Ordering an SSL *wildcard* certificate from which server certificates could be derived

We need an SSL wildcard certificate for our HTTPS servers, all of which belong to "*.domain.com".
Is it then possible for us to derive server certificates from the ordered wildcard certificate?
Reason: in case a server gets compromised, we have to be able to revoke the certificate for only that one server. All other servers using certificates derived from the same wildcard certificate should keep working.
Is it possible to purchase such a wildcard certificate? Any recommendations?

No, it is simply not possible. You cannot change the base domain once you have ordered an SSL certificate for it.
There are two possible solutions you can evaluate.
Contact your SSL Certificate Authority and cancel that order (only if your order is under the refund policy), ask for the refund and reorder the SSL certificate for the wildcard domain which you wish to secure.
Get a Multi Domain Wildcard SSL Certificate; it will allow you to secure multiple domains and sub-domains.

No, you can't derive other certificates from a purchased SSL certificate. The ability to use a certificate to sign other certificates is mainly controlled by the Basic Constraints certificate extension. This extension consists of two components; one of them (the isCA attribute) determines whether this certificate can or cannot be used to sign other certificates.
When you purchase an SSL certificate, you get a certificate with isCA = false in the Basic Constraints certificate extension.
If you want to control each server's certificate revocation, you have to purchase a separate certificate for each server (either wildcard or for specific host names).

Make a certificate for testing purposes but NOT self-signed

I want to have a certificate that has a different CA cert for it.
Reason? For self-signed certs, most browsers handle this as an invalid certificate. I know I can ignore those warnings but I just don't want to get them in the first place.
I tried googling how to create such a certificate but found so many sites where only a self-signed certificate is created.
Therefore, how can such a certificate + CA certificate be generated, and is there a better synonym for such a certificate pair?
If you need a certificate signed by a trusted CA, there are two options:
You can get a free Let's Encrypt certificate.
This certificate will work everywhere, not only on your testing machine.
To get such a certificate you need to own (e.g. buy) some domain, so you can pass the certbot ownership challenge.
If you need to test a local server, you can get a certificate for a subdomain (e.g. local-test.example.com is a subdomain of example.com) and map that subdomain to 127.0.0.1 in /etc/hosts.
For the purpose of local testing, a certificate signed by a self-signed CA can be sufficient.
Google Chrome and most other applications will accept such a certificate after you install/trust your self-signed CA (some applications may require a restart).
There are some convenient tools written in Go and JS.
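As an added example (not code from any of the answers on this page), the following POSIX shell script uses the openssl command-line tool to do what the answer above describes: it creates a private test CA and issues a certificate for the hypothetical host local-test.example.com signed by it. It also demonstrates the Basic Constraints point from the wildcard question earlier on this page: a certificate issued with CA:FALSE can mechanically sign a new CSR, but every validator rejects the resulting chain, which is why server certificates cannot be "derived" from a purchased leaf. All names and file paths are invented, and the script works in a temporary directory it removes on exit.

```shell
#!/bin/sh
# Added example, not code from the original posts. Builds a throwaway private CA,
# issues a leaf certificate for the hypothetical host "local-test.example.com",
# then shows why that leaf cannot be used to derive further certificates.
# Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA with an explicit basicConstraints CA:TRUE. This is the one
# file you import into the browser/OS trust store on the test machine.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Local Test CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 \
    -extfile ca.ext -out ca.pem 2>/dev/null
}

# Issue an end-entity certificate for host $1, signed by the cert/key pair whose
# file stem is $2, written to files with stem $3. The extension file pins
# basicConstraints to CA:FALSE, which is what a purchased server certificate carries.
issue_leaf() {
  host=$1; issuer=$2; out=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  cat > "$out.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$out.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# True when the certificate in $1 asserts CA:TRUE in its Basic Constraints.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Validate certificate $1 against the test CA; $2 is an optional intermediate.
verify_chain() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile ca.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
  fi
}

make_ca
issue_leaf local-test.example.com ca leaf       # the certificate a test server would use

# Signing another CSR with the leaf's private key is mechanically possible ...
issue_leaf other-host.example.com leaf derived

# ... but verifiers reject the chain, because the leaf says CA:FALSE.
is_ca_cert ca.pem   && echo "ca.pem:   CA:TRUE  (may issue certificates)"
is_ca_cert leaf.pem || echo "leaf.pem: CA:FALSE (may not issue certificates)"
verify_chain leaf.pem             && echo "leaf.pem verifies against ca.pem"
verify_chain derived.pem leaf.pem || echo "derived.pem rejected: its issuer is not a CA"
```

To use the result locally, point your server at leaf.pem and leaf.key, map local-test.example.com to 127.0.0.1 in /etc/hosts, and import only ca.pem into the trust store; the leaf itself is never trusted directly, which is also why its compromise can be handled by issuing a replacement without touching the CA.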

From self managed Let's Encrypt to AWS Certificate Manager

I have been managing Let's Encrypt's SSL certificates for a domain.
Now I am moving to Amazon API gateway. I will be using the AWS Certificate Manager to generate HTTPS certificates for the root domain and a bunch of subdomains.
If I make the transfer, what happens to my current HTTPS certificate, which is associated with my domain? If browsers suddenly start seeing a new HTTPS certificate for a domain for which they had been getting a different HTTPS certificate until now, would this be a problem?
Also, once I make the shift, what do I do with my current (manually managed) Let's Encrypt certificate? Is there a way to permanently void it?
Szabolcs Dombi says
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
Toby Osbourn says
SSL certificates don't last forever; most of them need to be renewed on a yearly cycle, and occasionally you will want to change the type of the SSL certificate mid-cycle.
Since you are replacing certificates, I suggest you back up the ones you have.
Once you have backed up the old certificates, just overwrite the .crt and .key files with your new ones. Then reload your web server so it knows to look at these new certificates, and you should be good to go.
If you are interested in knowing more about how to generate an SSL certificate using Amazon Certificate Manager (ACM), I suggest Barguzar, A. (July 2018). Building Serverless Python Web Services with Zappa, where one can read a good step-by-step guide. See an excerpt of it below:
ACM is a service that manages and creates SSL/TLS certificates for AWS-based services and applications. An ACM certificate works with multiple domain names and subdomains. You can also use ACM to create a wildcard SSL.
ACM is strictly linked with AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA is responsible for validating the domain authority and issuing the certificate.
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
This also means that if you create a new certificate the old one still can be used unless it already expired.

What type of HTTPS certificate is needed for a service worker?

I have a website that works offline using a service worker. I heard that to make it live I need a proper HTTPS certificate. How do I get an HTTPS certificate? Is it free? Please help.
There are 3 grades of TLS certificates:
Domain Authority
Organizational Authority
Enterprise Authority
They are all valid certificates; they just require a higher level of authentication to obtain. Most sites just need a DA certificate, which is validated via the whois e-mail. The other two take more vetting.
As for SNI or no SNI, that does not matter either.
All that matters is you have the TLS certificate to create that wrapper of encryption around the data packets.
You could use a certificate from the Letsencrypt organisation. It's free and reliable. I can recommend it.

Firefox automatically chooses a certificate, without a UI dialog

Is there a way to choose the specific default client certificate for authentication on web resources? In prefs.js in the Firefox app data folder, there is a line:
security.default_personal_cert
I changed its value to:
Select Automatically
And now it is selecting the first certificate available for the site. I basically want to automate this process (with iMacros and a few other tools). Is there a way I can set a SPECIFIC certificate as the default client certificate? Maybe I have missed something else?
It is possible to implement this, but probably not very useful, and I do not believe it is implemented in Firefox.
Servers are usually configured with a specific CA certificate (or set thereof) to use for validating client certificates. The TLS Certificate Request message will usually advertise the Issuer Distinguished Names of these CA certificates in the certificate_authorities field, which the client will then use to select an appropriate certificate to supply in the Client Certificate message. In particular:
If the certificate_authorities list in the certificate request message was non-empty, one of the certificates in the certificate chain SHOULD be issued by one of the listed CAs.
An "always use this certificate" option would be useful only in the case where the server does not advertise which CA(s) it intends to use to validate client certificates (I have never seen this situation before). Normally, the Select Automatically heuristic will Do The Right Thing.
If you need an automated way to choose a particular certificate where you have multiple certificates for the same site, Firefox provides the option of multiple profiles. You can have a single certificate in each profile, which will be automatically chosen. It is inconvenient but I do not know of another way.
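The CertificateRequest exchange the answer describes, shown with a local openssl s_server/s_client pair, is an added example and not part of the original answer. It assumes the openssl command-line tool (1.1.0 or later, for the -unix option) and uses invented names (Test Client CA, alice, localhost). The server's -CAfile supplies both the trust anchor for validating the client certificate and the issuer DN list that goes into the certificate_authorities field; the client-side output shows exactly the list a browser such as Firefox uses to pick a matching certificate when set to "Select Automatically". A UNIX socket is used so no TCP port is needed.

```shell
#!/bin/sh
# Added example, not from the original post. Stands up a local TLS server that
# requires a client certificate and shows, from the client's side, the issuer
# names the server advertised in its CertificateRequest. Names are invented.
# Requires the openssl command-line tool (1.1.0+ for -unix).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
SOCK=$WORK/tls.sock

# One self-signed server certificate, one self-signed "client CA", and a client
# certificate for "alice" issued by that CA. openssl's default config marks a
# "req -x509" certificate as CA:TRUE, so clientca.pem is usable as an issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
  -keyout server.key -out server.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Client CA" \
  -keyout clientca.key -out clientca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout client.key -out client.csr 2>/dev/null
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > client.ext
openssl x509 -req -in client.csr -CA clientca.pem -CAkey clientca.key \
  -CAcreateserial -days 30 -extfile client.ext -out client.pem 2>/dev/null

# Server: -Verify 1 makes a client certificate mandatory; -CAfile provides the
# trust anchor for checking it AND the DN list sent in certificate_authorities.
openssl s_server -unix "$SOCK" -cert server.pem -key server.key \
  -CAfile clientca.pem -Verify 1 -quiet >server.log 2>&1 &
SERVER_PID=$!

# Client: present alice's certificate over TLS 1.2 (the CertificateRequest
# message quoted in the answer). stdin at EOF closes the session right after
# the handshake. Retry briefly until the server socket exists.
run_client() {
  i=0
  while [ "$i" -lt 20 ]; do
    if [ -S "$SOCK" ] && openssl s_client -unix "$SOCK" -tls1_2 \
         -cert client.pem -key client.key -CAfile server.pem \
         </dev/null >client.log 2>&1; then
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  return 1
}

# The issuer DN(s) the server advertised, as s_client prints them after the
# "Acceptable client certificate CA names" header.
advertised_client_cas() {
  sed -n '/^Acceptable client certificate CA names/{n;p;}' client.log
}

if run_client; then CLIENT_OK=1; else CLIENT_OK=0; fi
kill "$SERVER_PID" 2>/dev/null || true
wait "$SERVER_PID" 2>/dev/null || true

echo "handshake completed: $CLIENT_OK"
echo "server advertised client CA: $(advertised_client_cas)"
```

With a single certificate issued by Test Client CA in the client's store, the automatic selection is unambiguous; the situation the question describes only arises when several certificates chain to an advertised issuer, which is where the per-profile workaround above comes in.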

Certificates - How do they get dealt out?

I am interested in web security right now. So I read about PKI and Diffie-Hellman authentication forms.
Now I am reading about certificates and I ask myself how that works. So I know browsers have some trusted certificates in them, so you trust the pages that the company the browser is from already trusts. So when A trusts B and B trusts C --> A trusts C. Standard web-of-trust thing.
But what I don't get is how, for example, Google did it when they made their applications HTTPS. I never had to download a certificate. How does that work?
There are a number of commercial bodies whose business is the issuance of digital certificates; these are called "Certificate Authorities" or CAs. The certificates of the top-level keys of these bodies are distributed with the common web browsers, so you will already have them installed.
If you (or Google, or anyone else) want a certificate for your key, you send a request (and some money) to one of the well-known CAs. The CA performs some checks to verify that you are who you say you are, and (as long as the checks check out) they make a new certificate by signing your key with their certificate-signing key.
When you send your certificate to some third party they can check your certificate using the CA's certificate stored in their browser, and this allows them to establish that the identity you claim in your certificate is correct.
There are various levels of certificate which carry different levels of guarantee that the identity claimed in the certificate is correct. Basically, the more you pay the more trouble the CA takes in checking your identity and the more insurance they buy!
All browsers store certificates of Certification Authorities, who in turn issue certificates for various organizations.
