Questions tagged as ['certificate']
I have a fleet of Ubuntu edge computers that host simple web HMI servers. Many are behind dynamic IPs where port forwarding is unavailable.
So, to access them each uses autossh to create a reverse tunnel into a central cloud proxy server. I can then access each one with https://proxy.mydomain.com:6001, 6002, etc. This is working.
I now want to use NGINX so that we don't have to remember the port numbe ...

I am attempting to generate a CSR using openssl with subject alternative names; however, I get an error stating no options for adext. See command below. I am using OpenSSL 1.0.2k-fips
openssl req -new \
-newkey rsa:2048 -nodes -keyout {domain-name}.key \
-out {domain-name}.csr \
-subj "/C=GB/ST=test/L=/O=test/OU=test/CN={domain-name}.com" \
-addext "subjectAltName = DNS:first.{domain-name}.com,DNS:second ...

I have a gitlab community edition hosted on a server, and when using curl on this server to fetch this local gitlab website, I get an expired certificate error even if the dates are valid:
curl --insecure -vvI https://gitlab.mysite.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: CN=gitlab.mysite.com
* start d ...

I have an authentication server based on certificates. The previous roll of certificates (1 CA + 1 Server + 1 Client) worked perfectly. A few days ago the client certificate expired and I had to generate a new one. I encountered the following problem, so I generated all of the certificates once again (CA, Server and Client), but the problem still remains.
The server holds the CA + Server + Client certi ...

We've developed our own implementation of a XCEP/CES WCF service that uses a combination of our certificate management solution and the Microsoft CA to issue the certificates. The standard XCEP XML definition is used (same as the standard Microsoft XCEP/CES WCF service). We use the same WSDL for the WCF service. This works fine for CEP and CES.
Now, we extended the software to use a different Cer ...

I am setting up prometheus to scrape kubernetes cluster. I am trying to use "role: node" with kubernetes_sd_config to monitor one of the K8s cluster. I created certificate ashishcert.pem for user "ashish" and prometheus will use this cert to scrape the cluster. This certificate is signed by cluster CA.
Now when I look back in my prometheus, it says "cannot validate certificate x.x.x ...

I have 2 Windows Server 2019 machines, e.g. server1 and server2. server1 is the domain controller. server1 has the below roles installed: ADDS, ADCS, DNS, FILE STORAGE, IIS.
server2 is connected to that domain controller. server1 has the below roles installed: ADCS, FILE STORAGE, IIS.
I have setup PKI on server1 and everything works fine. I am able to use CRL as well as OCSP feature for certificate validation.
I wanted ...

I'm troubleshooting an issue with a SAS vendor. To be clear, this question isn't "how do I fix it?", nor is it "what exactly is causing this problem?" -- rather, it's "how do these technologies work, such that this combination of symptoms is possible?" I have a support ticket open with the vendor already (and I am less-than-patiently waiting for it to be escalated to someone sufficiently capable). The p ...

I launch an EC2 instance with an AMI from the marketplace, which is called LAMP packaged by Bitnami.
After the instance is launched, I find I can only access its DNS name or IP via HTTP, not HTTPS. It seems that the SSL will not be installed by default.
So I search its documentation and find this: https://docs.bitnami.com/aws/faq/administration/generate-configure-certificate-letsencrypt/
I follow the instr ...

I have SERVER1 in DOMAINA and SERVER2 in DOMAINB. There is a firewall between the domains. SERVER1 is running Windows 2012 R2 and SERVER2 is running Windows 2016 Std. SERVER1 is a domain controller and SERVER2 is Windows Event Forwarding (WEF) collector. DOMAINA\SERVER3 is also a domain controller running Windows 2012 R2.
SERVER3 is using a certificate to send its Security event logs to the c ...

We are trying to generate server certificates for a cluster of Kafka servers to communicate over SSL.
The procedure works, but the resulting validity of the certificates is only 30 days.
We are requesting 365 days, and after "Step 1" (see below), we have a key pair with the correct validity. See (1) below.
However, after we import the signed certificate back into the keystore, the validity has been red ...

I need to verify that two pfx files are indeed different certificates, and not the same data pasted two times. My constraints are:
- I don't have access to the certificate password, therefore I cannot use tools like "certutil -dump path" etc.
- As explained, I cannot rely on the file metadata (creation date, etc.) because I want to verify that the content is actually different.
I understand that the p ...

I have a feeling there's something about this I don't understand.
I have a working point-to-site VPN connection between my computer (using Windows' native rasphone component), and our Azure Virtual Network Gateway. The gateway uses a self-signed root certificate that I created, and my computer has a client certificate signed by the root which it uses to authenticate.
In the VPN configuration on my co ...

I knew about gdb. I already dumped the memory of the running nginx process. I see all the text *.conf configs in that dump.
But how do I find, convert, etc. some memory range from that dump into the valid initial (now erased) SSL cert?
(Now I can neither reload nor restart my nginx: nginx -t warns me that there are no SSL certs.)

After upgrade to iOS 14.7.1 I am no longer able to sync my email/calendar/contacts with company Exchange 2019.
Our Exchange uses certificate issued by our enterprise CA and these seem to become untrusted after the upgrade to iOS 14.7.1.
I tried multiple procedures:
- Manually imported the .pfx certificate from Exchange into iPhone
- Manually set the trust as per (https://support.apple.com/en-us/HT204477) ...

I am working on a CentOS7 machine, and I am trying to upgrade my machine's openssl version 1.0.2k -> 1.1.0l. It seems like the handshake process with my server (which didn't change) fails after the upgrade and I'm trying to figure out the cause.
Running the following command with both openssl versions:
openssl s_client -showcerts -connect server:port
Resulted with failure with the newer one (if I provid ...

I want to run (on a certain computer with Windows 10) only those .exe files that are signed by certificates which are installed on the computer (they can be certificates from a CA or my own test certificate).
I already tried this solution (and many others): How does one configure Windows not to execute tampered binaries?
but none of them solved my problem.
I wrote two "HelloWorld" apps (with certificate sign ...

I am not a system administrator or a network administrator (I have a software developer background). I am finding some difficulties trying to follow this tutorial in order to implement SSL client authentication on an Ubuntu 20.04 version: https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
I know that this tutorial is pretty old but it seems to work fine except a sin ...

I know that domain authentication is required to get a certificate for HTTPS. But I really don't know why this is needed. Can't you just give a certificate without domain verification? What happens if I just give the certificate? Are there any concerns?
I searched the website, but couldn't find a satisfactory answer. I'm very curious about that part.

I got a certificate from AWS and did dns validation in the process of https communication. But I'm not sure why you are doing that verification. To use the domain, I got a domain from a hosting company and registered it on route53. Isn't this process itself dns validation? I want to know the effect of dns validation, and I want to know what happens when dns validation is not done.
Thank you.

We've been considering making more use of DANE as a decentralised authority for our certificates.
Especially with S/MIME.
However, the key obstacle is... how widely is DANE treated as an authority by mail clients?
Is there a list of all the clients (mail, web, ftp, ssh, etc.) that support DANE?
Thanks,

I have an Exchange 2019 DAG and the CLIUSR certificate (clusinfracert) will expire soon. I have extensively researched this and there are very few resources online that address this certificate.
There is nothing to 'try', it's either manually renew it via ECP or allow it to expire and see what happens to the DAG.
Do I need to manually renew this cert or will it renew on its own?

I have a service that requires access to its own certificate store but gets an access denied.
I checked with mmc and the Certificates snapin for the service and the store exists and contains certificates. However, in the snapin I cannot see or set permissions.
I tried dumping the certificates (for a test, later to change permissions) using certutil but I keep getting a FAILED with "The parameter is ...

I am trying to set up a certificate based VPN connection to a modem (a Digi WAN Connect 3G) in the field.
Using ipsec version Linux strongSwan U5.8.2/K5.8.0-55-generic on Ubuntu 20.04.
I am pretty certain that I am setting up the certificates correctly with pki. After executing ipsec up modem15
on the server I get these messages:
initiating Main Mode IKE_SA modem15[1] to ..
generating ID_PROT request ...

Everything is in 2019 functional level.
We host our ADFS WAPs in Azure. Because the Azure servers are registered in Azure AD, they have the Azure DRS CA in the trust chain, and so the WAPs are willing to accept registered device certificates for any workstation, even though those devices aren't actually registered in our tenant. This has a side-effect of prompting users for certificates that the s ...

I have a Windows web server, and usually I install the ca-authority in "LocalMachine\Root" and the intermediary PFX certificate in "LocalMachine\My", everything works well. Now I wonder, if during the PFX certificate generation I include the ca-bundle, can I avoid installing the ca-authority in "LocalMachine\Root" and just install the PFX with the bundle-ca included in "LocalMachine\My"?

I just bought a "Positive SSL certificate". The crt files and bundle-ca from the issuing company (Sectigo) arrived via email. To generate the pfx I use the "PEM TO PKCS #12" from this site https://decoder.link/converter. Is it necessary that in "Bundle File" I insert the bundle-ca received? The pfx certificate is still generated even without inserting it, so I wonder what is needed and if excludi ...

OS: Windows 10 Pro
Where on my computer can I find the certificate that is used in the PEAP authentication of my wireless network connection?
If I 'forget' the wireless network and rejoin then I am once again asked whether I trust the RAS server's certificate, presumably it is then stored somewhere on my computer?
I have tried the following through PowerShell but neither led to the certificate:

I've got a slightly unusual use-case...
I'm using SSH via certificates (where the authentication mechanism isn't just a signature from a private key, but also presentation of a signed cert).
I have many endpoints/servers and different environments that I access in the same session, thus my ssh-agent
is "loaded" with many identities at a time.
I'm using the ssh-agent
as it provides a number of ni ...

Environment:
ejabberd version: 20.7
Erlang version: 10.6
OS: Windows Server 2019
Installed from: official binary installer
Errors from error.log/crash.log
2021-06-21 07:40:31.041 [critical] <0.105.0>@ejabberd_app:start:71 Failed to start ejabberd application: Invalid value of option listen->4->certfile: Failed to read PEM file 'C:/ProgramData/ejabberd/conf/test.pem': at line 41: failed t ...