I am using gSOAP and it was compiled WITH_OPENSSL. I have found that there is only an API soap_ssl_server_context which takes as PEM file.
Is it possible to provide the private key to gSOAP layer without passing through the PEM files? i want to use HSM
Typically for key management, an HSM e.g. a Thales Payshield 9000, will provide a public key in DER binary format (which can be converted to PEM format using binary->base64 conversion).
However, it is not really intended to provide you with the Private key in DER or PEM format. The private key will be encrypted with the HSM LMK (Local Machine Key).
This means that only HSM can translate the encrypted value (often a pin verification key) to another encryption key. This really is the point of having an HSM e.g. PCI compliance for Visa or MasterCard. You are not meant to get the clear data in software.
If you need to decrypt the data yourself, perhaps just use a software solution like .net RSA or BouncyCastle.
Related
I had a private key/certificate used for the last 10 years. However, now Apache refuses to start with this private key (it's only 1024bit long) and I want to create a new CA for my lab and explore the subordinate CA as well.
Now, I want to create a new CSR for both the CA and the subordinate CA. I am using Ansible for the creation of the keys/csr/certs, by the way.
Now my questions: I understand that you can limit he usage of a certificate/public key by using the relevant option (key usage and extended_key_usage).
My question is:
Do I need to specify any restriction for the CA/subCA?
If so, which restrictions should I apply?
Thank you
Do I need to specify any restriction for the CA/subCA? If so, which restrictions should I apply?
If it's your lab, you actually don't need/ don't must to specify any KU or EKU (key usage or extended key usage). However - in my opinion it's better if you do it (to be as close to the real env as possible and some frameworks may complain about it)
You may actually check how common CAs are building their certificate chain. What I use:
CA certificate:
KU: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Basic constraint: Subject Type=CA, Path Length Constraint=0
Server / client certificate:
KU : Digital Signature, Key Encipherment
EKU: Server Authentication, Client Authentication
Basic constraint: Subject Type=End Entity
Though it depends what do you want to do with the certificates. There are several nice docs around, such as this one
Does anyone know how to transition authentications on NTP? I've done copious amounts of research, none being fruitful. For example, NTP currently using MD5, how do you move over to SHA1?
NTP if compiled along with OPENSSL libraries, then NTP uses OPENSSL libraries for cryptographic operations.
Then you can use different types of message digest algorithms supported by OPENSSL. This is a link which explains configuring ntp key file.
The key file where the keys will be present should be added to the /etc/ntp.conf file.
The keys to be used for generating the digest will be present under
/etc/ntp/keys . This path should be added to /etc/ntp.conf file to specify that this is the keys file.
The structure of the entry in the file will be
This is an example of the keys file
You can mention the keytype as "SHA1" to use SHA1 authentication.
Further details about the length of the digest and keys can be found here:
https://www.eecis.udel.edu/~mills/ntp/html/authentic.html
You can have multiple keys one next to the other.
SO:
first add the new key everywhere
delete the old key once it's added everywhere.
As I am doing my routine penetration testing and found the vulnerability in which OpenSSH have weak RSA-2048 and DSA-1024 keys.
So, I have downloaded the exploit for the same and got some weak keys.
Now, when I am trying to authenticate into the system using RSA private key/ Public key. It still ask me for the password.
I have used the way
ssh -i /my/keys/location user#IPaddress
But, the conceptually, while using RSA keys for the authentication, it should not ask for the password.
May be you will think that, the RSA keys are not present in authorized_keys
The keys are founded by using bruteforcing so they are present in authroized_keys.
Any comment or suggestion regarding the same are most welcome.
Regards
The server mode SSL must use a certificate with the associated private key.
I have my Base64-encoded .crt file and another huge text file with lots of info, from my certificate provider, which includes the private RSA key in an equivalent format.
I tried putting that in a .pvk file to later make the .pfx one, and it didn't work. (nice try, right?)
What do I need to actually do to use this certificate to use SSL in my .NET application?
Edit: Made a proper .pvk, made the .pfx, still, same error.
I finally solved this. I had to use System.Security.Cryptography.X509Certificates.X509Certificate2 with the .pfx file.
The simple X509Certificate didn't seem to work.
Recently, I have to convert an java project related to rsa/des encryption into an iOS project. The provided rsa key strings are from x.509 and PKCS8, however, security.framework only support PKCS12. I've been searching for libraries a long time, but it seems that currently there are not any objective-c libraries that support PKCS8. (I don't want to use Chilkat for some reasons)
The origin version of the project was written in C# which uses an XML string to generate RSA public/private key pair. I guess that generate rsa key pair by myself might be a better solution. Thus, my question is, are there any methods to convert rsa xml data to standard pem key format? Or there are other existing libraries that supports PKCS8?
Hubert
If you can convert the keys at compile time, you can use OpenSSL to do so that it can convert between virtually any certificate / private key formats. Then you embed the certificates in the application bundle in PKCS12.