Questions tagged [x509]

In cryptography, X.509 is a standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI).

X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

More information about X.509 can be found in its Wikipedia article.

50 questions
107
votes
8 answers

Avoid password prompt for keys and prompts for DN information

I am using the following code to generate keys: apt-get -qq -y install openssl; mkdir -p /etc/apache2/ssl; openssl genrsa -des3 -out server.key 1024; openssl req -new -key server.key -out server.csr; cp server.key server.key.org; openssl rsa -in…
JP19
21
votes
3 answers

view all certs in a PEM cert file (full cert chain) with openssl or another command

Often cert files (in PEM format) contain multiple certs like: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ..... -----END CERTIFICATE----- with the command: openssl x509 -in cert.pem -noout -text I can see…
gelonida
19
votes
5 answers

OpenSSL: How to create a certificate with an empty subject DN?

Is it possible to create a PKCS#10 certificate request / X.509 certificate with the identifying information only in the subject alternate name attribute/extension? According to X.509 4.1.2.6 Subject, the subject can be empty for a certificate whose…
yonran
11
votes
1 answer

"Copy to File..." button is disabled in certificate dialog

In the certificate details dialog, the button to save it is disabled. Why is that? I remember it working before. What I did was: open a new window of IE (best to close all others first) to visit an HTTPS website, like https://www.google.com click on…
7
votes
2 answers

s_client not failing on revoked certificate?

I'm running Firefox with the EFF's HTTPS Everywhere. I recently visited Lavabit's site to see if it's accepting donations: The revocation is expected considering the history.... However, I'm not duplicating the result using OpenSSL's s_client.…
jww
7
votes
1 answer

How to import an SSH ed25519 key to GPG?

I have an SSH ed25519 key which I would like to import to GPG as an Authentication Subkey. There doesn't appear to be any documentation available on how to do this.
tcyrus
6
votes
3 answers

Is there any use for SANs in client certificate verification?

When a client verifies a server's certificate, it knows the domain name of the server, then it can check whether the domain name exists in the SAN (Subject Alternative Name) field of the server's certificate. When a server verifies a client's…
Robby
5
votes
1 answer

Incorrect Authority Key Identifier on openssl end cert

I'm getting interesting results when signing an end-server certificate using an intermediate CA using openssl. I have a Root CA which looks like this: Serial Number: 14296918985177649921 (0xc668dc11960d5301) Issuer: C=US, ST=xROOTx, L=xROOTx,…
5
votes
3 answers

X.509 certificates - expiration and key reuse

I have set up a small X.509 certificate authority for internal use in my network. Now I want to renew a certificate, and I want to know how should I do it. Can the new certificate reuse the same key pair as the expired one? Should it? Can I…
grawity
5
votes
1 answer

What does openssl rsa -passin pass:xxx without other important commands do?

It is not clear to me what the second command does: openssl genrsa -des3 -passout pass:123 -out private/server.key 2048 openssl rsa -passin pass:123 -in private/server.key -out private/server.key The first one generates an RSA key encrypted using des3…
4
votes
2 answers

How to get the type of encoding used in an X509 Subject field?

In RFC 5280 it is written that, for example, the X520OrganizationName can use one of the following encodings: X520OrganizationName ::= CHOICE { teletexString TeletexString (SIZE (1..ub-organization-name)), …
FireEmerald
4
votes
1 answer

How can I specify the validity of a certificate in an OpenSSL configuration file?

I am fairly new to OpenSSL and I am trying to specify a certificate that is valid for just one hour using OpenSSL. I have been successful in doing so with openssl ca using the -startdate and -enddate options, but I was wondering if it is possible to…
MOT
3
votes
1 answer

logstash-forwarder failed to tls handshake cannot validate cert because it doesn't contain any IP SANS

I have a logstash / elastic search / kibana server on ubuntu 14.x 64bit. I have a few other servers with the same spec using logstash-forwarder, and everything is working as expected. However, when I set up a 32bit centos 6 server, with a config…
felbus
3
votes
1 answer

What's a good database-backed X.509 certificate authority on Linux

I've been using OpenSSL as an X.509 certificate authority. Because multiple machines will need to create certificates, I've exported the certificate authority folder on a distributed filesystem. When I stress-test my CA by making hundreds of…
3
votes
2 answers

Alternatives to SSH x509 logon

I have a Windows 7 machine which is not part of a domain, and a Linux machine. I want to log in to Linux from Windows using an x509 certificate stored in the Windows certificate store. Is it possible? Quoting How to set up OpenSSH to use x509 PKI for…
nponeccop