For context, I need to use a client certificate that is stored as a user credential using keychain.getcertificatechain
I'm able to get the certificate, but it is a Java X509 cert.
I somehow need to attach that client cert to the request to the API using a client handler or Android handler.
This is not an embedded cert. It is stored as a user credential.
It’s a real brain burner.
First of all, I am not expecting anyone to do it for me, I just need a little push.
My professor gave me an assignment and I have to encrypt a message back to him with the public key. He sent his certificate and I have to extract his public key from the certificate in order to encrypt the message and send it back to him. This is quite literally the last step of the assignment and I'm lost.
He does say we might have to search online for how to do it, but just about every possible answer I found online comes up empty or returns an error code.
Any help would be GREATLY appreciated :)
I found it very difficult to find any code examples on how to convert the X509 certificates in Windows certificate store to the OpenSSH format for public key authentication through SSH. All the examples I found online required either manual intervention, like Pageant, or OpenSSL and SSH-KeyGen which I could not guarantee were on all the client workstations. As such, I dug through documentation and browsed a bunch of MS docs on classes and their methods to come up with the code which I posted to GitHub to share.
I posted it in case anyone else ever needs to either use the functions or see a way in code to accomplish the transition from an X509Certificate2 object in .NET to the OpenSSH public key.
I have also created a basic ASN.1 parser that I may post on there in the future to convert the full .cer data, but I have not completely analyzed the .cer structure to determine the location of the modulus and exponent required. This parser would allow for the inclusion of ECDsa and ED25519 certs as well I believe; so if you have that requirement let me know and I may be able to assist.
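The OpenSSH wire format that post is converting into is small enough to show end to end. The block below is an added example, not the author's GitHub code: it encodes an RSA public key (public exponent e, modulus n) into an `authorized_keys`-style `ssh-rsa` line per RFC 4253/4251 and parses it back, using only the Python standard library and constructed key numbers. Pulling e and n out of a real certificate is assumed to happen elsewhere (in .NET via `RSA.ExportParameters`, or in Python via the `cryptography` package's `public_numbers()`).

```python
import base64
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a leading 0x00 is
    required when the top bit of the first byte is set (almost always true
    for an RSA modulus). Getting this byte wrong is the classic bug in
    hand-rolled converters: sshd silently rejects the key."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_to_openssh(exponent: int, modulus: int, comment: str = "") -> str:
    """Build the 'ssh-rsa <base64 blob> [comment]' line sshd expects."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def openssh_to_rsa(line: str) -> Tuple[int, int]:
    """Parse an ssh-rsa line back to (e, n), checking the type tag and
    that exactly three length-prefixed fields are present."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields: List[bytes] = []
    off = 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


# Constructed sample numbers (not a real key): top bit of n set on purpose.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001
```

Every e=65537 key produced this way starts with the familiar `ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB` prefix, which is a quick sanity check when comparing against `ssh-keygen` output.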
Is it possible to pin certificates or (preferably) public keys on the OS/library level? On a Linux system many applications make use of OpenSSL and hence go through the certs in /etc/openssl/
Some applications like curl provide options for pinning, however, others don't. Also I am not 100% sure if these options are application specific or rely on some function of e.g. the openssl library.
As an example, would it be possible to just put the certificate of a single or multiple websites you want to connect to under /etc/openssl/certs/ and only these websites would work in this case without certificate error?
I haven't been able to find a way to extract all the information related to the Public SSL Certificate that AWS ACM issued to us for free. Is it even possible?
If not, does that mean that obtaining Public SSL Certificates from AWS is equivalent to a "vendor lockdown": if we wanted to move out of AWS, we would have to obtain new certificates?
(While we're here, what is the difference between a Private Certificate and a Public Certificate? Because their documentation shows how to extract the Private Key using a Private Certificate's ARN, but not a Public one... Seems to me like a Private Certificate is issued through one of AWS Private CA, which are rather costly.)
I understand at a high level how digital signatures work but I don't understand how the security aspect of it works. The image in Wikipedia is a good reference: https://en.wikipedia.org/wiki/Digital_signature#/media/File:Illustration_of_digital_signature.svg
In order for Bob to know that Alice signed the message, he needs to have Alice's public key beforehand. But how does Bob know that Alice's public key is authentic? If he received the public key from Alice, it's no more trustworthy than any message that Bob thinks he's receiving from Alice. Where would Bob receive this public key in a real life scenario in a way that he is guaranteed to know that it belongs to Alice?
The public key certificate can be found on the left-hand side of the website name? Location tree: padlock > certificate (valid) > details > public key
I have written a blog post on how to use SSH certificates to authenticate with servers instead of public key authentication. Hope you find it useful.
Hey, I've googled this many times and every time, the answer that has come up has been no.
But recently I stumbled upon a GitHub post about this, and I'm no GitHub expert, but it looks like the necessary changes to the certbot code have been made to support this.
So can you renew a cert with the same public key? Is it actually possible? I don't have the GitHub post at hand, but it looked like the feature is there to be used when I looked at the feature request on GitHub.
If this feature doesn't exist, is it possible to use some other client to renew my certbot-made Let's Encrypt cert with the same public key? If so, what should I use and how?
EDIT: There is a --reuse-key flag in certbot renew, which should do exactly this. Does it work? Sounds retarded to ask that, but everywhere it reads that you can't reuse the key with certbot.
Thanks a million in advance and happy new year to everybody!
The classic example:
Alice sends message to Bob. Alice uses Bob’s public key to encrypt the message, and Bob uses his private key to decrypt the message.
Where do digital certificates come into play here?
I haven't lost my private key, nor my revocation certificate, but I cannot revoke my key no matter how hard I try. The reason I want to do this is because I didn't do 4096 bit encryption like I meant to. I uploaded my public key to MIT's servers and it was only then when I searched my name to see if it uploaded correctly did I see my mistake.
I have been trying to upload the revocation certificate on their website but I keep getting an error that says "Add failed: This is a stand-alone revocation certificate. A revocation certificates should be imported to the respective public key before being published to a keyserver".
I've tried googling solutions for hours but most answers require a unix-based system (such as ubuntu etc.) and I lazily used Windows 10 and Kleopatra. I tried revoking it via Kleopatra, but much like when I tried to upload from the software program, revocation doesn't seem to work either -- I have no idea why it won't communicate with servers.
Long story short. I just want to know what I'm not doing right. I'm so exhausted. It's 3 A.M. and I've about given up. I will answer any questions if I accidentally left anything pertinent out. I'm just unable to think straight at the moment.
Tried revoking my public key with a revocation certificate on MIT's key servers. All I'm getting is a "Add failed: This is a stand-alone revocation certificate. A revocation certificates should be imported to the respective public key before being published to a keyserver" error.
I'd like to print the public key of a certificate located in the context "LocalMachine" in the certificate store "CA" but I cannot find a way to do this using powershell; I'm impossibly new to powershell and how it works with local certificate stores (I'm used to openssl and actual certificate files).
Any assistance would be appreciated. Ideally, I want to print the public key to the console but writing to a file would work as well.
Hi, newbie here. From a high level, if we have a vendor who has a server in our Corp network but behind a firewall, when they set up SSL certificates on the server and register with a CA, from the workstation within our Corp network to view, who provides the public key or certificate? I assume it won't just automatically be imported in the browser when the CA approves, right? So does the vendor provide that to us?
Second question relating to the same setup is, alternatively, instead of the vendor setting up their own certificate, our corporate admins can set up our internal certificates too, is this correct? If so, which method is better from our corporate IT security point of view: have the vendor set up SSL certificates or our own corporate SSL certificates?
I was looking into the crypto module on Windows and I noticed that the Windows certificate storage and X509Certificate modules in .NET force you to leak public AND private key data into the certificate store even if you only want things to be in memory. Why is this? What makes the Windows certificate store so secure?
Consider public key servers for GPG keys. If their certificate authority is willing to issue a second certificate for that domain to a government entity which is capable of proxying connections to that site at the NAPs then the SSL encryption on the connection to that server is compromised. It then becomes possible for the middle man to replace the public key requested with one that they have the private key for.
Is there any way this can be mitigated without some sort of entirely offline verification of the public key?
I'm sick of not really understanding this concept. I've generated numerous certificates and keys for Apache and postfix and a few others, but every time I've just googled the problem and followed the instructions I found.
Can anybody recommend a simple tutorial?
What's the deal with Certificate Authorities (CA)? If I don't get one from an issuer, can I create one for self-signing and use it for everything or do I need to create a new one for each use?
Where do I put the keys? Why must every Linux app and web tutorial put them someplace different? Is there a "best-practices" location for keys and certs?
And while I'm at it, which encryption method is "good enough"? RSA?
Oh, and a video would be awesome, but any help would be appreciated.
Update: some clarification from a comment below:
>I want a method that I can repeat over and over enough times that I can remember how to do it without looking it up. Lots of websites have great tutorials - but I get thrown off because sometimes a page recommends RSA and sometimes I see DES. Sometimes they say to put your keys in /etc/<appname>/ssl and sometimes they say to put them in /etc/pki. I get asymmetric keys, but the certificate authority is confusing me. Sometimes there's a .crt file, a .key file and a .pem file. Sometimes it's a .csr, a .crt and a .key file. When do I use which one?
>I guess that's why I was looking for a video or something super simple. I can do (and have done) all of these, but I never know which to do under which circumstance.
I’m learning how to use keytool to generate a certificate from the Oracle guide. The part that I don’t understand is it says after running the command keytool -genkey, it creates a public/private key. Where is the public/private key? Can someone tell me explicitly what and where the public/private keys are? The only part I understand is after running the command, it creates an entry in the keystore…
At any point, please correct me if I am wrong. A large portion of this is speculative. I also apologize if this isn't the best subreddit for asking this question.
I've been stumbling around trying to get hold of a copy of the TrueCrypt public PGP key, but I don't have a web of trust for PGP as I've never used PGP. So I can get the key, but I can't easily verify it... I saw that the link for downloading the key from their site uses HTTPS, and thought that I could use that (their SSL cert) to bootstrap my confidence in their PGP key. Unfortunately, Firefox and Google Chrome don't seem to be able to verify the certificate (or something). Firefox is able to verify another TrueCrypt page that uses HTTPS, however, that at least appears to use the same certificate chain.
I posted the details of what I found in the comments of an r/linux4noobs thread before it petered out.
The link in question is: https://www.truecrypt.org/download/TrueCrypt-Foundation-Public-Key.asc. Perhaps the problem is somehow related to the MIME type being inferred as application/octet-stream? I'm really shooting in the dark; any suggestions are welcome.
Thanks in advance.
Here's my understanding of a client - server communication over SSL:
The client will make a request to the server to communicate over SSL.
The client must be able to prove its identity so the server can trust it. So prior to the initial request, the client:
a) Generates a certificate containing its information
b) Client makes a certificate signing request to a Certificate Authority (CA). A CA is an entity that is trusted to verify identities.
c) The CA uses a private key to encrypt the CA's signature and signs the client's certificate with the encrypted signature.
d) The CA provides the certificate and public key freely.
Please tell me if something is wrong or out of order with these steps. There's a lot of information online, but a lot of it doesn't seem to provide full detail.
I also have some questions: