It seems when SQL TDE is implemented certificates are used to protect the keys used to encrypt the data. What would be the benefits of using a CA signed certificate in this scenario over a self-signed certificate?
Is there a simple C library or function to programmatically generate a self-signed certificate in C on Ubuntu? Of course, one can execute a simple system("....") call to execute a CLI. I am looking for a native, small, stand-alone library just for this purpose with possibly added functionality, but not with the full weight of TLS implementations such as openssl, boringssl, mbedTls, etc.
I can’t seem to get the Windows 10 sstp client to connect to the (router) sstp server.
I have tried numerous combinations when creating my self-signed certificates (ca & server), but I have to admit that I’m a little stumped.
CA : https://prnt.sc/rqtkhv + https://prnt.sc/rqtks0 Server : https://prnt.sc/rqtls4 + https://prnt.sc/rqtm0y
Windows 10 : https://prnt.sc/rqtxsq + https://prnt.sc/rqtyfm
Q1) When installing the certificate in Windows I usually select [Local Computer] certificate store rather than [current user]. Is it normal for Windows to also install a copy in the [current user] store? If so, what is the point of this duplicate certificate installation?
Q2) When installing the certificate into the “Trusted Root Certificate Authorities” for [current user] I obtain the following warning: https://prnt.sc/rqtoyb – why don’t I get this same warning when installing via [Local Computer]?
Q3) What is the meaning of the yellow triangle with exclamation mark on both [Basic Constraints] and [Key Usage]? https://prnt.sc/rqtzj0 + https://prnt.sc/rqtzut
Q4) Why doesn’t the SSTP client (https://prnt.sc/rqu1r5) detect the presence of the previously installed (sstp server’s ca) certificate? https://prnt.sc/rqu0o0
Q5) I feel like my multiple certificate installation attempts may have ‘polluted’ my Windows’ certificate store. Is this possible? If so, is there a way to ‘clean up’ the certificate store (besides manually deleting unwanted certificates)?
Q6) I believe that this used to work with Windows 10 before but, maybe because of the regular updates, things seem to have changed ?
I’m having a friendly debate with a co-worker as to the meaning of “self-signed” when it comes to PKI. We have an internal root and subordinate CA in our organization. We import the cert chain on internal clients to allow for the trust of certificates issued from our internal/private CA.
My colleague believes that the definition of a self-signed certificate is one where there’s no publicly trusted/commercial certificate authority involved. I, however, understand a self-signed certificate to be one that’s created by the host that it resides on and has no further link to any chain, private or public.
I’ve searched Google and found both answers being touted as correct. I’m not great at comprehending RFCs, which is probably what I need to do to really get to the root of this argument. Rather, can someone more knowledgeable than myself help to settle this disagreement?
Thanks in advance!
While reading about certificates, I came across this article. It says:
The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.
How exactly does the CA ensure stronger verification?
While trying to find an answer to this, I found this answer. The fifth paragraph mentions:
Once you get the certificate, you want to verify it’s the good one. You can see in the certificate that it has been issued by a CA. If you have the CA key you can verify the signature.
What does this mean? Everyone who’s trying to access any site with a CA-signed certificate will have this universal CA key? If yes, isn’t that insecure in any way? If no, then how do you verify that it isn’t a “forged” certificate from the CA?
(I’d appreciate an in-depth explanation of how CA-signed certificates actually work.)
I recently found out that in order to log on to the web-based administration tool on my ISP-provided router, I need to accept a self-signed certificate it offers. I did a bit of reading and it sounds like self-signed certificates issued by an ISP can enable the ISP to perform MITM attacks on computers that accepted the certificate. (see Is it common practice for companies to MITM HTTPS traffic?)
Is this something I should be concerned about in my situation? If I accept the certificate, will I potentially be compromising end-to-end encryption with parties other than the ISP or my router’s software?
When I view the details of the certificate, it says “Root certificate authority”. Is this a synonym for self-signing or can this certificate be used for a MITM attack?
Here are screenshots of the details of the certificate, with things that looked like I shouldn’t spread around on the internet blacked out:
I’ve noticed that the search engine Shodan grabs screenshots from hosts running an RDP service, even if they offer a certificate.
To my understanding, the certificate is used to authenticate the server and encrypt the traffic sent and received (exactly like they are used in HTTPS), and thus should be irrelevant to the protection of hosts exposing RDP to the internet. But when I try to connect to such a service using xfreerdp, I get prompted for a password before I get to where the screenshot was taken, and then the error message:
freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014].
I read that Shodan does not try passwords; it just grabs screenshots from accessible targets without credentials. How is Shodan able to grab such screenshots, or what does xfreerdp do instead of launching the RDP display?
From an InfoSec perspective, which is best for private (on-premise) micro-services (web services) accessed via HTTPS?
Is there an advantage in using regular certificates over self-signed in such a scenario?
Does anyone know how to Connect-PnPOnline using Azure AD APP permissions and a self-signed certificate?
- Generated a self-signed certificate. Recorded the password
- Registered an Azure App. Uploaded a certificate to the app
- Granted App permissions to the app
- Granted admin consent
Now, I am trying to connect-PnPOnline using the script below:
$certificatePassword = 'CERTIFICATE_PASSWORD'
$secureCertificatePass = ConvertTo-SecureString -String $certificatePassword -AsPlainText -Force
Connect-PnPOnline `
  -CertificatePath "C:\...\DeploymentApp.pfx" `
  -Tenant <TENANT>.onmicrosoft.com `
  -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `
  -Url https://<TENANT>.sharepoint.com `
  -CertificatePassword $secureCertificatePass `
  -IgnoreSslErrors
I’m getting an unhelpful error:
Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Connect-PnPOnline `
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline
Can someone recommend something, please?
You can try to easily replicate my case:
- Get these scripts into a folder.
- Install Azure CLI on Windows.
- Right-click on Register_AD_App.bat and “run as administrator”
- You will be prompted to enter an admin account for your Azure AD/Office 365
- At the end the app will be registered, consent granted
- o365AppDetails.json file will be created that contains an auto-generated certificate password
As far as I know, with OpenSSL, you can self-sign your website’s certificate. This means that the browsers that will connect your server are supposed to be willing to accept a self-signed certificate for your website. My question is, how does the browser know whether or not to accept a self-signed certificate for a particular website? What if I MITM a client and present a self-signed certificate for a bank website? How does the browser not get tricked at that point?
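The three questions on this page that ask what "self-signed" actually means, how a verifier uses "the CA key", and how a browser decides whether to accept a certificate are all answered by the same mechanism. The script below is an added illustration, not code from any of the quoted posts: it builds a tiny PKI with nothing but the openssl command-line tool and then checks each claim mechanically. The names Example Root CA and svc.internal.example, the file layout and the helper functions is_self_signed and chains_to are constructed for this example.

```shell
#!/bin/sh
# Constructed example: a three-certificate PKI built with the openssl CLI, used to
# check what "self-signed" and "CA-signed" mean. Names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty DN section (the -subj flag supplies the names),
# CA-style extensions for the root, end-entity extensions for the service cert.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:svc.internal.example
EOF

ROOT_CRT="$WORK/root.crt"
LEAF_CRT="$WORK/leaf.crt"
IMPOSTOR_CRT="$WORK/impostor.crt"

# 1. Root CA: self-signed, i.e. issuer == subject and the signature was produced
#    with the private key that matches the public key inside the certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Root CA" -config "$WORK/pki.cnf" -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$ROOT_CRT" 2>/dev/null

# 2. Service certificate: its own key pair, but signed by the root's key, so
#    issuer != subject. It is NOT self-signed even though no public CA is involved.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=svc.internal.example" \
  -config "$WORK/pki.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$ROOT_CRT" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
  -out "$LEAF_CRT" 2>/dev/null

# 3. A certificate that merely claims the same name but is signed by an unrelated
#    key. A verifier must be able to reject this one.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=svc.internal.example" -config "$WORK/pki.cnf" -extensions leaf_ext \
  -keyout "$WORK/impostor.key" -out "$IMPOSTOR_CRT" 2>/dev/null

# Succeeds when the certificate's issuer DN equals its subject DN.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeeds only when $2 chains to the trust anchor $1. openssl checks the signature
# on $2 with the PUBLIC key found in $1; no secret is needed to verify.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

is_self_signed "$ROOT_CRT" && echo "root:     self-signed (issuer == subject)"
is_self_signed "$LEAF_CRT" || echo "leaf:     issued by a CA (issuer != subject)"
chains_to "$ROOT_CRT" "$LEAF_CRT" && echo "leaf:     verifies against the root"
chains_to "$ROOT_CRT" "$IMPOSTOR_CRT" || echo "impostor: rejected (same name, wrong signer)"
chains_to "$IMPOSTOR_CRT" "$IMPOSTOR_CRT" && echo "impostor: accepted only once it is itself a trust anchor"
```

The "CA key" a verifier needs is the public key embedded in the root certificate that ships in the trust store; the CA's private key never leaves the CA, so holding the root certificate lets anyone verify signatures but not forge them. A browser runs the same check as chains_to against its built-in roots, which is why a self-signed certificate bearing a bank's name fails unless that exact certificate has been installed as a trust anchor on the client. The last line is also the answer to the router question above: accepting a certificate that is itself a CA certificate into the trusted-root store means any certificate later signed by that private key will pass this check on that machine.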