Why would a certificate authority have multiple root certificates?

When I look at the trusted certificates in my browser, I see that many certificate authorities have multiple root certificates associated with them. For example, org-Amazon has Amazon Root CA 1, Amazon Root CA 2, Amazon Root CA 3, and Amazon Root CA 4.

How do the purposes of these four certificates differ?

I also see that some CAs have root certificates of different "tiers", such as gold, silver, and platinum. What’s the deal with these? I imagine there are price differences associated with the different tiers, but what extra service could they be offering?

What are the security risks of running QEMU/KVM as root?

Context: I own a machine; I trust root and all the accounts. I virtualize untrusted guests using KVM, and don’t want them to escape.

When /dev/kvm has the right permissions, non-root users can run KVM guests. Does this bring any security advantages over running guests as root? In case of a qemu or KVM vulnerability, won’t malicious guests gain kernel privilege no matter what user is running qemu?

Going further, assuming accounts of the host can’t be trusted, is it possible to gain root privileges using /dev/kvm?

Do docker images have the same root password?

If two persons are pulling the same docker image (let’s say Debian:10.4), they will obtain the same "files" (layers) from the docker repo.

So, from what I understand, launching a docker image is not exactly like a fresh install, it is more like a preinstalled OS. So I guess the two docker images debian:10.4 launched in two separate hosts should be as equivalent as possible to avoid difference in the behaviour from a host to another.

Considering this, I am asking myself if the root’s password is always the same on every debian:10.4 images.

I don’t know if we know the root’s password of this image or only the hash. But if someone could find a preimage of this hash, he would be able to log in in every SSH server based on a debian:10.4 ?

Or is there a minimal randomness applied at the start of a instance docker to ensure the dispersion of some security constant (root password, id_rsa key, …) ?

[Hostpoco.com]*VPS,1024 MB RAM, 30GB Storage, IPv4 include & Complete Root Access.

Hostpoco.com offers Openvz VPS hosting at an affordable price with premium Intel Xeon servers with full-SSD / HDD storage in premium data centers connected to redundant Tier 1 internet providers.
Just Sign up and be online within Hour with our instant & free setup!

[b]All services include the following:[/b]

– VPS Type OpenVZ
– Complete Root Access
– 24×7 Rescue System
– Premium Bandwidth
– Free Setup
– 99 % Uptime Guarantee
– 24/7 Live Support
– 1 IPv4 included

[b]*VPS Startup:$14.99 /Monthly[/b]
– 1024 MB Memory
– 30 GB Raid 10 Storage
– 2 TB Monthly Traffic

[b]*VPS Pro:$24.99 /Monthly[/b]
– 2048 MB Memory
– 60 GB Raid 10 Storage
– 3 TB Monthly Traffic

[b]*VPS Premium: $44.99 /Monthly[/b]
– 4096 MB Memory
– 120 GB Raid 10 Storage
– 4 TB Monthly Traffic

[b]*VPS Elite: $84.99 /Monthly[/b]
– 8192 MB Memory
– 180 GB Raid 10 Storage
– 8 TB Monthly Traffic

Please feel free to chat with us via email/phone if you have any questions
email – [b]Sales@hostpoco.com[/b]
web – [b]https://hostpoco.com/[/b]

Check Our Reviews:
[b]https://hostadvice.com/hosting-company/hostpoco-reviews/[/b]

Thank You.

Why is my RADIUS Certificate not automatically signed with the root CA Certificate on my iPhone

I have spent the last few days setting up a freeradius server with eap-tls as the only authentication method. I have used this old tutorial for setting up my own CA and generating the certificates and adjusted the older parameters to match the current ones.

So far I managed to authenticate my iPhone 6 running iOS 11.1.2 as a test device, for that I have:

  • Installed the root CA’s(the one I created) certificate on my iPhone
  • Installed a test identity profile on my iPhone with the name "Test" and test passphrase, which I converted to a .p12 file

Now when I connect to the network with the freeradius server running in debug mode, I can select EAP-TLS as the auth type and tell it to use the identity certificate. It then prompts me to trust the server’s certificate and I get a successful connection.

