I am developing an application in C++. Here i am performing some encryption and decryption using the digital certificates. My objective is that a user with an valid digital certificate should only be allow to proceed. Here a valid digital certificate means the one issued by CA(certificate authority). Now for example we can create our own digital certificate like this.
My objective is to verify the issuer of the digital certificate and check the validity based on the issuer.
What i need here is the exact CryptoAPI to perform above operation? If you have any other suggestion to achieve the above mentioned objective then i would be very grateful.
Thanks in advance for you help.
The CA will supply its root certificate which will provide the trust for your user certificate. You will build a chain to your root certificate to achieve this. Refer to Certificate Chain Verification Functions
You will also find other relevant functions that will allow you to validate the certificate itself using either CRL/OCSP.
If you are not familiar with cryptoAPI, a good starting will be to go through this book, Performing X.509 Certificate Verification with CryptoAPI
Related
I'm currently developing a graph app for neo4j desktop. From what i figured out, app should be signed with neo4j#code-signer (which utilizes node-forge i presume).
It needs a certificate and private key (and password probably).
What i can't figure out is, what kind of certificate is actually needed?
I signed my app with self-signed certificate which produced a big untrusted warning in neo4j desktop (touche, i should have known).
I used my ssl key which enabled my HTTPS, but this produced an error in neo4j desktop:
Certificate keyUsage or basicConstraints conflict or indicate that
the certificate is not a CA. If the certificate is the only one in the
chain or isn't the first then the certificate must be a valid CA.
Both options did produce signature.pem file.
Do i need to buy a Code Signing Certificate for this? If so, standard or EV?
Any help would be greatly appreciated!
Maybe this is going to help somebody:
There wasn't any issue with my certificates.
I got an answer from neo4j offical, that they are (at the time being) signing apps internaly, and that there is no automated way to do this (yet).
This is an existing question only. But i dont get exact clear details on this question.
We are using TCPDF to generate PDF with signatures. And for testing purpose we have generated self signed certificate to generate signature fields and make it work.
But we want to move it to live server. So we have to suggest our client to purchase trusted certificate for this purpose.
So my question is,
What type of certificate do our client had to purchase?
Whether we can use the SSL certificate for this purpose?
If not means, where can we purchase it and what are the details do we need to know before purchase?
Please anyone provide me detail explanation on the above
In layman's terms, this depends on the country you are in. There are Signature Issuing authorities, also call Certifying Authority (CA). CA may offer various types of signature after various types of authentication method for Individuals and Corporations or Institutions.
You may search for Certifying Authority (CA) in your country and follow their procedure to get legally (binding) valid Digital Signature.
Certificates for digital signatures are available from CAs (Certificate Authorities). Unfortunately, the CAs often charge a lot of money for such certificates.
"Code-signing" certificates won't work for digitally signing documents.
You can also get certificates for digital signatures from a couple of countries:
Estonia's e-residency program provides a digital signing certificate on a smart card to anyone after paying €100. The cert is good for 5 years. (You don't need to open a business in Estonia, that's just what they hope you do with the card.)
The card will be given to you at your local Estonia embassy or consulate after they verify your identity via your passport.
SuisseID -- from Switzerland, also available to anyone. Valid for 3 years, CHF 146.60 ($148)
I have to add a SAML implementation on a project. I decided to use Spring SAML.
I'm able to generate an Service Provider metadata file and I have to send this file to the IDP (this IDP uses ADFS) but I don't know if I should create an auto-signed key or CA signed certificate for our SP metadata file.
According to this link, the best practice is to generate a self-signed certificate (x509 certificate). But I also found some topics which advice to use a CA signed certificate.
But I can't find anything on the specs.
What's the best practice ?
And if I should use a CA signed certificate, how can I obtain it?
Thanks to All
SAML2 uses certificates just as a convenient way to handle signing and encryption keys. The SAML2 specification even states that it cannot be asumed that the certificates hasn't expired or is issued to any relevant host name.
So that's what the specification says. But in reality some IDP or SP operators require the certificates to be valid.
I'd suggest that you talk to the Idp operator and ask if they have any requirements. If they don't, go for a self signed cert.
The question may sound a bit stupid but I really want to know this.
