Using Apache MINA for SSH using a signed ssh-rsa-cert-01 from a Certification Authority

There is an existing client configured and running (SshClient) using Apache MINA to SSH to one of our internal jump boxes. It currently uses PEM-based authentication. Due to compliance we have to switch to using internally signed certificates (internally we are using HashiCorp Vault as a CA). I’m unable to find any documentation regarding how to use signed certificates for SSH in Apache MINA to start with. Is it not supported? Will I perhaps have to use another Java SSH library?

Keeping a self-signed CA certificate a secret [duplicate]

I have a server that has a public and private key pair that are known by my own self hosted CA.

A client wants to send the server some sensitive data. When the client receives the server’s public key to initiate a TLS connection, the client obviously has to contact my CA to verify the server is not an imposter.

The client has to also make sure my CA is not an imposter. Is the only option for facilitating this to obtain a non-self-signed, legitimate certificate from another CA, embedded into the software tools the client is already using to communicate all this? Or, as a second option, send the client our CA certificate beforehand, e.g. in an email, to use in all future communications with our CA? How is this normally handled in software exposing public APIs over secure connections by those who want to manage their own PKI?

Is a certification path construction algorithm needed for SSL/TLS?

In the TLS Handshake a Certificate message is sent. This message contains the (chain of) certificates needed to validate the provided certificate of the communicating party.

However, I have also read in some papers, and it is also defined in RFC 5280, that the certification path process is challenging and that an algorithm is needed to actually do the path construction.

This confused me, since during the TLS Handshake the chain of trust is provided in the Certificate message. Therefore I was wondering: Is a Certification path algorithm also needed in the TLS protocol?

  • If so, why is it needed? As far as I know, the Certificate message sends all the certificates in the chain of trust.
  • If not, is it true then that the Certificate message does not (always) provide all the certificates in the chain? Or maybe the certification path algorithm does not apply at all for SSL/TLS; but for what kind of protocols is it needed then?

Will it be safer to use a self-signed CA and client certificates in the company for a private website?

Our company has 10+ private websites and 20+ people, and needs to open a different one automatically when the developers are testing some functionality. We do not want anyone outside the company to view the content of the private websites. The websites are accessed with IP and port. Those websites have public IPs and can be accessed from any place.

So there are two options:

  • We can open HTTP websites and use HTTP basic auth with a fixed username and password to log in. When someone leaves the company the password will change.
  • We can create a self-signed CA and a client certificate, and use that CA to sign an HTTPS server certificate for the websites, and the websites need the client certificate to view. We will continue using the fixed username and password and HTTP basic auth on the HTTPS websites.

We use the fixed username and password to prevent people who have left from having access to the private website. They are fixed, so we can spend less time managing them.

Will option 2 be safer than option 1? Or is it just an illusion of safety because of HTTPS?

Is there any bigger safety problem in option 2?

Can I restrict a Certification Authority to signing certain device/application?

Basically another administrator wants a subordinate CA certificate for their fancy appliance. How do I restrict the subordinate CA certificate issued to them so that it is only able to issue for their usages and does not allow them to issue certificates that are used elsewhere?

Having a subordinate CA that is not under control is pretty risky; I need to make sure that the sub CA will not cause damage to the PKI system.

Is there some policy that I could set in the sub CA for the restriction?

How does a merger formally impact an ISO 27001 certification?

Organization A has a service that is ISO 27001 certified. It is acquired by Organization B which does not have any certification.

What are the formal impacts of the acquisition on the ISO 27001 certification?

I am interested in two cases:

  1. right after the acquisition, when nothing has changed yet in Organization A
    → my understanding is that the certification is intact as i) the scope has not changed and ii) the means to handle the requirements (patch management for instance) have not changed either

  2. Organization B integrates Organization A and the means to handle the requirements have changed. To take the patch management example above, it is now ad hoc, uncontrolled, in one word not suitable for ISO 27001 requirements.
    → does the ISO certification still hold?

Another way of looking at it is whether the certification is a snapshot checked every year (with the hope that things are correct over the year), or whether any negative change over that year automatically invalidates it.

If the latter: how does this invalidation happen?

Can’t identify the CA certificate chain in the server’s certification manager to auto-enroll it

I’m on Windows Server 2019 with AD/DC, DHCP, DNS, Remote Access and CA roles installed on it. I created a VPN certificate (for SSTP and IKEv2) on my server, issued it and installed it in the personal certificate store. Now I want my clients (basically Windows 10 Pro machines) to automatically receive the CA certificate chain so that they can trust certificates issued on my server like the VPN cert. I’m going to do this using group policy, but the problem is I can’t tell which one of the installed certificates in the certificate store of the local machine (Server 2019) is actually the CA certificate chain.

I have 3 identical CA certificates: 2 of them are in the Trusted Root Certification Authorities store and one of them is in the personal store.

Here are the details of those 3 certs; the screenshots I took from the details are the same in all 3 certificates.

I’d appreciate if someone can help me find the right one.