Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Services are two commonly used software certification authorities.

215 questions
1720 votes, 3 answers

What is a PEM file and how does it differ from other OpenSSL-generated key file formats?

I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I Google for tutorials and beat away until it finally works. However, in my searches I often come across different file formats (.key,…
Noah Goodrich
48 votes, 4 answers

How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt.…
blak3r
25 votes, 1 answer

easyrsa vars options for PKI generation

I am using OpenVPN and, whilst I can generate certificates using easyrsa just fine, I don't really understand the settings in the easyrsa vars file: export KEY_COUNTRY="" export KEY_PROVINCE="" export KEY_CITY="" export KEY_ORG export…
ilium007
16 votes, 3 answers

Is there reserved OID space for internal enterprise CAs?

When provisioning a PKI for internal use, is there a private OID space that can be used without having to pay and/or register your own OID range? Think RFC1918 addresses for OID ranges.
MDMarra
10 votes, 2 answers

Smart card authentication to a Cisco switch?

We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH…
murisonc
9 votes, 2 answers

Do web servers send the certificate chain to the web client?

If my web server (latest Apache) has a valid (not expired or revoked) Verisign certificate chain (root -> intermediate -> leaf/my server), then does the server send the entire(?) chain to the client? Does the web client (e.g., latest Chrome) need to…
9 votes, 2 answers

PowerShell: remotely delete PKI certificates

I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for PowerShell! So I wrote this script to be distributed by GPO, run from SysVol, and triggered on…
8 votes, 2 answers

How do I issue multiple certificates for the same Common Name?

I am creating a Certificate Authority for an intranet. I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has CN=mysite.com. In the future this server…
spraff
8 votes, 2 answers

Windows PKI: How can I import, sign/issue and export a large number of CSRs?

I have a lot of CSRs that I need to have signed/issued and exported in Windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure how I can go about doing this. Is it…
7 votes, 4 answers

Why does OpenVPN give the error: "unsupported certificate purpose" for an intermediate certificate?

EDIT: I'm really sorry to have to say that the problem has magically fixed itself and I have no idea why. In response to one of the answers, I removed all EKU from the CA chain and it didn't work. After coming back from vacation, I created the cert…
succulent_headcrab
5 votes, 1 answer

SSH authentication sequence and key files: explain

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays…
gwideman
5 votes, 2 answers

Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?

I'm using the Enterprise PKI snap-in to diagnose and check the health of an MSFT PKI system. Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?
makerofthings7
5 votes, 1 answer

What is the purpose of a custom Certificate Trust List?

You can create and deploy a certificate trust list as detailed here, but I'm trying to understand the advantages of this over just deploying root and intermediate certs with group policy the normal way. Why would I want/need to do this?
red888
5 votes, 2 answers

How to tell if an (offline) SSL certificate has been revoked

I would like to know whether an SSL certificate was revoked. The website no longer serves up that certificate, I only have the domain name and the serial number. The SSL certificate was replaced 5 months before expiry without explanation. That…
Rodney
5 votes, 1 answer

How does this 2048-bit SSL requirement affect existing internal PKIs?

We have our own CA which we've used for years to create hundreds of server certs and thousands of client certs. The CA cert itself is 1024-bit and the certs it signed are 1024-bit. Symantec has been sending out emails to us regarding this "change now…
jhaar