Mixed Hash Algorithm within Certificate Chain [closed] - algorithm

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
We have an internal customer which has issued a Root CA using SHA-1 (which both they and we know should be deprecated) and has issued a server certificate from the Root CA with a Hash Algorithm of SHA2. A team member suggested that this cannot be supported, as all Hash Algorithms of the certificates must match, but having no understanding of the topic I set out to google to find whether there are reasons for a mixed hash environment being unsupported, as intuitively I thought a leaf certificate should be able to be at a lower encryption level than the root. Finding no comprehensive answer, I ended up here. Our situation raises three questions for me:
Must the Hash Algorithm remain static for each certificate in the chain of trust?
If the Hash Algorithm may be different, can the bottom certificate be of a higher or lower public key level?
Could each certificate in a chain use a random encryption level?

There can be mixed signature algorithms used for the certificates. Apart from that, the signature of the root certificate is not checked anyway, so the algorithm used there does not matter. The root certificate is trusted just because it is in the local trust store and not because it was signed by somebody (usually it is signed by itself).
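As an added example (not from the thread), the following script builds exactly the chain the question describes, a SHA-1 self-signed root with a SHA-256-signed leaf, and runs path validation with the openssl CLI; the subject names are made up, and the leaf additionally uses an ECDSA key to show that the key algorithm may differ along the chain as well.

```shell
#!/bin/sh
# Added example (not from the thread): build a two-certificate chain whose
# root is self-signed with SHA-1 and whose leaf is signed by that root with
# SHA-256, then run path validation on the leaf. Needs the openssl CLI.
# The leaf also uses a different key type (ECDSA P-256 vs the root's RSA-2048)
# to show that neither hash nor key algorithm has to match along the chain.

verify_mixed_chain() {
    dir=$(mktemp -d) || return 1

    # Root: RSA-2048 key, self-signed with SHA-1 (the deprecated case from the question).
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
        -subj "/CN=Example Internal Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 || return 1

    # Leaf: ECDSA P-256 key; its CSR is signed by the root key using SHA-256.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=server.example.internal" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1

    # A certificate's "Signature Algorithm" describes the *issuer's* signature:
    # root -> sha1WithRSAEncryption, leaf -> sha256WithRSAEncryption (RSA because
    # the root key signed it, even though the leaf's own key is ECDSA).
    root_alg=$(openssl x509 -in "$dir/root.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    leaf_alg=$(openssl x509 -in "$dir/leaf.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1)

    # Path validation succeeds: the root is trusted because it was supplied as
    # the anchor; its SHA-1 self-signature is not what makes the chain valid.
    if openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" >/dev/null 2>&1; then
        result=OK
    else
        result=FAIL
    fi
    rm -rf "$dir"
    echo "$root_alg $leaf_alg $result"
}

verify_mixed_chain   # prints: sha1WithRSAEncryption sha256WithRSAEncryption OK
```

If the first step fails on a platform whose crypto policy refuses to create SHA-1 signatures, that is the toolchain enforcing the deprecation the question mentions, not a problem with the mixed chain itself.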

Related

How to restore the deleted EFS certificate [closed]

Closed 1 year ago.
I accidentally deleted the EFS (Encrypting File System) certificate by using the properties form in Internet Explorer, and now I don't have access to my encrypted files.
Is there any option to restore the certificate?
I can see this certificate in the system but when I imported it back, it is not shown that the certificate has a private key.
In my case, I found another version of the same certificate in certmgr.msc and luckily this version has a private key. I exported the certificate and then imported it into the personal folder. The access to the encrypted files was restored.

Can I create a new folder/directory under Windows Certificates and import all my self signed CA certificates in it [closed]

Closed 1 year ago.
I am unable to find a solution where I can create a new folder/directory under Windows Certificates so that I can import all my self signed CA certificates into that folder.
I know that we can import our self signed CA certificates under Windows ROOT Trusted Root CA. But I have a requirement where we need to create a new Folder/Directory under the Windows Certificates so that I can import all of my self signed CA certificates under that folder.
We have a lot of self-signed CA certificates, and my project requirement states that they be grouped under one folder.
I opened the certmgr.msc and checked for options but I could not find the option to create a new directory under the Windows Certificates. Is it possible to achieve this requirement?
You can do it with PowerShell.
cd Cert:\
cd LocalMachine
mkdir somefolder
If you’re working in C, CertOpenStore, without the existing-only flag, will create a store.
In C# you can get the same by
using System.Security.Cryptography.X509Certificates;

string storeName = "somefolder"; // name of the custom store to create
X509Store store = new X509Store(storeName, StoreLocation.CurrentUser);
// ReadWrite without OpenExistingOnly creates the store if it does not exist
store.Open(OpenFlags.ReadWrite);
// the store should now appear in MMC (after a refresh)
Adding to that store object works like any other store.
In my experience MMC won’t display private key management options for the custom store. Maybe there are options to let it do so, but any command-line utilities (or custom code) will probably see it just as any other store. (In MMC’s defense, it’s treating it like “any other store”... it thinks only the “My” store has private keys associated).

What is the current status of AIA (Authority Information Access) support in Firefox? [closed]

Closed 8 years ago.
The title says it all. I have found several discussions of AIA, but I have not found any recent statement that it is (or will be) supported, either for server side or client side certificates. This is important because we have a smart card project that will affect thousands of people with certs that are not in the standard list of CA roots, and/or intermediates, but does have a valid AIA. It is not practical to require our users to add the missing certificates; too many, too low-tech. Of course the certificates work just fine with IE and Chrome.
Do I have to tell people not to use Firefox? :-(

Generic domain creation - domain.myGenericDomain [closed]

Closed 9 years ago.
Is it theoretically possible to register a new top-level domain (so I would have a page like page.mydomain)? If yes, then where is it possible and how much is it?
It seems you are looking for TLDs (Top-Level Domains). Historically, only countries and large interest groups could register TLDs, but recently ICANN, the organisation in charge of internet domain names, opened bidding for corporate TLDs. You can see a current list of applications here. To apply for one yourself, I believe the entering price is somewhere around $10,000, but I'm not sure. Either way, the wait for authorisation is probably still over a year, so I wouldn't count on getting it done soon or cheaply.

What to report in email signature? Does the GnuPG key suffice? [closed]

Closed 9 years ago.
I would like to tell the recipients of my emails that I use GnuPG. To do so, I would simply have put a line "GnuPG key 0x14102F.." under my address in the email's signature. However, I often see people also giving a fingerprint. Is this a good idea? I don't see any reason. If a recipient has my key ID, (s)he can go to a keyserver, download my public key, and use it for verifying my signed and/or encrypted messages. So why would one need a fingerprint?
I was wondering what is 'good practice'.
Actually, I found that giving the fingerprint only is the desired method, see http://lists.gnupg.org/pipermail/gnupg-users/2009-January/035204.html. It also contains the key ID, so that information does not have to be provided as well. The issue of the key ID not being unique is raised in several places, for example http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html. The fingerprint is indeed also not unique, but it's very unlikely that it isn't.