Self-signed SSL certificates vs CA-signed certificates [duplicate]

This question already has an answer here:

  • SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? 3 answers
  • SSL certificate chain verification 2 answers
  • Understanding the signing and verification process through a CA 1 answer
  • Clarifying self-signed certificates vs root certificate authority 4 answers
  • Does Self-signed certificate differ from CA from a security point of view? 8 answers

While reading about certificates, I came across this article. It says:

The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.

How exactly does the CA ensure stronger verification?

While trying to find an answer to this, I found this answer. The fifth paragraph mentions:

Once you get the certificate, you want to verify it’s the good one. You can see in the certificate that it has been issue by a CA. If you have the CA key you can verify the signature.

What does this mean? Everyone who’s trying to access any site with a CA-signed certificate will have this universal CA key? If yes, isn’t that insecure in any way? If no, then how do you verify that it isn’t a “forged” certificate from the CA?

(I’d appreciate an in-depth explanation of how CA-signed certificates actually work.)

Is a self-signed certificate from my ISP-provided router a security threat?

I recently found out that in order to log on to the web-based administration tool on my ISP-provided router, I need to accept a self-signed certificate it offers. I did a bit of reading and it sounds like self-signed certificates issued by an ISP can enable the ISP to perform MITM attacks on computers that accepted the certificate. (see Is it common practice for companies to MITM HTTPS traffic?)

Is this something I should be concerned about in my situation? If I accept the certificate, will I potentially be compromising end-to-end encryption with parties other than the ISP or my router’s software?

When I view the details of the certificate, it says “Root certificate authority”. Is this a synonym for self-signing or can this certificate be used for a MITM attack?

Here are screenshots of the details of the certificate, with things that looked like I shouldn’t spread around on the internet blacked out:

Screenshot 1: enter image description here

Screenshot 2: enter image description here

Screenshot 3: enter image description here

RDP with self-signed cert requiring password before launching display

I’ve noticed that the search engine Shodan grabs screenshots from hosts running an RDP service, even if they offer a certificate.

To my understanding, the certificate is used to authentify the server, and encrypt the traffic sent and received (exactly like they are used in HTTPS), and thus should be irrelevant to the protection of hosts exposing RDP to the internet, but when I try to connect to such a service using xfreerdp, I get prompted for a password before I get to where the screenshot was taken, and then the error message : freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014].

I read that Shodan does not try passwords, it just grabs screenshots from accessible targets without credentials How is Shodan able to grab such screenshots? or what does xfreerdp do instead of launching the RDP display?

Connect-PnPOnline using ClientId and self-signed certificate

Does anyone know how to Connect-PnPOnline using Azure AD APP permissions and a self-signed certificate?

Steps:

  • Generated a self-signed certificate. Recorded the password
  • Registered an Azure App. Uploaded a certificate to the app
  • Granted App permissions to the app
  • Granted admin consent

enter image description here

Now, I am trying to connect-PnPOnline using the script below:

    $  certificatePassword = 'CERTIFICATE_PASSWORD'     $  secureCertificatePass = ConvertTo-SecureString -String $  certificatePassword -AsPlainText -Force      Connect-PnPOnline `         -CertificatePath "C:\...\DeploymentApp.pfx" `         -Tenant <TENANT>.onmicrosoft.com `         -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `         -Url https://<TENANT>.sharepoint.com `         -CertificatePassword $  secureCertificatePass `         -IgnoreSslErrors  

I’m getting an unhelpful error:

Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters. At line:1 char:1 + Connect-PnPOnline ` + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Can someone recommend something, please?

Update

You can try to easily replicate my case:

  • Get these scripts on your folder these scripts.
  • Install Azure CLI on Windows.
  • Right-click on Register_AD_App.bat and “run as administrator”
  • You will be promted to enter an admin account for your Azure AD/Office 365
  • At the end the app will be registered, concent granted
  • o365AppDetails.json file will be created that contains an auto-generated certificate password

enter image description here

How does the browser decide to accept a self-signed certificate?

As far as I know, with OpenSSL, you can self-sign your website’s certificate. This means that the browsers that will connect your server are supposed to be willing to accept a self-signed certificate for your website. My question is, how does the browser know whether or not to accept a self-signed certificate for a particular website? What if I MITM a client and present a self-signed certificate for a bank website? How does the browser not get tricked at that point?

How to Trust a Self-Signed Certificate

According to Why are self signed certificates not trusted and is there a way to make them trusted?, to trust a self-signed certificate we need to import the root certificate into the trust store of the browser. Does that mean I must distribute to my clients a file, and is that the *.crt file, the *.csr, or the *.key file? What instructions should they follow to import that certificate correctly?

What are the differences of checking a self-signed certificate vs ignore it?

I’m doing an integration with a system that has a self-signed certificate. For initial development, we choose to ignore the certificate checking to bypass some errors:

Exception in thread “main” javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

because we first need to understand how to add the certificate using the Java keytool on a docker environment.

But, my question is: what is the advantage in that case to import a self-signed certificate as a “Trusted Certificate” when I could just ignore it?

Why isn’t free software signed with self-signed certificates? [duplicate]

This question already has an answer here:

  • Why don't websites provide a checksum of their downloadable files? 5 answers

A majority of free software (in particular, Linux ports for Windows) are not signed.

As I understand it, it is quite easy to create a self-signed CA, and sign the software. Distribution would be handled by major free software players, like KDE, Gnome, or whoever is behind the software.

Why isn’t this standard practice?

Why is openssl complaining that my certificate chain is self-signed?

I am trying to set up a certificate chain for a lab server. I have created my own root CA, an intermediate CA and a server certificate. I supplied these certificates along with the server key to the openssl s_server command. When I run openssl s_client and connect to that server, openssl complains that there is a self-signed certificate in the chain.

When I connect to a public web server using s_client, however, not only does the server not send all of the certificates in the chain (just the intermediate parent certificate of the server certificate) but openssl doesn’t complain about a self-signed certificate, let alone an incomplete certificate chain.

If I use s_server with a CA file containing just the server’s parent intermediate certificate, s_client complains that it can’t get the local issuer certificate. I never see this error with public web servers even though they don’t send the entire certificate chain.

In none of these tests (using my own certificates or public web servers) I am using the -CApath, -CAfile or -verify options with the s_client command.

I don’t know what I’m doing wrong. Why does s_client complain about my certificate chain even though I don’t use -verify? Why is it complaining about my (I assume) root certificate being self-signed when all root certificates are self-signed?

For example, this is what I get with a public web server:

openssl s_client -showcerts -servername security.stackexchange.com -connect security.stackexchange.com:443 CONNECTED(00000004) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = *.stackexchange.com verify return:1 --- 

But using s_server with my full certificate chain, I get this:

openssl s_client -showcerts -servername server.domain.com -connect server.domain.com:443 CONNECTED(00000004) depth=2 C = US, ST = State, L = City, O = Company, OU = Company CA verify error:num=19:self signed certificate in certificate chain --- 

Here are my certificates. And yes, I have the constraints CA=TRUE, Digital Signature and Certificate Sign set in my root CA.

openssl x509 -in root_ca.cert.pem -noout -text Certificate:     Data:         Version: 3 (0x2)         Serial Number:             bc:e0:9f:2a:5d:25:6e:8f     Signature Algorithm: sha256WithRSAEncryption         Issuer: C=US, ST=State, L=City, O=Company, OU=Company CA         Validity             Not Before: May 30 22:35:50 2019 GMT             Not After : May 25 22:35:50 2039 GMT         Subject: C=US, ST=State, L=City, O=Company, OU=Company CA         Subject Public Key Info:             Public Key Algorithm: rsaEncryption                 Public-Key: (2048 bit)                 Modulus: .........                 Exponent: 65537 (0x10001)         X509v3 extensions:             X509v3 Subject Key Identifier:                 2A:0A:D6:EF:96:02:70:4F:89:7A:69:C5:3E:37:47:EE:B1:E1:92:C0             X509v3 Authority Key Identifier:                 keyid:2A:0A:D6:EF:96:02:70:4F:89:7A:69:C5:3E:37:47:EE:B1:E1:92:C0              X509v3 Basic Constraints: critical                 CA:TRUE             X509v3 Key Usage: critical                 Digital Signature, Certificate Sign, CRL Sign     Signature Algorithm: sha256WithRSAEncryption ......... 