I have 2 questions:

  1. Why do I need to trust the server’s certificate if I have the root CA’s certificate installed? As far as I understood the way the authentication works is as follows:
  • The server and client each send their respective certificate for the other party to authenticate with the root CA’s certificate. After both are completed there is an optional challenge for the client to complete? (I’m not sure about this) and the client is authenticated

  • The server doesn’t need to be told to explicitly trust the client certificate but the client needs to explicitly trust the server’s even though they are both issued and signed by the same root CA and both parties have the certificate needed to be able to verify it

  • AFAIK the whole point of certificate-based authentication is to prevent MiTM attacks that other methods are vulnerable against. If the user initially connects to a spoofed access-point and accepts that certificate it will refuse the correct RADIUS server and leak the client certificate to the wrong server, this would be avoided if the client can verify the server certificate on its own without user intervention

  1. There is a username option when selecting the network on the iPhone, which does get matched against a backend SQL database by the freeradius server regardless of that username existing the server accepts the authentication. This page notes that the username is used in inner and outer authentication but to me, that doesn’t seem to make sense as there is no inner and outer identity in EAP-TLS. I assume there is a way to tell the radius server to only accept requests that match a username in the database but if it is not configured that way by default what is the point? Doesn’t the certificate already uniquely identify the device/user and what is the point of the username field if anything can be entered?

I would appreciate an explanation to these concepts, I’m relatively new to certificate-based authentication and RADIUS in general so I’m still learning the basics.

The goal of this endeavor is to deploy the server in an eduroam-like environment where users can generate certificates for their devices on some website, download the two needed certificates and get access without having to trust another.

I should also note that I have complete access and control over the server and my CA so I can modify anything as needed, so no quirky workarounds here.

Smooth root certificate rotation

I am surprised that I couldn’t find one concrete example of how to do root certificate rotation. For example:

  • Root CA has 2 years validity period
  • Intermediate CA has 9 months validity period
  • leaf certificate has a 3 months validity period

The renwal/replace time are:

  • Root CA is going to be replaced every 1 year
  • Intermediate CA is going to be replaced every 6 months
  • leaf certificate is going to be renewed every 2 months

This gives

  • 1 month buffer for service to renew its certificate before the certificate expires.
  • 3 months buffer for intermediate CA to sign new service certificate. By the time the old intermediate CA expire, all the old issued certificates are expired as well.
  • 1 year buffer to distribute the new root certificates to client. We want to give enough time for clients to pull the new root certificate before the old one expires.

Questions:

  • We have root 1 and root 2 overlapped for 1 year, when should we start signing new CSR using root 2 certificate?

If the one year overlapped time is just for cert distribution, by the time root 1 expired, all clients should already have root 2 trusted. However, by the time root 1 expires, we haven’t signed any new server certificates with root 2. It means when the time root 1 expires, all the services will be down. I guess we will need to ensure all services are using cert from root 2 before we can retire root 1? and we also have to ensure all clients have root 2 key before issuing server certificates using root 2? I think that makes sense but in terms of timeline, how should we managed that? In the 1 year overlapped time, maybe we can do 6 months distribution time, and 6 months signing time. so by the time root 1 retire, everything will be running on root 2 already?

And if we are using private CA, (lets say AWS private CA) , do we need to implement a service to ensure things above will happen?

Given that we own all the clients and servers.

*[Hostpoco.com]SSD VPS Hosting + 1 IPv4 + Root / SSH Access + Free Setup.

Hostpoco.com provides SSD VPS Hosting plans that are perfect for everyone who wants full root access to their server. Our managed plans allow you to gain the control you need while still keeping a little extra support to help you accomplish your goals much faster, making them perfect for website owners who are not too familiar with the server-side of web hosting.

We’re deploying premium Intel Xeon servers with full-SSD / HDD storage in premium data centers connected to redundant Tier 1 internet providers. Our fast servers come with a 24/7 super-fast technical support service. Also, all our VPS hosting plans comes with full root access, dedicated IP, free RDNS, and free re-installations. Just Sign up and be online within Hour with our instant & free setup!

====================
*VPS Hosting Feature
====================
~ VPS Type OpenVZ
~ Premium Bandwidth
~ Free Setup
~ 99 % Uptime Guarantee
~ 24/7 Live Support
~ Root / SSH Access

========
*VPS Plan
========
*VPS Startup:$14.99 /Monthly
– 1024 MB Memory
– 30 GB Raid 10 Storage
– 2 TB Monthly Traffic

*VPS Pro:$24.99 /Monthly
– 2048 MB Memory
– 60 GB Raid 10 Storage
– 3 TB Monthly Traffic

*VPS Premium:$44.99 /Monthly
– 4096 MB Memory
– 120 GB Raid 10 Storage
– 4 TB Monthly Traffic

*VPS Elite:$84.99 /Monthly
– 8192 MB Memory
– 180 GB Raid 10 Storage
– 8 TB Monthly Traffic

For more details: https://hostpoco.com/cheap-us-vps-hosting.php

Thank you.