When we download a file, say abc.exe, it is digitally signed with some digital certificate of some organisation. Why do we need to install that certificate? What is the use of it? What if we dont install it?
When I run certmgr.msc in my windows system, I see some certificates already installed. What do they mean?
If you get signed material, you may want to verify the signature.
Digital signatures usually are created using a private key and can be verified using the associated public key.
Certificates essentially are transport containers for public keys with some extra information. Thus, to verify signatures you usually need the certificate of the signer.
You install certificates to make them known to your system (to allow for signature verification) and to tell your system to trust material signed by the associated private key.
As having to install certificates by each and every party you want to trust is too much work, certificates can have hierarchies, some root certificate may be the issuer of multiple other certificates, and by trusting that root you implicitly trust those other certificates the root issued.
For more details you may want to ask on https://security.stackexchange.com/.
The RSA algorithm used for encryption is used for digital signatures.
Use of RSA for a signature is as under:
1. First, a message digest is calculated.
2. The private key is used to sign the digest of the message.
3. The signature is appended to the message and transmitted to the recipient.
4. The recipient calculates the digest of the received message.
5. Then, verifying the signature requires extracting the signature from the message
and using RSA on the signature with the public key.
6. If the result of the transformation and the newly calculated digest are equal, the signature is valid.
I made an application, which communicates over the. net SSLStream, and for developing I used makecert.exe to create a self signed ssl certificate. Now Ive read in some microsoft article, that makecert should be used for testing only.
Now my question is: is the application safe with this cert, or which program can i make a safe and comparible cert?Any help will be greatly appreciated
Edit: The self signed Certificate is hardcoded into the client application and it compares it everytime it establish a connection, so man-in-the-middle attack couldnt work, but how random are the makecert Certificates?
I would recommend using OpenSSL to create a self-signed certificate used for production environment. I've never made thoughts about makecert.exe. To be honest: You want to achieve an encrypted transfer of your data using SSL between your Application and the server.
The hole certificate wont be displayed to the "user/customer". The only reason nowadays is to embedd a badge with "this is a secure page" to the page on which SSL is enabled.
If you are looking for this, you will definitely need a signed Certificate from a CA. If you are thinking about this, i recommend StartSSL, because it's far the cheapest and offers you for one time validation nearly unlimited wildcard certificates. Its trusted by microsoft and you can create a code-signing-cerficiate for free. (Onetime fee for validation only).
Concerning the randomness and security of the certificate:
If you are validating the fingerprint of the certificate you are connecting to, there should be less security concerns. (i.e. Fiddler won't work this way).
SSL is based on RSA Algorithm so when generating a private/public keypair with a keysize of 2048 or even 4096 (max. on StartSSL) there shouldn't be any security concerns. How to create the Certificate you will find here If you wont trust RSA, you shoudn't trust anyone ;)
Keep in mind that most universities using self signed certificates created using OpenSSL. Its now FIPS certificated and allowes you a wide bunch of settings to achieve fit your system.
It's safe if you find some secure way to get the certificate to everyone who uses your application. Otherwise, they'll have no way to know they're really talking to your application. Anyone else can run makecert just like you did, and nobody will have any way to know whether they're really talking to you. A certificate issued by a CA bind your identity to a certificate, allowing clients to know they're really talking to the right service.
When you punch https://www.amazon.com into your browser, how do you know you're sending your credit card information to Amazon and not an imposter? Well, Amazon has a certificate that was issued for www.amazon.com by a certification authority. An imposter could not get such a certificate -- the authority wouldn't issue it.
But if Amazon used a self-signed certificate ... well, anyone can do that. So how would I know I was actually talking to Amazon? I would have to know ahead of time which self-signed certificate that claimed to be for www.amazon.com was the right one. I wouldn't have a CA's stamp of approval to tell me.
you hardcoded your password (as a long cert) into your application, and you are asking if it's safe?
all I need is a copy of your code or wherever you stored it and I can hack all the apps you ever write. plus you cannot update or change it.
Self-signed certificates say essentially "I certify that I am I. Signed: I". Look up how to set up you own certificate authority (it depends on your choosen environment, and there are several options). Use that authority to issue certificates, and set the servers and clients to trust your CA. No need to pay $$$$ for them, plus you know exactly under what conditions you hand out certificates.