PKI interview questions
Top PKI frequently asked interview questions
I have a self-signed certificate at the endpoint of my API. I'm trying to test some things using the simulator but am getting "untrusted server certificate".
I have tried to use Safari on the simulator to download the .crt file, but that doesn't seem to work.
Where does iPhone Simulator get its keychain from? How can I add a trusted certificate so my application will work?
UPDATE
I got it to work by creating a CA and then adding a CA certificate using the iPhone provisioning tool. Then I was able to have a certificate signed by that CA certificate on the API server and the NSConnection just worked. I was not able to get it to work using a self-signed certificate for some reason. I need to re-attempt this using the provisioning software.
My real question is how do I get this to work on the simulator? I would think that the simulator uses the keychain of the actual computer.
Source: (StackOverflow)
There is a webservice protected by a certificate. In the client code which calls it, the certificate's CA has to be present in the truststore (JRE_path\lib\security\cacerts) - if not, you get the PKIX exception on the client side.
What happens if the certificate has expired - the client code fails.
However, this can be bypassed by adding the certificate directly into the truststore - Trusting an expired certificate
i.e. if the certificate itself and not the CA is present in the truststore, then everything works even if the certificate has expired.
In my scenario, the webservice certificate is a self-signed one, so I anyway had to add it to the truststore, and the client continues to work fine even when the cert has expired.
Now my question is will this work in all scenarios - my program is just a command line program running off a local JRE.
In case there is an application calling the webservice and the application is running on Websphere, JBoss, WebLogic, Tomcat, Glassfish etc and the self signed cert is added to truststore of that environment, can I still assume that it will continue to work (not give expired errors)?
I assume it would work - because those application servers would also use a JRE just like any program - or am I missing something?
Source: (StackOverflow)
I have figured out all the necessary steps to get DOD CAC card based client certificate authentication working in Apache, but am now struggling to pull a good GUID for the user from the certificate I am receiving. Is there a GUID available on the certificate that will not change when the CAC card is renewed? I was thinking of using the SSL_CLIENT_S_DN which would look something like:
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=LAST_NAME.FIRST_NAME.MIDDLE_NAME.0123456789
but I have heard that the number on the end changes when the CAC card is renewed. Is this true? Is there a better piece of information to use for a GUID? I'd also like to get the user's email address, but I don’t see it available in the information I am receiving from the certificate. Is the email address available in some custom extension that I am not seeing?
Thanks!
Source: (StackOverflow)
Trying to get a better grapple on how public/private keys work. I understand that a sender may add a digital signature to a document using his/her private key to essentially obtain a hash of the document, but what I do not understand is how the public key can be used to verify that signature. My understanding was that public keys encrypt, private keys decrypt... can anyone help me understand?
Source: (StackOverflow)
I work on a vertical-market Mac application that uses a USB dongle to make sure users have paid for it. It's expensive enough, and in enough demand, that "black hats" have tried to crack the dongle scheme, so the app checks the executable and key resource files at runtime, and if something has been tampered with, the program won't run.
With PKI (Public Key Infrastructure) based code signing becoming more commonplace in the Mac world, I'm considering switching to using it to do this runtime verification, which would have the nice side effect of making Gatekeeper happy.
However, Apple's interest is very different from mine. Their focus is on making the user happy, so if an app has an incorrect signature, Mac OS X will simply ask the user if they want to run it anyway. My focus is on thwarting crackers, so if my app has an incorrect signature, I simply don't want it to do anything that's useful to an end-user.
So I want my app to be able to validate its own executable and resources, using Apple's signatures, at runtime.
Also, from what I've read of the libraries offered by Mac OS X for doing validation, they simply give a "yes" or "no" answer to requests to validate an executable. It strikes me that this is susceptible to "black hat" attack in a number of ways - for instance, one could simply replace Apple's tools with ones that always say, "yes, this is valid", either in the system directories or by changing the search path for those tools. So I think it might be a good idea to build the complete set of signature validation code into my app.
So I have a few questions:
- What PKI libraries/APIs are available to let an app validate its own executable and resources which have been signed using Apple's codesign system?
- Do these libraries have source code available?
- Are my security concerns about using the PKI libraries Apple ships with Mac OS X valid, or are they safer to use than I think?
- Does anybody have experience with this kind of thing they'd be willing to share? Are there other gotchas or tips?
Thanks in advance for any help with this.
Source: (StackOverflow)
Since SSL is the backbone of the secure internet, (now technically called TLS), what are some good books I should read up on to understand all aspects of it?
I suppose I'll need to learn some math, some PKI books, crypto, and Sysadmin books as well. Since that isn't a complete list I'm interested in hearing what you think is wise to learn as well.
Source: (StackOverflow)
By specifying a –pe switch ( using Makecert utility ) we make a private key exportable.
a) What is meant by private key being exportable? That we can copy the created .pvk file ( containing private key ) to another system and use it there?
b) If so, then I assume .pvk is only created if private key is to be exported?! Thus, how do we use/obtain private key when we don't want to export it and thus don't specify –pe switch when creating a certificate?
Thank you
Source: (StackOverflow)
Hi, I'm trying to use .NET and C# to export a certificate from the cert store into a PFX file. I'm trying to use the X509Certificate2.Export method with the X509ContentType.Pfx flag set, but am unsure how to handle the returned byte array and output it correctly to file.
Any help appreciated.
Thanks
Mark
Source: (StackOverflow)
Could someone please help me on the following?
RFC2560 defines when an OCSP responder certificate (signing the response) could be accepted:
1. Matches a local configuration of OCSP signing authority for the certificate in question; or
2. Is the certificate of the CA that issued the certificate in question; or
3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question.
My question is:
If the certificate of the OCSP responder is signed by the Trust Anchor of the validation path, is it also considered accepted?
I have the impression that it should be, but this is not stated explicitly above from the RFC and I could not find an explicit reference on this.
My reading of the RFC, though, is that even if it is signed by the TA, it still is not valid for OCSP response.
Any help is appreciated
Note: I am working in java on this, in case it matters
UPDATE:
In section 2.2 of the RFC:
All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA
Point 2 seems ambiguous to me.
It could mean:
a) Any PK trusted, so Trust Anchor is acceptable
or
b) Have the meaning of point (1) in the first quotation, which means preconfigure a certificate (any) to trust as being the OCSP responder's as for example is done in java here:
Security.setProperty("ocsp.responderCertSubjectName", ocspCert.getSubjectDN().getName());
List<X509Certificate> list = new ArrayList<X509Certificate>();
list.add(ocspCert);
CollectionCertStoreParameters p = new CollectionCertStoreParameters(list);
CertStore store = CertStore.getInstance("Collection", p);
PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
params.addCertStore(store);
Source: (StackOverflow)
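The three acceptance criteria quoted in the question above, applied literally to a constructed chain, as an added example that is not part of the original post. The `Cert` record, the key identifiers and all names are assumptions standing in for parsed certificates; no signatures are actually verified here.

```python
from dataclasses import dataclass

OCSP_SIGNING = "id-ad-ocspSigning"   # EKU value as named in the quoted RFC text

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (no real crypto here)."""
    subject: str
    issuer: str
    key_id: str          # stands in for the subject public key
    signer_key_id: str   # key that produced the signature on this certificate
    eku: tuple = ()

def issued_by(cert, ca):
    """True when ca's name and key match the issuer and signer of cert."""
    return cert.issuer == ca.subject and cert.signer_key_id == ca.key_id

def responder_rule(responder, target, local_responders=(), known_cas=()):
    """Name the quoted acceptance rule the responder satisfies, else None."""
    if responder in local_responders:
        return "1: local configuration"
    # The CA "that issued the certificate in question" is looked up per target.
    issuing_ca = next((ca for ca in known_cas if issued_by(target, ca)), None)
    if issuing_ca is None:
        return None
    if responder == issuing_ca:
        return "2: issuing CA itself"
    if OCSP_SIGNING in responder.eku and issued_by(responder, issuing_ca):
        return "3: delegated by issuing CA"
    return None

# Constructed chain: root (trust anchor) -> issuing CA -> server certificate.
ROOT = Cert("CN=Root", "CN=Root", "k-root", "k-root")
INTER = Cert("CN=Issuing CA", "CN=Root", "k-int", "k-root")
SERVER = Cert("CN=www.example.test", "CN=Issuing CA", "k-srv", "k-int")
# One responder delegated by the issuing CA, one signed by the trust anchor.
DELEGATED = Cert("CN=OCSP A", "CN=Issuing CA", "k-a", "k-int", (OCSP_SIGNING,))
ANCHOR_SIGNED = Cert("CN=OCSP B", "CN=Root", "k-b", "k-root", (OCSP_SIGNING,))
CAS = (ROOT, INTER)

if __name__ == "__main__":
    for r in (DELEGATED, INTER, ANCHOR_SIGNED):
        print(r.subject, "->", responder_rule(r, SERVER, known_cas=CAS))
```

Under this reading the anchor-signed responder matches a rule for `SERVER` only when it is listed in `local_responders`, while for `INTER`, which the anchor issued directly, it matches rule 3.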
I'm using the OpenSSL command line tool to generate a self signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a Subject Alternative Name (critical) and I haven't been able to figure out how to create a cert that is Version 3 (not sure if this is critical yet but would prefer learning how to set the version).
Has anyone done this successfully? The default config (.cfg) file has seemingly clear documentation (seen below):
" This stuff is for subjectAltName and issuerAltname.
Import the email address.
subjectAltName=email:copy "
However this does not work. My hunch is that the subject Alternative Name is not showing up b/c it is not present in the V1 specs, which is why I'm also pursuing setting the version. Any help on either of these would be greatly appreciated, I have to have this figured out ASAP.
Here is the config file I'm using:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
emailAddress = myEmail@email.com
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US
C_min = 2
C_max = 2
O = [Press Enter to Continue]
O_default = default
0.OU=[Press Enter to Continue]
0.OU_default = default
1.OU=[Press Enter to Continue]
1.OU_default = PKI
2.OU=[Press Enter to Continue]
2.OU_default = ABCD
commonName = Public FQDN of server
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = email:myEmail@email.com
issuerAltName = issuer:copy
Source: (StackOverflow)
I have a web server that allows access only using X509 authentication. Works like a charm. Now I want to extend the use of the X509 certificates (which are stored in the user's browser keystore) to
- Sign data before it is sent to the server (using JavaScript and HTTPPost)
- Decrypt data read from the server (where it gets encrypted using the user's public key stored there)
I found this example doing RSA Signature which is pretty close.... only it does take the key from a HTML textarea. I want to read it from the key store. Now crypto is quite in flux:
I'm looking for some working examples for signature and encryption (I have some in Java, but not browser based JavaScript).
Help is very much appreciated
Source: (StackOverflow)
I have a web app, which allows user to upload pkcs12. I store the pkcs12 as binary in database. Is there any way for me to know if the certificate in the pkcs12 is self signed or CA signed?
I am running a Java web app on tomcat and have openssl at my disposal.
Source: (StackOverflow)
OK, my understanding of the mathematical workings of RSA may not be as deep as it should, so feel free to slap me over the head if this is stupid:
To generate a private key, we need two random big primes. There is no algorithm that can do that precisely and efficiently, but there are algorithms that can generate big numbers that have a 99.99999...(a bazillion 9s)...999% probability of being prime.
My question is: what happens if, by a phenomenal stroke of bad luck, when you were generating your key, the prime generating algorithm generated a non-prime? How does that impact software using that unlucky key?
EDIT: I know other factors are much more probable sources of bad results on this matter; this is just pure nerdy math curiosity.
Source: (StackOverflow)
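The signature question and the RSA prime question above both come down to the same arithmetic. As an added example (not part of either original post), textbook RSA with no padding and constructed toy parameters: signing applies the private exponent to the document's hash and verification applies the public exponent to get that hash back, and a key built on a composite "prime" stops round-tripping for almost every value. The helper names and all numbers are assumptions chosen for illustration.

```python
import hashlib
from math import gcd

def make_key(p, q, e=65537):
    """Textbook RSA key pair from p and q, trusting that both are prime."""
    n, phi = p * q, (p - 1) * (q - 1)   # phi is only correct for prime p, q
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse mod (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # (public, private); Python 3.8+

def digest(msg, n):
    """SHA-256 of msg as an integer, reduced mod n for these toy key sizes."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)     # private exponent applied to the hash

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)  # public exponent recovers the hash

def roundtrip_failures(pub, priv, samples=range(2, 200)):
    """Count sample values m for which (m^e)^d mod n does not give m back."""
    (n, e), (_, d) = pub, priv
    return sum(1 for m in samples if pow(pow(m, e, n), d, n) != m)

# Constructed toy parameters: two Mersenne primes for the sound key, and
# 1007 = 19 * 53 standing in for a composite that slipped past the prime test.
GOOD_PUB, GOOD_PRIV = make_key(2**61 - 1, 2**31 - 1)
BAD_PUB, BAD_PRIV = make_key(1007, 1013)

if __name__ == "__main__":
    sig = sign(b"pay 10 to alice", GOOD_PRIV)
    print(verify(b"pay 10 to alice", sig, GOOD_PUB))   # signer's message
    print(verify(b"pay 99 to alice", sig, GOOD_PUB))   # altered message
    print(roundtrip_failures(GOOD_PUB, GOOD_PRIV))     # sound key
    print(roundtrip_failures(BAD_PUB, BAD_PRIV))       # composite "prime"
```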
I have a site that has PKI security enabled. Each client used either a card reader to load their certificate, or the certificate is installed in the IE certificate storage on their box.
So my questions are:
- How can I use either the card reader certificate or the certificate stored on the system to verify the system?
- How do I pass the credentials onto the site to say, hey I'm me and I can access the service? The example can be using soft certificates. I can figure out the card reader part later.
I've been searching around, and I haven't come up with anything to help me in this situation. Django has a bunch of modules, but this isn't an option because I'm only concerned with the client side of things. I'm not creating a site to host the service. I need to just access these services.
I have this code working sort of. I just do not know how to handle the redirect I am getting:
import httplib
KEYFILE = r"C:\cert\my.key"
CERTFILE = r"c:\cert\my.pem"
HOSTNAME = 'machine.com'
conn = httplib.HTTPSConnection(
    HOSTNAME,
    key_file = KEYFILE,
    cert_file = CERTFILE
)
conn.putrequest('GET', '/arcgis/sharing/rest?f=json')
conn.endheaders()
response = conn.getresponse()
print response.read()
The result of all of this is:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a rel='nofollow' href="https://machine.com/pki?https://machine.com/arcgis/sharing/rest%3f&f=json">here</a>.</p>
</body></html>
Any help provided would be great!
Software specs: python 2.7.8, Windows 2012 R2
Source: (StackOverflow)
I've recently been put in charge of mocking up an Apple product (iPhone Configuration Utility) in Java. One of the sections I've been a bit stuck on is a part about Exchange ActiveSync. In there, it allows you to select a certificate from your Keychain to use as credentials for your EAS account. After some research, I found that it's actually creating a PKCS12 keystore, inserting the private key of the certificate I selected, and encoding that into XML. So far not a big deal. If I create a .p12 file with Keychain Access it uploads without a problem. But I run into a problem when I try to bring that over to Java.
Say I export one of those certs that I had used earlier with the .p12 file as a .cer file (this is what we are expecting to get in the environment). Now when I upload it into Java I get a Certificate object as follows...
KeyStore ks = java.security.KeyStore.getInstance("PKCS12");
ks.load(null, "somePassword".toCharArray());
CertificateFactory cf = CertificateFactory.getInstance("X.509", new BouncyCastleProvider());
java.security.cert.Certificate userCert = cf.generateCertificate(new FileInputStream("/Users/me/Desktop/RecentlyExportedCert.cer"));
But when I try...
ks.setCertificateEntry("SomeAlias", userCert);
I get the exception...
java.security.KeyStoreException: TrustedCertEntry not supported
So from certs I move onto keys. But with those Certificates (I got the CA Cert as well), I'm only able to access the public key, not the private. And if I attempt to add the public key like so...
java.security.cert.Certificate[] chain = {CACert};
ks.setKeyEntry("SomeAlias", userCert.getPublicKey().getEncoded(), chain);
I get...
java.security.KeyStoreException: Private key is not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: DerValue.getOctetString, not an Octet String: 3
So now I'm here. Does anyone have any idea how to get a private key from a .cer file into a PKCS12 keystore in Java? Am I even on the right track?
Thanks in advance!
Source: (StackOverflow)