How do I configure the Calculator web service sample code in netbeans to use x509 certificates for authentication?

I have successfully followed the steps outlined here: https://netbeans.org/kb/docs/websvc/jax-ws.html

Everything works correctly (i.e. I can run a client jar file from terminal and have it send two numbers to add; the calculator web service receives them and returns the correct sum in the SOAP response).

I now wish to add authentication using x509 certificates, but I am unable to find specific documentation on how to do so. The closest link I found is a secure calculator here:

https://netbeans.org/kb/docs/websvc/wsit.html#Exercise_2_2

But this appears to be using “Username Authentication with Symmetric Keys”, which is not what I am looking for.

I am looking for the calculator client to send its x509 certificate over to the calculator web service. The calculator web service authenticates the x509 certificate it just received from the client. If authentication is successful, it will proceed to add the two numbers sent by the client. Otherwise it returns “invalid cert”.

This seems like a simple thing to do, but I am not able to find any documentation or a sample netbeans project that does this.

This website seems promising: https://docs.oracle.com/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp162511

Specifically the Example: Mutual Certificates Security (MCS). However, when I get to the step in the “Securing the Example Web Service Client Application (MCS)” section that says:

Select the WSIT Configuration tab of the CalculatorWSService dialog.

Netbeans does not have a WSIT Configuration tab. So this appears to be outdated since I am running Netbeans 8.2.

Would appreciate all / any help from the community.

Client Certificates from Public Certificate Authorities

I’m looking into mutual TLS authentication for a B2B API. Is it possible to use mutual TLS authentication using X.509 certificates while relying on Public CAs?

I see that some Public CAs (from CA/Browser Forum) offer signed “client authentication” certificates. What fields can I rely on in this case? Would I be able to just map the Subject Name to a user in my application and trust the CA/Browser bundle?

Can “Public CA 1” guarantee that “Public CA 2” will not sell the exact same certificate to a different company?

Self-signed SSL certificates vs CA-signed certificates [duplicate]

This question already has an answer here:

  • SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? 3 answers
  • SSL certificate chain verification 2 answers
  • Understanding the signing and verification process through a CA 1 answer
  • Clarifying self-signed certificates vs root certificate authority 4 answers
  • Does Self-signed certificate differ from CA from a security point of view? 8 answers

While reading about certificates, I came across this article. It says:

The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.

How exactly does the CA ensure stronger verification?

While trying to find an answer to this, I found this answer. The fifth paragraph mentions:

Once you get the certificate, you want to verify it’s the good one. You can see in the certificate that it has been issued by a CA. If you have the CA key you can verify the signature.

What does this mean? Everyone who’s trying to access any site with a CA-signed certificate will have this universal CA key? If yes, isn’t that insecure in any way? If no, then how do you verify that it isn’t a “forged” certificate from the CA?

(I’d appreciate an in-depth explanation of how CA-signed certificates actually work.)

SSH CA for managing Github SSH Certificates [migrated]

Github now supports authentication via an OpenSSH certificate: https://github.blog/2019-08-14-ssh-certificate-authentication-for-github-enterprise-cloud/.

However, I cannot find any recommendations for a certificate authority to manage these SSH certificates.

There seem to be numerous options surrounding certificate management for servers and production environments, e.g. BLESS, CASSH etc.

What would you recommend for managing SSH certificates for developers to access Github?

In an ideal world, this would allow for custom configuration by developer. It would be able to interact with an existing active directory to authenticate users attempting to create certificates and it would be a managed service.

Trusted CA SSL certificates and embedded devices

There is an embedded device which should connect to the server over HTTPS and MQTTS. A server certificate is issued by a trusted CA (for example, Let’s Encrypt). But there is a problem with server certificate verification on the client side because the device doesn’t know about trusted CA’s.

So I have a few options:

  1. Put a DST Root CA X3 root certificate (LE root cert) into the device and check against it;

  2. Make a self-signed root certificate and put it into the device;

  3. Public key pinning.

The first approach doesn’t work because the DST Root CA X3 will expire next year. Furthermore, Let’s encrypt may change their root certificate at any time and we can’t guarantee that newly issued certificates will be signed by the same one.

The second way makes my HTTPS server not trusted for other clients like web browsers.

What about using multiple certificates at the same time? Is it possible? If I’m not mistaken Nginx server supports it, but I’m not sure it works in the way I guess: if the first certificate (e.g. Let’s Encrypt) verification fails a server would give a fallback certificate (e.g. self-signed) to the client. Even if so not all servers support this.

The third way is to put my server public key hash into the firmware. In this case I can use any CA in future (am I right?). The only thing I should be careful about is always using the same keys when generating CSR.

Which way is better? Or are there any other solutions for my problem?
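
The trade-off in the third option above, as an added example that is not part of the original post: a pin computed over the server's public key (SPKI) is identical when the same key is certified by two different CAs, and changes as soon as a new key pair is used for the CSR. It assumes the `openssl` CLI is installed; the CA names, host name and keys are throwaway values constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every key, CA and name below is a throwaway constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SPKI pin of certificate $1: base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Create a throwaway root CA called $1 ($1.key / $1.pem in $WORK).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$1" -days 30 2>/dev/null
}

# Generate server key $1.key and a CSR $1.csr for it.
make_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=device-api.example" \
        -out "$WORK/$1.csr"
}

# Have CA $2 sign CSR $1.csr, writing the certificate to $3.
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$3" -days 30 2>/dev/null
}

make_ca ca-one
make_ca ca-two
make_csr server
issue server ca-one cert-from-ca-one.pem
issue server ca-two cert-from-ca-two.pem   # same CSR, different issuer

make_csr rotated                            # new key pair for the same host
issue rotated ca-one cert-rotated.pem

PIN_CA_ONE=$(spki_pin "$WORK/cert-from-ca-one.pem")
PIN_CA_TWO=$(spki_pin "$WORK/cert-from-ca-two.pem")
PIN_ROTATED=$(spki_pin "$WORK/cert-rotated.pem")

echo "pin, issued by ca-one: $PIN_CA_ONE"
echo "pin, issued by ca-two: $PIN_CA_TWO"
echo "pin, after key change: $PIN_ROTATED"
```

The first two pins match and the third differs, so firmware carrying only one pin stops connecting after a key rotation; shipping a second pin for an offline backup key is the usual way to keep a recovery path.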

How to read Computer Certificates in Windows

I found on this post that I can find all Computer Certificate files under the directory:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys 

When I try to open them with Notepad++ there is just a blob of characters.

I would like to have a look at all public RSA certificates that I have on my PC and I would like to read them in plain text with the standard header and footer:

-----BEGIN CERTIFICATE-----  -----END CERTIFICATE----- 

Examples of SSL certificates from major vendors

Is there some place I can find example of SSL (TLS) certificates issued by the major vendors, so I can examine them for myself to see things such as what exactly the issuer field says, what signature algorithm is used, etc.?

Obviously I can check the certificate vendors’ own websites, but they tend to use EV certificates, while I’m only looking for a DV one and that will have a different issuer, possibly even a different root CA.

Does Juniper have an equivalent of ‘show security pki local-certificate’ for remote certificates?

On a Juniper Firewall, the command show security pki local-certificate will give all sorts of detail for a local certificate. (The sort of certificate you would use to stand up an IKE connection)

My question is, is there an equivalent command for the certificate being used by the remote peer to validate themselves?

Or, is the remote peer’s certificate also considered by Juniper to be a ‘local certificate’, even though it’s for the remote peer?

I can see that there is a command ‘show security ike active-peer’ that can be used to get the security associate details.

And that there’s a command show security ipsec security-associations that gives a lot of details, but not, it appears, the details of the remote certificate (I don’t have access to enough equipment to check for myself, I’m afraid)

The page IKE Policy for Digital Certificates on an ES PIC suggests that it’s possible to assign a name to the remote certificate.

To define the remote certificate name, include the identity statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]

identity identity-name;

It’s not clear to me if that name can then be used in the same way that the name of a locally stored certificate can be.

Juniper’s introduction to PKI does talk about a “Remote server local certificate”, which suggests that maybe for some purposes, local doesn’t strictly mean local but also includes “remote local certificates”. (Odd concept.)
