I'm trying to figure out how can I trust signed files which I derive from the internet to a closed environment, because from what I understand- we check their authenticity by checking their signature with the root CA. But in a closed environment, there is no network connection to that CA, so how can we check later on what files are really authenticate and don't have a forged signature?
Related
I am developing an app with a server part programmed in Go and a client programmed in C#, the connection between the two is made using TCP socket communication, and to ensure the connection I am using TLS.
My question is whether there would be any security problem in my case when using self-signed certificates for TLS communication.
I understand that for a web server that uses https it is necessary to use certificates signed by a certificate authority (CA) but in my case, when connecting my own client application I don't see why I should use one of these.
If anyone knows anything about it, it would be a great help.
Certificates are used for authenticating the end points, and usually the cert is signed by a certificate authority which your client (such as a web browser) already trusts. Using a self-signed cert in that scenario can lead to problems, as the browser won't trust it, and so will pop a warning box. However, the real issue is that for the typical user, a warning from your server is as good as indistinguishable from an attacker using another self-signed certificate. They'll click-away and KABOOM!
If this is a closed environment, and you control both the server and client, then the self-signed certificate is irrelevant. In fact, you don't even need one at all, and may be better off with one of the alternatives, like TLS-PSK, or TLS-SRP.
There are two separate CA virtual machines (Windows Server 2012):
RootCA
SubCA - created/signed by RootCA
RootCA is off and offline (no network connectivity).
How to renew Microsoft SubCA?
SubCA is valid for more than a year now, but we want to plan ahead.
Root and Sub CAs are not connected to Windows domain, it is not for used for Active Directory.
SubCA is used to generate SSL certificates for out internal servers - Apache, Nginx, IIS, etc.
RootCA and SubCA certificates are trusted on Windows and Linux machines (both servers and workstations).
Is it necessary to add newly renewed SubCA certificate as trusted after renewinig it? Or it will be already trusted, but now it is just renewed?
The renewed SubCA will be trusted as it will be signed by the already trusted RootCA - that's how PKI works.
Never add the new SubCA certificate into your trust-store as it mustn't be explicitly trusted. It is only implicitly trusted because it's issuing CA (the Root in this case) is trusted. Remember that if you were to add it to the trust-store and you subsequently decided that the SubCA was compromised and therefore required revoking, you would have to manually remove it from all trust-stores - a laborious process.
Instead, you will need to give all subscribers this new SubCA certificate when you next renew their end-entity certificate so that they present the correct chain when relying parties connect (as required by the TLS protocol).
In the Windows world you can add it to the Intermediate CA store (not the Root CA store remember!) so that servers have it to hand when their end-entity certificate is renewed by the Sub CA. Windows will figure out which CA certificate to send when the end-entity certificate is renewed.
In the non-Windows world you have to read the documentation for the application to ascertain where the CA certificates should be installed. Quite often, they are appended to the file containing the end-entity certificate, but it can vary - so do check.
when some players enter our game, they meet this error in all browsers
We have changed the certificate recently. So I check one player's certificate on our game page,
It is the lastest certificate. So what may cause this problem? Should we do something after change the certificate?
EDIT1
Did CDN cache the certificate? After we refresh the CDN, some player can connect to the game immediately.
EDIT2
We found the player's browser has such an option "block unsafe certificate", when the option is enabled, he can't connect to the server and he can connect to server when the option is disabled. We export the intermediate certificate and send it to the player for import. After that, the player can play the game with the option selected.
EDIT3
Finally we found the intermediate certificate is right on the nginx side,but on the server side, the ca is missing. After add it, the websocket could work. And When I asked same question on another forum v2ex,I found a good way to test if the certificate chain is complete. you can visit the site and change the domain and port with your site.
https://cert.catbox.io/api/v1/queryChain?domain=s41001-ad-tanwan.zlgl.17tanwan.com&port=8085
If your server is correct, you will find the server side certificate and the intermediate certificate.If you can't find the intermediate certicate, you need to check your server config.
Your server https://s41001-ad-tanwan.zlgl.17tanwan.com/ provides only the last certificate in the chain, the actual certificate of the server.
