How can I check if a x509 certificate matches a CSR (if the certificate was generated based on a specific CSR) in Go? Do I need to generate a new certificate from the CSR and compare them?
If your signing request is in the DER format there's a couple of functions in the standard library you can use; first to parse the CSR (https://golang.org/pkg/crypto/x509/#ParseCertificateRequest) and then the certificate (https://golang.org/pkg/crypto/x509/#ParseCertificate). Once parsed you can compare the public key values.
Standard but important security note:
Please note that this DOES NOT validate the certificate in anyway. It may or may not be safe to use, and could have been substituted or altered.
I apologize if my english is not too good. I am trying to create a certificate request from my IIS server, but everytime i completed the request. The client still don't trust the web server.
I am from a development background not really into infrastructure operation. So my question might be incorrect, due to misconception, if so, please feel free to educate me. Below are my questions:
Do I need to import the root certificate into the window IIS server before starting a certificate request? If so, how do i create or export a root certificate from Window Certificate Authority?
Although this answer is not Windows-specific, I found this page through a search for my problem, and hopefully the following information will be of use to someone having this problem on Linux, like me:
I have encountered this problem too and, although the accepted answer is probably correct, the process for generating a CSR (certificate signing request) with the SAN (Subject Alternative Name) requires a bit of explanation.
There are several articles detailing this, but basically, you need to create a file, let's call it ssl.conf, which contains the necessary information, including the SAN details, which you will pass via a parameter to the openssl command when creating the CSR.
(This assumes you have already generated a key).
The contents of ssl.conf can be as simple as follows. Note the section at the bottom detailing the SAN. Adjust all the parameters to suit your requirements.
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address#your-awesome-existing-domain.com
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
The rest of the file contains other X.509 information that you would be prompted for during the CSR creation (country, state etc.)
Now you can create your CSR as follows:
openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf
Where private.csr refers to your new CSR file, private.key refers to the key you already should have generated and ssl.conf is the file above.
You can verify the contents of your new CSR as follows:
openssl req -text -noout -verify -in private.csr
Then you will see, on the console, the details of the CSR, including the SAN details.
References:
https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one
https://gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
https://geekflare.com/san-ssl-certificate/
The error can be because of multiple reasons
a) You are using an IP address to access the website (assuming you have a certificate based on a URL). So try accessing using the URL for which you have procured the certificate
b) You have procured certificate for xyz.com but have binded the same to abc.com . Hence when accessing abc.com you receive the above error. Bind the correct certificate if have one.
c) YOu have procured a multi domain certificate , but the url you are trying to access is not added as SAN to the certificate. Have a word with your SSL provider and ask him to add the URL as SAN to the certificate.
Should not the answer be that Subject Alternative Name (SAN) is mandated by Chrome for Certificate Validation check? Here is a link which speaks more about comparison between Common Name (CN) and SAN
i have a pfx file with password i can re sign the certficate using OSSLSIGNCODE whether it will effect HTTPS(ex"https://domain.com).
is this osslsigncode will create self signed certificate?.if it is a self signed certificate means it will effect my https right.kindly give suggestion to me regard this.
I am currently developing an application that validates signature certificates (like in a pdf) with OCSP or CRL. These will most likely be leaf certificates, without the entire chain. Getting the url to either validation services proved simple enough.
To my understanding, both OCSP and CRL require the issuer of the certificate to validate it. So now I'm stuck because that is not included in the input. The AIA extension might include a URL to a CA certificate, but unfortunately this is the CA of the issuing certificate and not the certificate itself.
Is there any other way to get the issuer's certificate given only the leaf? Or are there some cases in which OCSP/CRL can validate without it?
Have a look at https://www.ietf.org/rfc/rfc2560.txt which details the requirements for an OCSP response to be considered valid:
The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
The first and third option both require the issuer cert. The second option does not. However I dont think that option is applicable to you situation. The link https://wiki.mozilla.org/CA:OCSP-TrustedResponder has details on what a trusted responder is and when it can actually be used.
I would like to ask when is the purpose of a certificate, like Server Authentication, Client Authentication, set for the certificate.
Is it when we generate the CSR or when it is signed by the CA?
The CSR is a Certificate Signing Request. If it is a PKCS#10 request (by far the most common type) it can indicate which extensions are requested and that can include the Extended Key Usage (aka purpose). But the CA ultimately decides what to include when it creates and signs the cert. It could choose not to issue a cert. It could issue a cert with a subset of the requested attributes. It could issue a cert that is completely different. It could issue a cert that is exactly what the CSR requested.