How to check certificate and key pair created by CSP or PKCS? - c

I have a problem with a key pair and certificate generated in a token using CSP or PKCS, and I must distinguish between these, so I want to know:
"How do I check whether a certificate and key pair were created by CSP or PKCS?"

You should check their respective APIs as the first step.
For PKCS, you should read the PKCS#11 standard as mentioned at: http://www.rsa.com/rsalabs/node.asp?id=2133
This API interface will contain the methods to check the certificate.
Take note that in general, CSP is used only by Microsoft products, while PKCS is used by other software vendors.

Related

Can X509SubjectName be included when signing Saml2AuthnResponse?

I've created a Saml2AuthnResponse and am passing it to Saml2PostBinding.Bind()
The X509Data node does not contain X509SubjectName although my cert obviously has one.
How can this be added?
Also, can the standard prefix "ds:" be added to all Signature nodes?
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
...
<KeyInfo>
<X509Data>
-missing <X509SubjectName> should be here-
<X509Certificate>...cert data...
The ITfoxtec Identity SAML component uses the .NET libraries to generate the response and add the certificate. I do not think what you request is supported, I'm afraid.
You are welcome to submit a pull request if you figure it out.
Github repository https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2

Codename One BrowserComponent - read server certificate

Is it possible to read the server TLS certificate in the BrowserComponent (specifically the public key)?
No. You can probably use native interfaces to do that...
But I'm assuming that what you're trying to do is verify the server to protect against some attacks specifically through certificate pinning. Is that correct?
If so, check out the certificate pinning section in the developer guide here: https://www.codenameone.com/manual/security.html

Generating GCP compatible Cloudflare SSL certificate

I'm trying to configure SSL for Google Cloud's App Engine.
You can upload your own custom SSL certificate + private key in GCP (see screenshot).
I'm using Cloudflare for DNS, and would like to use the "Full (strict)" SSL policy in Cloudflare. This would mean I have to add a certificate and key, created by Cloudflare, in GCP (in same screenshot).
I've managed to convert the private key to a valid (PEM) format that GCP will accept. The only thing not working is the Certificate part.
When entering both certificate and key in GCP, upon clicking upload, the following error is returned:
The certificate data is invalid. Please ensure that the private key and public certificate match.
After some googling, I found the following resources in GCP's documentation, explaining that I need to have the full certificate chain uploaded in the certificate field. So the next thing I tried was to concatenate my certificate from Cloudflare together with the root certificate of Cloudflare itself, as explained in the GCP docs.
So I ran the following command to create this chain:
cat domain.crt cloudflare-root-ca.crt > concat.crt
... and uploaded that one in GCP in the certificate field.
That didn't work either, even though the checksums of both the private key and the certificate chain match, as explained in the GCP docs, by running:
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
...and comparing the md5 outputs.
So now I'm completely without ideas. GCP's error messages are limited to the one above, and one other saying your private key is not in a valid format.
Same problems when trying via CLI (gcloud)
When trying this process through the cli gcloud, we get the same errors.
Trying the following command:
gcloud app ssl-certificates create --display-name example.com --certificate ./cloudflare-concat.crt --private-key cloudflare-pk.key
...yields the following error:
ERROR: (gcloud.app.ssl-certificates.create)
INVALID_ARGUMENT: Invalid certificate.
`CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included,
and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits.
The requested private key and public certificate must match.
Any help on uploading a valid certificate (from Cloudflare) and private key in GCP is much appreciated.
Update 1
I found this (cached) page describing all the root and intermediate certs of Cloudflare. I've tried concatenating a couple of them with my domain cert, but no luck so far. It's also not clear which one to use...
Update 2
I'm beginning to think that this won't work, ever. Because I'm using an 'Origin Certificate' from Cloudflare, I believe this is a self-signed cert from Cloudflare itself, meaning that App Engine won't ever recognize it as valid.
The reason I think this is the case is that I tried to use the cfssl tool from Cloudflare to 'create a bundle cert' automatically. The response I get from running
cfssl bundle -cert domain.crt
returns the following result:
[INFO] bundling certificate for {Country:[] Organization:[CloudFlare, Inc.] OrganizationalUnit:[CloudFlare Origin CA] Locality:[] Province:[] StreetAddress:[] PostalCode:[] SerialNumber: CommonName:CloudFlare Origin Certificate Names:[{Type:2.5.4.10 Value:CloudFlare, Inc.} {Type:2.5.4.11 Value:CloudFlare Origin CA} {Type:2.5.4.3 Value:CloudFlare Origin Certificate}] ExtraNames:[]}
{"code":1220,"message":"x509: certificate signed by unknown authority"}
Extra info
I'm using a free Cloudflare subscription.
Everything works fine when using the 'flexible' setting from Cloudflare,
But I would like to use the 'full (strict)' setting
I discovered a recent blog post describing how to solve this.
After following the steps described, the certificate was accepted in Google Cloud, and everything worked for the 'full (strict) SSL' option in Cloudflare!
In short: it involved a bit of tweaking of the keys, by manually adding 'RSA' to them, as described in the blog post.
See this link:
https://blog.woohoosvcs.com/2019/11/running-google-app-engine-behind-cloudflare/
EDIT:
This is probably the same end-result as using the shell commands as described by #Andrei
Can you please verify whether you are using a free or a paid Cloudflare account?
Because if you are using the free one, then I think SSL strict is not going to work; make it flexible and redirect all HTTP requests to HTTPS.
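The gcloud error quoted above spells out the format rules (a PEM certificate with header and footer, an unencrypted RSA private key of at most 2048 bits), and the 'RSA' label the self-answer mentions is what separates a PKCS#8 "BEGIN PRIVATE KEY" block from the PKCS#1 "BEGIN RSA PRIVATE KEY" block gcloud expects; a real conversion re-encodes the key rather than just relabelling it. The pre-flight checker below is an added example using only the Python standard library, not code from the question, Google or Cloudflare; its key and certificate samples are constructed placeholders, and the key-to-certificate modulus match is still done with the two openssl commands shown in the question.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):  # (label, DER bytes) for every block with both header and footer
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pkcs1_der):  # RSAPrivateKey ::= SEQUENCE { version, modulus, ... }
    tag, body, _ = der_tlv(pkcs1_der)
    _, _, pos = der_tlv(body)                           # skip version INTEGER
    mtag, modulus, _ = der_tlv(body, pos)
    if tag != 0x30 or mtag != 0x02:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    return int.from_bytes(modulus, "big").bit_length()

def check_pair(cert_pem, key_pem, max_bits=2048):  # problems vs the gcloud rules; [] = passes
    problems = []
    if "CERTIFICATE" not in [label for label, _ in pem_blocks(cert_pem)]:
        problems.append("no PEM CERTIFICATE block with header and footer")
    for label, der in pem_blocks(key_pem) or [("MISSING", b"")]:
        if label == "RSA PRIVATE KEY":                  # PKCS#1, the form gcloud asks for
            bits = rsa_modulus_bits(der)
            if bits > max_bits:
                problems.append(f"RSA key is {bits} bits; limit is {max_bits}")
        elif label == "PRIVATE KEY":                    # PKCS#8 wrapper around the same key
            problems.append("PKCS#8 header; convert with openssl rsa (-traditional on OpenSSL 3)")
        else:                                           # ENCRYPTED PRIVATE KEY, EC, missing, ...
            problems.append(f"unusable key block '{label}'; need an unencrypted RSA PRIVATE KEY")
    return problems

# ---- constructed sample input: a minimal RSAPrivateKey DER, NOT real key material ----
def der_len(n):                                         # short form, or 2-byte long form
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
def der_int(n):                                         # spare leading byte keeps it positive
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(b)) + b
def pem_wrap(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
def fake_pkcs1_pem(bits):                               # version, modulus and exponent only
    body = der_int(0) + der_int((1 << (bits - 1)) | 1) + der_int(65537)
    return pem_wrap("RSA PRIVATE KEY", b"\x30" + der_len(len(body)) + body)
CERT_PEM = pem_wrap("CERTIFICATE", b"constructed placeholder, not a real X.509 certificate")
```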

Inline certificate for libcurl instead of using an external bundle?

I am using libcurl for a small C application. The project uses HTTPS and requires validation of both server and client certificates. I cannot use an option to suppress the verification, since I work in an insecure environment.
I am currently trying to get the server side certificate validated. First attempts gave me an expected error:
Peer certificate cannot be authenticated with given CA certificates
As said, an expected error; I understand what the message means. I dug into the documentation of libcurl and found that it supports "certificate bundles", and that younger versions do not come with a bundle at all. All options I found (and also all explanations) refer to certificate files read at runtime and obviously suggest including the required CA certificate in the local bundle.
Instead I would prefer to include a single certificate inline in the application, i.e. compiled in. This makes sense for this special case, since the application only tries to access a single, hard-coded URL, i.e. a single server. I accept that I'd have to replace all deployed copies of the application if the server certificate gets changed. However, I do not find any options for that in the documentation. I would prefer this strategy, since it allows a much more compact deployment of the application: a single file instead of a directory structure and runtime configuration.
So my question is: does libcurl offer to include a CA certificate at compile time which can be used at runtime without having to rely on an external bundle?
In libcurl the part that verifies certificates is handled by openssl. You could use SSL_CTX_use_certificate to install your certificate at runtime or use SSL_CTX_set_verify to overwrite the SSL verification function with your own.
Check curlx.c for an example.

Specify CA chain in AppEngine

I am using an SSL certificate for my custom domain. This certificate needs five intermediate authorities to get to the root CA, and without them some browsers (read: Chrome) will work, but others (Firefox, Android browsers) will fail.
Is there any way to specify more than two CAs in the PEM file? AppEngine complains when I try to put the whole certification chain (as documented, it accepts only two CAs in the PEM file). Is it my only option to drop my current certificate and go with Verisign?
Just to answer my own question, there is no way to do this at the present time. Switch to a CA that uses a single intermediate authority (DigiCert combines this with a superb technical support) and move on.
UPDATE: Starting today, GAE is supporting a chain of up to five CA authorities.