Symplifying expressions with exponentials inside square root

I have an expression $ $ \exp (i k x) \sqrt{y^2 \exp (-2 i k x)} $ $ When I put this in Mathematica and do FullSimplift, it gives

FullSimplify[Exp[I k x] Sqrt[Exp[-2 I k x] y^2]] 

The output is $ $ e^{i k x} \sqrt{y^2 e^{-2 i k x}} $ $ Even if I give all proper assumptions $ \{x,y, k\} \in \mathbb R$ and $ -\pi < k \leq \pi$ like this

FullSimplify[Exp[I k x] Sqrt[Exp[-2 I k x] y^2], {x, y, k} \[Element] Reals && -\[Pi] < k <= \[Pi]] 

The output comes as $ $ \left| y\right| e^{i k x} \sqrt{e^{-2 i k x}} $ $ But the exponentials should not be there anymore, the result should be only $ \left| y\right|$ .

What simplification or assumptions to make, to get the desired result?

Major security and usability flaw in Linux (root privileges and sudoers, folder access restriction, Ubuntu Linux)

Alright, let me give you the context. I am a business owner with strong technical background, say a programmer, though not an advanced system administrator. I’ve bought a VPS server where I want to host several applications and webpages. One of the apps consists of backend, admin frontend and user frontend, another one is just backend and frontend. So 5 different programmers develop those apps. From time to time, as the development takes its place, those programmers need to install and upgrade some packages, modify system configs and so on, i.e. they need ssh access and some root privileges.

And here is the tricky part. It is obvious that I don’t want them to see and gain access to the folders they are not supposed to see, i.e. the devs of the first app shouldn’t have access to the folders of the second app and vice versa. Moreover the backend dev of the first app shouldn’t have access to the frontend folders of the same app and the same goes for the second app. Also I would like to restrict access for them to certain commands like visudo or reboot, so they wouldn’t be able to lock me out of my own server or reboot it without my consent.

Now, if I give them sudo privileges for them to be able to run administrative tasks needed for their development – then they have access to everything and it becomes practically impossible to restrict access for them to certain folders and commands. On the other hand if I DON’T give them sudo privileges, then it becomes a huge pain for me to every time install packages and give them access to certain files and commands they need to continue development. There are over 1500 commands and the corresponding number of system files in Linux they could potentially need access to, so it’s very VERY unconvenient for me to spend so much time to administer the VPS, especially getting the fact that I’m not a very advanced system administrator and I don’t have much time because I need to run my business.

There are already numerous posts and threads on the Internet where people try to find solutions to somewhat close problems like these: One, Two, Three, Four, Five, Six, Seven, Eight, Nine, and they still have no reasonable solutions to them, only those that involve some supercomplex activities and anyway not giving a needed result.

So from my point of view as a business owner it should be something like this: there is a root user who can do everything. He can create admins and define access rights for them, for example in that very sudoers file. Then it’s his decision whether to give access to an admin to the sudoers file itself and any of the folders and commands of his choice. For example an admin could be able to run any command in the system except “reboot” and “visudo” and he can access all files and folders except /etc/sudoers and say /var/www/private_folder even WITH sudo privileges invoked (meaning he can’t even copy those files, overwrite them, chmod and chown them and so on, i.e. access them with any command).

That would immediately make the whole system administration A LOT more easier and logical, eliminating the need for complex solutions like chroot jails, separate bash environments, splitting servers into virtual machines, using containers and so on. And it’s so simple, a matter of a couple of conditions in the code, if I understand it correctly from a developer’s perspective. Also, I want to be in control of my VPS, not having to trust any other third person believing he/she won’t steal my information and/or destroy my whole system either by making a mistake or intentionally and basically it can be considered as a serious security vulnerability from a certain point of view.

This seems so obvious and logical for me, that I was really discouraged and embarrassed that it’s really isn’t like that in Linux. Maybe 20 years ago when Linux was created it was enough to have only a root and sudoers and the rest of users to accomplish tasks they had at that time, but today everything goes a bit different way already and that archaic approach is not usable anymore.

Of course I realize I can understand something wrong and there is a strong reason why it has to be as it is, then please let me know why is it so and what is a correct and easy way of solving my problem described above without a need to build a behemoth on my VPS or manually administering it all the time by myself. After all it should be user-friendly, right? Now it’s not.

On the other hand if there is no such a solution, then I would really be willing to even pay someone who could implement some kind of a patch or a package that will allow to solve this problem.