X.509

I saw this line in my dmesg. Why is there a X.509 Cert from Microsoft in a linux machine?

Any ideas?

Hi All,

I want to use a Smart Card for Login purposes (Windows). There for it needs to store a X.509 Certificate.

1. What are the (minimum) Standards that such a Card needs to fulfil?
2. How to transfer the Certificate to the Smart Card? (I would imagine with a management software from the Smart Card vendor?)

I know this Card here should work :

https://www.amazon.com/PIVKey-C980-Enterprise-Smart-Card/dp/B01JQRA2JG/ref=sr_1_4?dchild=1&keywords=smartcard&qid=1602103236&sr=8-4

I ask myself if there are cheaper compatible Smart Cards around that would work for the purpose of being easy writeable and can keep a self-signed X.509?

Link:
     https://www.amazon.ca/ANYCUBIC-Printer- … 9B8GQ65623
Price:
    509.99
Discount:
    15%
Expires:
    November 22, 2020
Retailer:
    Amazon.ca

Looks to be a good deal, almost 100$ off, comes with 1kg filament, good reviews, easy to put together and a solid machine by my research

Edit: Lightning deal

Amazon product: ANYCUBIC 3D Printer, MEGA X FDM Printer Kit with Resume Print and Free 1kg PLA Filament, DIY Printer Works with TPU/PLA/ABS, Large Size 300X300X305mm
Customer Reviews:
Well packaged, easy to set up. It took me under an hour to assemble and calibrate! | I am really amazed by the quality of the printer. | It does a nice quality print. | I had best results using these slicer settings. | Speed <60ms i usually use 50ms for final prints. | Temperature for PLA: 220F Higher is better for layer adhesion (watch out for bubbling) varies per brand and colors. 220 is usually good. | Layer height 1.5-2.5 for the stock nozzle 1.5 for quality 2.5 for test prints. | I suggest you experiment with PLA first as it is an easy material to print. | Then move to PETG ABS… | Also PLA is cheaper so I like to make my test part with it. | I recommend this printer to any hobbyists | It’s easier than it seems and there are million of free files to download and print in a few clicks

Image:

Link:
    https://www.amazon.ca/ANYCUBIC-Printer- … 9B8GQ65623

I am really confused over PKCS. I am trying to understand what exactly PKCS and in extension what CMS is. I understand that PKCS was the initial specification and then it was handed over to IETF, and then evolved to CMS.

This part is the only part that is not confusing. Everything else is confusing! Perhaps someone can help clarify? :)

I stumbled on the line from the RFC 5652 defining CMS:

>This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.

How can a syntax be used to digitally sign stuff?!! I can understand if it states it is a syntax used to describe digitally signed stuff...but signing? how can a syntax be used to sign?

This all tie into my confusion with PKCS/CMS and x509. I understand that x509 is a standard that describes what should make up a certificate, how is this different from PKCS/CMS?

Can an example be given of PKCS/CMS? Maybe this will help me understand better!

Edit:

The Wikipedia entry for CMS does not also help. For example it says:

>It [CMS] can be used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data.

Okay is CMS an encryption algorithm like RSA? No!! so why then say it is a protocol used to digitally sign or encrypt stuff?

I replaced my X.509 wildcard certificate 3/7/2020 because it was expiring 3/9/2020. I imported the PFX and changed the SSL/TLS Certificate Profile. I verified the CA and intermediate were in place and the certificate is currently listed as valid.

I verified both of my GlobalProtect portals and all three Gateways were using the same SSL/TLS Service Profile. I tested the Portal webpages and checked the certificates showed the new certificate chain with new expiration of 2021. I deleted the old certificate and committed the changes.

Today the portals are showing the deleted certificate that is expired. No one is able to connect. This has been working fine for two weeks.

This is a PAN-850 running PAN-OS 9.0.6 with Global Protect 5.0.7. Panorama is running 9.0.6.

