Recently we received a notification that our public IPs have issues with the certificate assigned to them.
My questions are:
Can you assign an SSL/TLS certificate to a public IP?
Is the service provider the one who can implement the certificate?
THANKS IN ADVANCE FOR HELP!
Let me know if you need more detail about configuration.
I assume that you are talking about an SSL certificate.
Can you assign an SSL/TLS certificate to a public IP?
Absolutely not.
I am not a public CA and also not a trusted CA.
If I issue you a certificate, the certificate is not public and it is not trusted.
Is the service provider the one who can implement the certificate?
I assume the 'service provider' is a CA (Certificate Authority).
There are a lot of public CAs that are trusted on every major device, and they sell* certificates.
If you buy a certificate, the CA will immediately** issue you a certificate.
*You can only buy a certificate for a public IP address. No CA will issue a public IP certificate unless they get paid.
**Based on your selected certificate option. There are two options for public IPs: DV or OV.
A DV certificate will be issued immediately after you verify your public IP address.
OV will verify your public IP address and your organization/company.
If you are an individual, you can choose DV.
I'm studying Azure IoT Hub and trying to connect my device to IoT Hub with an X.509 certificate.
It worked with self-signed cert, but the official suggestion is to purchase a root CA cert from a trusted third party to sign device cert.
Get an X.509 CA certificate
I did some research, but couldn't find where to purchase.
Can you give me a link? And how much will it cost?
You probably don't want a root CA cert, as those are not available to anyone but the certificate authorities themselves.
What you seem to be looking for, is a certificate signed by a root CA.
You can get one from Let's Encrypt, or from any of the commercial CAs like Verisign, Thawte, etc.
A word of warning. If you purchase a certificate from a certificate authority that has been signed by a trusted root and you intend to use that to sign devices' X.509 certificates for authentication, make sure that you do not purchase an end entity certificate. That type of certificate is incapable of signing another certificate and will not work. Make sure the certificate you get is capable of signing other certificates.
AWS has its own CA, because AWS thinks security is important and they are capable of a decent cloud product implementation.
Microsoft on the other hand is more worried about selling defender security E5 licenses, so security implementations are weak or require premium licenses. No account expiring, no Azure CA for devices.
These third parties can fix your problem for IoT Hub:
https://www.globalsign.com/en/blog/integrate-microsoft-iot-azure-iot-hub-and-provisioning-service
https://www.deviceauthority.com/solutions/keyscaler-identities/
https://www.keyfactor.com/platform/iot-identity-platform/
We need to set up an EDI AS2 connection with a trading partner who doesn't accept self-signed certificates. As far as I know AS2 uses S/MIME certificates, also known as email certificates, right?
I assume all I need is to buy an email certificate from a trusted authority like SwissSign or DigiCert. But I wasn't able to find any product related to AS2. Furthermore, I'm confused about whether buying an email certificate is the right way, because in EDI AS2 communication there is no email address.
Has anyone experience with this and can point me to the right product/certificate to buy?
It isn't an "email certificate"; it is an X.509 certificate that you use to sign your messages with. I think you got confused because it mentioned MIME, which is used in email but isn't exclusive to it. It is the same as a certificate that you can use for SSL, but with AS2 people usually don't worry about getting a CA one, as it is cheaper to self-generate and send your trading partners the public key so they can verify you as the sender.
See AS2: Part 3 – Certificates
With AS2 we do not need a CA to trust the authenticity of the other party, because we have already secured its public certificate through another channel. This means it is a waste of time and money to get your AS2 public certificate signed by a CA.
Possibly, if your company already has a certificate used for a company web site, you could just use that for your AS2 as well.
When I use a self-signed certificate, I make a self-CA.cer and a server.cer; server.cer is for the web service and self-CA.cer is added in the client code. When I check the certificate, I check whether server.cer is from this self-CA.cer, right?
But if I buy a CA certificate, all I get is a server.cer generated by the CA, right? And the CA certificate can generate many server.cer files, and they are all trusted; what I get is one of these.
In my client code, others said I only need to change my http to https after I buy from a CA, that's it. But how can I distinguish which server certificate is from my own server? I only want to trust the server certificate from my own server.
if I buy a CA certificate
You can't buy a CA certificate (with small exceptions, which are not your case). You are purchasing an end-entity certificate, which cannot be used to sign other certificates. This is controlled by the Basic Constraints extension. Any standard validation code will reject any certificate that is signed by a non-CA certificate due to the Basic Constraints extension value (the isCA attribute is set to False).
RFC 5280 -- Basic Constraints
If you trust a CA you trust all certs they issue (unless expired or revoked) -- that's how PKI works.
If that CA issues certs to other sites/servers, and you make HTTPS (or otherwise SSL/TLS or DTLS) connections to those other sites/servers, you will trust their certs and thus trust them.
But if you mean you want to trust only the specific cert issued to your server for your server, that's automatic. The cert issued to your server has your domain name in it, while the certs issued to other servers have their (different) names, and an HTTPS client like a browser will only trust a cert that is issued by a trusted CA and has the correct server name in it, so it will trust only your cert for your server, and will trust other certs only for the other servers those certs are issued to.
For much more detail, see Stack's Great Ursine Epic https://security.stackexchange.com/questions/20803/how-does-ssl-work/
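As an added illustration of the two answers above (example code written for this page, not from the thread): Go's crypto/x509 verifier chains a server certificate to the one trusted root, refuses to chain through a certificate whose Basic Constraints cA flag is false, and then checks the server name. The CA name, host names and the helpers issue and verifyFor are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name, signed by parent (self-signed when parent is nil);
// isCA sets the Basic Constraints cA flag that separates a CA certificate from an end-entity one.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the server name a client checks (unused for the CA)
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the extension so the cA flag is explicit either way
		IsCA:                  isCA,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyFor trusts only root, offers inter (nil for none) as an intermediate, and checks leaf for host.
func verifyFor(leaf, inter, root *x509.Certificate, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)
	if inter != nil {
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root, rootKey := issue("ca.example.com", true, nil, nil)     // the trusted CA (constructed)
	mine, myKey := issue("www.example.com", false, root, rootKey) // the end-entity cert you buy
	other, _ := issue("other.example.com", false, root, rootKey)  // another customer of the same CA
	forged, _ := issue("www.example.com", false, mine, myKey)     // a cert signed by an end-entity cert
	fmt.Println(verifyFor(mine, nil, root, "www.example.com"))    // <nil>: trusted CA and correct name
	fmt.Println(verifyFor(other, nil, root, "www.example.com"))   // rejected: name does not match
	fmt.Println(verifyFor(forged, mine, root, "www.example.com")) // rejected: issuer is not a CA
}
```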
I have an architecture where there is a single root CA and multiple sub-CAs. Each sub-CA publishes certificates for devices in its "domain". Within each domain is a VPN gateway (Cisco router). I would like to determine if it is possible to devise a configuration where each domain's VPN gateway would be able to check whether the connecting device's certificate has been revoked, either at its own domain's sub-CA or at one of the other domains' sub-CAs. I'm also looking for the most efficient solution, which would require as little configuration as possible when adding new domains.
Thanks!
A CRL or OCSP response has the serial number of the revoked certificate in a list, which is signed by the issuing CA or OCSP responder. This ensures that when I revoke certificate serial no 123456789 on my CA that the certificate with the same serial number but issued by your CA isn't revoked instead. Certificate serial numbers, although long, aren't globally unique.
From a security perspective, the ability to revoke another CA's certificates would just cause mayhem and the consequences would be dire.
The only CA that can revoke a certificate is the one that issued it.
I'm using a self-signed certificate for a number of SSL connections. However, I have one connection that needs the cert to be CA authenticated.
Now, if I use the same self-signed certificate and create a certificate authority request
and import what I receive, will anything have to change on my existing direct-trust SSL connections?
What exactly will having the cert CA verified change?
If anyone has the same question: the answer is that the certificate signing request is used by the CA to generate a public key. This can then be used on the server as a CA verified cert.
Typically your application / server should have a location / import operation for this.