googled a bit but could not find anything quickly? is it possible to create a live suitable ssl certificate with .net 4.0? MakeCert.exe only creates certs for testing purposes? any other ways to do this? I would like to create a 1536 bit RSA key?
If you need to create certificates in code, then BouncyCastle or PKIBlackbox package of our SecureBlackbox would do the job. However, unless you are a Certificate Authority or you have a CA certificate with the private key, certificates that you create would have limited usability. You can build your own certificate hierarchy but without being trusted (and trust if what CAs give you) browsers and operating systems won't trust your certificates by default.
Related
I have bought a domain and certificate from Azure. The certificate is given by Go Daddy as azure partner and it is signed with the intermediate certificate from Go daddy hence it always needs chaining of certificates till Root CA.
Our website is used as a REST interface for our customers and hence clients use Java SDK or plain scripts. In our case precisely with zulu jdk image(11u5-zulu-alpine) from microsoft and even I tried with ubuntu 16.04 LTS and get the same error.
if we try to even curl to our site with proper certificates we get error as below and its because of the intermediate CA is missing!
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
With java SDK we get as javax.net.ssl.SSLHandshakeException
I have 3 questions.
Do we need to bundle the intermediate and root certificate with our domain certificate and deploy it.( the certificate is in pfx format)
Is it a good practice to tell our clients to install the bundle certificates ( root and intermediate) in order to get this working.
Does GoDaddy needs to update the bundle certificate in the packing repositories of Ubuntu ,alpine Or is my understanding wrong
And lastly I have a fair idea of how certificates work w.r.t client and server but with the intermediate CA in picture I am unable to understand exactly where the intermediate CA should be put in. I read few posts on the SO but its still unclear. Please bear with me and if some one can explain me the approach how it works in general and what could be the good practice.
Do we need to bundle the intermediate and root certificate with our domain certificate and deploy it.( the certificate is in pfx format)
You should definitely configure the server to send all required intermediate certs; this is required by the TLS standards. (Although if you don't, clients have the option to try to obtain them by other means, like a cache or repository or AIA, and sometimes they do.) Whether the server sends the root is optional; the standards actually state this in reverse, by saying the server MAY omit the root, where the all-caps 'MAY' invokes the meaning defined in RFC 2119. E.g. for TLS1.2 in RFC5246 7.4.2:
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
How you do this depends on what web-server software you are using, which you didn't identify. Although from the fact you specify a Java version, I can speculate it might be Tomcat, or something based on Tomcat like Jboss/Wildfly. Even then, Tomcat's SSL/TLS configuration varies substantially depending on the version and which type of connector 'stack' you use (the pure-Java JSSE, or Tomcat Native, aka APR Apache Portable Runtime, which is actually OpenSSL). However, a 'pfx' (PKCS12) file can definitely contain both a privatekey and the matching (EE) certificate PLUS the chain cert(s) it needs, and is a convenient way to deal with the whole kaboodle at once.
For a cert obtained directly from GoDaddy, they provide instructions linked from https://www.godaddy.com/help/install-ssl-certificates-16623 for many common servers. I don't know if for Azure they use any different chaining that would alter these instructions.
If your server is publicly accessible, at port 443, https://www.ssllabs.com/ssltest will check if it is correctly handling the chain certs, as well as many other things. There are other tools as well but I am not familiar with them; for non-public servers I usually just look manually.
Is it a good practice to tell our clients to install the bundle certificates ( root and intermediate) in order to get this working.
Clients should not install intermediate cert(s) because as above the server should send them. The GoDaddy roots have been accepted in most official truststores for several years now, so most clients using default settings should not need to add them. However, some might; in particular Ubuntu 16.04 might be old enough that it doesn't have GoDaddy preinstalled. And any client(s) that wishes to use a customized truststore, and/or a pin, must ensure that it is set to include/allow your cert's trust chain.
Does GoDaddy needs to update the bundle certificate in the packing repositories of Ubuntu ,alpine Or is my understanding wrong
GoDaddy has supplied its roots to (AFAIK all) the major truststore programs, as above. IINM Ubuntu uses the Mozilla/NSS list, which definitely includes GoDaddy today, but as above I can't be sure about 16.04. I don't know for alpine. CAs do not request truststore programs to include intermediates (although a program or user may be able to add selected intermediate(s) as trusted, depending on the software used).