I have IP addresses on all my portals and Gateways.

https://live.paloaltonetworks.com/t5/General-Topics/Global-Protect-presents-wrong-TLS-certificate-of-another-portal/m-p/302642#M78858

I opened a case on the Palo Alto Networks support site. The support site would only let me pick my PAN-220-LAB. Lab devices have 8x5 support not 24x7 support, Big WTF on support portal. I am using a PAN-850 with full support. I called into support and cannot get to a person to tell them this is a PAN-850 with support. I cannot wait until Monday. My SE has not answered any of my emails since November.

I am getting ready to start power cycling, factory resetting, and replacing.

Ran into this question a few times:

Windows has an installed certificate and private key, but the private key is marked as non-exportable, even as administrator I cannot get it to export.

Is there any way to still export it?

Yes there is. Provided the private key is not on a TPM or smartcard, this tool will allow you to export any certificate and private key, even when its marked as non-exportable:

https://github.com/iSECPartners/jailbreak

Linux mint is working flawlessly but this pops for an instant while booting, should I be worried ? (mint 20, didn't happen with mint 19).

I have performed a clean install of Tumbleweed and every time I boot I see this error: "integrity : problem loading x.509 certificate -65" I looked for the reasons why it happens and I found that the problem is caused by a UEFI certificate. If I run "mokutil --db" the last key is unknown. So is there a way that I can remove the certificate?

Hey there... So I have been playing around with X.509 certificates and I started my own certificate authority in my homelab. I got my devices to trust my CA root certificate. Now I'd like to be able to do WPA2 Enterprise on my WiFi network, with EAP-TLS (which I think is supported by a lot of devices at this point).

I'm sure this project will involve setting up a FreeRADIUS server.

My hunch is that the big challenge here will be getting client certificates to devices. For example, I'd love to be able to issue short-lived client certificates to guests when they come over, maybe via a captive portal?

Whatever I do, it's probably not going to be as easy as having them open the camera on their phone and point at a QR code with my WiFI info on it. But I'd love to make it as easy as possible. Has anyone set something like this up? Is EAP-TLS the best option? (I know there's EAP-PEAP and EAP-TTLS also.) Any tips or resources?

When I try to boot I get sent to emergency mode with the following error at the top. I have tried UEFI boot mode with secure boot disabled, but no difference. When I switch to legacy mode I get "pxe-media test failiure", and don't even get into emergency mode. I switched back to UEFI. There was this one time when I randomly repeatedly just did "systemctl default" to exit emergency mode and it worked (logged in and everything), but can't reproduce it.

At this point I was afraid that my drive had failed so I did a badblocks test (sudo badblocks -sv <drive>). I have a primary SSD with my OS Ubuntu, and a secondary HDD. My SSD showed no errors. My HDD is quite big and I didn't have the patience to let badblocks do its thing, but there seems to be at least 17 badblocks (at 5% in). However, since my OS is on my SSD I cannot see how this would stop me from booting.

Edit1: Ok I was booting my laptop on my USB and got a notification saying that my secondary HDD was "about to fail soon". So I guess it solves that? But as I stated earlier, my OS is on my primary SSD so Idk why it would affect my booting. However, I migrated my home folder (and consequently a few other stuff over the years) to my secondary drive to save space, so perhaps something essential got shifted to my HDD? IDK still seems weird to me.

Edit: Another thing is, I have a way to safely backup my files, so erasing and reinstalling ubuntu is an option for me. Given that, would that be something that could solve this problem if all else fails?

Hey everyone

I'm very new to all of this, but I'm interested in understanding what x.509 is and how to understand the data from such a certificate.

I'd like to know how to see what port the certificate was served, how I can see the trust anchor and how I would go about making a certificate signing request.

I hope someone can help me with this!

Hoping this is the right sub!!! (Please please please.) I’m looking for a Digital Certificate that meets the requirements for TX Online Notary... but the state cannot refer me to a provider.

