private key of SSL certificate

To create a certificate, first we need to fill in a CSR, and in the CSR we have to place our public key; that key pair can be generated in different ways on different devices. To do SSH, we run the command (crypto key generate rsa modulus 1024) and generate the key pair.

Now, with the help of this command, we are generating a public and private key for SSH, which will help with encryption, but the same key can be placed in a CSR, and from that CSR we can generate a certificate. Is that correct?

Where is the private key stored? I know the private key is very sensitive data, but still, if I am the server admin of a server or a firewall and want to see the private key, how can I check that? Is there a command for that?

Should I obfuscate/disguise (file) names in certificate exams?

I have 0 experience taking exams for security certificates. When I’m taking an exam for something like OSCP, should I obfuscate/disguise my files and names (like naming a file update.sh) to make it harder for “future testers and auditors” to find like a criminal would, or just make them obvious (naming a file exploit.sh) for the examiner(s) to understand my reports more easily, or does the naming of my files and folders (and variables and functions) not matter at all?

Let’s Encrypt certificate in the backend server

I created a Let’s Encrypt certificate for my domain and installed my SSL certificate in the nginx reverse proxy. Now, I want to secure the communication between the proxy and the backend server, also using Let’s Encrypt, and I have the same domain name for both the proxy and the server. I don’t want to use a self-signed certificate in the backend server. So, how can I use Let’s Encrypt for both the server and the proxy?

Can one use a certificate directly from Microsoft Azure Key Vault for LDAP/S?

The only method I can seem to find to add a certificate for secure LDAP (LDAP/S) for Azure Active Directory Domain Services is to upload the certificate from my local computer. This seems like a very poor key management solution when Microsoft Azure Key Vault is available for creating and storing key pairs and certificates. Am I missing something? Is there a way to directly use a certificate and key pair from a Key Vault, or must I download these from a Key Vault and then upload them for LDAP/S? Best PKI practices dictate that I never access the private key directly.

Transferring Microsoft SmartScreen reputation to renewed certificate

I know that even software signed with a new code signing certificate triggers the Microsoft SmartScreen warning (“Windows Defender SmartScreen prevented an unrecognized app from starting”), until the certificate builds a reputation:
Smart-Screen filter still complains, despite I signed the executable, why?

But we have been signing our software (WinSCP) with a DigiCert code signing certificate for years. It is a plain certificate, not EV.

As our certificate is expiring soon, we have renewed it. But now our software, signed with the renewed certificate, triggers the Microsoft SmartScreen warning.

Is that expected? Is the reputation really not transferred to the renewed certificate? If not, what does it take to build the reputation again? The new version of our software (signed with the renewed certificate) has been out for a few days already and has tens of thousands of installations, but it still triggers the warning. Or is there a way to help the reputation transfer somehow?

Truststore with root certificate throwing an SSLHandshakeException

I got to know from the post below that having the root CA certificate in the truststore is enough. If that’s the case, I just created my own truststore, added the root certificate to that truststore, and am trying to establish the connection using this truststore, but I’m getting the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Please, someone help me with this. TIA

Certificate warning when I enable DNSSEC

I registered mydomain.net (with Google’s domain registration service). In the DNS settings on the Google control panel, I say that mail.mydomain.net should go to the email cloud app (business.zoho.com in this case, but that’s probably not pertinent). I used a CNAME record to do this in the Google Domains DNS panel.

mail CNAME 1h business.zoho.com

At first it worked seamlessly, but at some point, I think after I enabled DNSSEC, I started getting a certificate error, as obviously mail.mydomain.net doesn’t match business.zoho.com. It all points back to DNSSEC being the culprit, but I can’t be sure. Does this make sense, and what would I need to do (in a general sense) to enable DNSSEC but not get the certificate warning in the browser?

Is pinning a global root CA almost the same as not having any certificate pinning at all?

I have seen multiple mobile applications that are pinning global root CAs instead of intermediate/leaf certificates. Doesn’t this expose them to the same risk as not having certificate pinning at all?

Consider the classic coffee shop attack scenario, where the owner of the network has a certificate issued for his domain (*.evilcoffee.com, signed by DigiCert).

Now, if the mobile application trusts any certificate issued by DigiCert, then you can effectively MitM? Am I missing something?