root CA:

-----BEGIN CERTIFICATE----- MIIDjDCCAnSgAwIBAgIJALzgnypdJW6PMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV BAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEQMA4GA1UECgwH Q29tcGFueTETMBEGA1UECwwKQ29tcGFueSBDQTAeFw0xOTA1MzAyMjM1NTBaFw0z OTA1MjUyMjM1NTBaMFMxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsG A1UEBwwEQ2l0eTEQMA4GA1UECgwHQ29tcGFueTETMBEGA1UECwwKQ29tcGFueSBD QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMXCAU2fb4zNVGDryN5f H4BozBizvkSp71e5NsYa/LW4R/sEedj2k+1szT2rMRrhbkinYCxjx+qMtZ0ZTmBB y/zbI7XsTaApLZ9f2BMYkfWWi81Plvdg/Z7Z9S5oW3Bnr5ZzhFnAQkVnL5vSbFsG 5dFJMuCUHdGwaAb6ebJCyBxJST3kEd8aog/sdGwH6NPdjel7oc9aCcfp7+Dy7T0g ThE6vbO4qisTlw+dV+fJ2dGt11vDHc3VnHSaFbb7iuDTG3LeWgF9AhuEkf5uxHQX zNyx3AkCL9W1keoTTZaIYkHwyTxv/ghrRgLURe8XhC9fpC3cE+wO1Tvf8nmsLEQx mKMCAwEAAaNjMGEwHQYDVR0OBBYEFCoK1u+WAnBPiXppxT43R+6x4ZLAMB8GA1Ud IwQYMBaAFCoK1u+WAnBPiXppxT43R+6x4ZLAMA8GA1UdEwEB/wQFMAMBAf8wDgYD VR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAyoV6gqDAYWs/biVv/EZ52 QMjrF93gyx8xY7PKMCYOhnzl8qjro33mMjVJLzzvmtjSZ1DHhLk0kgqw2HJJ9kNY tzXze9h97pWPvA/4g8wQa1Pc2xuVZ7ELxs5qk1Btkgqh3C2DwGU1Vkruch0wTjG+ r28UdvjVfRObg+qx7We7dRAqk3KjXUJvKCZMu0GBYuCrWFrMR6Xc1O47UiEbzzrC lTeEP6iZKIZI8D1iasrQdjL4CCh3E5w97Hl/NHKPuxTVqs6AdOqDoCBwrQEajO4t 2qHzVBGvTI57PzPYnvc+0fG5n0vn1Dx5SWy7Dl4+51x5vx6tNbTjqhIJnzyuh1l3 -----END CERTIFICATE----- 

intermediate CA:

-----BEGIN CERTIFICATE----- MIIDmzCCAoOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMx DjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdDb21wYW55 MRMwEQYDVQQLDApDb21wYW55IENBMB4XDTE5MDUzMDIyMzYwMVoXDTI5MDUyNzIy MzYwMVowZjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMRAwDgYDVQQKDAdD b21wYW55MRMwEQYDVQQLDApDb21wYW55IENBMSAwHgYDVQQDDBdDb21wYW55IElu dGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMS3 OdbP2p2vzCVL7MMlSszxefWbsuw/F3t2pgqZivxTebMS8GGVhYfG39wKnJOKi/Q8 i4vUxi7RjQT/enpOmTixrG+IrGK9bg0cJg9tM2FHAMr7uGeoqIY0/02dAX1ffrBI KP+U5jk6JhEwqG23xXg22TEtmFwYBclTZE5m11tF15FCJEV9r3ljxJlusXcdOEFn KSrSwYyU352p+WcDuyUbqIeUDzvGpQqmndbEHM3GIo0uvxmkCXr1/Bc6QkhfAJMj A8y+wvmyZFr1QRhX5R0udyHiwWzjgmSsZ8rDpOlcWKsmon07h+iV5EfEu/fiO1OT ddW9xSR3oxBTyCErdVkCAwEAAaNmMGQwHQYDVR0OBBYEFHdi+4NsPyB3yTBZnsti 8QKQngr5MB8GA1UdIwQYMBaAFCoK1u+WAnBPiXppxT43R+6x4ZLAMBIGA1UdEwEB /wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBD AeasspCf6jpj0+HyMJ9+GyF/5utKy8KOHhNMUOe+sExHvPWnEbtpKZ2gqxQpoNbz 7yFDitLPyEPk2CUNwfMW+QRfy+cqW7ci1mFc8xMo1WP2VPmojCGydZ+9IYUqQ5UE DcMSSiGneeWhJ71oZwqE9GikPHZfLq6SEeHD3SI9+0vvv0zbcykH+yOvsaDIq+bl G8rqX1hCs+00L6yBJZHEdz3rKviJgxT3eYkfekd65p92Ehqtzd/ZehqR5P8dM+h/ qnpZOJAvtVhOArP7GwyPcqapToXVEppFhS1nSlxDauTa1VrvzkIgHOzOR/v8EGyH lublY3WfPEBZxdE3zKln -----END CERTIFICATE----- 

