Tag: Certificate

Applying for UK Visa – what documents can I submit in lieu of marriage certificate?

My wife and I got married but have not yet been able to get the marriage certificate made in India (Indian citizens).

We are planning to travel to the UK in March 2018. In our individual applications, we mentioned each other as our spouses and included all requested details (name, date of birth, passport number). Now the checklist is requesting for a marriage certificate.

  • Is this going to be a problem? We are both working so neither is dependent on the spouse.
  • What document/s can I submit in lieu of the marriage certificate?
  • I don’t think we have enough time to postpone the visa appointment and get the certificate in time – or is this the only way out?

I would really appreciate any help and my apologies if this is a duplicate question. I could not find any query similar to this. Many thanks in advance.

Certificate for Windows IoT Core Retail Image [on hold]

I am working on a Windows 10 IoT Core application and I need to build a custom retail image of Windows 10 IoT Core. I was following the docs of building retail image for Windows 10 IoT Core here(https://docs.microsoft.com/en-us/windows-hardware/manufacture/iot/build-retail-image#build-and-create-the-image).

There is a slight confusion whether I need a Code Signing certificate or a Driver signing certificate. I am quoting the important statement from official docs.

Purchase a code-signing certificate from a Certificate Authority (CA) for which Microsoft also issues a cross-certificate. The Cross-Certificates for Kernel Mode Code Signing topic provides a list of CAs for which Microsoft also provides cross-certificates and the corresponding cross-certificates. Note that these are the only cross-certificates that chain up to the “Microsoft Code Verification Root” issued by Microsoft, which will enable Windows to run OEM drivers.

So I am confused in Code Signing vs Driver Signing, Any help in this regard is highly appreciated.

can we check client certificate of same root ca against multiple crl servers (that each crl generated by same rootca )?

Certificates having 2 crl distribution point both signed by same root ca. What should be crl fetch behaviour?

Crl fetched should be concated or overwritten?

can we check client certificate of same root ca against multiple crl servers (that each crl generated by same rootca )?

PHP Curl SSL returns Peer’s Certificate issuer is not recognized

I am a client trying to connect to my vendor’s server.

I have been through dozens of sites trying to figure out what I am doing wrong…

$  url ="https://someurl.com"; $  curl = curl_init(); curl_setopt_array($  curl, array(     CURLOPT_URL => $  url,     CURLOPT_RETURNTRANSFER => true,     CURLOPT_ENCODING => "",     CURLOPT_MAXREDIRS => 10,     CURLOPT_VERBOSE => TRUE,     CURLOPT_TIMEOUT => 30,     CURLOPT_CAINFO => "./cert.crt",     CURLOPT_CUSTOMREQUEST => "POST",     CURLOPT_POSTFIELDS => $  xml,     CURLOPT_HTTPHEADER => array(           "Cache-Control: no-cache",           "Content-Type: application/xml"     ),   ));

the response:

* Initializing NSS with certpath: sql:/etc/pki/nssdb *   CAfile: ./cert.crt  //server info * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0  Peer's Certificate issuer is not recognized.

When i do:

openssl s_client -connect server:443 -CAfile /path/to/cert/cert.crt

it works and i get among other lines of response:

     Verify return code: 0 (ok)

I have tried changing:

   CURLOPT_CAINFO => "./cert.crt" to its full path (same as openssl test)

I updated php to PHP 7.0.13

I installed NSS (version 3.36.0)

From what I understand this error occurs because the server responded with a cert, and php compared to the cert i told it to, and thought it was bad. But openssl test worked fine…

Secure Store Service Certificate Issue Event ID 7557

I have recently created Secure Store Service in my Production environment. Its never been up since its creation and i am seeing a generic error below when navigating to service. However its working fine on Dev and UAT environments.

enter image description here

I have checked the logs but could not find any resolution yet. Below are the logs details.

The Secure Store Service application Secure Store Service is not accessible. The full exception text is: An error occurred while making the HTTP request to https://SERVER:32844/0bcdc6cacc6b4aeca8f6686649c722ce/SecureStoreService.svc/https. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

and

Logging unknown/unexpected client side exception: CommunicationException. This will cause this application server to be removed from the load balancer queue. Exception: System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://SERVER:32844/0bcdc6cacc6b4aeca8f6686649c722ce/SecureStoreService.svc/https. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host      at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)     -  -- End of inner exception stack trace ---      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)      at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)      at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)      at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)      at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)      at System.Net.ConnectStream.WriteHeaders(Boolean async)     -  -- End of inner exception stack trace ---      at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)      at System.Net.HttpWebRequest.GetRequestStream()      at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()     -  -- End of inner exception stack trace ---    Server stack trace:       at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()      at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)      at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)      at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)      at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown  at [0]:       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)      at Microsoft.Office.SecureStoreService.Server.ISecureStoreServiceApplication.IsMasterSecretKeyPopulated()      at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.<IsMasterSecretKeyPopulated>b__5c(ISecureStoreServiceApplication serviceApplication)      at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.Execute[T](String operationName, Boolean validateCanary, ExecuteDelegate`1 operation).

and the last one below.

