In AWS EKS, how should Kubernetes certificates be generated?

This article from 2018 states (emphasis mine):

It is common practices for Kubernetes clusters to self-signed their digital certificates. I often get from Security Practictioners the hairy eyeball when this fact is discussed. Why not use “real” certificates, that are signed by trusted CAs. Well, some people do that, but for the rest of us, you are simply not gaining any signficant security benefits, and you are creating more work for yourself. You see, Kubernetes clusters use many digital certificates in all aspects of managaging a cluster. For example, each node has its own digital certificate to verify its authenticity.'[1]

Is it still the correct approach to just allow EKS managed Kubernetes to create and deploy its own certificates?


Is there a list of Certificate Authorities that provides certificates valid also for digitally sign a document?

I have to digitally sign a pdf. I created a little app using the DSS library (an EU project, based on Bouncy Castle, very simple to use) that sign the PDF with PADES using a p12 file.

I know how to create a p12 file from a certificate using openssl. The problem is I only find Certificate Authorities that provides certificates for SSL.

There’s somewhere a list of official and trusted CAs that provides X.509 certificates also for signing documents? I’m interested in pricing in particular… 😛

Thank in advance.

Can’t stop Service Bus service using Stop-SBFarm to renew expired Workflow Service Certificates in SharePoint 2013

I have SharePoint 2013 Workflow Service auto generated certificates listed below in my single server SharePoint Farm and they all are expired now.

  1. AppServerGeneratedSBCA – Root Certificate for Service Bus
  2. –Service Bus Farm and Encryption Certificate
  3. – Workflow Manager Services and Encryption Certificate
  4. WorkflowOutbound – Workflow Manager Outbound Signing Certificate

I am following article and enrolled the workflow service server in CA and created the new certificates, but still can’t apply new certificates. As soon as I run Stop-SBFarm or Get-SBFarm commands, I always get the below error.

“Thumbprint not found in the certificate store LocalMachine\My”

Thumbprint in the above error is my expired certificate’s thimbprint. I have verified and the expired certificate is still present in my server (mmc).

How to configure Cloud SQL Postgres to require SSL but not client certificates?

Is there a way to create a Cloud SQL Postgres instance that Enforces SSL/TLS, but that does not require the use of client certificates? In pg_hba.conf, this would be a line containing hostssl but not clientcert=1.

I have tried Enforcing SSL/TLS (settings.ipConfiguration.requireSsl on the instance, or gcloud sql instances patch [INSTANCE_NAME] --require-ssl) But this option seems pretty useless, because:

  1. According to Managing your client certificates , you can only create “up to 10 client certificates for each instance.” This means that we would have to share the same client certificate/private keys among multiple users or services, so the secret is not truly secret among our employees.
  2. After presenting a client sslkey/sslcert in psql, postgres still asks for a password. This is evidence that the Cloud SQL sslCerts API inserts a clientcert=1 auth-option, as opposed to a cert auth-method, into pg_hba.conf. This means that each client needs both a client cert and a password.

Why isn’t free software signed with self-signed certificates? [duplicate]

This question already has an answer here:

  • Why don't websites provide a checksum of their downloadable files? 5 answers

A majority of free software (in particular, Linux ports for Windows) are not signed.

As I understand it, it is quite easy to create a self-signed CA, and sign the software. Distribution would be handled by major free software players, like KDE, Gnome, or whoever is behind the software.

Why isn’t this standard practice?

has 3 IOS Distribution certificates but their private keys are not installed

bom.. quando vou tentar gerar um arquivo para poder atualizar meu aplicativo na app store, eu vou em validar app no xcode 10 e encontro esse problema .. mac foi formatado recente e não teve como fazer backup.. conforme a imagem abaixo , gostaria de saber uma solução para meu problema.. queria saber também se independe da resposta, terei como atualizar meus apps na app store

Workflow Service Certificates expired in SharePoint 2013

We have SharePoint 2013 Workflow Service certificates listed below and they all are expired now. What is the best way to renew these certificates?

  1. AppServerGeneratedSBCA – Root Certificate for Service Bus
  2. – Service Bus Farm and Encryption Certificate
  3. – Workflow Manager Services and Encryption Certificate
  4. WorkflowOutbound – Workflow Manager Outbound Signing Certificate

Change certificates with Domain CA issued certificates using “Set-SBCertificate”, “Set-WFCertificate” and “Set-WFNextOutboundCertificateReference” Workflow Power Shell commands, is it the right model?

Is it possible to simply replace them using self-signed certificates created from IIS? If yes, what are the steps?

Or is there a direct way to renew the above already expired certificates?

Thanks in advance.

SSL Certificates Issuer

I opended local computer certificates in Windows Certificate Store and I found that for all certificates, columns Issued To and Issued By have the same values. I didn’t understand that case. Also I have some certificates that have as Issuer 2SB Authority,CKF-26 and I don’t know if these fields are true because far as I know there are no authority that has these names. So for what they refer ?

Below you can find a List of local computer SSL certificates enter image description here

enter image description here