sha – why CA use private key to sign a digital certificate? What is the logic behind sign a digital certificate with CA private key?

In general(PKI), encryption happens with public key and decryption happens with private key. But, how Certificate Authority sign a digital certificate with private key? How this can be validated using public key in browser? What is the logic behind CA certificate validation?

What is the role of SHA (hash algorithm) role here? How SHA and CA private key work together?

https – How to get rid of ssl certificate warning?

I’m developing mobile app in React Native and getting “Network error” when doing call to API. When I’m trying to reach URL on Google Chrome I get warning about unsafe connection, but I can normally reach it after click confirmation. So I guess that SSL is the reason.
How can I trust it, so there will be green padlock?
I imported cert on PC (i have green padlock there) and installed on Android, but nothing changed.

tls – What is the benefit of public Certificate Authority when using SSL mutual authentication?

In terms of SSL Mutual Authentication a self signed CA and a public CA provide the same functionality, is that assumption correct?


Meaning the client will be able to communicate with the server only if both of them have the certificates issued by the same CA and the server has access to the CA, right?

No. The role of the CA is to attest that an entity holding a certificate is entitled to have it. It makes sure that nobody can get a certificate for Google, except Google. That’s why a CA exists.

The CA certificate is usually shipped with your OS and your browser. After receiving any certificate, the TLS libraries will check (unless told no to check) if the certificate was issued by a trusted CA, if it’s expired or revoked, and here ends the CA involvement.

Mutual authentication does not depend on a CA at all. Does not matter if a certificate is self-signed, issued by a private CA or a public one. It only depends on the certificates. If I create a certificate myself on my computer, ship it to you and you configure your server to talk to me, it’s done.

So in this situation, the man-in-the-middle attack is only possible of the attacker has access to the self-signed CA, correct?

No, a MitM attack can only be conducted if someone steals the private key of both the certificates (client AND server). If they steal the client’s certificate, they can impersonate the client to the server, but not the other way around.

Getting SSL certificate from remote server with OpenSSL

I encountered a strange problem and I cannot spin my head around it.
I’m trying to validate a SSL certificate using OpenSSL from command line:

openssl s_client -showcerts -connect

But no matter which domain on this server I call that way it delivers always the certificate of the first (alphabetically) domain on that server even if this particular domain do have own certificate. Also when I call any of this urls in browser everything works correctly

Any idea what have I done wrong?


Germany Blue card – 1 Year Rule vs Certificate 51

I joined a German Company dated 01 July 2016. I was sent to Mexico , by my German Company dated 1 April 2018. The project comes to an end and i have to move back to work in the same company to Germany . While exiting Germany , the Foreigners office told me that if I want to keep the Blue card valid , I have to visit Germany every 1 year. Additionally i can also take the Certificate 51. Certificate 51 allows you to leave the country for more than 1 year, keeping your blue card valid.

1)Is there a way to check the validity of the Germany Blue card (Blue card Sticker says 30 June 2020)?
2)I was visiting every year in the meantime . My last travel was for a week to Munich ending 07 June. Based on the 12 month rule. I can still travel till 06th June 2020. Frankfurt Police has confirmed me the same.
3) The certificate 51 expired dated 26 03 2020 . And now Foreigners office says that since you were not back before 26032020, the Blue card has expired. It was not possible to travel because of Covid. I have already given the cancelled tickets to them. The Foreigners office is giving only importance to certificate 51, and not to one year Blue card Rule.

Please help in this case , what is more important 1 year Blue card Expiry Date of Certificate 51 ? Where can I read detailed rules for this ?
The Social Security is still running in Germany from 1 July 2016.

ssl – What happens to existing tcp sessions when a certificate is changed and haproxy is reloaded?

There may be two major reasons for changing a certificate.
1. Ordinary rotation, for example, due to expiration. In this case I would like to have a 100% high availiability. Existing sessions would use the old keys, the new sessions will use new encryption keys.
2. My private keys had been stolen and I want to drop all the exsting connections and reestablish those with the new keys.