Error occured while managing Secure Store Application ccf7e37a-246e-41e0-be40-801071d973cc. Error message: System.ServiceModel.CommunicationException: Secure Store Service did not performed the operation.      at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.Execute[T](String operationName, Boolean validateCanary, ExecuteDelegate`1 operation)      at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.IsMasterSecretKeyPopulated()      at Microsoft.Office.SharePoint.ClientExtensions.SecureStoreAdministration.SSSAdminHelper.EnsurePrerequisite(SecureStoreServiceApplicationProxy proxy, String& errorMessage)      at Microsoft.Office.SharePoint.ClientExtensions.SecureStoreAdministration.ManageSSSvcApplication.InitializeGridView().

It looks like more related to WCF service issue to me. However till now i am unable to find any clue. I have checked the permissions for the Secure Store Service account in SharePoint CA and on DB server too. Everything is as expected. Please help.

Updating certificate for FTP site for IIS 10 – FTP client does not see newly updated certificate on primary connection

I run a website that uses IIS 10’s FTP server and I have it setup to use Explicit FTP over TLS and it’s worked great for the last year+. I bought the server certificate through Digicert.

The server certificate expired on 2019-01-04. I renewed the certificate at Digicert, one that is good through 2021. I then installed it on the Windows server, and updated the FTP site to use the new certificate.

However, when I try connecting with FileZilla Client, the log reports the following:

Status: Connecting to xxx.xxx.xxx.xxx:21... Status: Connection established, waiting for welcome message... Status: Initializing TLS...

But then up pops a warning saying that the certificate expired on 2019-01-04.

enter image description here

If I click Ok, it continues, but then it says: Primary connection and data connection certificates don’t match. Here’s the log following the “Initializing TLS…”

Status: Verifying certificate... Status: TLS connection established. Status: Logged in Status: Retrieving directory listing... Command:    PWD Response:   257 "/" is current directory. Command:    TYPE I Response:   200 Type set to I. Command:    PASV Response:   227 Entering Passive Mode (38,101,199,155,19,46). Command:    LIST Response:   150 Opening BINARY mode data connection. Error:  Primary connection and data connection certificates don't match. Error:  Transfer connection interrupted: ECONNABORTED - Connection aborted Response:   226 Transfer complete. Error:  Failed to retrieve directory listing Status: Disconnected from server: ECONNABORTED - Connection aborted

It’s like the Initializing TLS logic is somehow grabbing the OLD certificate, but once it connects, it’s grabbing the NEW certificate and seeing they don’t match.

If I update the IIS FTP server to use the OLD certificate and retry connecting, I get the same expired certificate warning on Initializing TLS, but then when I click Ok it connects and I can transfer files without issue (albeit, I have to confirm that the certificate is expired every transfer).

What’s going on here? Is FileZilla Client caching the Initializing TLS certificate? Is there some other setting or action I need to take in the IIS FTP configuration to get the new certificate “to take?” (I tried rebooting the web server after updating the certificate – still no dice, same problem.)

Thanks

Implementing certificate pinning on openldap client

I am trying to find a way to get openldap (client-side, RedHat 7.6) to only accept one particular TLS server certificate for a particular server, and rejects any other certificate, even if it was issued by the same CA – basically, I want to pin the TLS certificate. Of course in a perfect world, there shouldn’t be any other valid certificates, but I want to protect against unauthorized certificates.

I didn’t find any explicit documentation about how to do that.

One hunch I have is that I could manipulate the file listed in TLSCACertificateFile by removing all CAs, and then adding only the one authorized certificate itself.

That seems to violate the documentation, though (emphasis mine):

This directive specifies the PEM-format file containing certificates for the CA’s that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA’s from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

How else can I accomplish what I am trying to do?

What are the security differences between a service-signed client certificate and an out-of-band shared secret?

TLS allows for client certificate validation. Client certificates can be signed by the client, the service provider, or a trusted third-party CA. I’m talking about the middle option.

At a glance, it would seem to me that handing out an API key to a client would be equally (in)secure to identify that client, as when signing a CSR for that client on the service provider. The API key approach would be a LOT simpler, not having to deal with CSRs and certificate renewal etc.

Are there any differences in security between these two options?

I have to also mention here that there is complete control over client implementation, i.e. safeguarding the API key client side is under the same level of control as the client’s certificates and private key