Is CA certificate same client certificate?
If not how can I get client certificate? If yes how can I use it as client certificate?
Sorry for the dumb question.
Thanks in advance.
Server cert or client cert are just certs, they only have different properties. Everyone in the certification tree (including the end-users, and certificate issuers) has a certificate, usually X509 Certificate.
The certification authorities are on a tree structure (the depth of the tree is not fixed):
Root certication authority of a country (level 0)
Certification authority 1 (level 1)
Certification authority 1.1 (level 2)
End-user 1.1.1
End-user 1.1.2
...
Certification authority 1.2 (level 2)
...
Certification authority 2 (level 1)
...
The certificate of end-user is signed by the certification authority at the leaf of the tree. And each certification authority also has a certificate which is signed by the parent certification authority.
The certificate of the root certification authority (level 0) is signed by this root CA itself.
Take 1 example: Certification authority A has a child certification authority B, and the certification authority B issues a cert for end-user C.
For this example: the cert that B is holding and the cert that C is holding are different. The B's cert is signed by A, the C's cert is signed by B. And these certs are definitely different also, because the contents of certs are different.
And regarding how to get a certificate, there are 2 ways: (1) find a certification authority and ask them to buy a cert, (2) use certificate generation software to create your own cert. However, the cert issued by a CA has validity by law, the one generated by yourself can't be used to sign anything legally, and thus the cert generated by yourself can be used as a test cert only.
A certificate file (.cer, .p12, etc.) can be imported to browser; for the Chrome Browser: open 'Settings' --> 'Advanced' --> 'HTTPS/SSL' --> 'Manage certificates' --> 'Import'. The file .cer is X509 certificate (no private key), the file .p12 is PKCS12 certificate (containing private key). Not all certificates are trusted by browser; only those certs issued by a CA in a certification tree which has the root CA known by browser are trusted.
Related
i builded an app running in console with Python. Then i made this app convert to exe. i wanna publish this app on the web. So i signed this app. But i see this problem:
This CA Root certificate is not trusted. Upload this certificate to the Trusted Root Certification Authorities store to be trusted.
From this warning i understand that i must my upload certificate to the Trusted Root Certification Authorities store. But i do not know it way.
My app certificate' s is:
https://www.digicert.com/support/tools/certificate-utility-for-windows
Who issued certificate:
http://127.0.0.1:5000/
Whom was issued certificate:
http://127.0.0.1:5000/
Signature algorithm:
sha256RSA
You're using self-signed certificate i.e. certificate is not issued from valid trusted Certificate Authority. If you want to publish the app for public, then you've to sign it by obtaining the certificate from valid trusted certificate authority (CA). In case, you want to manually share the app with the recipients, and they're aware of the possible risk factor then you can share the issuer certificates with them, and they've installed those into the windows trust store.
Just search for certmgr on windows and add the issuer certificates into Trusted Root Certification.
Say I have the following certification chain
some_company
|______ some_company_technical
|_____________some_cert1
some_cert1 will be replaced every year. By importing the Root certificate and the Intermediate certificate into my client's truststore...
keytool -import -trustcacerts -alias some_company -file some_company.crt -keystore some_client.jks
keytool -import -trustcacerts -alias some_company_technical -file some_company_technical.crt -keystore some_client.jks
...will some_cert1 (and some_cert2, some_cert3 .... some_certn signed the same way) be recognized as a trusted certificates by my application or am I misunderstanding how truststore works ?
As long as the some_certx is signed by the same SubCA/CA, and if these CA certificates are trusted by the client, you should be good, meaning the some_certx will be recognized as trust certificate.
How and Why?
Clients (eg: browser) that communicate with secured servers see if the server's certificate is signed by a CA that the client trusts. If the server's certificate is signed by a CA that client doesn't know about, there is no chain of trust. In simple words, the client doesn't trust the organization (CA) that trusted the server. This is what chain of trust means, do I trust the organization that trusted you? If I trust the organization that trusted you, I can trust you.
You might be thinking what the role of the end-entity (some_certx) would be. The clients have their ways to check the validity and status (revoked or not) of the certificate. The data required for these checks can be found in the end-entity certificate itself. The validity of the certificate can be verified using the Valid from and Valid to fields, and the status of the certificate can be checked using CRL or OCSP. The URLs for these can be found in CRL Distribution Point or Authority Info Access extensions of the certificate.