server certificate:

-----BEGIN CERTIFICATE----- MIIEpDCCA4ygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCVVMx DjAMBgNVBAgMBVN0YXRlMRAwDgYDVQQKDAdDb21wYW55MRMwEQYDVQQLDApDb21w YW55IENBMSAwHgYDVQQDDBdDb21wYW55IEludGVybWVkaWF0ZSBDQTAeFw0xOTA1 MzAyMjM2MDhaFw0yNDA1MjgyMjM2MDhaMIGRMQswCQYDVQQGEwJVUzEOMAwGA1UE CAwFU3RhdGUxDTALBgNVBAcMBENpdHkxEDAOBgNVBAoMB0NvbXBhbnkxEzARBgNV BAsMCkNvbXBhbnkgQ0ExHjAcBgNVBAMMFXNlcnZuYW1lIDE5MDUzMDE3MzYwNDEc MBoGCSqGSIb3DQEJARYNcm9vdEBzZXJ2bmFtZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAMDHXE+tXVz+vyj2gw8Fzy9QbNFj4Xgx9hUuvSnv5rDbdh1K B0TtQ+JfGqD3onnRUZ6vOEe5m9yfc0Kw2QnyPbEwB3MKc61I0Ls3ve4I2v6auHS0 NDdZyUtTHGlF95XL9c+UqzaOn2eaHQM4VvhhVgDAswXR4Br6m+ID0cOCmS+YHWRG HyvRKRdKn5w7MZ3CKJ7VDgYutREfw6lwoGvgWUTNDYbgLUY26AH0lhMrMjzrp1bx SI+2nbliGBQd/81otWD9FjnbTqBIdDKQlTyrqHJWF0ZWCjZiVJuUC1hKzBySX59R rD7gqARDeSbhlln6LGo31BsqwoYgvvXe/26pdxECAwEAAaOCAS4wggEqMAkGA1Ud EwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NM IEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFGSrkvKc5psT 2b+CXmOo1CCICw5OMHwGA1UdIwR1MHOAFHdi+4NsPyB3yTBZnsti8QKQngr5oVek VTBTMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkx EDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAsMCkNvbXBhbnkgQ0GCAhAAMA4GA1Ud DwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATATBgNVHREEDDAKgghzZXJ2 bmFtZTANBgkqhkiG9w0BAQsFAAOCAQEAwlOx4gPc7UPC/FRWtsjzeTNsXXXY4zLg NnuBw1y3YCzInLV0w97QvK+QfZ6EANgou7Wl4q3k4SodkAL9GXnfecW2EN13geGa SP+hPqT84jqSsk5mqOYhpyKZHjXTYPUYyQ9p0dIy/Dm9dNjOvHpefsK/DRHJPkyu NS5oZE2CTmZwnNq6w5I/53Gd0dA54F2N3v169ygKCr6WlM95lEwZgZNTLNqyyZnO P7Kbt4ufB7u76ky3X9YvAwSwqj4VzqAm4d/xKAilHEZYWlL2Mo6FqfuXij/avoUc OoGt/A6yzFGLBrGEJf4iQR9Iwgwo3+yZqeMHykM/e44MwCVTA6MH1g== -----END CERTIFICATE-----