Defender Firewall - Certificate revocation list (CRL) verification

It looks like by default this is set to disabled. I'd like to at least make an attempt to check the CRL.

Will the end user be notified if a CRL cannot be contacted if the option is selected for "attempt"?

Does anyone recommend enforcing this instead?

👍︎ 6
📰︎ r/Intune
👤︎ u/htu-mark
📅︎ Mar 09 2021
🚨︎ report
When using smartcard authentication, how often does an AD Domain Controller check the certificate revocation list for a revoked certificate? Is this configurable?

We're in testing phase for smartcard auth for end users and the question of card revocation if lost obviously came up. We've revoked the certificate of a test card and found that it was still able to log in. However, once we published a new CRL from the online CA and then went to each DC and forced their cached CRL to expire, the card was rejected for logon.

Our CA publishes a new CRL every 7 days, or immediately if we have to force a cert to expire and do so manually. My question is, how often do the DCs update their cached copy of the CRL? And is this setting configurable?

👍︎ 14
📰︎ r/sysadmin
📅︎ Mar 29 2019
🚨︎ report
How to list Certificate Revocation Lists with PowerShell

Hi all,

Long story short: I need to be able to list the Certificate Revocation Lists (CRLs) on a Windows Server with PowerShell, and then ideally delete some of them. I need to start by figuring out how to list them.

The location I am trying to query is accessible from MMC.exe > Certificates (Local Computer) > Intermediate Certification Authorities > Certificate Revocation List

I've tried Get-ChildItem Cert:\LocalMachine\CA\ but this only looks to list the intermediate certificates, and not the CRLs.

I'm thinking certutil.exe might be helpful but I am having a hard time finding an answer.

Anybody know the answer?

EDIT: Ideally, I am looking for a native PowerShell or Windows solution (such as certutil.exe), as I'd like to avoid using third-party PowerShell modules. I've figured out how to check the CRL Distribution Point in a local certificate using this guide. Just trying to find a way to remove old CRLs from my system now:

SOLUTION: certutil -store CA "Go Daddy Secure Certificate Authority - G2" does what I was looking to do. You can get the CRL's hash value with that previous command and then delete the CRL using certutil -delstore CA "<oldCrlHash here>"

👍︎ 3
📰︎ r/sysadmin
📅︎ Aug 22 2019
🚨︎ report
The Failure of the Certificate Revocation List (CRL)

Certificate Revocation Lists (CRL) & CAs are riddled with problems. CodeNotary simplifies everything with infinite granularity & near real time revocation.

👍︎ 2
👤︎ u/codenotary
📅︎ Apr 25 2019
🚨︎ report
ISE 2.0 and Certificate Revocation List

Anyone using ISE 2.0 and have CRL working with Microsoft CA?

In my lab and in a customer deployment I'm getting the same error.

Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.

The CRL URL works and can be downloaded in a browser.

Just thought I'd check here. Will most likely raise a TAC and give OCSP a go.

👍︎ 10
📰︎ r/networking
👤︎ u/philneil
📅︎ May 04 2016
🚨︎ report
How to disable OCSP/CRL checks for executables?

With the recent OCSP debacle on macOS, I'm surprised no-one has brought anything up about the same issue on Windows.

When running a signed EXE, Windows may perform a revocation check to see if the certificate/signature is still valid.
Is there any way to disable this behaviour (or completely disable signature checks altogether)?

I have a firewall blocking these checks from occurring, which works, but causes applications to hang when being launched as Windows waits for a timeout before giving up and proceeding.
The only solution to this I know of is to remove the signature from the applications via delcert, however this has to be applied to every executable, is somewhat tedious and I'd rather a global toggle instead of this.

Microsoft does have a page which mentions disabling Authenticode, but provides no guidance on how to do so.

👍︎ 3
📰︎ r/windows
📅︎ Dec 27 2020
🚨︎ report
MS CA Services - LDAP Location Published as a CRL Distribution Point Potentially Causing Issues

Hey all,

I am working with a partner company right now trying to get their NSX-T Manager up and running. The NSX-T Manager requires some pretty specific certificate requirements in order to accept the certificate for the management URL. One such extension is the CRL Distribution Point has to be valid. The company that I am working with has issued me a certificate and for the CRL Distribution Point they are including both an LDAP string and a standard http URL for revocation. The problem is, the NSX-T Manager either seems to ONLY be reading the first string which is the LDAP location OR the LDAP string is so long, the NSX-T Manager is bailing on reading the entire contents of the CRL Distribution extension from the certificate.

To give you an idea, the string looks like this:

  Full Name:
           URL=ldap:///CN=Company-IssuingCA1,CN=SERVERNAME,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=company-root,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=company-IssuingCA1,CN=SERVERNAME,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company-root,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint)

The NSX-T Manager spits back the error:

> Certifiate validation failed. Reason: Certificate was rejected: CRL check failed: Couldn't get LDAP context from URI ldap:///CN=Company-IssuingCA1,CN=SERVERNAME,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=company-root,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint

Notice it just kind of dies about halfway through reading the string. The company says that they need to rebuild the PKI servers to fix this but I actually think they can just temporarily remove this LDAP string from being published, issue the cert, and then add the LDAP string back to the CRL Distribution Point extension. For example:

  1. Go to the issuing server
  2. Open up Cert Authority Management Snapin
  3. Right click on the issuing server name and go to properties
  4. Navigate to the extensions tab
  5. Select the "CRL Distribution Point (CDP)" option from the drop down menu
  6. Highlight the LDAP string that's causing the issue
  7. Uncheck "Include in the CDP extension of issued certificates" box
  8. Click okay
  9. Issue the certificate
  10. Navigate back to the extensions tab under the CA Properties box
  11. Recheck the "Include in the CDP
... keep reading on reddit ➡

👍︎ 2
📰︎ r/sysadmin
👤︎ u/Khue
📅︎ Aug 20 2020
🚨︎ report
Client VPN Import Revocation list failure


I've been tasked with setting up the AWS Client VPN for our company.

We are using mutual authentication (certificates) until we get the SSO turned on.

Everything is working fine, except when trying to import the CRL to AWS.

The AWS CLI command has been deprecated so I'm using Python to accomplish this.

import boto3

client = boto3.client('ec2')

# The API expects the PEM text itself, not the file name; passing 'crl.pem'
# as the value is what produces "not in PEM format. Imported CRL: crl.pem".
with open('crl.pem') as f:
    crl_pem = f.read()

response = client.import_client_vpn_client_certificate_revocation_list(
    ClientVpnEndpointId='cvpn-endpoint-PLACEHOLDER',  # placeholder: your endpoint ID
    CertificateRevocationList=crl_pem,
)

but I get this error

botocore.exceptions.ClientError: An error occurred (InvalidParameterValue) when calling the ImportClientVpnClientCertificateRevocationList operation: The imported CRL is not in PEM format. Imported CRL: crl.pem

The CRL is created by easyrsa and should be the same format that is expected.

👍︎ 2
📰︎ r/aws
👤︎ u/broxamson
📅︎ Jun 11 2020
🚨︎ report
How do you manage large scale SSH certificate based Authentication?

I have recently been experimenting with solutions to provide large-scale SSH key based authentication management and have come to the conclusion that implementing a Certificate/Central Authority to produce SSH RSA certificates for end users is a good way to go.

This seems like a much easier way of managing 'time based' SSH sessions since certificates have validity dates, and easier management of privileges/access for external users, rather than copying users' SSH public keys to individual users' ~/.ssh/authorized_keys files on every server.

The snag I have hit is how to manage revocation (revoke) of SSH Certificates. From what I gather using a KRL (Key Revocation List) or CRL (Certificate Revocation List).

Basically I have come up with the idea of an rsync job or a file deployment via Ansible to push out a global KRL/CRL to all servers in the domain at a reasonable interval; say every 30 minutes to an hour. The global KRL/CRL will be maintained on the CA server as the single source of truth (one place to revoke and sign keys/generate certificates) and this revocation list will be read by each server's SSH daemon as a RevokedKeys file.

Has anyone else done something similar and could provide some guidance or solutions that will point me in the right direction?

I am not looking for a paid solution such as SSH.COM PrivX or FoxPass to manage remote access, but to utilize only the underlying OS and base software of Linux distributions (Ubuntu, Red Hat Enterprise Linux and CentOS).

I look forward to hearing what solutions the community have deployed.

👍︎ 94
📰︎ r/linuxadmin
👤︎ u/sysoap
📅︎ Sep 24 2019
🚨︎ report
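The design described in the post above, as an added example that is not part of the original post: a throwaway CA, a user certificate with a serial number, a KRL created and then updated in place with ssh-keygen -k, and the same ssh-keygen -Q check that sshd applies to the file named by RevokedKeys. All names and paths (demo-ssh-ca, alice, revoked_keys, the temp directory) are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the post: the KRL workflow exercised end to end
# with a throwaway CA. Every key is generated into a scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA key pair that lives on the "single source of truth" host.
ssh-keygen -q -t ed25519 -N '' -C demo-ssh-ca -f "$WORK/ca"

# 2. A user key and a short-lived certificate (serial 42) signed by the CA.
ssh-keygen -q -t ed25519 -N '' -C alice -f "$WORK/alice"
ssh-keygen -q -s "$WORK/ca" -I alice-laptop -n alice -V +8h -z 42 "$WORK/alice.pub"

# 3. Initial KRL holding one unrelated revocation (serial 7). Passing the CA's
#    public key with -s lets certificates be revoked by serial number alone,
#    without needing a copy of the certificate itself.
printf 'serial: 7\n' > "$WORK/initial.spec"
ssh-keygen -q -k -f "$WORK/revoked_keys" -s "$WORK/ca.pub" "$WORK/initial.spec"

# Exit 0 while alice's certificate is still accepted by the KRL, 1 once it is
# revoked. sshd performs the same lookup against its RevokedKeys file.
krl_status() {
    ssh-keygen -Q -f "$WORK/revoked_keys" "$WORK/alice-cert.pub" >/dev/null
}

# Revoke alice's certificate by serial and update (-u) the existing KRL in
# place; the resulting file is what the rsync/Ansible job would push out.
revoke_alice() {
    printf 'serial: 42\n' > "$WORK/revoke.spec"
    ssh-keygen -q -k -u -f "$WORK/revoked_keys" -s "$WORK/ca.pub" "$WORK/revoke.spec"
}
```

On each server the distributed file is enabled with `RevokedKeys /etc/ssh/revoked_keys` in sshd_config; revoking by serial keeps the KRL small (it stores serial ranges per CA) and means the CA host never needs to retain issued certificates just to revoke them.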
Two interesting NordVPN hack details nobody talks about

There are two interesting moments in NordVPN situation nobody talks about.

Moment #1: besides the TLS private key for * from a commercial central authority, which was used for squid and apparently for IPsec, there was also a ca.key from OpenVPN


"ca.key" file name is usually used for private key of root OpenVPN central authority. To use it, you also need to have certificate file ca.crt, but it's missing in the leak. Certificate usually could be easily obtained from OpenVPN connection establishment (it's a public file, OpenVPN sends it to the client upon connection), but current NordVPN configuration does not have certificates corresponding to the leaked ca.key.

... keep reading on reddit ➡

👍︎ 15
📰︎ r/VPN
👤︎ u/ValdikSS
📅︎ Oct 28 2019
🚨︎ report
Certificate Management

I am trying to import a .crl file into Certificates > Intermediate Certification Authorities > Certificate Revocation List. The issue I am running into is I'm not able to find a PowerShell option to push the CRL to the machine, so I am using certutil.exe to do the actual push of the cert to the store. I am looking for a better way to do this.


$Servers      = Get-Content C:\servers.txt
$copyLocation = "\\ServerName\c$\valid_crl\latest.crl"

# Runs on each remote server: delete every CRL currently held in the CA store
# for the issuing CA, then add the freshly copied one.
$scriptblock = {
    # certutil prints one "CRL Hash(sha1): xx xx ..." line per CRL in the store
    $CRL_hashes = (certutil -store CA "CRL name" | Select-String "CRL Hash") |
        ForEach-Object { ($_.Line -replace 'CRL Hash\(sha1\):', '') -replace ' ', '' }
    foreach ($hash in $CRL_hashes) { certutil -delstore CA $hash.Trim() }
    # Path must match where Copy-Item below places the file (root of E$)
    certutil -f -addstore CA "E:\latest.crl"
}

foreach ($server in $Servers) {
    Write-Output "Copying certs to $server"
    if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
        Copy-Item $copyLocation -Destination "\\$server\E$" -Force
        Write-Output "Importing certs into CA Store of $server"
        Invoke-Command -ComputerName $server -ScriptBlock $scriptblock
        # Record what the store now contains for this server
        $certname = Invoke-Command -ComputerName $server -ScriptBlock { certutil -store CA "CRL name" }
        $certname = ($certname -replace "CertUtil: -store command completed successfully.", "") -join "`n"
        Add-Content -Path "C:\Temp\CRL_Results.txt" -Value "$server;$certname"
    }
    else {
        Add-Content -Path "C:\Temp\CRL_Results.txt" -Value "$server is not online"
    }
}

Write-Output "Import of CRL file to Servers complete."

If someone has a better option for this please let me know. I am banging my head against the wall as this has now stopped working.

👍︎ 6
📰︎ r/PowerShell
📅︎ Oct 11 2019
🚨︎ report
How is someone supposed to pass Security+ 501 when literally every resource out there has conflicting, or outright incorrect information? Is this all a scam to get people to pay for the Security+ test multiple times?

This is just a small example of what I'm referring to:

I have paid money for a book of practice tests that has conflicting information. I've read the 700 page books from Amazon, I've watched Professor Messer's videos (which thus far were the most helpful) and being ready to get started, I paid for the practice exams from to test my knowledge.

Every... Single... Place... I look, there's conflicting, or outright incorrect information. For example, the practice book tells me that CACs are issued only to military personnel. (I've been a contractor in this space for 20+ years, and I and every single other contractor have a CAC). It says that you have to wipe a hard drive 7 times before the data's unrecoverable, Messer shows sources that say it's once. Which one is on the test? In the book it simultaneously talks about TACACS+ and TACACS, saying that TACACS+ uses both UDP and TCP, but then later saying ANOTHER question is answered wrong because it only uses TCP. Then it also says TACACS uses both UDP and TCP, and later says you're wrong because it only uses UDP.

And after paying for the freaking practice exams, it's just more of the same.

Here's just one example of the many such questions I "got wrong" on this test.

What's the "gotcha" here? These tests seem to be purposely designed to make people fail, and if that's the case, there's a SERIOUS problem with fraud, waste, and abuse since the DoD seems to be their primary customer.

According to OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end.

According to wikipedia: Since an OCSP response contains less data than a typical certificate revocation list (CRL), it puts less burden on network and client resources.

And these are just SOME of the MANY examples of inconsistencies, or outright false information out there across the spectrum of resources.

Is this being done on purpose? Is there some final authority where we could get the REAL answers (whether they're correct or not, I just want to pass the test and get it over with)?

The definition of "spear phishing" has changed more times than I care to count. 60% of the garbage in this test are made up acronyms and words we'

... keep reading on reddit ➡

👍︎ 2
📰︎ r/CompTIA
👤︎ u/Javin007
📅︎ Mar 26 2019
🚨︎ report
Tutanota's Decision To Use An American SSL Provider

Tutanota's Decision To Use An American Root Certification Authority

Tutanota uses a US-based X.509 TLS certificate provider (COMODO/SECTIGO) on all of its services.

As is well known, any US based company is subject to American laws and regulations and would be required to comply with orders issued by American courts, or other more private pressures.

Some questions:

  • Why did Tutanota choose an American certification authority when there are many European certification authorities with similarly wide root certification bases, including within Germany itself (example D-Trust - ?
  • Would there be technical problems created by changing the CA and using a new German/European certificate, if so, what?

I think many users would prefer Tutanota use a German Root CA provider, as one of the leading factors for many users using Tutanota in the first place is because it is based in Germany, and protected by strict German privacy laws. Tutanota likes to advertise that all of its data is stored and encrypted in Germany, yet it creates a fundamental vulnerability in its services by using an American Root Certification Authority. COMODO, the CA used by Tutanota, has issued fake/fraudulent certificates of real companies in the past, including Microsoft. There should be a solid commitment by Tutanota to find a better, more secure European Root Certification Authority.


This post has started to attract trolls. Avoid feeding them.


There have been comments that Tutamail could switch to Let's Encrypt, which might actually be worse.

Tutanota does not appear to have any plans to switch to Let's Encrypt. That narrative was advanced by a troll using unclear language posted on Tutanota's to-do list.

Tutanota now has confirmed they are indeed moving to Let's Encrypt. This is a mistake. By doing so, Tutanota is opening itself up to potential compromise if the US pressures/threatens Tutanota with certificate revocation for failure to comply with some given future demand. Tutanota would probably refuse. This would then also cause Tutanota to experience chaos during the transition to a new Root CA as its customers' pages and apps would report errors worldwide. There is also the risk that Tutanota would comply to avoid the chaos, thereby compromising the privacy of its users. This is why the best option would be to avoid a US Root CA company.

**Update 1 - Let's Encrypt U

... keep reading on reddit ➡

👍︎ 8
📰︎ r/tutanota
📅︎ Jan 10 2019
🚨︎ report
VPN server using ssh keys?

I need a VPN server solution that I can deploy on AWS and uses ssh public:private key authentication. From a brief review of the options, the standard modus operandi for a VPN server as I understand it is:

Server generates a server certificate and creates/signs client certificates

  • These certs are then distributed to clients
  • Any users whose access is to be removed subsequently have to have their certs added to a certificate revocation list

Sadly, this won't really work for me.

Use case

I need users to be authenticated against AWS IAM for a VPN service that gives them a predictable IP address for all outgoing ports and protocols, including http(s) and TCP. The reason for the ssh key based requirement is to be able to use Amazon Web Services IAM for managing user identity and access to the VPN. This is similar to the Bastion service that I recently wrote about . I have already investigated in some detail and asked on the AWS sub. About the only way that IAM users can have self service secrets accessible to a non-AWS service is via rsa ssh key because it uses a user-configurable value, managed with IAM that can be queried using AWS API calls.

Whatever solution is arrived at needs to be cross-platform at the client end, at least for macOS, Windows and Linux, and ideally for Android and iOS also.

What I have looked at so far:

  • Zerovpn (a riff on openvpn) but this uses a Linux-only Python script on the client and seems to be a very small project. I also confess that I don't really understand it.
  • StrongSwan appears to offer support for RSA key based authentication but despite being a feature for 4 years there seems to be almost no documentation for it. I have only really found this and this. The man page for just the StrongSwan config file is 2440 lines long!

Can anyone point me to an existing solution or advise on where to start? I get that VPNs are not trivial to work with but anything toward a working example using ssh would be a great help.


👍︎ 23
📰︎ r/linuxadmin
👤︎ u/jmkite
📅︎ Jul 19 2018
🚨︎ report
PNCSE Study Notes: Chapter 8: Decryption


Decryption Concepts

  • Encrypted traffic is growing every year
  • PANs can decrypt SSHv2 and SSL/TLS inbound and outbound traffic
  • SSL Establishment includes:
    • Client - requests SSL connection
    • Server - sends server public cert
    • Client - Verifies Cert
    • Client - sends encrypted session key
    • Server - begins encrypted communications session
  • When an SSL session is first established or needs to re-establish a session and rekey, this is known as PFS (Perfect Forward Secrecy)
  • The FW can act as an Outbound SSL Proxy:
    • A client initiates a session to an external server
    • The FW intercepts the connection, decrypts it, applies any security policies, re-encrypts the traffic and sends to the external server
  • The FW can perform Inbound SSL decryption (does not act as a proxy, just decrypts and inspects)
    • The internal server's certificate and private key need to be added to the PAN firewall for this to function properly
  • The FW can perform SSHv2 Proxy for both inbound and outbound SSH traffic
    • If SSH Tunneling of another application is found, the session is blocked to prevent apps from bypassing firewall rules.
  • Public Key Infrastructure (PKI) solves issue of secure identification of public keys
    • Uses digital certificates to verify public key owners (x.509 format)
    • Typical PKI components include:
      • Root CA: Provides services that confirm identity and public keys to people and companies.
      • Intermediate CA: Certified by a Root CA, and will issue certificates; has a DB that will issue, revoke certs and stores CSRs
      • Device has the certificate and private keys. They maintain a list of trusted CAs, and can be updated by admins or by system updates.
    • Certificate Chain starts with the device and ends with the Root CA. As long as there is a Root CA in the chain, the certificate can be checked as valid (or revoked).
    • Certificate Hashes can be validated to confirm that it hasn't been intercepted and altered.
  • Firewalls can use certificates for many purposes:
    • SSL/TLS
    • MGT Interface User Auth
    • Global Protect: Portal Auth, Gateway Auth, Mobile Security Manager Auth
    • Captive Portal User Auth
    • IPSec VPN IKE Auth
    • HA Auth
    • Secure Syslog Auth
  • All Certificates in a chain must be checked and validated before an SSL session is permitted
  • Checking a Certificate includes:
    • Is the signature valid
    • Is the date range valid
    • Is it intact/not malformed?
    • Has the
... keep reading on reddit ➡

👍︎ 13
👤︎ u/rushaz
📅︎ Sep 04 2018
🚨︎ report
Issues with certificates and revocation server

Hello! If this isn't the right place for this please let me know!

Win 7. I have spent countless hours trying to figure out what's going on.


I have a cloud based backup provider. Out of the blue, their local application stops working. I've gone back and forth with them via email for over a week now trying to figure out what's going on.

I'm getting the following errors in event viewer:


The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The SSL connection request has failed. The attached data contains the server certificate.


The revocation function was unable to check revocation because the revocation server was offline.

I initially thought this was limited to the local app for the backup but I turned logging on for CAPI2 and there are a whole bunch of these errors for a number of programs.

I've tried to disable Certificate Revocation List checking in internet options (Server & Publisher). I've disabled antivirus, antimalware, and firewall.

The customer service for the cloud backup hasn't been very helpful but they've tried. They have no idea what's going on.

Does anyone have any suggestions?

👍︎ 2
👤︎ u/xmonster
📅︎ Dec 19 2018
🚨︎ report
CCNA-Security Acronyms


I just wrote up this quick list of some of the Acronyms I'm seeing as I'm studying for CCNA-Sec. Thought sharing here may be helpful for anyone just starting down this road. I'm about to take my test, so just wanted to share this tidbit of learning experience.

  • AAA Authentication, Authorization, Accounting

  • ACE Application Control Engine

  • ACE Application Control Entry

  • ACS Access Control System

  • AH Authentication Header

  • APIC Application Policy Infrastructure Controller

  • ASA Adaptive Security Appliance

  • ASR Aggregation Services Router

  • AVC Application and Visibility Control

  • BPDU Bridge Protocol Data Unit

  • CASE Context Adaptive Scanning Engine

  • CBAC Context Based Access Control

  • CCP Cisco Configuration Professional

  • CES Cisco Email Security

  • CLI Command Line Interface

  • CMX Connected Mobile Experience

  • CoPP Control Plane Policing

  • CPPr Control Plane Protection

  • CRL Certificate Revocation List

  • CRM Customer Relationship Management

  • CSA Cisco Security Agent

  • CSM Cisco Security Manager

  • CSR Cloud Services Router

  • CTA Cisco Trust Agent

  • CTI Computer Telephony Integration

  • CWS Cloud Web Security

  • DAI Dynamic ARP Inspection

  • DAP Dynamic Access Policy

  • DART Diagnostics And Reporting Tool

  • DCA Dynamic Content Analysis

  • DCOM Distributed Component Object Model

  • DES Data Encryption Standard

  • DLP Data Loss Prevention

  • DPD Dead Peer Detection

  • DSA Digital Signature Algorithm

  • DTLS Datagram Transport Layer Security

  • DTP Dynamic Trunking Protocol

  • EAP-FAST Extensible Authentication Protocol via Flexible Authentication via Secure Tunneling

  • EAP-TLS Extensible Authentication Protocol - Transport Layer Security

  • ECMP Equal-Cost Multipath

  • EEM Embedded Event Management

  • ESA Email Security Appliance

  • ESP Encapsulating Security Protocol

  • FED Forged Email Detection

  • FLOSS Free/Libre Open Source Software

  • GRE Generic Routing Encapsulation

  • HMAC Hashed Message Authentication Codes

  • ICAP Internet Content Adaptation Protocol

  • ICS Industrial Control System

  • IDM IPS Device Manager

  • IDS Intrusion Detection System

  • IETF Internet Engineering Task Force

  • IGMP Internet Group Management Protocol

  • IKE Internet Key Exchange

  • IME IPS Manager Express

  • IPA India Pale Ale

  • IPS Intrusion Prevention System

  • ISAKMP Internet Security As

... keep reading on reddit ➡

👍︎ 13
📰︎ r/ccna
📅︎ Apr 13 2018
🚨︎ report
2017 Working Setup for Synology (DSM 6.1) with PIA VPN + Plex (w/ Remote Access)

Made a reddit account to post this and hopefully help someone out who was in the same situation I was in. Finally took the plunge and got a NAS for my movies / shows, document backup, etc. Never had any experience with them prior.

My Setup: Synology DS916+ (DSM 6.1) 4x 4TB WD Red Drives

The setup I was looking to do was remotely log into the nas and tell it which torrents to download (Behind my PIA VPN). I wanted it to automatically add them to Plex so I could view the movies and shows remotely. Wanted to share my setup because I saw countless posts here on Reddit other forums with people looking to do part or all of the same setup.

Found the info needed in various places but never saw it all in one place for the PIA VPN (for torrents) / Plex (w/ remote access) setup. Will cite them below to give the others credit.

Setting up PIA on the Synology NAS

First I tried to get the PIA VPN set up on the NAS and still allow for remote access into the NAS.

  • Download the OVPN Configuration Files from the PIA website and unzip:
  • Use the Synology box's web interface to open Control Panel - Network - Network Interface
  • Click on the Create button and choose "Create VPN profile"
  • Choose "OpenVPN (via importing a .ovpn file)" and click Next
  • In the next box, fill in the fields as follows....

Profile Name: Anything you choose, you can edit it later

User Name: Your PIA user name

Password: Your PIA password

Import .ovpn file: click the Browse button and navigate to the location of the unzipped PIA OVPN Configuration Files. Choose the file corresponding to your desired server location, in my case "CA Toronto.ovpn". READ STEPS BELOW IF YOU PLAN TO USE PLEX WITH REMOTE ACCESS.

CA certificate: click the Browse button and choose the .crt file included in the PIA OVPN Configuration Files, in my case "ca.rsa.2048.crt"

  • Click on "Advanced options" to unhide the next group of fields
    • Certificate Revocation List: click the Browse button and choose the .pem file included in the PIA OVPN Configuration Files, in my case "crl.rsa.2048.pem"
  • Leave the other fields blank
  • Click "Next"
  • Specify your advanced settings on the next page: I checked "Use default gateway on remote network" and "Reconnect when the VPN connection is lost"
  • Click "Apply"
  • A new VPN with your Profile Name will appear on the Network Interface tab. Click on this profile and choose connect to test your new connection. You s
... keep reading on reddit ➡

👍︎ 38
📰︎ r/synology
👤︎ u/TM2017ac
📅︎ Aug 05 2017
🚨︎ report
Hello for Business and Hybrid Key Trust Deployment, about the PKI and CRL

I got this working. What I have:

- 2016 Domain Controllers (all of them)

- Azure AD Connect, latest, password sync and seamless SSO

- Hybrid joined computers and users

- PKI for DC Kerberos Certificates

- Windows 10 1803

I had an issue with PIN login not working but found out that it was most likely because web-based CRL distribution wasn't working. When I brought the CRL up to date, PIN login started to work immediately. Microsoft's manual says:

  • Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.

The question is, in which cases does the device try to reach the CRL? Only when logging into a domain controller or also outside of the network? I have published the CRL only in the internal network. PIN login seems to work also outside of the network, but a few times it has refused to log in.

👍︎ 3
📰︎ r/sysadmin
👤︎ u/finobi
📅︎ Oct 11 2018
🚨︎ report
DNS Configuration for CRL checks?

I am curious what those of you who work in Dark Networks (zero access to the internet) do for certificate revocation list lookups. What I have done in the past is to create empty authoritative zones for,, etc so that the CRL lookups fail fast and the application continues on with little delay. Another option is to let all systems go to the internet (probably not going to happen here) or possibly allow CRL lookups via proxy server (not sure if it's even possible).

Anyway, how do you guys handle this? Thanks!

👍︎ 2
📰︎ r/sysadmin
👤︎ u/14seconds
📅︎ Sep 24 2018
🚨︎ report
PIVPN Stopped working - answer

Well I found the solution for me - hopefully it helps you too!

Found that /var/log/openvpn.log on the RPi had the line "VERIFY ERROR: depth=0, error=CRL has expired". Searching that gave several results saying to regenerate the Certificate Revocation List, but I couldn't find how to do this with pivpn.

Found this workaround and it worked: use pivpn to add a new user, then revoke the user - the revoke output notes that it regenerates the CRL. I was then able to connect again straightaway :)

👍︎ 2
📰︎ r/OpenVPN
📅︎ Nov 14 2018
🚨︎ report
1702 and Cross-Forest PKI

We're currently working on moving our previous 2012 R2 install of SCCM over to Current Branch. I'm having trouble with getting cross-forest Server 2008 SP2 (non-R2) clients pointed to our new install. All of the Server 2016, 2012/2012 R2, and 2008 R2 clients for the most part appear to be cooperating in this forest - there is a two-way forest trust between SCCM's forest and the client forest.

However, every 2008 SP2 machine in this forest is giving me the following error when trying to get it connected to SCCM:


My searching indicates this is something to do with the certificate revocation list, but as I mentioned, this is working properly for all the other machines so far. 2008 SP2 machines in the same forest as the SCCM server have no issues either. Both forests do have their own certificate authority, though the SCCM server's forest is the root and has the older forest set up as an intermediate authority, so the cert chain looks like this:




The machines in question are showing connected via Intranet and many of them sit in the same layer 3 subnet as machines in and other 2012+ servers in Any thoughts on why this particular configuration is causing issues? 2008 SP2 should still be supported on Current Branch from what I can see.


👍︎ 2
📰︎ r/SCCM
👤︎ u/Ghan_04
📅︎ Oct 06 2017
🚨︎ report
Why x.509 PKI does not allow you to revoke a keypair?

As far as I have understood, with x.509 you can only revoke certificates, but you cannot revoke public-private keypairs. As a consequence, if a private key of a CA gets leaked, the CA itself cannot issue a statement "I have been compromised - do not trust anything signed with this key." to the end-hosts (e.g. browsers). Normally, this is not a problem because a compromised certificate can be added to a certificate revocation list, which is usually signed with a key higher in the trust hierarchy.

As far as I can see, this may be a problem if a root certificate is compromised. Because a root certificate is self-signed and trusted a priori, it cannot be revoked. Instead, the organization managing the root CA must individually contact all root CA distributors, ask them to remove trust in that certificate, and then wait for the software updates to take place. All this takes time. I see no reason why the root CA should not be able to revoke its own keypair (instead of the certificate), for example with a mechanism comparable to certificate revocation lists. That is, why does x.509 not allow the root CA to directly inform the end hosts that the keypair should no longer be trusted?

Am I missing something here?

👍︎ 4
📰︎ r/crypto
👤︎ u/fobobar
📅︎ Dec 28 2016
🚨︎ report
Revocation of client side certificates in docker

I'm trying to use client side certificates to access the docker daemon. Although it is possible for me to start the docker daemon with a specific CA and the tlsverify option, I can't find a way to manage the revocation of client side certificates. In other TLS enabled services, you can often configure a CRL (certificate revocation list) or OCSP (online certificate status protocol). How can I configure CRL or OCSP, or revoke client certificates without it?

👍︎ 4
📰︎ r/docker
📅︎ Jan 19 2018
🚨︎ report
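Both the r/crypto question (why a compromised key pair cannot itself be revoked) and the r/docker question (how a TLS server can honour a CRL for client certificates) come down to the same two facts: a CRL lists certificate serial numbers, not public keys, and a server only rejects a revoked client if something in its verification path actually consults the CRL. The Go program below is an added example, not code from either thread, from Docker, or from any CA product; it uses only the standard library (crypto/x509 with ParseRevocationList, so Go 1.19 or later), builds a constructed throwaway CA, issues two client certificates for the same key pair, revokes one of them by serial, and wires a CRL check into the kind of VerifyPeerCertificate callback a Go TLS server can install, because Go's tls package does not consult CRLs on its own. All names, serials and keys are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the demo reads linearly; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert signs a certificate for pub with signer. With parent == nil it self-signs
// a CA allowed to sign certificates and CRLs; otherwise it issues a leaf certificate.
func issueCert(parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("demo-%d", serial)}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueCRL publishes a CA-signed CRL listing the revoked serials: serial numbers, never public keys.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(7 * 24 * time.Hour),
	}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// crlVerifier returns a tls.Config.VerifyPeerCertificate callback. With ClientAuth set to
// RequireAndVerifyClientCert it runs after chain validation and checks the validated leaf
// against the CRL, failing closed whenever the CRL itself cannot be trusted.
func crlVerifier(ca *x509.Certificate, crl *x509.RevocationList) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if err := crl.CheckSignatureFrom(ca); err != nil {
			return fmt.Errorf("refusing client: CRL not signed by our CA: %w", err)
		}
		if time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("refusing client: CRL stale since %s", crl.NextUpdate)
		}
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return fmt.Errorf("refusing client: no verified certificate chain")
		}
		leaf := verifiedChains[0][0]
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("refusing client: certificate serial %s is revoked", leaf.SerialNumber)
			}
		}
		return nil
	}
}

// demo issues serials 2 and 3 for the SAME client key pair, revokes serial 2, and reports
// whether the verifier accepts each, plus whether a client with no verified chain gets in.
func demo() (revokedAccepted, sameKeyAccepted, noChainAccepted bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := must(issueCert(nil, caKey, 1, &caKey.PublicKey))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	c2 := must(issueCert(ca, caKey, 2, &clientKey.PublicKey)) // will be revoked
	c3 := must(issueCert(ca, caKey, 3, &clientKey.PublicKey)) // same key pair, new serial
	verify := crlVerifier(ca, must(issueCRL(ca, caKey, 2)))
	chain := func(c *x509.Certificate) [][]*x509.Certificate { return [][]*x509.Certificate{{c, ca}} }
	return verify(nil, chain(c2)) == nil, verify(nil, chain(c3)) == nil, verify(nil, nil) == nil
}

func main() {
	fmt.Println(demo()) // prints: false true false
}
```

The CRL entry is matched by serial number, so the certificate with serial 3, issued over the very same public key as the revoked serial 2, is still accepted; that is the certificate-versus-keypair gap the r/crypto question describes, and the only remedy is to revoke every certificate issued for that key. For a Go TLS server you control, installing the returned callback in tls.Config.VerifyPeerCertificate with ClientAuth set to tls.RequireAndVerifyClientCert is one way to enforce a CRL on client certificates; note that the verifier refuses every client once the CRL passes its NextUpdate, so the server has to reload a fresh CRL before then.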
[debian jessie - puppet 3.7] installation of apt package fails

Hi guys!

I just got started with puppet 3.7 on debian jessie. My current state is I have a puppetmaster and one puppet node (both sporting debian-jessie).

I successfully deployed the ntp package to the node with my customized /etc/ntp.conf.

Next, I want to be able to install any package available via the apt repository on the machine, but I am failing hard :-/ My understanding is that adding

package { 'curl':
  ensure   => 'installed',
  provider => 'apt',
}

to my manifest file will trigger the curl installation via apt. I managed to produce an error message which shows me what puppet is trying to do in the background:

Error: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install gjsdfklgjar' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package gjsdfklgjar
Error: /Stage[main]/Main/Package[gjsdfklgjar]/ensure: change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install gjsdfklgjar' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package gjsdfklgjar

so this looks about right because I can successfully paste

/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install curl

into the node's shell and install the package.

So why does the manifest statement fail and not install curl (in this case)?

Thanks in advance!

edit: have a logfile:

[email protected]<workstation>:~$ puppet agent -t -v -d 
Debug: Using settings: adding file resource 'confdir': 'File[/etc/puppet]{:path=>"/etc/puppet", :ensure=>:directory, :loglevel=>:debug, :links=>:follow, :backup=>false}'
Debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/uuidgen does not exist
Debug: Puppet::Type::User::ProviderPw: file pw does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
Debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
Debug: /User[puppet]: Provider useradd does not support features libuser; not managing attribute forcelocal
Debug: Puppet::Type::Group::ProviderDirectoryservice: file /usr/bin/dscl does not exist
Debug: Puppet::Type::Group::ProviderPw: file pw does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
... keep reading on reddit ➡

👍︎ 2
📰︎ r/Puppet
👤︎ u/renser
📅︎ Apr 28 2016
🚨︎ report
Automate copying files from a Cisco router


I'm interested in the strategies you use for securely copying files from a router to a fileserver.

This specific case relates to publishing certificate revocation lists from an IOS CA server, but I imagine it could apply to any router-initiated copy.

What are the options?

The best I've got so far is something like this:

crypto pki server BLAH
 database url crl publish scp://fileserver/path username whatever password 7 113C2B0F181902020318222320276A

It's okay, but I don't love it. I'd much rather have this operation authenticated using a non-exportable key, rather than an easily-reversible type 7 password.

Does the SSH client implementation on IOS support the use of RSA keys?

Is there a better way to ship data out of a router?

👍︎ 2
📰︎ r/networking
👤︎ u/kWV0XhdO
📅︎ Jan 15 2015
🚨︎ report
Chromium "trash talk"?

Below are 3 links to screen shots, most recent first.

  • None of these Chromium connections were affected by my active browsing; all occurred in the background.
  • The most recent connections (first 2 links) are to valid web sites.
  • The earlier connection -attempts(?)- are invalid; at least they appear to be invalid, and did not respond to ping attempts.

So questions, please:

  1. Could some of the valid connections be some sort of Chromium-internal "favorites" that help sponsor the Chromium development? Also perhaps they simply download, for example, the latest Amazon site graphic?

  2. I'm guessing some of the other valid connections were referenced earlier by Dev: (In "questions about chrome", Dev noted: "...It does connect to Google servers to fetch some stuff, but it's not sending information. For example, CRLSets (certificate revocation lists) are downloaded from Google, although that's not currently enabled for Android Chrome to conserve bandwidth. There are other examples, but I'm not sure how many are even relevant to Android where it delegates more stuff to the OS and Play unlike how it works in the desktop build (i.e. the code is there but a lot isn't used on Android)...") The "X" indicates that I've blocked the contact attempts, but I guess that if it is eventually used, I should then unblock/allow the CRLSet connection..... err, which one is that, please?

  3. Could the invalid connection attempts - the early, "trash" links - be elicited by the ROM/OS and not originating within Chromium? Other than possibly drawing unwanted attention on a LAN, are these either harmful or possibly symptomatic of a loose screw in the OS?

Thanks in advance

👍︎ 2
📅︎ Dec 09 2016
🚨︎ report
A new update to Fossa Guard S/MIME extension for GMail and Chrome


Since the last time I wrote here, we have developed additional features and enhancements for Fossa Guard, the S/MIME Chrome extension. This extension allows users to exchange signed and encrypted e-mails.

If you remember, Fossa Guard has a dedicated Compose and View dialog. We decided to develop it at the very beginning, because the GMail built-in dialog auto-saves e-mail drafts to the Google cloud, and that is not right for secure mail exchange. The newest version of Fossa Guard makes this dialog more comfortable to use, and now users may send S/MIME messages not only to the people in "To:", but also to the people in "Cc:" and "Bcc:". As a consequence, the "Reply to All" button is available.

Another enhancement we made recently allows users to add digital certificates (mostly certificates of CAs) to the trusted store. When an S/MIME message is received and Fossa Guard does not trust its sender, it is now possible to select, via the UI, a certificate to be added to the list of trusted certificates. Of course, be careful and add only verified certificates; for that purpose you may audit each field of the certificate with your own eyes.

A new video is available demonstrating the features above.

The server side (Certification Authority) that supports the functionality of the Fossa Guard S/MIME extension is also evolving. As you may know, private keys used to sign S/MIME messages may sometimes be lost or stolen. For that reason, we introduced initial support for CRLs (Certificate Revocation Lists) on our CA. It is now possible to revoke an S/MIME certificate if you feel that it can no longer be trusted. Fossa Guard itself does not yet support CRLs, but this feature is on our road map and will be available soon.

Our major goal is also to make the process of managing S/MIME certificates as simple as possible. Right now, if your certificate expires, you need to start a manual enrollment process for a new S/MIME certificate. Of course it works, but it could be much simpler than it is today. Our short-term plans include a feature called "S/MIME certificate automatic re-enrollment"; it will allow our users not to think about certificate expiration, as everything will be done automatically and securely by Fossa Guard itself.

We (Fossa Team) hope that

... keep reading on reddit ➡

👍︎ 13
📰︎ r/chrome
👤︎ u/tysonite_
📅︎ Sep 16 2016
🚨︎ report
Mullvad OpenVPN HOWTO

From the Linux config file, comment out the resolvconf-related lines:

# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

From ca.crt:

  • remove every line before -----BEGIN CERTIFICATE-----

Create a new VPN profile, selecting "OpenVPN with configuration file":

  • Fill in the profile name
  • Import the previously edited Linux configuration file. DO NOT ADD THE CA CERTIFICATE here; it will not work from there!

Once the profile is created, edit it:

  • click on import CA and expand the advanced options
  • import ca.crt as the CA certificate
  • import mullvad.crt as the client certificate
  • import mullvad.key as the key certificate
  • import crl.pem as the certificate revocation list

Note there is no login or password; leave these fields blank.

👍︎ 7
📰︎ r/synology
👤︎ u/davlord
📅︎ Jan 20 2017
🚨︎ report