Images, posts & videos related to "Root certificate"
Otherwise, how can they consider my CA valid?
I found many cPanel servers when accessed though the IP on port 443 the root certs are self signed and one was even the name of an FBI agent. Any ideas why?
https://censys.io/certificates?q=cpcalendars+AND+tags.raw%3A+%22self-signed%22
Hello Folks,
We have been lately trying to provide support to run our application in non-root containers as well. We need the ability to let admin users add CA certificates to our trust bundle inside POD. This was basically done the traditional way of putting the new cert under /usr/local/share/ca-certificates and then running "update-ca-certificates" command.
Now, in non-root user mode, we cannot give sudo privileges to the user, and thus "update-ca-certificates" fails with a permission issue because it cannot update the CA certificates under the /etc/ssl/certs path.
Any idea how we can continue supporting this feature while keeping the security intact?
/etc/ssl/certs has lots of certificates already as part of OS distribution. So it doesn't really make sense for me to package it as part of helm distribution and expose the path as configMap.
UPDATE:
Thank you all. What I ended up doing is similar to what IUseRhetoric suggested:
I'm a developer and not very knowledgeable in this area, so please excuse my ignorance.
I'm working on an integration with a clients application where SSL seems to be failing after the client updated their certificate for their development environment. Curl returns errors relating to `Unable to locally verify the issuer's authority.`. I have confirmed the new certificate is valid.
After some digging I have discovered that the new certificate is a chain certificate and there is no root certificate in the chain. Here's the service the client is using, I'll use the terms on this page to hopefully better describe the situation: https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads
Running `openssl s_client -showcerts -servername xxx` on the development environment I can only see certificates of type `L1K` (according to Entrust this is their G2 chain cert). Checking the trusted CA bundle on my server (`ca-bundle.trust.crt`) I cannot see any L1K type certificates for Entrust, only G2, etc. After adding the L1K certificate to my `ca-bundle.trust.crt` file the request completes successfully.
Running `openssl s_client -showcerts -servername xxx` on the production environment I can see certificates of type `L1K` AND `G2`. All requests to the clients production server work successfully.
So to the question: is something misconfigured on the client's side, and should their certificate chain contain a root CA cert (in this case, an Entrust G2 cert)? Or do I need to ensure the L1K cert is added to all my environments that integrate with the client?
My gut feeling is that it's a configuration issue on the clients end otherwise my `ca-bundle.trust.crt` would contain the L1K cert as well as the G2 cert.
EDIT: Thanks for all the comments, much appreciated.
Last EDIT: The client (this was confusing wording; I should have said server) seemed to have misconfigured their certificate chain. They did some things on their end and it appears to be working now. Good learning experience!
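The chain walk this post runs into, as an added example in Python (it is not code from the post, from Entrust or from OpenSSL): it parses the `s:`/`i:` lines that `openssl s_client -showcerts` prints before each certificate, then checks depth by depth whether each certificate's issuer is a trust anchor or the next certificate the server sent. The leaf name, the Entrust L1K and G2 subject names, the PEM bodies and the trust-store contents are constructed sample data, and trust anchors are matched by subject name only, a simplification of the real key-and-signature check.

```python
import re
from dataclasses import dataclass

# Constructed distinguished names, written the way `openssl s_client` prints them.
# L1K / G2 are the Entrust CA names the post refers to; the leaf is made up.
LEAF = "C = GB, O = Example Client Ltd, CN = dev-api.client.example"
L1K = "C = US, O = Entrust, Inc., CN = Entrust Certification Authority - L1K"
G2 = "C = US, O = Entrust, Inc., CN = Entrust Root Certification Authority - G2"

# Stand-in for the subjects in ca-bundle.trust.crt: the root is there, the intermediate is not.
DEFAULT_TRUST = frozenset({G2})

# Placeholder PEM body: not a real certificate, only the framing the parser keys on.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderNotARealCertificate==\n-----END CERTIFICATE-----"

# Constructed `openssl s_client -showcerts` output for the dev host: the server sends
# only the leaf, so the chain stops at an issuer (L1K) the client has never seen.
DEV_OUTPUT = f"""CONNECTED(00000003)
Certificate chain
 0 s:{LEAF}
   i:{L1K}
{FAKE_PEM}
---
Server certificate
"""

# Constructed output for the prod host: leaf plus the L1K intermediate, chaining to G2.
PROD_OUTPUT = f"""CONNECTED(00000003)
Certificate chain
 0 s:{LEAF}
   i:{L1K}
{FAKE_PEM}
 1 s:{L1K}
   i:{G2}
{FAKE_PEM}
---
Server certificate
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str
    pem: str


def parse_showcerts(output: str) -> list:
    """Pull (depth, subject, issuer, PEM) records out of `openssl s_client -showcerts` output."""
    certs, pem_lines = [], None
    depth = subject = issuer = None
    for line in output.splitlines():
        if pem_lines is not None:  # inside a PEM block: collect until the END marker
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                certs.append(ChainCert(depth, subject, issuer, "\n".join(pem_lines)))
                pem_lines = None
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem_lines = [line]
            continue
        m = SUBJECT_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m:
            issuer = m.group(1).strip()
    return certs


def check_chain(chain, trusted_subjects):
    """Walk the presented chain the way a verifier does.

    At each depth the certificate's issuer must either be a trust anchor (matched here by
    subject name, a simplification of the real key-and-signature check) or be the very next
    certificate the server sent. Anything else is the "unable to get local issuer" case.
    """
    for i, cert in enumerate(chain):
        if cert.issuer in trusted_subjects:
            return True, f"depth {i}: issuer '{cert.issuer}' is a trust anchor"
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt.subject != cert.issuer:
            return False, f"depth {i}: unable to get local issuer certificate for '{cert.issuer}'"
    return False, "server presented no certificates"


if __name__ == "__main__":
    for label, output in (("dev", DEV_OUTPUT), ("prod", PROD_OUTPUT)):
        ok, why = check_chain(parse_showcerts(output), DEFAULT_TRUST)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({why})")
    ok, why = check_chain(parse_showcerts(DEV_OUTPUT), DEFAULT_TRUST | {L1K})
    print(f"dev with L1K added to the trust bundle: {'OK' if ok else 'FAIL'} ({why})")
```

Against the two constructed outputs, the dev host fails at depth 0 because the server never sends the L1K intermediate and passes only once L1K is added to the local bundle, while the prod host passes with the unmodified bundle because it sends the intermediate that links the leaf to the G2 root. To use it on real output, feed the text of `openssl s_client -showcerts -connect host:443 </dev/null` to `parse_showcerts` and the subject names from your own bundle to `check_chain`.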
I'm trying to create an SSL certificate to use on nodes on my own local network. Nodes are being reached like this:
https://pfs1.internaldomain/
https://unifi.internaldomain/
...and so forth
I'm using pfSense to create and store the root CA and the certificates. The root CA is imported into the trust store in Windows and is being picked up by browsers fine.
When I try to access e.g. https://pfs1.internaldomain/, I get an "ERR_CERT_COMMON_NAME_INVALID" error. If I access it by IP (https://10.0.10.1/), it works fine (Chrome states the certificate is valid and secure).
The certificate is created with CN *.internaldomain and the following SANs:
DNS Name=*.internaldomain
IP Address=10.0.10.1
If I add the FQDN as a SAN (pfs1.internaldomain) - then that works too. But I'd like to use a wildcard so I don't have to create individual certs for every node.
So my question is - is what I'm trying to do (with the wildcards) not possible for my scenario, or what could be the issue?
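An added example, not from the post or from pfSense or Chrome, that makes the two matching rules explicit: the RFC 6125 rule, under which `*.internaldomain` does match `pfs1.internaldomain`, and the stricter rule browsers apply to wildcards that would cover a whole top-level or single-label domain. The browser rule is modelled by the assumption that at least two labels must follow the wildcard; the exact label count Chrome enforces is not stated on the page and is an assumption of this code. The SAN list mirrors the one in the post.

```python
def _labels(name):
    """Normalise a DNS name for comparison: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def matches_rfc6125(presented, reference):
    """Match a presented dNSName (possibly '*.x') against the reference hostname.

    The wildcard must be the entire leftmost label and matches exactly one label,
    so '*.internaldomain' matches 'pfs1.internaldomain' but not 'a.b.internaldomain'.
    Partial-label wildcards ('f*.x') are treated as no match, as browsers do.
    """
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def matches_browser(presented, reference, min_labels_after_wildcard=2):
    """RFC 6125 matching plus the extra restriction browsers add (assumed here:
    at least two labels must follow the wildcard, so '*.internaldomain' and '*.com'
    are rejected while '*.lab.internaldomain' is accepted)."""
    p = _labels(presented)
    if p[0] == "*" and len(p) - 1 < min_labels_after_wildcard:
        return False
    return matches_rfc6125(presented, reference)


def san_matches(sans, reference, policy=matches_browser):
    """Check a list of ('DNS', name) / ('IP', address) SAN entries against what the
    user typed in the URL bar, using the given name-matching policy for DNS entries."""
    for kind, value in sans:
        if kind == "DNS" and policy(value, reference):
            return True
        if kind == "IP" and value == reference:
            return True
    return False


# The SAN list from the post (constructed to match its text).
POST_SANS = [("DNS", "*.internaldomain"), ("IP", "10.0.10.1")]

if __name__ == "__main__":
    for host in ("pfs1.internaldomain", "10.0.10.1", "a.b.internaldomain"):
        print(host,
              "rfc6125:", san_matches(POST_SANS, host, policy=matches_rfc6125),
              "browser:", san_matches(POST_SANS, host))
```

The output for the post's certificate is the pattern it describes: the IP address matches under both rules, while `pfs1.internaldomain` matches under plain RFC 6125 but not under the browser rule. Adding a level, as in `*.lab.internaldomain` for `pfs1.lab.internaldomain`, satisfies both.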
I found many root certificates on Firefox Settings. It has the option to distrust/delete it.
What are the security impacts when I delete them?
Can the certificate company intercept passwords sent to websites?
Can deleting some root certificate avoid you from Man in the middle (MITM) attack?
Hello,
I am new to OpenVPN. My team has set up a VPN server that we use to reach physical gateways installed on a different network. We manually generate certificates for these gateways using openssl commands on the VPN server and then install them on the gateways. Every gateway (client) is assigned a tunnel IP that we use to access the gateways. There is only one CA, which is the root certificate authority in the PKI. We want to get rid of the manual process of generating client certificates. In order to automate the process, we are using AWS Certificate Manager Private Certificate Authority to create a subordinate CA and sign its certificate using the root CA on the VPN server. We then imported the subordinate CA cert and are now using this CA to issue gateway certificates. The client certificate and certificate chain are installed on the gateway along with the private key. I want to know if it's possible to establish communication between the gateways and the VPN server now that the certificate is not directly generated using the root CA. Would the server be able to verify the gateway certificate using the certificate chain? Would this require any configuration change on the VPN server? I noticed that there was no tunnel IP assigned to the gateway.
Could someone please guide me?
Using GPO, I'm trying to install a certificate in our domain users Trusted Root CA's (user account, not computer account), but am running into problems.
If I use GPO to push the certificate, it lands in their Personal certificates.
If I use GPO to create a scheduled task to run a bat file (certutil -enterprise -f -v -addstore "Root" "\\sharepath\certfile.cer"), it won't run because you need to be admin to install certificates into the Trusted Root CA, and you can't store credentials for an admin account when creating a scheduled task using GPO.
How else can I accomplish this?
Gold to whoever helps me figure this out. Thank you!
Has anyone heard of a legitimate case where a root CA was missing on a personal Mac for someone who lives outside of the US?
https://preview.redd.it/ovct187rb1t61.png?width=246&format=png&auto=webp&s=8e5b59122a16d4f8e02bcee22720545675efc1e5
A lot has been done so far including following guidance in a few Citrix KB's but the issue persists.
I'm just struggling to reconcile how this could be a legitimate configuration on a non-corporate, personal machine.
Any guidance is greatly appreciated.
I'm trying to set up a VPN to run on my server, but when trying to download the client config I keep getting the error "Please ensure provided client certificate exists in Root CA chain and has necessary extensions set." I've made sure they're all using the same CA and DDNS; is there something I'm missing? My DDNS might not be working properly, but I don't know.
Hello,
I am looking to implement a mitigation recommendation from MITRE outlined on the following page:
https://attack.mitre.org/techniques/T1553/004/
The recommendation is to prevent users from installing their own root certificate with non-admin privileges through a change in group policy. The change outlined is as follows:
> Windows Group Policy can be used to manage root certificates and the Flags value of `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots` can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store
I have made the following change on my machine but it seems I am still able to install root certificates without issue even with a non-admin account. I couldn't find a whole lot of information about this setting, does anyone have any experience using it?
Currently, to create an application gateway in Azure we need to provide the root certificate from local files instead of reading the certificate from Key Vault. Is there any way to create an app gateway with Terraform with the root certificate read from Key Vault?
```hcl
resource "azurerm_application_gateway" "app_gateway" {
  name                = var.appgw_name
  resource_group_name = var.rg_name
  location            = var.rg_region

  trusted_root_certificate {
    name = var.appgw_backend_http_setting_auth_cert_name
    data = filebase64("${path.module}/RootCert.cer")
  }

  sku {
    name     = var.appgw_sku
    tier     = var.appgw_tier
    capacity = var.appgw_capacity
  }

  gateway_ip_configuration {
    name      = var.appgw_gatewayip_name
    subnet_id = var.appgw_subnet_id
  }

  ssl_certificate {
    name                = var.appgw_certificate_name
    key_vault_secret_id = var.appgw_certificate_keyvault_secret
  }

  frontend_port {
    name = var.appgw_frontend_port_name
    port = var.appgw_frontend_port
  }

  frontend_ip_configuration {
    name                 = var.appgw_frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.appgw_public_ip.id
  }

  backend_address_pool {
    name         = var.appgw_backend_address_pool_name1
    ip_addresses = var.appgw_backend_address_pool_ip_addresses
  }

  backend_address_pool {
    name = var.appgw_backend_address_pool_name2
  }
}
```
I have searched quite a bit, here, on Apple Dev forums, Stackoverflow and Google and have not had a resolution yet. I would really appreciate any help.
I am trying to update and test the Apple Root certificate for our Debian Server for the Apple Push Notifications. The Debian Server is version locked and cannot receive OS updates, so I have to manually update this.
Apple Push Notification Certificate update notice: https://developer.apple.com/news/?id=7gx0a2lp
I'm testing by reviewing the response to the following commands:
>`curl --verbose https://api.sandbox.push.apple.com`
>
>`openssl s_client -connect api.sandbox.push.apple.com:443`
If I remove `GeoTrust_Global_CA.crt` and add `AAACertificateServices.crt`, I get a failed response with a `curl: (60) SSL certificate problem: unable to get local issuer certificate` message.
I am editing the `ca-certificates.conf` file, placing the `AAACertificateServices.crt` in `/usr/share/ca-certificates/` and then running `update-ca-certificates` where it successfully reflects whether a new certificate was added/removed.
I would really appreciate your help as the deadline for the certificate expiry is very close and I need to test and roll this update ASAP. Really appreciate your help.
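Both the non-root container question earlier on this page (letting admins add CA certificates when `update-ca-certificates` cannot write to `/etc/ssl/certs`) and this Debian question turn on the same mechanics: `ca-certificates.conf` lists one certificate file per line relative to `/usr/share/ca-certificates`, a leading `!` disables an entry, and `update-ca-certificates` concatenates the enabled files into one bundle. The following added example, which is not code from either post or from the ca-certificates package, reproduces that assembly in Python so the resulting bundle can be inspected before it is rolled out, and writes it to a caller-chosen path so an unprivileged process can point `SSL_CERT_FILE` (read by OpenSSL) or `REQUESTS_CA_BUNDLE` (read by Python requests) at it. The conf text, file names and PEM bodies are constructed placeholders.

```python
import tempfile
from pathlib import Path


def fake_pem(label):
    # Placeholder PEM block: not a real certificate, only the framing is realistic.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed ca-certificates.conf: one root disabled with '!', one added, one listed twice.
SAMPLE_CONF = """# ca-certificates.conf (constructed sample)
mozilla/DigiCert_Global_Root_G2.crt
!mozilla/GeoTrust_Global_CA.crt
AAACertificateServices.crt
mozilla/DigiCert_Global_Root_G2.crt
"""

# Stand-in for /usr/share/ca-certificates: relative path -> file contents.
SAMPLE_STORE = {
    "mozilla/DigiCert_Global_Root_G2.crt": fake_pem("PLACEHOLDER-DigiCert-Global-Root-G2"),
    "mozilla/GeoTrust_Global_CA.crt": fake_pem("PLACEHOLDER-GeoTrust-Global-CA"),
    "AAACertificateServices.crt": fake_pem("PLACEHOLDER-AAA-Certificate-Services"),
}


def parse_ca_conf(conf_text):
    """Split ca-certificates.conf into (enabled, disabled) relative paths.
    '#' lines are comments; a leading '!' marks a certificate that must not be used."""
    enabled, disabled = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            disabled.append(line[1:].strip())
        else:
            enabled.append(line)
    return enabled, disabled


def build_bundle(conf_text, cert_store):
    """Concatenate the enabled certificates, in conf order, each exactly once.

    Returns (bundle_text, missing). Enabled entries with no file are reported rather
    than silently dropped, because a root that never made it into the bundle is exactly
    the 'unable to get local issuer certificate' failure the post describes."""
    enabled, _ = parse_ca_conf(conf_text)
    parts, missing, seen = [], [], set()
    for rel in enabled:
        pem = cert_store.get(rel)
        if pem is None:
            missing.append(rel)
            continue
        pem = pem.strip() + "\n"
        if pem not in seen:
            seen.add(pem)
            parts.append(pem)
    return "".join(parts), missing


def write_user_bundle(conf_text, cert_dir, out_path):
    """Non-root variant: read the certificate files (read access is enough), write the
    bundle to a path this process owns, and return the environment variables that make
    OpenSSL-based clients use it instead of the system store under /etc/ssl/certs."""
    cert_dir = Path(cert_dir)
    enabled, _ = parse_ca_conf(conf_text)
    store = {rel: (cert_dir / rel).read_text()
             for rel in enabled if (cert_dir / rel).is_file()}
    bundle, missing = build_bundle(conf_text, store)
    Path(out_path).write_text(bundle)
    return {"SSL_CERT_FILE": str(out_path), "REQUESTS_CA_BUNDLE": str(out_path)}, missing


if __name__ == "__main__":
    # Lay the constructed store out on disk under a temporary directory and build from it.
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        for rel, pem in SAMPLE_STORE.items():
            path = share / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(pem)
        env, missing = write_user_bundle(SAMPLE_CONF, share, Path(tmp) / "ca-bundle.crt")
        print("export " + " ".join(f"{k}={v}" for k, v in env.items()))
        print("missing:", missing)
        print(Path(env["SSL_CERT_FILE"]).read_text())
```

The `missing` list is the check worth running before a deadline rollout such as the one above: if `AAACertificateServices.crt` is named in the conf but the file is not where the conf says it is, the bundle is built without it and every chain ending at that root fails verification. In the container case the admin-supplied certificates go into the same conf-and-directory layout under a volume the pod can read, and the process exports the returned variables at start-up instead of running `update-ca-certificates`.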
I'm allowing Xcode to automatically manage signing, but I get the following error:
Warning: unable to build chain to self-signed root for signer "Apple Development: My Name (HRU9F7UWZJ)"
This is a certificate generated by Xcode. When I inspect it in Keychain Access, it tells me that the certificate isn't trusted. So perhaps that could be the issue, but when I change the certificate settings to always be trusted, Xcode gets angry and says that I must revoke the certificate and generate a new one. And then I'm back to where I started.
This was all working a day ago. Any ideas? I've tried stack overflow solutions with no luck.
When I try to install a certificate as a Trusted Root Authority in the Wine control panel on Linux, it doesn't change and keeps showing "Determined by the program". How do I install a certificate in Wine as a Trusted Root?
I have a Server STD 2016 Essentials
I have 20+ desktops
Since about a month ago, any new desktop I add to the domain has issues in the web browser. Existing desktops do not present this issue (yet).
I have tried every website guide I can find. Tried manually installing the certs on individual desktops. Tried manually setting DNS settings to external to see if it would look outside instead
It's not a date/time or daylight-saving issue.
Does anyone have any idea how to resolve this or where I should start over as I am probably muddled by everything I tried?
My school wants me to install a root CA, which basically allows them to decrypt ALL HTTPS TRAFFIC and perform a man-in-the-middle attack on me. Is there any way to bypass installing this certificate and still be able to use the network? (I don't want to be spied on.)
I am going to the UAE in 10 days to look for a job. One of my friends told me I must get my certificates attested, otherwise it's difficult to get the desired job there, and it would be very expensive to get the certificates attested from the UAE, and so on.
I am completely unaware of this process. So I contacted an agency; they told me they only do embassy attestation, and for HRD attestation I will have to do that myself. They also said NORKA attestation isn't mandatory; embassy attestation is enough, and so on. When I searched the internet I found information saying all these attestations can be done through NORKA and you could save a lot of money by doing it through NORKA rather than through agencies.
So now I am more confused, and to be honest I don't know what NORKA Roots certificate attestation, apostille attestation and embassy attestation are, what the differences are, what they are used for, etc. I would really appreciate it if someone could step up, explain these things and guide me on how to get it done in a straightforward way. Thank you.
We have a small PKI infrastructure consisting of a single online Enterprise Root CA (Server 2012 R2). The Root CA certificate for this is due to expire in a few weeks and I am looking to renew it with the same private key (SHA256).
When I look at the certificates issued by the CA, we only have one that was manually created (IIS web server cert); the rest are automatically created ones for RDP, Kerberos authentication, directory email replication, domain controller authentication and Computer (Machine).
I have been unable to find any current Microsoft documentation on how to renew the certificate, I have only been able to find the following which relates to Server 2003 https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc740209(v=ws.10)?redirectedfrom=MSDN
I have read blog posts etc where comments have been made that you can simply renew the Root CA certificate with the same key. I would then look to reissue the web server certificate with the new CA and I presume the automatically created certs will renew themselves before they expire?
Is anyone able to link me to some documentation for this or offer any advice?
Thanks
*EDIT - I have found instructions on renewing the Root CA cert here: https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
Root CA cert has now been renewed.
I did something stupid in Filza and messed with things I shouldn't have... And now some websites/apps/etc. will not show or display correctly. In Safari I can visit the affected sites only after choosing to visit the website anyway after the warning. Does reset content and settings fix this? Will Succession? What do I do? I don't want to restore and lose my jailbreak. I'm on 13.4.1 on an iPhone XS. Unc0ver 5.3.1
Hi,
I am trying to remove a root cert from Trusted Root Certificates. If I run the command below it works fine on the device, but once I send it from Intune as a PowerShell script the status says failed, even though it actually removes the cert from the device. Am I missing something?
`Get-ChildItem Cert:\LocalMachine\My\c843721cbc3ad29910e1f31c99361eedceb6ddds | Remove-Item` works fine when run on my device.
Dear r/homelab,
I would like to use certificates for SSH access and local HTTPS. (Don't ask me why, I'm just interested in learning new things.) I am the only person accessing my homelab, but I still access it from multiple devices and sometimes over VPN. I would like to set up a root CA in my Proxmox, preferably as an LXC container, then get certificates signed by the root CA for individual hosts, the VPN server, SSH, etc.
I have been searching and reading articles related to this for the past two days. I have come across step-ca and step-cli, which tick all the boxes. Has anyone used it? Feedback is much appreciated.
I have some doubts in this regard.
EDIT: Linking old discussions here. Some might find useful.
https://www.reddit.com/r/homelab/comments/79w2kd/internal_ca_recommendations/
https://www.reddit.com/r/homelab/comments/au63zj/homelab_pki_solutions/
I have a few local domains on my machine. They all map to localhost. They are in my hosts file. I also have self-signed certs for them, and they are installed in certmgr under Trusted Root Certification. I had no problem with them until I installed a VMW trial. It seems to be hijacking my certificate and replacing it with some untrusted vmware certificate. Chrome completely locks the sites out, and rightly so in my opinion.
After I uninstalled it (I can't use it anyway, I need Docker and Hyper-V for now), things work great. I know VMWare adds network adapters, but it seems to be running some MITM proxy.
Any clues?