x509

Client Authentication for WebAPI 2

倖福魔咒の submitted on 2021-02-19 07:39:25
Question: My company has written an API to expose our application data to our clients. We've completed the endpoints and now want to secure the API. The API will only be used by pre-approved clients so no anonymous access is needed. I've been told that we can use an x.509 certificate that we generate to identify and authenticate each client. By identifying, I mean embedding a client code in the certificate that we issue to each client (is this even possible?). As you can probably tell I have little

Spring Security X.509 authentication without user-service

血红的双手。 submitted on 2021-02-19 02:23:30
Question: I'm using Spring Security (v3.1.3) for X.509 authentication in my web-application. Users and roles are stored in the Database, but I don't actually need to do it, as CNs of client certificates conform to "[ROLE] - [USERNAME]" schema, which means I already have username and role from the certificate itself. So how to eliminate the database without too much effort? Should I write my own implementation of user-service, which will populate UserDetails, or is there a more graceful method? Answer 1: Yes,

How to sign cert with an arbitrary or deprecated extension

此生再无相见时 submitted on 2021-02-11 18:16:09
Question: For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation than I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

How to sign cert with an arbitrary or deprecated extension

我怕爱的太早我们不能终老 submitted on 2021-02-11 18:12:32
Question: For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation than I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

How to sign cert with an arbitrary or deprecated extension

跟風遠走 submitted on 2021-02-11 18:11:18
Question: For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation than I care to admit today and am still stumped. tmpl := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()*1000), Subject: pkix.Name

How to chain a SSL server certificate with the intermediate and root CA certificates?

北城以北 submitted on 2021-02-10 14:29:42
Question: I thought I understood, but it is not working! I read among others http://binblog.info/2010/02/02/lengthy-chains/ which is the cleanest explanation I found. Background: Comodo's cheap PositiveSSL server certificate came with a root and two intermediate CA certificates (I replaced my FQDN with myserver.com): $ unzip ../myserver_com.commodo.certificate.zip Archive: ../myserver_com.commodo.certificate.zip extracting: AddTrustExternalCARoot.crt extracting: COMODORSAAddTrustCA.crt extracting:

Trusted root certificate is magically installed to Windows

元气小坏坏 submitted on 2021-02-07 10:01:25
Question: On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage,

Trusted root certificate is magically installed to Windows

怎甘沉沦 submitted on 2021-02-07 10:00:13
Question: On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage,

How to create a signing certificate and use it in IdentityServer4 in production?

拈花ヽ惹草 submitted on 2021-02-05 13:15:43
Question: Most (all?) of the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential(), but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that. How do I create a signing certificate and use it in IdentityServer4 in production? Answer 1: Create certificate and add to machine's certificate store I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a

How can I connect with X509 by putting all options in the connection string in node.js driver for mongodb?

白昼怎懂夜的黑 submitted on 2021-02-05 09:20:07
Question: I'm using the keys available in mongodb docs for a self-signed certificate using X509 authentication with a Node.js Driver. When trying to connect to the database I get the following error: MongoNetworkError: failed to connect to server [pedro.com:57040] on first connect [MongoNetworkError: unable to verify the first certificate] Despite that error, I am sure that the connection works as I am using Studio 3T and everything is up and running by using the same certificates. So my question is...