If either of the 2 above conditions fail, the server cannot be trusted.
I'm requesting a webpage with the following code:
Jsoup.connect(url)
.method(Connection.Method.GET)
.execute()
The site I'm attempting to scrape shows the following certification path in Chrome:
1) ***REDACTED***
Issued by DigiCert Global CA G2
2) DigiCert Global CA G2
Issued by DigiCert Global Root G2
3) DigiCert Global Root G2
Issued by DigiCert Global Root G2
Running my program with -Djavax.net.debug=ssl shows this chain:
1) ***REDACTED***
Issued by DigiCert Global CA G2
2) Symantec Class 3 Secure Server SHA256 SSL CA
Issued by VeriSign Universal Root Certification Authority
3) VeriSign Universal Root Certification Authority
Issued by VeriSign Universal Root Certification Authority
The result is a javax.net.ssl.SSLHandshakeException. Testing the server in SSL Labs shows the correct chain under "Certification Paths" and the broken one under "Additional Certificates (if supplied)", with "Incomplete, Extra certs, Contains anchor" listed as chain issues. I have no desire to use validateTLSCertificates(false) unless absolutely necessary.
How can I ensure that Jsoup follows the correct certification path instead of getting distracted by the erroneous extra certificate?
I'm having an issue calling an asmx webservice:
Could not establish secure channel for SSL/TLS with authority ...
When I go to the asmx url in a browser on the server (WIN2k12R2 fully patched as of 6 Sep 2016) making the requests I don't see any issue with the certificate. It's issued by COMODO RSA Extended Validation Secure Server CA (Intermediate Certification Authorities), which is issued by COMODO RSA Certification Authority (Intermediate Certification Authorities), which is issued by AddTrust External CA Root (Trusted Root Certification Authorities) - all report ok.
The time on the server (UTC) is synced with 3.europe.pool.ntp.org
I'm using the proxy that was built by Visual Studio.
I've moved the Intermediate COMODO certs to the Trusted Root Certification Authorities and no longer encountered the error - does this seem like a valid solution? It appears to have solved the problem, but I don't understand why.
Suppose a PKI hierarchy like below.
root CA ==> inter-1 CA ==> user-1
\
\======> inter-2 CA ==> user-2
My question is: does root CA also need to periodically download CRL from its children: inter-1 and inter-2?
Since user-1 and user-2 can authenticate each other, if user-2's certificate is revoked by inter-2, inter-2 should let root know and then propagate to inter-1 and user-1, right?
If so, it seems quite complicated. Is there any tool to use for managing the revocation logic? Thanks a lot.
No, revocation of certificate is not propagated across the CA tree. Each CA (root and intermediate in your case) is responsible of the publication of the CRL containing the list of only the revoked certificates that were issued by this CA.
An example:
Root CA publishes a CRL for the certificates issued by Root CA: inter-1 CA and inter-2 CA. Root CA is not aware of the user-1 and user-2 certificates or their revocation status.
inter-1 CA (resp inter-2 CA) publishes a CRL containing the list of revoked certificates issued by inter-1 CA (resp inter-2 CA) and only these certificates.
CRL Root CA CRL inter-1 CA
^ ^
| |
root CA ==> inter-1 CA ==> user-1
|
| CRL inter-2 CA
| ^
\ |
\======> inter-2 CA ==> user-2
if user-1 certificate is revoked, this certificate (actually its serial number) will only appear in the CRL published by inter-1 CA.
When someone wants to check the validity the user-1 certificate the process is as follows:
build the certificate chain between the certificate and a trusted CA: user-1 / inter-1 CA / root CA
fetch the CRL for the first certificate in the list
verify the signature of the CRL
check the status of the first certificate in the list against this CRL
if the status is not revoked, remove the certificate from the list and go to 2. otherwise fail
if the list contains only the trusted CA, check the chain of signature of the certificates (a certificate must be signed by the following certificate in the list)
if all signature have been checked and are valid, the user-1 certificate is valid.
Note that validating the CRL signature can trigger a validation of another certificate chain : i.e. this algorithm can be recursive. Actually the X.509 certificate validation algorithm is (very) complex and I just summarize the principles here.