. If the server is working with self-signed certificates, they need to provide the client with that certificate, so that the clients can trust them to make the SSL connection.
As a server, you could use keytool to create a self-signed certificate. When you are generating a keypair using keytool, it will ask you for a few attributes like commonName, organizationName, etc. Using these attributes, keytool will create a self-signed certificate and associate it with the private key. All you have to do is export this certificate using the keytool -exportcert command. Once you have done this part, you would use this certificate to secure the server.
Once the server is secured, the server should give the client this certificate, because it is self-signed and the client's system will not trust it until you explicitly trust it. If the server has been secured using a certificate signed by a CA, it need not provide the client with any certificate, because, if it is a known CA, it will already be trusted by the client system.

How can I use a Self Signed Certificate for authentication in IIS 7?

I have an MVC 3 application running on IIS 7 that associates users to their client certificates during registration.
I am currently using an ECA certificate issued by ORC to log in to this application locally.
I need to create self-signed certificates that I can use to create new users in this application and assign to the self-signed certificates.
I have created a self-signed Certificate Authority certificate. I used that certificate to sign a server and client certificate. The Certificate Authority is installed in the Trusted Root Certification Authorities of the Computer Account on the machine I'm using. The client certificate is installed in the Personal Store of my account.
With the above configuration, my browsers will only prompt me for the certificate issued by ORC, and not my self-signed certificate. How can I get the browser to prompt me for the self-signed certificate so that all communication with the server will use my self-signed certificate instead of the ORC issued ECA certificate?

Symantec EV SSL with Heroku?

Does anyone know how to set up a Symantec EV SSL Certificate on Heroku? I'm super confused at the moment. They offer me download of an X.509 Cert and a PKCS7 Cert. In addition, I can download Apache Bundle, Plesk Bundle, Certificate Issuer, or Intermediate CA 1. I'm lost.