Signing a certificate using osslsigncode will affect HTTPS? - https

I have a PFX file with a password. I can re-sign the certificate using osslsigncode; will it affect HTTPS (e.g. "https://domain.com")?
Will osslsigncode create a self-signed certificate? If it is a self-signed certificate, it will affect my HTTPS, right? Kindly give me suggestions regarding this.

Related

Import self signed ssl certificate .pem to firefox

I added self signed certificate in .pem format in Firefox under Authorities tab. When I access site, Firefox throws error
mozilla_pkix_error_ca_cert_used_as_end_entity
It says that the certificate is not trusted because it is self signed. What can be the issue?
If you add the certificate as authority then it should be used as authority, i.e. for signing other certificates. If you instead use it as a server certificate (i.e. as end entity and not authority) then it should not be added as authority to Firefox but instead as server certificate. This will be automatically done if the certificate is not known and you click through the certificate error messages when connecting to your site and accept the site's certificate permanently.
You should also make sure that your certificate contains the necessary key purpose to be used as a server certificate.

How do I verify an X.509 certificate with Ruby OpenSSL?

I'm trying to verify an Amazon SNS message. It comes signed by an X.509 certificate, and provides a URL for the certificate.
I have no problems checking the signature against the certificate, but how do I know the certificate is valid?
I've seen a variety of places that show how to get OpenSSL to validate certificates used on an SSLSocket, but I can't see how to just check to see if a certificate is valid.
I suppose I could "shell" out to run something like openssl x509 -in <file> -text -noout, and parse the output, but that seems like a lame solution.
So:
cert = OpenSSL::X509::Certificate.new(Faraday.get(cert_url).body)
# now what?
Well, a weekend of struggling and it's now clearer.
The basic sequence is to construct an OpenSSL::X509::Store, and populate it with the certs of trusted CAs.
store = OpenSSL::X509::Store.new
store.set_default_paths # populates with some 'standard' ones
Then, I can test the validity of a certificate with:
store.verify(cert)
An added wrinkle, in my case (verifying SNS notifications) is that the certificate I'm trying to validate isn't directly signed by a trusted CA, so I need an additional level added.
I've been able to check the full chain by fetching the certificate that signed the SNS cert by searching the web. So the final code ends up being something like this:
require 'openssl'

def valid?(cert)
  store.verify(cert)
end

# Memoized trust store: system CAs plus the certificate that issued the SNS cert.
def store
  @store ||= OpenSSL::X509::Store.new.tap do |store|
    store.set_default_paths
    store.add_cert(OpenSSL::X509::Certificate.new(File.read('SNS_issuer_cert.cer')))
  end
end
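
The chain check described in this answer, as an added example that is not part of the original post: it builds a constructed root, issuing CA and leaf in memory and runs OpenSSL::X509::Store#verify against them. It goes beyond the answer by passing the issuer as an untrusted chain certificate and by showing that an issuer without its root in the store does not verify; the helper names (issue, verify, results) and all certificate names are assumptions made for the example.

```ruby
require 'openssl'

# Constructed test PKI: every name and key here is made up for this example.
def issue(cn, issuer = nil, issuer_key = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

ROOT, ROOT_KEY   = issue('Example Root CA', ca: true)
INTER, INTER_KEY = issue('Example Issuing CA', ROOT, ROOT_KEY, ca: true)
LEAF, _          = issue('sns.example.test', INTER, INTER_KEY)
ROGUE, ROGUE_KEY = issue('Rogue CA', ca: true) # self-signed, never trusted
FORGED, _        = issue('sns.example.test', ROGUE, ROGUE_KEY)

# Trust anchors go in the store. Certificates that arrive with the message are
# passed as untrusted chain candidates and must themselves lead to an anchor.
def verify(cert, anchors:, untrusted: [])
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  ok = store.verify(cert, untrusted)
  [ok, store.error_string]
end

def results
  {
    root_only:       verify(LEAF, anchors: [ROOT]).first,                      # issuer missing
    chain_supplied:  verify(LEAF, anchors: [ROOT], untrusted: [INTER]).first,
    issuer_in_store: verify(LEAF, anchors: [ROOT, INTER]).first,               # the answer's approach
    issuer_no_root:  verify(LEAF, anchors: [INTER]).first,                     # no path to a root
    forged:          verify(FORGED, anchors: [ROOT], untrusted: [ROGUE]).first # chain ends at an unknown root
  }
end

p results if $PROGRAM_NAME == __FILE__
```

The second element returned by verify is the store's error_string, which names the reason when a check fails.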

Changing Fiddler root certificate to successfully decrypt HTTPS

Is there a way to change Fiddler's root certificate? I want it for a scenario when the client app uses certificate pinning and I have access to the keystore, whose certificate is being trusted by the client app.
I think you're asking "Can I change the certificate Fiddler uses for a particular site" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.

X509 Certificate Purpose Setting

I would like to ask when is the purpose of a certificate, like Server Authentication, Client Authentication, set for the certificate.
Is it when we generate the CSR or when it is signed by the CA?
The CSR is a Certificate Signing Request. If it is a PKCS#10 request (by far the most common type) it can indicate which extensions are requested and that can include the Extended Key Usage (aka purpose). But the CA ultimately decides what to include when it creates and signs the cert. It could choose not to issue a cert. It could issue a cert with a subset of the requested attributes. It could issue a cert that is completely different. It could issue a cert that is exactly what the CSR requested.

IE8 Will Not Install SSL Certificate

I have my own SSL for development purposes. Normally when IE would give you the WARNING you could simply install the certificate, restart IE and go back to the server without warning. In IE8 I cannot avoid the warning. I have installed the certificate into every single store without success using both the MMC and cert manager in IE8. WHAT AM I MISSING?!
Add the site to trusted sites. Then you will have the option to install the certificate after clicking the Certificate error box and then View Certificate.
Which certificate are you trying to install?
You must install the ROOT certificate, not the END-ENTITY certificate which is signed by that self-signed root. It should go in the Trusted Root Certification authorities store.
Make sure your cert's CommonName matches the domain name. For example, if your website will be accessed at 'https://www.example.com', CommonName should be 'www.example.com'. If this doesn't match, nothing you do in the second and third step will matter.
Run IE8 in administrator mode and navigate to your HTTPS URL. Continue beyond warning, then view the site's cert to access the 'Install Certificate' button.
Add the cert to Trusted Root CA Certificates.
Restart IE8 in protected mode then navigate to your HTTPS URL again. All warnings should be gone.
I could not install the certificate from IE. I had to finally use MMC (Management Console). Instructions here: http://technet.microsoft.com/en-us/library/cc757688(v=ws.10).aspx
