Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.


OpenSSL and the Windows Certificate Authority (Active Directory Certificate Services) are two commonly used certification authority implementations.

228 questions
1791 votes, 3 answers

What is a PEM file and how does it differ from other OpenSSL-generated key file formats?

I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I Google for tutorials and beat away until it finally works. However, in my searches I often come across different file formats (.key,…
Noah Goodrich
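An added example, not code from the question or any of its answers: it writes one key and one certificate in each of the formats the question runs into (PEM, DER, CSR, PKCS#12) and shows how to tell the files apart and how to check that two differently encoded files hold the same key. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the subject name and the PKCS#12 password are made-up values, and everything is created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the question or its answers). Assumes openssl on PATH.
# "example.test" and the password "changeit" are placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# .pem / .key / .crt: Base64 between "-----BEGIN x-----" lines; the label says what is inside.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null  # PKCS#8 "PRIVATE KEY"
openssl req -x509 -new -key key.pem -subj "/CN=example.test" -days 1 -out cert.pem 2>/dev/null  # "CERTIFICATE"
openssl req -new -key key.pem -subj "/CN=example.test" -out request.csr 2>/dev/null  # "CERTIFICATE REQUEST"

# .der / .cer: the same ASN.1 objects as raw bytes, no header lines (the form Windows tools prefer).
openssl pkey -in key.pem -outform DER -out key.der
openssl x509 -in cert.pem -outform DER -out cert.der

# .p12 / .pfx: PKCS#12 archive bundling the key and certificate(s) under one password.
openssl pkcs12 -export -inkey key.pem -in cert.pem -passout pass:changeit -out bundle.p12

# classify FILE -> the PEM label, "PKCS12", "DER" or "UNKNOWN".
# PKCS#12 is tested before generic DER because a .p12 file is itself valid DER.
classify() {
  if head -c 10 "$1" | grep -q -e '-----BEGIN'; then
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr -d '\r'
  elif openssl pkcs12 -in "$1" -info -noout -passin pass:changeit >/dev/null 2>&1; then echo PKCS12
  elif openssl asn1parse -inform DER -in "$1" >/dev/null 2>&1; then echo DER
  else echo UNKNOWN; fi
}

# informat FILE -> the -inform value openssl needs for FILE.
informat() { case "$(classify "$1")" in DER) echo DER;; *) echo PEM;; esac; }

# same_key KEYFILE1 KEYFILE2 -> yes/no: hash the public half of each key in a fixed
# encoding, so the file format no longer matters.
same_key() {
  a=$(openssl pkey -in "$1" -inform "$(informat "$1")" -pubout -outform DER | openssl sha256)
  b=$(openssl pkey -in "$2" -inform "$(informat "$2")" -pubout -outform DER | openssl sha256)
  [ "$a" = "$b" ] && echo yes || echo no
}

for f in key.pem cert.pem request.csr key.der cert.der bundle.p12; do
  printf '%-12s %s\n' "$f" "$(classify "$f")"
done
echo "key.pem and key.der hold the same key: $(same_key key.pem key.der)"
```

One version difference worth knowing when following older tutorials: `openssl rsa` in 1.1.1 writes the older PKCS#1 form labelled `RSA PRIVATE KEY`, while OpenSSL 3 writes PKCS#8 (`PRIVATE KEY`) unless given `-traditional`. The `classify` function above reports whichever label the file actually carries.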
48 votes, 4 answers

How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt.…
blak3r
25 votes, 1 answer

easyrsa vars options for PKI generation

I am using OpenVPN and, whilst I can generate certificates using easyrsa just fine, I don't really understand the settings in the easyrsa vars file: export KEY_COUNTRY="" export KEY_PROVINCE="" export KEY_CITY="" export KEY_ORG export…
ilium007
16 votes, 3 answers

Is there reserved OID space for internal enterprise CAs?

When provisioning a PKI for internal use, is there a private OID space that can be used without having to pay and/or register your own OID range? Think RFC1918 addresses for OID ranges.
MDMarra
10 votes, 2 answers

Do web servers send the certificate chain to the web client?

If my web server (latest Apache) has a valid (not expired or revoked) Verisign certificate chain (root -> intermediate -> leaf/my server), then does the server send the entire(?) chain to the client? Does the web client (e.g., latest Chrome) need to…
10 votes, 2 answers

Smart card authentication to a Cisco switch?

We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH…
murisonc
9 votes, 2 answers

PowerShell: remotely delete PKI certificates

I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for PowerShell! So I wrote this script to be distributed by GPO, run from SysVol, and triggered on…
8 votes, 2 answers

How do I issue multiple certificates for the same Common Name?

I am creating a Certificate Authority for an intranet. I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has CN=mysite.com. In the future this server…
spraff
8 votes, 2 answers

Windows PKI: How can I import, sign/issue and export a large number of CSRs?

I have a lot of CSRs that I need to have signed/issued and exported in Windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure how I can go about doing this. Is it…
7 votes, 4 answers

Why does OpenVPN give the error: "unsupported certificate purpose" for an intermediate certificate?

EDIT: I'm really sorry to have to say that the problem has magically fixed itself and I have no idea why. In response to one of the answers, I removed all EKU from the CA chain and it didn't work. After coming back from vacation, I created the cert…
succulent_headcrab
6 votes, 1 answer

SSH authentication sequence and key files: explain

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays…
gwideman
6 votes, 2 answers

How to bundle intermediate certs into one file

I manage an apache web server for a government site. The SSL cert will expire in a few weeks so they sent me a zip file with 3 intermediate certs and the ssl certificate (I have the private key from the csr generator and the crt file provided by…
BioRod
5 votes, 2 answers

Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?

I'm using the Enterprise PKI snap in to diagnose and check the health of a MSFT PKI system. Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?
makerofthings7
5 votes, 1 answer

What is the purpose of a custom Certificate Trust List?

You can create and deploy a certificate trust list as detailed here, but I'm trying to understand the advantages of this over just deploying root and intermediate certs with group policy the normal way. Why would I want/need to do this?
red888
5 votes, 2 answers

How to tell if an (offline) SSL certificate has been revoked

I would like to know whether an SSL certificate was revoked. The website no longer serves up that certificate, I only have the domain name and the serial number. The SSL certificate was replaced 5 months before expiry without explanation. That…
Rodney
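An added example, not code from any of the questions or answers on this page, that works through four of the questions above on one throwaway PKI: whether a server sends the whole chain ("Do web servers send the certificate chain to the web client?"), issuing several certificates for the same Common Name, bundling intermediate certificates into one file in the right order, and checking a bare serial number against a CRL ("How to tell if an (offline) SSL certificate has been revoked"). It assumes `openssl` (1.1.1 or 3.x) on PATH; the CA names, the host name www.example.test and the serial numbers are invented, and nothing uses the network.

```shell
#!/bin/sh
# Added example; not code from any question or answer on this page. Builds
# root -> intermediate -> leaf with openssl, issues two leaves with the same CN,
# assembles and checks the server bundle, then revokes one leaf and checks its
# serial against the CRL. All names and serials are made up.
set -eu
WORK=$(mktemp -d); cd "$WORK"; touch index.txt

# Minimal config: req needs a distinguished_name section even with -subj; the
# extension sections serve CA and leaf certificates; [ca] is used for revocation.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ca]
default_ca = issuing
[issuing]
database = index.txt
default_md = sha256
default_crl_days = 1
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
# csr NAME SUBJECT: new key plus signing request for NAME.
csr() { newkey "$1.key"; openssl req -new -key "$1.key" -subj "$2" -config pki.cnf -out "$1.csr" 2>/dev/null; }
# sign NAME ISSUER SERIAL EXTSECTION: issue NAME.pem from NAME.csr.
sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" -days 1 \
           -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null; }

# Root (self-signed, what clients keep in their trust store) and the issuing CA.
newkey root.key
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 2 \
  -config pki.cnf -extensions ca_ext -out root.pem 2>/dev/null
csr int "/CN=Example Issuing CA"; sign int root 1000 ca_ext

# Two leaves with the same CN: a repeated subject is allowed; the serial number is
# what must be unique per issuer.
csr leaf1 "/CN=www.example.test"; sign leaf1 int 2001 leaf_ext
csr leaf2 "/CN=www.example.test"; sign leaf2 int 2002 leaf_ext

# The bundle a server sends: its own certificate first, then each intermediate,
# never the root (the client already trusts that). To see what a live server
# actually presents:  openssl s_client -connect host:443 -showcerts </dev/null
cat leaf1.pem int.pem > chain.pem

# verify_leaf LEAF UNTRUSTED ROOT [CRL] -> OK or FAIL, the way a client checks:
# trust only ROOT, take the intermediates from the presented bundle.
verify_leaf() {
  crl=""; [ $# -eq 4 ] && crl="-crl_check -CRLfile $4"
  # $crl is deliberately unquoted so it expands to two separate options
  if openssl verify -CAfile "$3" -untrusted "$2" $crl "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# chain_order BUNDLE -> "ordered" when each certificate's issuer is the subject of
# the next one (leaf first, as Apache and nginx expect), otherwise "misordered".
chain_order() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  i=1; last=$(ls "$d" | wc -l | tr -d ' ')
  while [ "$i" -lt "$last" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || { echo misordered; return 0; }
    i=$((i+1))
  done
  echo ordered
}

serial_of() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Revoke leaf1 and publish the issuing CA's CRL. With only a serial number in hand
# (as in the question) this is the offline check; the online equivalent by serial is
#   openssl ocsp -issuer int.pem -serial 0x<hex> -url <responder URL>
openssl ca -config pki.cnf -cert int.pem -keyfile int.key -revoke leaf1.pem >/dev/null 2>&1
openssl ca -config pki.cnf -cert int.pem -keyfile int.key -gencrl -out int.crl 2>/dev/null

# is_revoked CRL SERIALHEX -> yes/no: is the serial in the CRL's revoked list?
is_revoked() {
  if openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"; then echo yes; else echo no; fi
}

echo "chain.pem order: $(chain_order chain.pem)"
echo "leaf1 without CRL: $(verify_leaf leaf1.pem chain.pem root.pem), with CRL: $(verify_leaf leaf1.pem chain.pem root.pem int.crl)"
echo "serial $(serial_of leaf1.pem) in int.crl: $(is_revoked int.crl "$(serial_of leaf1.pem)")"
```

Two things the run makes visible: a leaf verified with only its own certificate as the untrusted set fails, which is exactly what a browser sees when a server omits its intermediates, and `openssl verify` only rejects the revoked leaf once it is given the CRL (`-crl_check`), so a green "OK" without CRL or OCSP checking says nothing about revocation.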