pki

Implementing X509TrustManager - passing on part of the verification to existing verifier

懵懂的女人 提交于 2019-12-28 12:34:11
问题 I need to ignore the PKIX path building exception javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc ption: unable to find valid certification path to requested target I know how to do this by writing my own class implementing X509TrustManager where I always return true from isServerTrusted . However, I don't want to trust all servers & all clients. I want all the default verification

Adding a self-signed certificate to iphone Simulator?

回眸只為那壹抹淺笑 提交于 2019-12-28 01:43:06
问题 I have a self-signed certificate at the endpoint of my API. I'm trying to test some things using the simulator but am getting "untrusted server certificate". I have tried to use safari on the simulator to download the .crt file, but that doesn't seem to work. Where does iPhone Simulator get its keychain from? How can I add a trusted certificate so my application will work? UPDATE I got it to work by creating a CA and then adding a CA certificate using the iPhone provisioning tool. Then I was

Is it possible to programmatically generate an X509 certificate using only C#?

社会主义新天地 提交于 2019-12-27 16:59:06
问题 We're trying to generate an X509 certificate (including the private key) programmatically using C# and the BouncyCastle library. We've tried using some of the code from this sample by Felix Kollmann but the private key part of the certificate returns null. Code and unit test are as below: using System; using System.Collections; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Generators; using Org.BouncyCastle.Crypto

ssl原理及ssl配置

烂漫一生 提交于 2019-12-25 19:51:05
先来扫盲 CA证书 https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/ca.md 先来一个例子 A公司的小华被派到B公司办事情。B公司如何信任小华是A公司派来的呢? 普通介绍信 为了让B公司信任小华,A公司特意给小华开了一封介绍信,在信件中详细说明了小华的特征以及小华过来的目的, 并且声明这个小华确实是A公司派来的,除此之外还要有一个A公司的公章。 这样B公司前台姐拿到介绍信后,通过信件内容和A公司公章就能判断出小华确实是A公司派来的员工。 那万一A公司公章是假的呢?毕竟公章伪造太容易了,这样岂不是会存在问题。咱们就暂且认为公章这种东西很难伪造, 否则故事无法继续喽。 引入第三方中介公司 好,回到刚才的话题。如果和B公司有业务往来的公司很多,每个公司的公章都不同,那B公司的前台姐就要懂得分辨各种公章, 非常滴麻烦。所以,有某个中介公司C,发现了这个商机。C公司专门开设了一项“代理公章”的业务。    于是今后,A公司的业务员去B公司,需要带2个介绍信: 介绍信1(含有C公司的公章及A公司的公章。并且特地注明:C公司信任A公司。) 介绍信2(仅含有A公司的公章,然后写上:兹有xxx先生/女士前往贵公司办理业务,请给予接洽......。) 这样不是增加麻烦了吗?有啥好处呢? 主要的好处在于,对于接待公司的前台

intermediate root authority cross chain validation

房东的猫 提交于 2019-12-25 08:37:59
问题 I have created a root CA(CA-R) and two intermediary CA's(CA-I1 & CAI2)(all self-signed). Using CA-I1, I generated a private key for a server1/client1, CSR & created the certs. Installed the certs for Server1(Apache2) and client1.Im successfully able to connect to the server1 using my client1(python client). Here is the chain -> client1->server1->CA-I1->root CA Using CA-I2, I generated a private key for a server2/client2, CSR & created the certs. Installed the certs for Server2(Apache2) and

Intercepting and forwarding client certificate to webservice

旧城冷巷雨未停 提交于 2019-12-24 11:54:06
问题 I have a web application (gwt) that is running on a tomcat application server. This web application consumes several web services (login, application data transfer, queries, etc.). The web service client on the tomcat is implemented as apache axis2 web service client. For user log on I provide a form in the web application with username and password. This data are transmitted via web service to authenticate the user. It is planned to change the hole authentication mechanism to client

Why is SSLCertificateKeyFile needed for Apache?

£可爱£侵袭症+ 提交于 2019-12-23 06:48:16
问题 What's the technical reason that SSLCertificateKeyFile is needed (the private key)? Where is that used and for what? 回答1: The SSL certificate file contains the X.509 certificate (which, in turn, contains a public key used for encryption). The SSL Certificate Key File contains the private key corresponding to the public key in the certificate. In order for the webserver to encrypt and decrypt traffic, it must have both the public key (certificate) and corresponding private key. Apache, unlike

Linux CA

三世轮回 提交于 2019-12-23 01:27:51
CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。 1.什么是CA认证? CA认证,即CA认证机构,为电子签名相关各方提供真实性、可靠性验证的行为。 2.什么是CA证书? 证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。 3.CA证书类型? 证书颁发机构自签名证书 服务器证书 用户证书 二. CA服务器部署 1. 部署环境 [root@linux-ca ~]# touch /etc/pki/CA/index.txt #index.txt:索引文件,用于匹配证书编号; [root@linux-ca ~]# echo 01 >/etc/pki/CA/serial #serial:证书序列号文件,只在首次生成证书时赋值。 [root@linux-ca ~]# cat /etc/pki/CA/serial 01 2. 生成密钥 [root@linux-ca private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakay.pem 2048) genrsa:生成私钥; -out:私钥的存放路径,cakey.pem

RSA Key Values and Modulus in Public/Private Keys

廉价感情. 提交于 2019-12-22 06:38:11
问题 I am writing an application that used PKI to secure email, files etc. Using the System.Cryptography namespace, I am generating a new key pair using RSACryptoServiceProvider . The method is: public static void GenerateKeys(int keySize, out string publicKey, out string privateKey) { using (var provider = new RSACryptoServiceProvider(keySize)) { publicKey = provider.ToXmlString(false); privateKey = provider.ToXmlString(true); } } keySize = 2048. This results in a public key like (this has been

Created a certificate using SecCertificateCreateWithData on iOS

早过忘川 提交于 2019-12-21 18:57:46
问题 I want to create a certificate programmatically within an iOS app. The closest API I could find is SecCertificateCreateWithData which requires a DER encoded binary input. Given that I have all the data needed available as runtime objects, How can I construct the DER encoded binary data input ? 回答1: This is how it can be doen: NSString* certPath = [[NSBundle mainBundle] pathForResource:@"myCertificate" ofType:@"cer"]; NSData* certData = [NSData dataWithContentsOfFile:certPath];
订阅 pki