This certificate is signed by the intermediate certificate from "RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1" that is valid since 2020-07-16.
If the clients have not updated their browsers/operating systems for some time, they don't have this intermediate certificate, and they report this as an invalid certification authority.
Put the intermediate certificate to the certificate file, and it should fix the problem, since the intermediate certificate is signed by the DigiCert root certificate, that is in the game since 2006. Everyone has it.
You run nginx, right? The ssl_certificate instruction in nginx accepts files with certificate chains. This file should have the server certificate first, then the intermediate certificate.
I have read through this post on signing a PowerShell script with a certificate. This is more on using external certificate from VeriSign (or similar) to encode and protect the code I have developed within a PowerShell script.
I am just trying to find out if this will actually work. I would expect the process to go as:
Purchase code-signing certificate from VeriSign
Install certificate on my computer
Sign the PowerShell script
Execute the script on desired device
Since this script would be signed with a external CA wouldn't Windows be able to authenticate the certificate since Windows trust VeriSign root CA? My guess would be since Windows has the root CA for VeriSign already and trust it, if I happen on a system that does not allow Internet access that the certificate will still be verified and allow me to run it?
That should work. I've never tried it, though, but your logic makes sense.
I looked at the cert store on my Win7 machine and it has an Oracle code signing cert issued by "Verisign Class 3 Code Signing 2010 CA". That CA is an intermediate CA. The root CA is "Verisign Class 3 Public Primary Certification AUthority - G5". That root CA is in Windows trusted root CA store. So what I gather from this is:
That yes you can do it - Oracle does it
Verisign does issue code signing certs, but they are signed with an intermediate CA.
This means Windows has to obtain this cert somehow. The Verisign
intermediate cert does have the "Authority Info Access" field which
is one way Windows can retrieve an intermediate cert. But the
machine would have to be able to access the internet.
An alternative (if internet access isn't available) is to install the intermediate cert on your users' machines. Could be part of an installer. I think that must be what Oracle did on my machine
For an Authenticode EXE, another alternative (if machine can't access
internet) is to make sure intermediate cert was embedded in the
authenticode signature in the EXE. However I don't know if
Powershell would support that.
As another confirmation you could call/email Verisign to verify their support.
Executing the script on desired device still requires you to set the execution policy to at least AllSigned on that device. And you will still get a question if you want to trust this publisher, unless you add the certificate to the device or the domain. See here.
Hi all
why apple has given link of entrust ssl ,is it necessary ?
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/CommunicatingWIthAPS/CommunicatingWIthAPS.html
see at first note:
Note: To establish a TLS session with APNs, an Entrust Secure CA root certificate must be installed on the provider’s server. If the server is running Mac OS X, this root certificate is already in the keychain. On other systems, the certificate might not be available. You can download this certificate from the Entrust SSL Certificates website.
Yes, the certificate is necessary to establish a TLS session with APNs.
But you don't need to buy a certificate from Entrust. (I guess this was what you thought, because there are huge $xxx for a certificate boxes on the Entrust website)
The APNs uses a secure connection to a server that uses a certificate from Entrust. And this connection would fail when the CA root certificate wouldn't be installed on your computer. All "regular" certificates are only valid if the root certificate is known to your computer. And this is the file that they want you to download.
But most likely the Entrust Secure CA root cert is already installed. I used APNs from Ubuntu, and Arch Linux, and I installed nothing from Entrust. This is from my arch install, all necessary root ca certificates are already there:
[root#dellbook certs]# ls /etc/ssl/certs/Entrust*
/etc/ssl/certs/Entrust.net_Global_Secure_Personal_CA.pem
/etc/ssl/certs/Entrust.net_Global_Secure_Server_CA.pem
/etc/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem
/etc/ssl/certs/Entrust.net_Secure_Personal_CA.pem
/etc/ssl/certs/Entrust.net_Secure_Server_CA.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority.pem
It appears that you don't have to buy one of the Entrust certificates; you just have to download the certificate authority certificate (which is free) from their website. Apple should have made this more clear. I found the current link to this, which may not work forever, but for now here it is: https://www.entrustdatacard.com/pages/root-certificates-download