I'm using Ejbca as Certification Authority management system. The private keys and public keys store in HSM furthermore a self-signed certificate stores in hsm while storing the private key and public key
I want to know how to store the CA certificate instead of that self-signed certificate or manually import CA certificate to hsm
any advice is appreciated
I'm using Ejbca 6.0.4 and the hsm is SafeNet Protect Server
Related
I have a CA pairkey and I need to sign a client pairkey for client authentication. I am using keytool for this. Based on this I have created a .p12 pairkey for my client. Then I create a CSR and then I sign it to have a .cer file.
My problem is that I want to "update" the cert in the p12 with this signed certificate. Basically, I need to import the keypair into the Personal Certificates for client authentication, but Windows will accept the p12 (which is not signed) and not the .cer (since it has no private key).
How can I update the p12 with the new signed public cert? Thanks.
NOTE: I prefer not to have any intermediate cert and I don't want to use OpenSSL, I need to use keytool
EDIT - By the way, when I try to import the signed certificate into the .p12 I get a keytool error: java.lang.Exception: Failed to establish chain from reply
EDIT - This link and this link seem to address my problem, but it is using OpenSSL and other tools, not keytool.
I was working on a sample TLS client/server program to perform certificate validation.
For a self signed certificate validation, these are the steps i followed.
#server side:
Generated a server key file serverkey.key
Generated a CSR certificate servercert.csr from the key file.
Digitally signed(using openssl x509 utility) the servercert.csr using a
generated rootCA.key and rootCA.cert. server certificate file servercert.cert
is generated.
Loaded the certificate file(servercert.cert) and key file(serverkey.key) using
SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey openssl apis.
#client side:
Loaded the server ca-file --> rootCA.cert (which was manually copied to the
client) using the SSL_CTX_load_verify_locations api.
Using the SSL_get_verify_result() api validated the certificate that server
sends in the Certificate message.
The question that i have is that if i use a trusted CA(like godaddy) to sign a server CSR certificate, will the CA be providing its public key file (something similar to rootCA.cert) as well which was used for signing ?
By which i can load the same to the trusted list at client side using SSL_CTX_load_verify_locations api.
My intention is to keep the code unchanged regardless of being a self signed certificate or a valid CA provided certificate.
When (any) x509 certificate is generated, these things happen:
Private key is generated
Public key (associated with the private key mentioned above) is embedded in the new certificate (becomes an integral part of it)
The new certificate is signed using private key of the issuer (read: CA)
In order to verify the certificate integrity (to check if nobody tampered with it) - you need to verify the signature (created using issuer's private key - see 3)). To be able to do it you need to obtain (somehow) the issuer's public key. This key is embedded in the issuer's certificate (see 2)). Usually the trusted CAs' certificates are stored in so called trusted certificate store. In case of OpenSSL you specify this "store" by using SSL_CTX_load_verify_locations function (and a few other simmilar functions - consult OpenSSL documentation).
To summarize:
In your case the location pointed by SSL_CTX_load_verify_locations should contain your CA's certificate(s) - all of them - the whole certificate chain up to the self-signed root certificate. You can obtain all of the certificates in the chain from your CA (in your case GoDaddy).
I hope that helps.
If I can clarify anything more please ask.
Let's say we have a server only running REST API services, only on HTTPS.
The only consumer of the APIs is a mobile app.
Do we need certificate from CA or a self signed certificate is enough?
You will need to use a CA certificate. Otherwise, each mobile client will have to manually set your certificate as trusted.
You can potentially embed the certificate as trusted in the mobile app itself (assuming you distribute the app), however it will be a problem when the time comes to renew the certificate, or rekey/replace the certificate for whatever issue.
Using a globally trusted certificate is the way to go.
You can :
Keep a self-signed certificate, but then you have to pin the certificate, and you can't revoke it if the private key is compromised.
Use a home made certificate authorities, but then you have to pin the certificate, and manage the revocation process (maintain an OCSP or CRL).
Use a certificate from a trusted CA, revocation will be checked for you, and if you want additional security, you still can pin the certificate.
In my opinion, the use of a trusted CA is more secure and more simple.
From ADFS and ADFS 2.0 perspective is it possible to register Service Provider metadata that is using certificate (public key) that is not issued by signing authority ? I mean on self signing certificate.
Yes - you can use a self-signed certificate for the SP and that certificate is reflected in the SP metadata.
So you can generate it with the Java keytool etc.
Also ensure that you generate the certificate for a reasonable period - at least a year otherwise you will have to co0ntinually update the metadata on the ADFS side.
It should not be as described in following document -
Certificate Requirements for Federation Servers in section Determining your CA strategy
"ADFS does not require that certificates be issued by a CA. However, the SSL certificate (the certificate that is also used by default as the service communications certificate) must be trusted by the ADFS clients. We recommend that you not use self-signed certificates for these certificate types."
I'm using a self signed certificate for a number of SSL connections. However I have one connection that needs the cert to be CA authenticated.
Now if I use the same self signed certificate and create a certificate authority request
and import what I receive, will anything have to change on my existing direct trust SSL connections ?
what exactly will having the cert CA verified change ?
If anyone has the same question. The answer is that the certificate signing request is used by the CA to generate a public key. This can then be used on the server as a CA verified cert.
Typically your application / server should have a location / import operation for this.