Requirements: Issued by a third party provider Must use PKI Must be X.509 compliant When affixed to a document, must render any subsequent changes as evident

Many thanks, /Crypto!

++++++++ updated ++++++++

I did get a returned call from IdenTrust and they claim that their “IGC Basic Assurance” digital certificate meets the minimum requirements. What the heck. If it doesn’t work, then I’ll let AMEX go to bat for me.

Thanks, /Crypto!

Hey, I hope this is the right subreddit for my question.

We need to implement login using client certificate for one of our projects and I am not sure what data from cert. should be saved to identify a user. We will be using not-self-signed certificates.

My guess would be to store cert's serial number as UID and connect it to a user. Is that correct?

What happens when cert. becomes expired or is close to expiration date?
Thanks!

https://smallstep.com/blog/everything-pki.html

I stumbled over this article on Hackernews today, and only began reading it to post some wise-ass corrections on technical subtleties in the comments. Well, that did not work out as planned.

If you ever felt like you should know more about this crypto (the proper kind - not fantasy money that accelerates climate change and makes GPUs unaffordable) stuff, read this. And even if you think you already know enough about this crypto stuff, you should probably read it anyway; it's just really good :)

For reference:

http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/

https://ma.ttias.be/the-broken-state-of-trust-in-root-certificates/

https://hexatomium.github.io/2015/06/26/ms-very-quietly-adds-18-new-trusted-root-certs/

http://it.slashdot.org/story/15/03/24/1730232/chinese-ca-issues-certificates-to-impersonate-google

http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/

Why the fuck does my browser ship with a root CA that trusts the government of China? Who are all these CAs? Why am I trusting some company I've never heard of in India or Tunisia? How did we end up in this mess?

Hello /sysadmin/,

Disclaimer: I am a network engineer and I rarely deal with the ins and outs of servers. I may be asking stupid questions here.

So one of our clients had a security audit performed on their internal assets. We were provided a report with remediation steps, some of which are very vague. One of the items I am failing to understand is obtaining X.509 certificates. I have a generally good understanding of how certificates work, how to obtain one from a CA, etc. I am trying to understand the practical use in this scenario.

This organization only has an internal DNS server, a backup DNS server, a NAS, and user machines on the LAN. There is no transaction data originating or being sent to the servers. They are not hosting a website on their servers, either.

Based on the recommendations, this organization needs to purchase a certificate for their local machines. This brings me to the question: What devices need a certificate and why? Under Certificates > Local Computer, which area am I installing this certificate? What is being signed here? SMB traffic?

I apologize if this is too vague. I am a bit frustrated with this.

When I try to boot I get sent to emergency mode with the following error at the top. I have tried UEFI boot mode with secure boot disabled, but no difference. When I switch to legacy mode I get "pxe-media test failiure", and don't even get into emergency mode. I switched back to UEFI. There was this one time when I randomly repeatedly just did "systemctl default" to exit emergency mode and it worked (logged in and everything), but can't reproduce it.

At this point I was afraid that my drive had failed so I did a badblocks test (sudo badblocks -sv <drive>). I have a primary SSD with my OS Ubuntu, and a secondary HDD. My SSD showed no errors. My HDD is quite big and I didn't have the patience to let badblocks do its thing, but there seems to be at least 17 badblocks (at 5% in). However, since my OS is on my SSD I cannot see how this would stop me from booting.

Edit1: Ok I was booting my laptop on my USB and got a notification saying that my secondary HDD was "about to fail soon". So I guess it solves that? But as I stated earlier, my OS is on my primary SSD so Idk why it would affect my booting. However, I migrated my home folder (and consequently a few other stuff over the years) to my secondary drive to save space, so perhaps something essential got shifted to my HDD? IDK still seems weird to me.

Edit: Another thing is, I have a way to safely backup my files, so erasing and reinstalling ubuntu is an option for me. Given that, would that be something that could solve this problem if all else fails?