I'm currently developing a graph app for neo4j desktop. From what i figured out, app should be signed with neo4j#code-signer (which utilizes node-forge i presume).
It needs a certificate and private key (and password probably).
What i can't figure out is, what kind of certificate is actually needed?
I signed my app with self-signed certificate which produced a big untrusted warning in neo4j desktop (touche, i should have known).
I used my ssl key which enabled my HTTPS, but this produced an error in neo4j desktop:
Certificate keyUsage or basicConstraints conflict or indicate that
the certificate is not a CA. If the certificate is the only one in the
chain or isn't the first then the certificate must be a valid CA.
Both options did produce signature.pem file.
Do i need to buy a Code Signing Certificate for this? If so, standard or EV?
Any help would be greatly appreciated!
Maybe this is going to help somebody:
There wasn't any issue with my certificates.
I got an answer from neo4j offical, that they are (at the time being) signing apps internaly, and that there is no automated way to do this (yet).
Related
We are required to add certificate for https://www.googleapis.com/youtube/v3/videos to our trusted certificates on our servers for complying with security policies.
We noticed that the certificate expires on the 24th of November,2016. Can someone help with a support team mailing list which we can contact to get the new certificate in advance so that there is no outage for the functionality.
Thanks
I think you are missing a basic concept of TLS: the role of a certificate issuer.
You usually don't lock yourself to a specific certificate for a site and hope that somebody will provide you with the new certificate up front if the old certificate expires and that you then can change all your clients to accept this new certificate. This simply would not scale.
Instead you trust an issuer (CA - certificate agency) to issue a certificate for a specific site. Then you check for any certificate you got that the trust chain to your locally trusted certificate is fine and that the subject of the certificate matches the site you access. The same CA certificate (or at least the public key inside) will be used for many years to issue new certificates, contrary to leaf certificates which are only valid for 1..3 years or even a few month only to reduce the risk of compromise.
In summary: Don't expect anybody to tell you up front when they issue a new certificate because nobody will tell you. Instead do it like everybody else and trust a CA.
TL;DR: you can't. Validate the certificate using CA list.
Google already use a pinning mechanism in chrome:
https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json
But www.googleapi.com is not pinned in that list (only translate.googleapis.com), it means google didn't ensure anything about his keys/certificate/certificate chain. So you can't pin it without taking the risk to break something, even before the renewal: they could change the certificate and/or the chain without notice.
I had installed SSL certs one one of my cloud server by following this:
http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache
I am running jetpack plugin on my wordpress blog. The jetpack plugin is not getting connected to wordpress. I have talked with the Jetpack support guys and they say this:
Support Reply
"The problem is that OpenSSL doesn't recognize your certificate's Certificate Authority's certificate. The that URL works in browsers is because most modern browsers allow for certificate discovery by reading the "Authority Information Access" metadata from the certificate, which contains a URL from which the browser can download the CA's certificate. OpenSSL does not.
The best solution is if you can configure your webserver to supply the entire SSL certificate chain, rather than just your own certificate. That's what we do on WordPress.com. Sending the entire chain will also make your sites more compatible with older (and I believe some mobile) browsers."
Can any one describe me how can I install or provide entire certificate chain???
Thanks
These pages might help with setting up a CA and then creating a certificate: https://help.ubuntu.com/community/OpenSSL#SSL_Certificates
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
I have a simple question (maybe stupid) and i didn't find any clear answer to it. If i get a certificate from a trusted signing company (like verisign...) for one of my server (web for instance), i'll have private an public keys. With this certificate can i set up my own intermediate CA and sign cert request and the be trusted by every one (i know that's shouldn't be..)? My real question is : what will prevent me for issuing certificate and how the company can garanty that nobody does ??
Thanking in advance!
The certificate issued for your web site is suitable for SSL/TLS and is not suitable for issuing other certificates (Key Usage field is different). Consequently while you technically can generate another certificate using yours as a CA, such generated certificate won't be trusted by properly implemented and configured validators (those that check Key Usage).
You are not paying verisign or other certificate organisation for the certificate publishing but for the certificate validation, this meens that they have web services that respond if your certificate is valid or not, if it is still active and not expired and your contact information as requested.
Unfortunatly this is something you have to live with it and pay them if you really need ssl over your site.
I have used a homemade certificate for my lan server and when i visit this https site a big red warning notifies me that this site is malicious and it has not a valid certificate. This doesn't bother me but I am sure that all of my clients would have freeked out if they see such a bold warning popping up to their browser.
what can you do? it's a companies' world
I made an application, which communicates over the. net SSLStream, and for developing I used makecert.exe to create a self signed ssl certificate. Now Ive read in some microsoft article, that makecert should be used for testing only.
Now my question is: is the application safe with this cert, or which program can i make a safe and comparible cert?Any help will be greatly appreciated
Edit: The self signed Certificate is hardcoded into the client application and it compares it everytime it establish a connection, so man-in-the-middle attack couldnt work, but how random are the makecert Certificates?
I would recommend using OpenSSL to create a self-signed certificate used for production environment. I've never made thoughts about makecert.exe. To be honest: You want to achieve an encrypted transfer of your data using SSL between your Application and the server.
The hole certificate wont be displayed to the "user/customer". The only reason nowadays is to embedd a badge with "this is a secure page" to the page on which SSL is enabled.
If you are looking for this, you will definitely need a signed Certificate from a CA. If you are thinking about this, i recommend StartSSL, because it's far the cheapest and offers you for one time validation nearly unlimited wildcard certificates. Its trusted by microsoft and you can create a code-signing-cerficiate for free. (Onetime fee for validation only).
Concerning the randomness and security of the certificate:
If you are validating the fingerprint of the certificate you are connecting to, there should be less security concerns. (i.e. Fiddler won't work this way).
SSL is based on RSA Algorithm so when generating a private/public keypair with a keysize of 2048 or even 4096 (max. on StartSSL) there shouldn't be any security concerns. How to create the Certificate you will find here If you wont trust RSA, you shoudn't trust anyone ;)
Keep in mind that most universities using self signed certificates created using OpenSSL. Its now FIPS certificated and allowes you a wide bunch of settings to achieve fit your system.
It's safe if you find some secure way to get the certificate to everyone who uses your application. Otherwise, they'll have no way to know they're really talking to your application. Anyone else can run makecert just like you did, and nobody will have any way to know whether they're really talking to you. A certificate issued by a CA bind your identity to a certificate, allowing clients to know they're really talking to the right service.
When you punch https://www.amazon.com into your browser, how do you know you're sending your credit card information to Amazon and not an imposter? Well, Amazon has a certificate that was issued for www.amazon.com by a certification authority. An imposter could not get such a certificate -- the authority wouldn't issue it.
But if Amazon used a self-signed certificate ... well, anyone can do that. So how would I know I was actually talking to Amazon? I would have to know ahead of time which self-signed certificate that claimed to be for www.amazon.com was the right one. I wouldn't have a CA's stamp of approval to tell me.
you hardcoded your password (as a long cert) into your application, and you are asking if it's safe?
all I need is a copy of your code or wherever you stored it and I can hack all the apps you ever write. plus you cannot update or change it.
Self-signed certificates say essentially "I certify that I am I. Signed: I". Look up how to set up you own certificate authority (it depends on your choosen environment, and there are several options). Use that authority to issue certificates, and set the servers and clients to trust your CA. No need to pay $$$$ for them, plus you know exactly under what conditions you hand out certificates.
Can we make it possible that browsers ignore self signed certificate?
or is it possible to just show a message to the user so that when they click on the confirm/approve/submit it stores a certificate exception?
Note: I am using PHP and ask about SSL for Facebook apps.
No it is not possible to make all browser ignore self signed certificates, the whole system relies on a trusted party to sign certificates to validate them.
If by ignore you mean to remove the warning, no, you cannot do that. It is one of the main principles of SSL trust to require the "chain of trust" to be in effect.
Furthermore, this is a browser-related problem, it does not matter what language you use at the back end. You can get some more information here, not much good news thought.
No, you can't make browsers accept your self-signed certificated.
However, you can get free SSL certificates from these two providers:
StartSSL / StartCom
CACert.org
I have no experience with CAcert however I have some with StartSSL; here is a step-by-step guide to get free SSL certificate with StartSSL I've written on my blog: http://nicolas.landier.org/2013/03/17/get-a-free-ssl-certificate-with-startssl/