I created a test domain, a CA and I issued a certificate with that CA. I also have fully functional CSP. For logging on, Windows are offering smart card as logon option. However, when I insert the card, after a few seconds of interaction with the card I receive the message "no valid certificates found". I did my homework by reading tons of MS documentation and generally whatever Google offered. Since I have no more options I'm trying here.
Added after posting: The certificate was created from the Smartcard Logon template.
Here are a few things I would check:
the authentication cert asserts the windows smartcard logon OID in the EKU.
the authenctication cert has a UPN in the subject alternative name (not stricly necessary for windows 7/server 2008).
the authentication cert key usage is digitial signature.
the domain controller has the certificate chain installed correctly.
How was the card issued?
* Follow-up *
How did the certificates make it on to the card? AFAIK, there is no card management built into Windows, so an external card management system is needed to load the certs on the card in whatever card applet you are using. Can you provide more specifics on the card you are trying to use?
* Follow-up *
You might find this link interesting; it's for PIV cards but the same ideas probably apply to your situation - the article describes a test lab setup for smart cards. In particular, check out which certs go in which trust stores.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427
You may find commercial software automating the binding process but no free ones. This way you won't have to check tons of support KB.
You can get a look at this demo (http://www.youtube.com/watch?v=OkMGXr-bls0) to see one of these tools in action.
Related
My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use http instead, then chrome won't store cookies from the site so the users login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application
I am new for developing CryptoAPI with signing certificate in VB. My old system uses emvtool.exe to sign the certificate with Luna CA3 and HSM. For example, get keys, format data and sign the certificate. I read all the files about CryptoAPI and CSR workflow. I need to redesign the format data and signing parts. I am totally lost on how to use CryptoAPI instead of emvtool.exe.
thanks for any help.
I'm not familiar with the CryptoAPI in Windows, however, I believe if you have the Luna driver installed on the machine, you most likely have a "Crypto Provider" listed in Windows for the HSM. This is useful in interfacing with the HSM when performing some Windows crypto operations. So I'd dig into the CryptoAPI and whenever there's mention of a parameter for the crypto provider, use the Luna's provider.
I'm creating an application for a select group of people to use. But since it'll be free-ware I can't afford to buy a digital signature to authenticate the source as me. Do I have any other option? Are there any tools in windows I could take advantage of? Any free (third party) tools that I could use to increase the chances my app wont be flagged as potentially malicious? I understand that obviously these things aren't the easiest to come by, but I'd like something to at least say the applications not been tampered with.
Can you please advise me on any tools or methods I could use.
No, in the end these things are about trust, and unless you can get a key trusted at the location where they want to verify the binary, you cannot confer trust of the library.
Key trust is normally established using a certificate that was created for you. Buying a signature would only make sense if there is a separate party signing the code as a service.
Of course there are other ways to trust an application; e.g. you can distribute the source and allow builds of the application at a location that the user can trust. But that won't be as convenient as receiving a signed binary, if the system has been setup to mark those as trusted.
I have a low volume (<500 PDFs/year) application for automated digital-signing of PDF files using iText in Java on Linux.
I've got iText adding a digital signature to PDFs using my SSL certificate. Is this a valid method to prove the PDF was generated by my domain (e.g. server)? Can it be used somehow to get the green checkmarks showing "trust" in Adobe Reader?
If not, I should use a certificate intended for PDFs (e.g. not my SSL certificate), so that the little green checkmarks indicating "trust" appear naturally when the user opens the PDF document.
The book http://itextpdf.com/book/digitalsignatures does a great job introducing this topic to me (I have very little experience in this area).
The book talks about a SafeNet Luna device (an HSM), but's it is much too expensive. I only require a minimal solution, and the Luna has a lot of bells and whistles. The Luna PCIe device is less expensive, but I don't require any features other than providing a certificate I can use to sign. Also, the USB-based SafeNet iKey device seems only to be marketed to Windows devices. Has anyone got iKey working with Linux? Is it even possible? Do other companies offer USB based devices that work on Linux?
I'm looking for a minimal solution for serving automated digitally signed PDFs on a Linux box. I'm sure a lot of small businesses have similar needs. I'm just trying to tap into existing knowledge out there. How do people solve this problem?
The solutions I see for automating this process assume large corporations using Adobe Live Cycle, and priced accordingly (see for example: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html). But small businesses need to automate things too.
Ideally someone would sell a certificate similar to the SSL certificates, but for PDF files. Is there such a thing?
Is hardware (of some sort) a requirement (seems so)? If hardware is a requirement, are there any minimal solutions out there (e.g. with limited functionality other than enabling digital signing)?
Hoping someone can help me see the forest from the trees. What's the conventional wisdom?
Regarding signing with your SSL certificate: in a future iText version, we make require that the key-usage of the certificate indicates that the certificate can be used for non-repudiation. For now, we make checking the key-usage the responsibility for the developer, but in a perfect world, you should only sign with certificates suited for non-repudiation, and your SSL certificate probably doesn't allow this.
Regarding the green check mark: unless you can ask the consumers of your PDFs to add the root certificate of your certificate to the list of trusted identities, you'll always need a public/private key stored on hardware to get a green check mark.
Regarding the price of an HSM / USB key. USB keys are much cheaper, but usually they are meant for manual use (usually they have a limit of signing only once every second). I think that GlobalSign has a flavor of keys that work on Linux. As for HSMs, one of our customers told us that he bought one from Utimaco because it was less expensive (but I don't know what budget he had or spent).
No price info, but maybe a good read for inspiration: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
I would like to do Symbian programming with features that require an application to be signed with more then the standard self signed cert. I don't want to pay mony for a cert since I don't know if I will get to a point of selling an application. Is there a way to grant capabilities such as read and write device data to my application for use on just my phone?
If you don't have a Publisher ID the only option for you by now is Open Signed Online.
Open Signed Online allows you to sign an application for installation onto a single device. Unfortunately you will get the signed application, not a certificate itself.
Aside from Open Signed Online, which is pretty hopeless when you want to debug on the device, the only options at the moment are to find someone with a publisher ID to create a developer certificate for you device via Open Signed Offline, or wait for Symbian to come up with another way to get you a developer certificate. They are already planning to make publisher IDs cheaper and easier for individuals to get (currently you need to be a registered company) and wider availability for developer certificates is also on the cards.