Independent C library or function (on Linux) to programmatically generate a self-signed certificate [closed]

Is there a simple C library or function to programmatically generate a self-signed certificate in C on Ubuntu? Of course, one can execute a simple system("....") call to execute a CLI. I am looking for a native, small, stand-alone library just for this purpose, with possibly added functionality, but not with the full weight of TLS implementations such as openssl, boringssl, mbedTls, etc.

Windows 10 SSTP with self-signed certificates

I can’t seem to get the Windows 10 sstp client to connect to the (router) sstp server

I have tried numerous combinations when creating my self-signed certificates (CA & server), but I have to admit that I’m a little stumped.

CA: https://prnt.sc/rqtkhv + https://prnt.sc/rqtks0

Server: https://prnt.sc/rqtls4 + https://prnt.sc/rqtm0y

Windows 10: https://prnt.sc/rqtxsq + https://prnt.sc/rqtyfm

Q1) When installing the certificate in Windows I usually select the [Local Computer] certificate store rather than [current user]. Is it normal for Windows to also install a copy in the [current user] store? If so, what is the point of this duplicate certificate installation?

Q2) When installing the certificate into the “Trusted Root Certificate Authorities” for [current user] I obtain the following warning: https://prnt.sc/rqtoyb – why don’t I get this same warning when installing via [Local Computer]?

Q3) What is the meaning of the yellow triangle with exclamation mark on both [Basic Constraints] and [Key Usage]? https://prnt.sc/rqtzj0 + https://prnt.sc/rqtzut

Q4) Why doesn’t the SSTP client (https://prnt.sc/rqu1r5) detect the presence of the previously installed (SSTP server’s CA) certificate? https://prnt.sc/rqu0o0

Q5) I feel like my multiple certificate installation attempts may have ‘polluted’ my Windows certificate store. Is this possible? If so, is there a way to ‘clean up’ the certificate store (besides manually deleting unwanted certificates)?

Q6) I believe that this used to work with Windows 10 before, but, maybe because of the regular updates, things seem to have changed?

Regards, Yann

Technical description of a self-signed certificate

I’m having a friendly debate with a co-worker as to the meaning of “self-signed” when it comes to PKI. We have an internal root and subordinate CA in our organization. We import the cert chain on internal clients to allow for the trust of certificates issued from our internal/private CA.

My colleague believes that the definition of a self-signed certificate is one where there’s no publicly trusted/commercial certificate authority involved. I, however, understand a self-signed certificate to be one that’s created by the host that it resides on and has no further link to any chain, private or public.

I’ve searched Google and found both answers being touted as correct. I’m not great at comprehending RFCs, which is probably what I need to do to really get to the root of this argument. Rather, can someone more knowledgeable than myself help to settle this disagreement?

Thanks in advance!

Self-signed SSL certificates vs CA-signed certificates [duplicate]

This question already has an answer here:

  • SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? 3 answers
  • SSL certificate chain verification 2 answers
  • Understanding the signing and verification process through a CA 1 answer
  • Clarifying self-signed certificates vs root certificate authority 4 answers
  • Does Self-signed certificate differ from CA from a security point of view? 8 answers

While reading about certificates, I came across this article. It says:

The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.

How exactly does the CA ensure stronger verification?

While trying to find an answer to this, I found this answer. The fifth paragraph mentions:

Once you get the certificate, you want to verify it’s the good one. You can see in the certificate that it has been issued by a CA. If you have the CA key you can verify the signature.

What does this mean? Everyone who’s trying to access any site with a CA-signed certificate will have this universal CA key? If yes, isn’t that insecure in any way? If no, then how do you verify that it isn’t a “forged” certificate from the CA?

(I’d appreciate an in-depth explanation of how CA-signed certificates actually work.)

Is a self-signed certificate from my ISP-provided router a security threat?

I recently found out that in order to log on to the web-based administration tool on my ISP-provided router, I need to accept a self-signed certificate it offers. I did a bit of reading and it sounds like self-signed certificates issued by an ISP can enable the ISP to perform MITM attacks on computers that accepted the certificate. (see Is it common practice for companies to MITM HTTPS traffic?)

Is this something I should be concerned about in my situation? If I accept the certificate, will I potentially be compromising end-to-end encryption with parties other than the ISP or my router’s software?

When I view the details of the certificate, it says “Root certificate authority”. Is this a synonym for self-signing or can this certificate be used for a MITM attack?

Here are screenshots of the details of the certificate, with things that looked like I shouldn’t spread around on the internet blacked out:

Screenshot 1, Screenshot 2, Screenshot 3 (images not included in this copy of the post)

RDP with self-signed cert requiring password before launching display

I’ve noticed that the search engine Shodan grabs screenshots from hosts running an RDP service, even if they offer a certificate.

To my understanding, the certificate is used to authenticate the server and encrypt the traffic sent and received (exactly like certificates are used in HTTPS), and thus should be irrelevant to the protection of hosts exposing RDP to the internet. But when I try to connect to such a service using xfreerdp, I get prompted for a password before I get to where the screenshot was taken, and then the error message: freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014].

I read that Shodan does not try passwords; it just grabs screenshots from accessible targets without credentials. How is Shodan able to grab such screenshots, or what does xfreerdp do instead of launching the RDP display?

Connect-PnPOnline using ClientId and self-signed certificate

Does anyone know how to Connect-PnPOnline using Azure AD APP permissions and a self-signed certificate?

Steps:

  • Generated a self-signed certificate. Recorded the password
  • Registered an Azure App. Uploaded a certificate to the app
  • Granted App permissions to the app
  • Granted admin consent


Now, I am trying to connect-PnPOnline using the script below:

    $certificatePassword = 'CERTIFICATE_PASSWORD'
    $secureCertificatePass = ConvertTo-SecureString -String $certificatePassword -AsPlainText -Force

    Connect-PnPOnline `
        -CertificatePath "C:\...\DeploymentApp.pfx" `
        -Tenant <TENANT>.onmicrosoft.com `
        -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `
        -Url https://<TENANT>.sharepoint.com `
        -CertificatePassword $secureCertificatePass `
        -IgnoreSslErrors

I’m getting an unhelpful error:

    Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters.
    At line:1 char:1
    + Connect-PnPOnline `
    + ~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Can someone recommend something, please?

Update

You can try to easily replicate my case:

  • Get these scripts into a folder.
  • Install Azure CLI on Windows.
  • Right-click on Register_AD_App.bat and “run as administrator”.
  • You will be prompted to enter an admin account for your Azure AD/Office 365.
  • At the end the app will be registered and consent granted.
  • An o365AppDetails.json file will be created that contains an auto-generated certificate password.


How does the browser decide to accept a self-signed certificate?

As far as I know, with OpenSSL, you can self-sign your website’s certificate. This means that the browsers that will connect to your server are supposed to be willing to accept a self-signed certificate for your website. My question is, how does the browser know whether or not to accept a self-signed certificate for a particular website? What if I MITM a client and present a self-signed certificate for a bank website? How does the browser not get tricked at that point?