Having a code-signed binary, how can I tell if it’s signed with an Extended Validation (EV) certificate?

I can’t seem to find an answer to this seemingly simple question. Say, on Windows, if I have a binary file:

enter image description here

How can I tell if it was signed with an extended validation (EV) code-signing certificate?

Say, the file above, being a Windows driver on a 64-bit Windows 10 has to have an EV signature to be able to load. So I can’t seem to find anything in its properties that can indicate that it’s an EV:

enter image description here

And since the OS can clearly tell the difference between EV and OV cert, how does it know?

Permissions issue in Docker SQL Server 2017 while restoring certificate

Docker SQL Server 2017 container @latest. Using master database.

The error I am facing is the following:

[S00019][15208] The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.

The closest thing I have found to this exact question is this issue on Stackoverflow. However the answer doesn’t work for me. This question has a similar answer.

I have also tried the instructions here, and here.

So going through the parts of the error:

  1. I have recreated the files twice, so I don’t think it’s the “invalid” part. And it’s obviously not the “does not exist” part (if I put in the wrong password, it tells me it’s the wrong password).
  2. I have backed up and restored the SMK and Master Key without issue, so I don’t think it’s the permissions issue. The files have the exact same permissions.

I can’t get the certificate to restore no matter what I try. I have searched the GitHub issues to no avail so I don’t think it’s a bug. I must be doing something wrong.

Relevant code:

--on Prod BACKUP CERTIFICATE sqlserver_backup_cert TO FILE = '/var/opt/mssql/certs/sqlserver_backup_cert.cer'     WITH PRIVATE KEY ( FILE = '/var/opt/mssql/certs/sqlserver_backup_cert.key' ,     ENCRYPTION BY PASSWORD = 'foobar') GO 
--on Test CREATE CERTIFICATE sqlserver_backup_cert FROM FILE = '/var/opt/mssql/certs/sqlserver_backup_cert.crt'   WITH PRIVATE KEY (     FILE = '/var/opt/mssql/certs/sqlserver_backup_cert.key',     DECRYPTION BY PASSWORD = 'foobar'   ) GO 

It’s noteworthy that /var/opt/mssql/certs is a Docker volume. However I have also tried creating my own directory inside the container and using docker cp. No change.

Additional Encryption of SSL certificate and Public key before handshake?

I am currently working on a security-based product (VPN) and we have one critical requirement that I am unable to figure out.

The connection between the User and the VPN server is based on the OTP (One-time Pad) algorithm and I also have SSL on the server.

At the SSL handshake level, the certificate is sent over to client for verification. But we wish to encrypt the certificate as well using OTP before it is sent over the network.

The client is an iOS app. I am also looking for a solution so that the OTP encrypted certificate is first validated at the device level, before it is validated by the SSL handhshake. It is an additional security level that we wish to integrate.

Any idea how can I do this? As far as I know, the SSL handshake is an automated process and cannot be controlled.

Connect-PnPOnline using ClientId and self-signed certificate

Does anyone know how to Connect-PnPOnline using Azure AD APP permissions and a self-signed certificate?


  • Generated a self-signed certificate. Recorded the password
  • Registered an Azure App. Uploaded a certificate to the app
  • Granted App permissions to the app
  • Granted admin consent

enter image description here

Now, I am trying to connect-PnPOnline using the script below:

    $  certificatePassword = 'CERTIFICATE_PASSWORD'     $  secureCertificatePass = ConvertTo-SecureString -String $  certificatePassword -AsPlainText -Force      Connect-PnPOnline `         -CertificatePath "C:\...\DeploymentApp.pfx" `         -Tenant <TENANT>.onmicrosoft.com `         -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `         -Url https://<TENANT>.sharepoint.com `         -CertificatePassword $  secureCertificatePass `         -IgnoreSslErrors  

I’m getting an unhelpful error:

Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters. At line:1 char:1 + Connect-PnPOnline ` + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Can someone recommend something, please?


You can try to easily replicate my case:

  • Get these scripts on your folder these scripts.
  • Install Azure CLI on Windows.
  • Right-click on Register_AD_App.bat and “run as administrator”
  • You will be promted to enter an admin account for your Azure AD/Office 365
  • At the end the app will be registered, concent granted
  • o365AppDetails.json file will be created that contains an auto-generated certificate password

enter image description here

How to generate a certificate with csr’s sans kept by using openssl x509?

I already know how to add sans to csr, and I know it’s viable to add once again to crt using openssl x509 like this openssl x509 -req -extfile < (printf "subjectAltName=IP:xxx" -days xxx -in xxx.csr -signkey xxx.key -out xxx.crt

but I want to find a way to do that in one command line without using config file.


How do I get a Linux box to use RADIUS authentication with a certificate?

Googling anything involving RADIUS configuration has been hell, as many of the terms get mixed together, making search results useless, so…

I have a RADIUS server offering EAP-TTLS based communication using a certificate signed by a private CA to which I have both the public and private keys. I already have this server configured to accept requests from a given IP address.

How do I:

A) Properly install the public CA key on a box such that

B) The box will use it to verify the RADIUS server is who it says it is and

C) That the communication is encrypted and

D) That the box will not trust any other root CA for

E) Authenticating users logging onto the box

How to avoid restarting nginx to renew letsencrypt certificate?

I have installed a Nginx server to host my website, and added HTTPS with LetsEncrypt.

The problem is every time the certificate expire, my site become inaccessible and I need to manually restart the service using So every two months or so I am forced to manually do a:

sudo service nginx restart 

I tried automating that several time already but failed. My last attempt was using this:

sudo crontab -e   0 0,12 * * * letsencrypt renew >/dev/null 2>&1  1 0,12 * * * root /etc/init.d/nginx reload 

Is this the wrong way? How can I validate this job works without waiting my site to be inacessible again?

Certificate problems

Many shell applications are throwing SSL certificate errors. I’m not aware of anything that could have caused this. apt, Google Chrome, Discord all work fine.

Already tried: Problem with certificates


YouTube-dl: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)> (caused by URLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

wget: ERROR: cannot verify www.google.com's certificate, issued by ‘CN=GTS CA 1O1,O=Google Trust Services,C=US’: Unable to locally verify the issuer's authority. To connect to www.google.com insecurely, use–no-check-certificate’.`