https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
Anyone try something like this for their homelab? I would love to have https on all of my internal network connections and this would make it much easier
For starters, this is a new setup, and I'm completely open to switching to Linux and use openSSL or something of the like. I'm drawn to Windows Certificate Authority because there's a web GUI which will make it easy for my team to get certs for their tools.
Currently, when issuing a certificate using the "Web Server" template, they all issue WITHOUT a SAN name, which of course makes Google Chrome freak out.
I made a registry edit, from here. One of the steps is to add the attribute " san:dns=mydomain.com " to the request. Is there a way I can build that into the Web Server template? Some of the CSRs have SANs in them, but they get dropped when the certificate is generated. I'm wondering if there's a way I can maybe even pull DNS records and auto fill. Does anyone have any experience with this?
Also open to changing to OpenSSL or some other alternative, (bonus points for a web GUI). This is a new setup for us so nothing is issued yet.
I am looking for very high-level best practices for a certificate authority from a reputable source, preferably technology agnostic.
Anyone have a link?
Could you have a pilot license if had ASD (Asperger Syndrome) or to be more specific health certificate, do your country national aviation authority would know if you omitted this?
In my country, it's Poland, UrzΔ d Lotnictwa Cywilnego (ULC) Civil Aviation Authority of Republic Poland, I've always dreamed of being a pilot, although I know I can't afford it yet, it's always good to have some dreams.
But to be able to be a pilot, you first need to obtain a valid EASA ( European Union Aviation Safety Agency,) class 2 health certificate (for amateur flying PPL license) or class 1 (for professional flying (CPL license and higher)).
I read the ICAO guidelines for national airline agencies, and I was curious about Asperger, Asperger's Syndrome, it is not Down's syndrome, after all, maybe this is a bad example because no one chose to be born with a given condition, I read that on, for example, you can be a pilot with a visual impairment, if someone has spare glasses, or if someone has had a laser vision correction, I do not have a vision problem so far. :)
But when I asked in Polish and English-language discussion forums for aviation enthusiasts about such ailments as Asperger's Syndrome, someone wrote to me that in the case of psychological ailments that are not some serious psychiatric diseases, but such defects as Asperger's Syndrome, ADHD, etc I wonder if someone does not tell the whole truth, they will catch it? :-)
Hey Guys,
At the business I work for we just implemented a new 2 tier windows PKI environment which works great. We have plans to utilize this system to beef up security for our Wifi and VPN via the use of Radius. We are just about to roll out auto-enroll for all domain joined computers to get a certificate based on the default "computer" template on our issuing CA. This should allow our domain joined pc's to authenticate to radius easy enough and make management of the certs easy enough on the CA.
The part I'm stuck on is authentication relating to non domain joined IOS and Android clients. What template should be used for these devices when issuing the devices a certificate (computer or user or something else)? To keep things as simple as possible we are planning on manually generating and installing the certs on mobile devices for our company. Currently I am generating these certs based on the "computer" template in LDAP on a domain joined workstation. The issue I am having though is that the certs aren't easily distinguishable on the CA which may make management a little difficult.
How exactly we plan on using these certs is as follows:
- we (IT) generate the certificate itself on a domain joined admin workstation
- we then manually install this newly generated cert on the mobile device (IOS/Andriod)
- we would like this restricted to the MAC address of the mobile device (if possible) to prevent any security vulnerabilities
- we would like some form of distinguishing information present on the CA so we can tell all the certs apart. Currently since I am generating these certs on my domain joined pc, only my pcs information is being shown on the CA associated to the certificates that I generate. If possible I would like to be able to manually enter some piece of unique information during the creation of the certificate that allows easy differentiation between the certs.
Am I going about this properly? Can someone provide their exact CA template configuration/setup? Maybe also provide a step by step for how you guys issue these certs for mobile devices in your business?
Thanks all!
When it comes to Certificate Authorities, we hear of several famous ones like GoDaddy, ZScaler, etc. But who do CA's register with to make them an official CA? Like I heard of Let's Encrypt which basically anyone can use.
In other words, I am trying to obtain a list of legitimate CAs.
when I visit a website, I always check for the CA and although usually they are well known, there are some I never heard of before. I cannot confirm if they are legit or not.
Hello all,
I've had an iPad for a while and installed both my root and intermediate CA on it for a while. Still to this day it's working fine with iPadOS 14.4. I've also installed this CA on my old android and an old iPhone I was trying out.
I have an iPhone 12 mini right now and both the root and intermediate and verified that it's the same as the iPad in every way. But my internal websites are working with my iPad and NOT my iPhone.
When inspecting the cert that Safari it clearly shows my intermediate there but still says my cert is untrusted. From anything I can tell, my cert is being straight up ignored on my iPhone.
I've already gone over the requirements for a CA in Apple's statement and it clearly works on my iPad so I am at a loss.
Has anyone experienced this or solved this?
Thanks
My premethous url certificate is provided my aws.
How can i get the certificate details from AWS. Is there a way to bypass the certificate validation to fetch the custom metrics from premethous using premethous adapter.
Please let me know why i am facing this error. and any solutions/thoughts will be highly appriciated.
Wikipedia subsection I'm referring to. Is "list of certificates" refering to the certificate authorities that issue the certificates, or just the individual certificates itself? If the latter, why would you need to store such a list. Also, what is meant by user agent software?
Read an article on 'Lets encrypt', and it had me wondering ( I'm not an expert on Certs ) : What is the CA was infiltrated by a state level power. What could they now do? I'm not sure if my question violates the rules, if so please remove this post, but I think it's important to understand basic vulnerabilities if this is one.
I have a DC that have ADCS and want to use its certificate for another DC with another domain Is that possible?
The reason iβm doing this is that both DC have websites on them that depends on some services.
Thanks in Advance
One of my friends mentioned to me that you can simply use openSSL along with any webserver to act as a certificate authority, is something like this really possible? I've always been under the assumption that a CA was some specialized piece of software. Does it only work in some limited capacity perhaps?
Google has recently launched CAS , What do you think , will people try to use the services. Any pros /cons ?
How is a certificate authority identified? I'm thinking they are identified by their IP, but I am not sure. Maybe they use their own self signed certs?
Similarly, does a self signed cert use an IP as it's CA server? Thanks.
Google Cloud Certificate Authority Service Webinar on Nov 5th 2020
Registration Link: https://www.brighttalk.com/webcast/18359/447916
I have a DC that have ADCS and want to use its certificate for another DC with another domain Is that possible?
The reason iβm doing this is that both DC have websites on them that depends on some services.
Thanks in Advance
