Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

245 questions
1891 votes, 3 answers

What is a PEM file and how does it differ from other OpenSSL-generated key file formats?

I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I Google for tutorials and beat away until it finally works. However, in my searches I often come across different file formats (.key,…
Noah Goodrich • 20,497
48 votes, 4 answers

How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt.…
25 votes, 1 answer

easyrsa vars options for PKI generation

I am using OpenVPN and, whilst I can generate certificates using easyrsa just fine, I don't really understand the settings in the easyrsa vars file: export KEY_COUNTRY="" export KEY_PROVINCE="" export KEY_CITY="" export KEY_ORG export…
ilium007 • 393
16 votes, 3 answers

Is there reserved OID space for internal enterprise CAs?

When provisioning a PKI for internal use, is there a private OID space that can be used without having to pay and/or register your own OID range? Think RFC1918 addresses for OID ranges.
MDMarra • 101,323
12 votes, 2 answers

Do web servers send the certificate chain to the web client?

If my web server (latest Apache) has a valid (not expired or revoked) Verisign certificate chain (root -> intermediate -> leaf/my server), then does the server send the entire(?) chain to the client? Does the web client (e.g., latest Chrome) need to…
10 votes, 2 answers

Smart card authentication to a Cisco switch?

We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH…
murisonc • 2,968
9 votes, 2 answers

PowerShell: Remotely Delete PKI Certificates

I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for PowerShell! So I wrote this script to be distributed by GPO, run from SysVol, and triggered on…
8 votes, 2 answers

How do I issue multiple certificates for the same Common Name?

I am creating a Certificate Authority for an intranet. I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has CN=mysite.com. In the future this server…
8 votes, 2 answers

Windows PKI: How can I import, sign/issue and export a large number of CSRs?

I have a lot of CSRs that I need to have signed/issued and exported in Windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure how I can go about doing this. Is it…
7 votes, 4 answers

Why does OpenVPN give the error: "unsupported certificate purpose" for an intermediate certificate?

EDIT: I'm really sorry to have to say that the problem has magically fixed itself and I have no idea why. In response to one of the answers, I removed all EKU from the CA chain and it didn't work. After coming back from vacation, I created the cert…
7 votes, 2 answers

How to bundle intermediate certs into one file

I manage an Apache web server for a government site. The SSL cert will expire in a few weeks, so they sent me a zip file with 3 intermediate certs and the SSL certificate (I have the private key from the CSR generator and the crt file provided by…
6 votes, 1 answer

SSH authentication sequence and key files: explain

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays…
gwideman • 281
5 votes, 1 answer

How should I configure a CAA DNS record for use with the AWS Certificate Manager?

AWS Route 53 now allows the creation of CAA records to restrict the certificate authorities that may issue a certificate for a domain. I'd like to use an issue directive to restrict the issue of certificates for my domain like in the following…
5 votes, 2 answers

Can I restrict an intermediate CA to only sign client certificates?

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by…
5 votes, 2 answers

Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?

I'm using the Enterprise PKI snap-in to diagnose and check the health of an MSFT PKI system. Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or a missing AIA?