I am new to TLS/SSL so this might be a very basic question, but I've been searching a lot an could not find an answer.
I am trying to implement a TLS/SSL client. This client will run on an embedded unit with Windows OS on it (XPe or WES7). My implementation uses GnuTLS.
How do I get the list of trusted authorities to my unit so my client can verify the server's certificate? Is it supposed to be a file stored on the client side, that the client is responsible for keeping up to date? Or can my client somehow get this list from the internet each time it is needed and not maintain it locally?
The Certificating Authority (CA) master certificates are stored client side and the client is responsible for keeping them up to date. Keeping them up to date isn't as hard as it sounds, as CA certificates aren't changed that often - most are valid for 5-10 years at least.
Client side storage is necessary because any given internet site your application uses might be compromised.
To get a list, you might start by looking at the CA certificates distributed with a browser or at the cacerts file distributed with Java. Before releasing your code, you'll probably want to check that the certs you use are genuine by checking them against information provided by the CA.
Go to any Windows machine and run "certman.msc" from command-line. Export each CA certificate (Intermediate Certificates, Trusted Authorities) to file (BER, PEM), then import these certificates into your embedded software. Now you can validate email certificates, the same way Windows does (i.e. using various x.509 related RFCs and CRLs)
I have academical project to build communicator with Public Key Infrastructure. For communication between server and clients I'll use SSL/TLS and I need for them certificates. I have to build Certificate Authority with CRL and I can do this with openSSL but this tool is only good for manual administrative not for making certificates automatically in remote CA.
To be clear: Clients must register and login to communicator using certificates but it should be made invisible for them. I've tried running openSSL as process in Java but it's not working properly - my previous problem.
Have you any good advice for making simple PKI?
You can use and extend EJBCA. It takes some getting used to but it has support for some HSM's, and it should not be hard to create a small PKI with it. Open source.
A replacement for simple operations of OpenSSL, would be Bouncy castle. To have better CA support you should also use the EJBCA.
To create certificates automatically in the client (I assume you use a client web browser) is a bit trickier. Some browser can generate private client keys and then get them signed by the CA server.
Generating client side certificates in browser and signing on server
In that case, I would also use the EJBCA to make it manageable.
If I sign Adobe Air with godaddy certificate, how it will be different from list of recommended by Adobe (for example, here).
The main difference is the name of the issuing authority as shown in the root certificate. If someone were to inspect your certificate, they would see "Go Daddy Class 2 Certification Authority Root Certificate". I suppose it depends on how much confidence your users would place in this name. Security paranoids would have the root certs installed already, low level users probably wouldn't even know such a thing existed, but mid-level "power" users who haven't heard of GoDaddy might be suspicious (or at least more so than say VeriSign for example).
Technically speaking there is not much difference - they are all standard X.509 certificates. I generally find that if you can get the cert in .PFX format (with the private key embedded) it works well across platforms. If you can only get another format (.cer) it's fairly straightforward to convert it using the Certificates snap-in in Microsoft Management Console.
Anyone have any information on this?
You can sign your own SSL certificate if it is what you mean. You can go here for some advice on setting a self-signed certificate under linux, alternatively you can go here for advices for IIS 6 based environments.
You can create as many SSL certificates as you want with OpenSSL for example.
If you don't care about proper trust-chain validation to a root Certificate Authority, you can use a self-signed cert.
MS has a makecert tool.
http://cert.startcom.org/ provides free ssl certificates.
Note:
The "StartCom Certificate Policy & Practice Statements" document ยง3.1.2.1 is explicit that the Class 1 (free) certificates are for non-commercial uses only.[3] The previous version of the CPS did not include this restriction. [https://www.startssl.com/policy.pdf]
I think you can use startssl.com with free in class 1. please check it http://blog.myee.web.id/get-free-ssl-for-your-site/ or http://www.myee.web.id/get-free-ssl-for-your-site/