How does the haproxy behave?

OpenSSL fails to detect expired intermediate CA certificate in s_client SSL connection test

By accident, I have an expired intermediate certificate at the end of my chain file in my Dovecot server’s SSL configuration. It’s enough of a problem that my Android e-mail client refuses to use it, although Apple Mail lets it go (??!). Indeed, the expiration just happened hours ago. openssl x509 -in ... shows:

    Serial Number:
    Signature Algorithm: sha384WithRSAEncryption
    Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
        Not Before: May 30 10:48:38 2000 GMT
        Not After : May 30 10:48:38 2020 GMT
    Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

But this command:

openssl s_client -showcerts -verify_return_error -connect

fails to flag the problem (while outputting the expired certificate!). The OpenSSL package version is: 1.1.1g-1+ubuntu18.04.1+d

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN =
verify return:1

How do I create an OpenSSL verification test to find and flag this? I have searched online already quite a bit and found nothing to address expiration down a few rungs in a public chain. The closest question is: Why is my SSL certificate untrusted on Android? but this only deals with a missing link in a 4-certificate chain. My guess as to why Apple Mail accepts the error is that MacOS has cached its own non-expired version of the same intermediate CA.

60 SSL certificate problem: certificate has expired

Dear all,

I hope I am in the right forum. If not, please forgive me and point me in the right direction

I am using a shared hosting account with CPanel as control panel. Below the info I can get about the server.

I am running TinyTiny-Rss, which is basically a feed reader. It fetches articles from different sources so that I can read them without having to visit every single website. To do so, I believe it uses Curl.

Everything worked smoothly, until this morning, when some feeds stopped updating, with the error:
“60 SSL certificate problem: certificate has expired”

If I visit the original URL, the certificate is not expired at all.

From what I gathered after some googling, it seems that the issue is related to some curl configuration.

Being on shared hosting, there is nothing I can do, so I opened a ticket with my provider, and they insist I have to tell them how I can reproduce the error, which I can not, as the error is generated by the script.

I can connect via ssh to the server, but I have very limited knowledge in this field. I tried to “curl” the feeds with the error, but I believe I am missing some parameters that would trigger the error.

Is there anyway you can help me to reproduce the error or provide me with some further documentation that would convince my provider to correct the issue?

Thank you very much in advance for your attention.

Wish you all a nice weekend.


cPanel Version 86.0 (build 21)

Apache Version 2.4.43

PHP Version 7.2.30

MySQL Version 10.2.31-MariaDB-log-cll-lve

Architecture x86_64

Operating System linux

Path to Sendmail /usr/sbin/sendmail

Path to Perl /usr/bin/perl

Perl Version 5.16.3

Kernel Version 3.10.0-962.3.2.lve1.5.32.el7.x86_64

Issued a cloudflare SSL Certificate to ubuntu server but SSL gives error

I was given a Cloudflare SSL certificate issued by our DNS provider. As the server already has let’s encrypt, the domain I had to add is loaded the Cloudflare SSL (when I visit the site I have CERT INVALID & windows does not have enough information to verify the certificate). The SSL came with pem and key file. default-ssl.conf I added the SSL Engine On and added in the paths. It is reading the certificate but not enough information and certificate path is not showing. Please advise.

iis – Install SSL Certificate on EC2 Windows Instance

tengo una instancia de EC2 Windows en AWS. Necesito instalar un certificado SSL en uno de mis dominios. Hice todos los pasos para crear y completar el certificado en IIS, pero luego de completar la instalaciĆ³n “desaparece”. Intente ejecutar el comando certutil -repairstore my Serial_number pero me pregunta por una “Smart Card”. Intente deshabilitarla de la manera que explica el siguiente link, pero nada. Alguna idea?

Para variar el soporte de AWS no contesta en mas de 24 horas.