tls – Do certification authorities issue an intermediate certificate for each new certificate request?

The certificate issued by the certification authority is, simply, a confirmation that the public key you sent to the certification authority in the certificate request really belongs to you (otherwise anyone could claim to be the owner of the domain google.com or amazon.com). Since the certificate contains your public key, it cannot be prepared in advance. In addition, the response time depends on the type of certificate you requested. Simple certificates that confirm that the applicant (you) really owns the domain take little time to generate. Usually the CA sends a link to an email address at your domain, such as admin@yourdomain.org. You click the link to confirm that you are the owner; the CA then generates the certificate and sends it to you.

But other types of certificates involve much more verification: for example, the certification authority must verify that your business really exists and is properly registered, that it resides at the given address, etc. This check can take many more days or even weeks. It takes a lot of effort, so the price is correspondingly higher. But the certificate also confirms much more than the other certificates do.

In addition to domain certificates, there are other types, such as S/MIME certificates for signing your emails, so the recipient can be sure that the email really came from you; they can also be used for email encryption. Verification and generation of these certificates takes even less time than for domain certificates. There are also certificates for code signing, etc.

You can find more details on CA websites (I prefer not to promote any here).

To sign certificates:

The certification authority has a root certificate. It is the most important element of the certificate hierarchy, which is why it is stored with great security. For frequent, day-to-day use this is impractical. This is why the CA uses the root certificate (which is generally valid for 10 years or more) to issue signing certificates with a shorter validity, such as 3 to 5 years. Shorter validity means less exposure and therefore less risk of compromise.

To the question: Yes, these signing certificates are created in advance.
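The hierarchy this answer describes (a long-lived root, a shorter-lived signing certificate issued from it, and the applicant's leaf issued from that), built with openssl and checked the way a TLS client checks it. This is an added example, not code from the original answer; every name, validity period and path in it is constructed, and it needs OpenSSL 1.1 or later on the PATH.

```shell
#!/bin/sh
# Root -> intermediate -> leaf, the hierarchy the answer describes, built with
# openssl and checked the way a TLS client checks it. Everything here is
# constructed for the example: names, validity periods and the directory.
set -eu

# Create root, intermediate and leaf certificates under $1.
build_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Root: self-signed, long-lived; in practice kept offline and used only to
    # sign intermediates. (openssl req -x509 marks it CA:TRUE.)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

    # Intermediate: its own key and CSR, signed by the root with a shorter
    # validity; pathlen:0 means it may sign leaves but not further CAs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Issuing CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/int.ext" \
        -out "$dir/int.crt" 2>/dev/null

    # Leaf: the applicant's key and CSR (what you send to the CA), signed by
    # the intermediate once the CA has validated control of the name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null
}

# 0 when the leaf chains to the trusted root through the intermediate, which
# is what a client computes from the server's certificate message plus its
# own trust store.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# 0 when verification fails without the intermediate: the symptom of a server
# that sends only its leaf, as seen by a client that trusts only the root.
verify_without_intermediate_fails() {
    ! openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Issuer name of a certificate, to see who signed what.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Usage:  d=$(mktemp -d); build_chain "$d"; verify_chain "$d" && echo chain OK
```

The second verify function is the check worth keeping around: a server that installs only its leaf certificate passes the first check on the operator's machine (where the intermediate happens to be cached) and fails for every client that has only the root in its trust store.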

google kubernetes engine – GKE Ingress high latency with SSL certificate

I provisioned a GKE cluster and deployed my web services successfully. I also deployed an Ingress with an SSL certificate to expose the web services. After that, I ran time curl and found that the latency of invoking a web service through the Ingress over HTTPS is significantly higher than over HTTP, about 10 times higher.

  • http – 10-20ms
  • https – 120-200ms

Is this expected? Because it costs us too much simply to enforce SSL termination.

Here is the deployment yaml for the Ingress and the Service.

Ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-service-ingress 
  annotations:
    kubernetes.io/ingress.global-static-ip-name: my-service-ingress
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - secretName: my-service-ssl
  rules:
  - host: web.my-service.com
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-service 
  labels:
    app: my-service
spec:
  type: NodePort
  selector:
    app: my-service
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
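Before deciding whether a 10x gap is expected, it helps to see where the extra time goes. The functions below, an added example and not part of the original post, use curl's timing variables to split each request into TCP connect, TLS handshake and server time, so the overhead can be attributed either to the handshake (paid once per connection, and repeated when every `time curl` opens a fresh connection) or to the backend (paid on every request). The URLs are placeholders built from the hostname in the Ingress above.

```shell
#!/bin/sh
# Where does the extra HTTPS latency go? curl's timing variables separate the
# TCP connect, the TLS handshake and the server's time to first byte, so a
# large gap can be attributed to the handshake (per connection) or to the
# backend (per request). Added example; the URLs are placeholders.

# One request: prints "tcp tls ttfb total" in seconds. tls is 0 for http://.
measure() {
    curl -s -o /dev/null \
        -w '%{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' "$1"
}

# Repeat measure N times so one slow sample does not mislead.
sample() {   # sample URL N
    i=0
    while [ "$i" -lt "$2" ]; do measure "$1"; i=$((i + 1)); done
}

# Read "tcp tls ttfb total" lines on stdin, print the percentage of total
# time spent in the TLS handshake (appconnect - connect) as an integer.
tls_share() {
    awk '{ tls += ($2 > 0 ? $2 - $1 : 0); total += $4 }
         END { printf "%d\n", (total > 0 ? 100 * tls / total : 0) }'
}

# Per-request breakdown in milliseconds, for reading by eye. "server" is the
# time between the end of the handshake and the first response byte.
breakdown() {
    awk '{ hs = ($2 > 0 ? $2 - $1 : 0)
           printf "tcp=%.0fms tls=%.0fms server=%.0fms total=%.0fms\n",
                  $1 * 1000, hs * 1000, ($3 - $1 - hs) * 1000, $4 * 1000 }'
}

# Usage (needs network):
#   sample https://web.my-service.com/ 5 | tls_share
#   sample https://web.my-service.com/ 5 | breakdown
#   sample http://web.my-service.com/ 5 | breakdown
```

If the `server=` figure is about the same for HTTP and HTTPS and the `tls=` figure accounts for the difference, the cost is per connection rather than per request, and a client that keeps connections open (or resumes sessions) will not pay it on every call; if `server=` itself grows under HTTPS, the backend path behind the load balancer is what to look at.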

https – Apache Server – Bad X.509 certificate only on certain virtual hosts

I have two virtual hosts using the same certificate … but apache returns the localhost certificate for only one of them.

openssl s_client -connect 127.0.0.1:443 -servername domainA.com -tls1_1 shows that Apache httpd returns the localhost.crt X.509 certificate. However, openssl s_client -connect 127.0.0.1:443 -servername fake.com -tls1_1 shows the correct domainA.crt X.509 certificate.

As far as I know, the configuration parameters are effectively the same for each domain.

Listen 443 https
(... other preincluded defaults (probably) ...)

(...)
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
(... other preincluded defaults (probably) ...)

(...)
ServerRoot "/etc/httpd"
Listen 80
ServerName domainA.com:80
DocumentRoot "/var/www/html"
(... other preincluded defaults (probably) ...)

  VirtualDocumentRoot /var/www/html
  ServerName domainA.com:443
  ServerAlias domainA.com

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/domainA.crt
  SSLCertificateKeyFile /etc/httpd/conf/domainA.key
  SSLCACertificateFile /etc/httpd/conf/domainA.crt

  VirtualDocumentRoot /var/www/html
  ServerName fake.com:443
  ServerAlias fake.com

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/domainA.crt
  SSLCertificateKeyFile /etc/httpd/conf/domainA.key
  SSLCACertificateFile /etc/httpd/conf/domainA.crt

127.0.0.1 domainA.com fake.com localhost
(...)

order does not matter in /etc/hosts.

How do I get Apache to use domainA.{crt,key} for domainA.com?

$ httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built:   Aug  8 2019 11:41:18
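A way to reason about which certificate a given SNI name will get before touching the server. This is an added example, not part of the question: it simulates Apache's name-based selection rule (the first `<VirtualHost>` on the port whose ServerName or ServerAlias matches wins; if none matches, the first one listed on that port is used) over a constructed config that mirrors the layout in the question, with the default ssl.conf vhost listed first. It assumes, as Apache does, that a vhost without its own ServerName inherits the main server's ServerName, and it simplifies the real algorithm by grouping vhosts by port only, not by IP address. `httpd -S` remains the authoritative listing of what the running server resolved.

```shell
#!/bin/sh
# Simulate Apache's name-based vhost selection for one SNI name over a config
# file and print the SSLCertificateFile of the vhost that would answer.
# Added example; the config written by write_sample_config is constructed.
set -eu

# Write a config shaped like the question's: a global ServerName, a default
# :443 vhost (ssl.conf style) first, then the two named :443 vhosts. An
# optional second argument gives the default vhost its own ServerName.
write_sample_config() {   # write_sample_config FILE [DEFAULT_VHOST_SERVERNAME]
    {
        printf 'ServerName domainA.com:80\nListen 443 https\n'
        printf '<VirtualHost _default_:443>\n'
        if [ -n "${2:-}" ]; then printf '  ServerName %s\n' "$2"; fi
        printf '  SSLEngine on\n  SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n</VirtualHost>\n'
        printf '<VirtualHost *:443>\n  ServerName domainA.com:443\n  ServerAlias domainA.com\n'
        printf '  SSLEngine on\n  SSLCertificateFile /etc/httpd/conf/domainA.crt\n</VirtualHost>\n'
        printf '<VirtualHost *:443>\n  ServerName fake.com:443\n  ServerAlias fake.com\n'
        printf '  SSLEngine on\n  SSLCertificateFile /etc/httpd/conf/domainA.crt\n</VirtualHost>\n'
    } > "$1"
}

# First vhost on PORT whose names include SNI_NAME, else the first vhost on
# PORT. A vhost with no ServerName is assumed to inherit the main ServerName.
which_cert() {   # which_cert CONFIG SNI_NAME PORT
    awk -v want="$2" -v port="$3" '
    function strip_port(s) { sub(/:[0-9]+$/, "", s); return s }
    /^[ \t]*ServerName[ \t]/ && !invh { mainname = strip_port($2) }
    /^[ \t]*<VirtualHost[ \t]/ {
        invh = 1; n++
        p = $2; sub(/.*:/, "", p); sub(/>.*/, "", p)
        vport[n] = p; names[n] = ""; cert[n] = "(none)"
        next
    }
    /^[ \t]*<\/VirtualHost>/ { invh = 0; next }
    invh && /^[ \t]*ServerName[ \t]/  { names[n] = names[n] " " strip_port($2) }
    invh && /^[ \t]*ServerAlias[ \t]/ { for (i = 2; i <= NF; i++) names[n] = names[n] " " $i }
    invh && /^[ \t]*SSLCertificateFile[ \t]/ { cert[n] = $2 }
    END {
        first = 0
        for (i = 1; i <= n; i++) {
            if (vport[i] != port) continue
            if (!first) first = i
            if (names[i] == "") names[i] = " " mainname   # assumed inheritance
            m = split(names[i], a, " ")
            for (j = 1; j <= m; j++) if (a[j] == want) { print cert[i]; exit }
        }
        if (first) print cert[first]
    }' "$1"
}

# Usage:
#   cfg=$(mktemp); write_sample_config "$cfg"
#   which_cert "$cfg" domainA.com 443   # -> localhost.crt with this layout
#   which_cert "$cfg" fake.com 443      # -> domainA.crt
```

With the layout above, domainA.com resolves to the default vhost (it carries the inherited name domainA.com and is listed first) and so gets localhost.crt, while fake.com reaches its own vhost; giving the default vhost an explicit, distinct ServerName (the optional argument) makes domainA.com fall through to the domainA vhost.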

australia – 40 year original birth certificate

I hold my original birth certificate for Australia.

This is where I lived for the first 3 to 4 years of my life, so I have never had a driver's license or banking.

Can I use it to apply for a driver's license or bank account, etc., even abroad?

What is my best route in general to relocate, so I can return to Australia to live with support infrastructure?

Wildcard certificate on Synology NAS

I am using Synology DSM 6.2.2-24922 Update 4 and I want to configure a wildcard certificate with Let's Encrypt. It has been more than a year since I tried this, and that time it did not go so well. I remember trying the acme.sh script but I never really got it to work, for some reason. What is the status of this now, a year later? I was hoping that Synology had added wildcard support by now, but that doesn't seem to be the case? Strangely enough, I did not find much information on this subject when researching it. Almost all of the hits are from around January-February 2019 and are about the various workarounds. But why doesn't Synology fix it? Is there a very good reason not to?

Where to include a pfx certificate in an http request?

I would like to understand what happens in a request that uses a .pfx certificate to authenticate the client to the server. I know how to implement this in Python or use it in Postman, but I don't understand what's going on in the background. In which part (header, body) of the request is the certificate included?
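What a .pfx holds and where it is used, as an added example that is not part of the question: a PKCS#12 file is a container for a certificate and its private key; the client unpacks it and hands the pair to the TLS layer, which presents the certificate during the handshake, so no HTTP header or body field carries it. The client certificate, password and paths below are constructed, and the block needs openssl on the PATH.

```shell
#!/bin/sh
# A .pfx (PKCS#12) is a container for a certificate and its private key. The
# HTTP client unpacks it and hands the pair to the TLS layer, which presents
# the certificate in the handshake; no HTTP header or body field is involved.
# Constructed for the example: a self-signed client certificate, a placeholder
# password and placeholder paths.
set -eu

# Build client.pfx from a freshly generated key and self-signed certificate.
make_pfx() {   # make_pfx DIR PASSWORD
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=client-1" -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -name "client-1" -passout "pass:$2" -out "$1/client.pfx"
}

# Unpack the pfx into the PEM certificate and key that curl or an HTTP
# library feeds to the TLS layer. This is all that "using a pfx" amounts to.
unpack_pfx() {   # unpack_pfx PFX PASSWORD OUTDIR
    mkdir -p "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/tls.key" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/tls.crt" 2>/dev/null
    chmod 600 "$3/tls.key"
}

# SHA-256 fingerprint of a PEM certificate: what a server-side access log or
# audit trail records to say which client certificate was presented.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The request itself carries nothing; the handshake does, e.g.
#   curl --cert out/tls.crt --key out/tls.key https://api.example.test/
# Watching the handshake shows the Certificate and CertificateVerify messages
# going out before a single HTTP byte:
#   openssl s_client -connect api.example.test:443 -cert out/tls.crt -key out/tls.key -msg
```

The fingerprint function is the server-side half of the picture: because the certificate arrives in the handshake rather than in the request, a web application sees it only through whatever the TLS terminator exposes (a variable or injected header), and the fingerprint is the usual way to correlate that with the client that was issued the pfx.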

SSL certificate – Encounter a problem when trying to use certbot to create an SSL certificate for my server

Although I have already done this before, I do not remember having encountered this problem, so I do not understand which stage I am missing.

I am trying to create an SSL certificate for my server using certbot; however, it fails at the acme-challenge step with an "unauthorized" error. The thing is, I can't figure out how to meet the challenge in DNS. I recalled that when certbot ran it would stop and give you the challenge to set in DNS, but that doesn't happen.

It throws the error in the terminal window, showing the challenge and saying it fails. The output is below.

root@systopian-web2:~# sudo certbot certonly --agree-tos --email admin@mydomain.tld --webroot -w /var/lib/letsencrypt/ -d mydomain.tld -d www.mydomain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.tld
http-01 challenge for www.mydomain.tld
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain systopian.web2.tldm
Challenge failed for domain www.systopian-web2.tld
http-01 challenge for mydomain.tld
http-01 challenge for www.mydomain.tld
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.tld
   Type:   unauthorized
   Detail: Invalid response from
   mydomain.tld/.well-known/acme-challenge/xylqef3u7PthzjE7f1cGIhdGwAMls0wWzvODkQwb_f4
   (119.28.132.32): "\r\n404 Not Found\r\n\r\n404 Not Found\r\n"

   Domain: www.mydomain.tld
   Type:   unauthorized
   Detail: Invalid response from
   /www.mydomain.tld/auth/login (45.77.154.240): "\n\n\n\n\n"

What are the OpenSSL API calls to get the certificate status information after the (last) call to SSL_connect()?

More specifically, I would like to determine, by querying the SSL object, which of the following cases applies:

  • No outgoing certificate was provisioned.
  • A cert was provisioned but the server never asked for it.
  • The handshake was terminated immediately after the certificate was sent.
  • The handshake continued after the certificate was sent and accepted.

server – Obtain a TLS certificate for Exim and Dovecot which works with gmail

I have a CentOS 7 server which runs Exim and Dovecot to communicate over the SMTP and POP3 ports. I want to configure them to use TLS to encrypt all data. I already figured out how to modify the configuration files for Exim and Dovecot, but there is a problem: the certificates I wanted to use are self-signed and it seems that gmail does not accept SSL certificates which are self-signed.

Now I want to buy a DV SSL certificate from a trusted authority, but I don't know which subdomain I should buy it for. My DNS records include an MX record that says "10 mail" and points to my server's IP address. I don't know what 10 means, but I guess it means that mail.domain.tld is the address of my mail server. Right?

So here are my questions:

  1. Do I need to get a certificate for mail.domain.tld?
  2. Can I use my certificate for domain.tld which has been issued by a trusted authority?
  3. Can I get a certificate for an IP address instead of a fully qualified domain name? Will it also work with gmail?
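A check for the question of which name the certificate must cover, as an added example that is not part of the question. In an MX record such as "10 mail", 10 is the preference value (lower values are tried first) and "mail" is the host the record points at, so the name a connecting mail server sees is that MX host, and it is that name, not the bare domain, that the certificate's subjectAltName has to cover. The certificates generated below are constructed for the example (they need OpenSSL 1.1.1 or later for `-addext`); in production the same `san_covers` check is run against the certificate the MX actually presents, fetched as shown in the last comment.

```shell
#!/bin/sh
# Check that a certificate covers the name mail clients actually connect to.
# In "10 mail", 10 is the MX preference (lower is tried first) and "mail" is
# the host the MX points at, so the certificate has to cover mail.domain.tld.
# The certificates generated below are constructed for the example; in
# production run san_covers against the certificate your MX presents.
set -eu

# Self-signed certificate with the given subjectAltName list (constructed).
make_san_cert() {   # make_san_cert OUTFILE "DNS:a,DNS:b"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=example.test" -addext "subjectAltName=$2" \
        -keyout "${1%.crt}.key" -out "$1" 2>/dev/null
}

# DNS names from the certificate's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[ \t]*DNS:\([^ \t]*\).*/\1/p'
}

# 0 if HOST is covered by an exact SAN entry or by a wildcard one label up
# (*.example.test covers mail.example.test, not example.test or a.b.example.test).
san_covers() {   # san_covers CERT HOST
    host="$2"
    parent="${host#*.}"
    san_names "$1" | {
        while read -r n; do
            [ "$n" = "$host" ] && exit 0
            case "$host" in *.*) [ "$n" = "*.$parent" ] && exit 0 ;; esac
        done
        exit 1
    }
}

# Fetch what the MX really presents (needs network; STARTTLS on port 25):
#   openssl s_client -connect mail.domain.tld:25 -starttls smtp \
#       -servername mail.domain.tld </dev/null 2>/dev/null | openssl x509 > mx.crt
#   san_covers mx.crt mail.domain.tld && echo covered
```

Run against a certificate issued only for domain.tld, `san_covers` fails for mail.domain.tld, which is the situation the second question asks about; a certificate whose SAN list includes mail.domain.tld (or a `*.domain.tld` wildcard) passes.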

dns – SSL certificate but the website is still not secure?

I have a website made with Angular. I uploaded it to an Azure Static Website. This static website is secure. I then registered a domain name with another hosting provider (in my country) and redirected that domain name to the Azure Static Website's domain name using a CNAME. When I go to my domain name (not the Azure one), I get the website and everything works fine, but it is not secure (even though I bought an SSL certificate). When I go to the Azure Static domain name, I get the same website and everything works, but now it's secure.

How can I make sure that my custom domain name is also secure?