I am working on the VxWorks platform for enrolling certificates and developed the code in C. But now I want to add an API so that, before enrollment, I would be able to check the CA status (i.e. the remote CA machine). I should not have to provide a username and password for checking the status either. The CA can be single-, 2- or 3-tier. Please, can anyone help me?
I am implementing Windows Phone MDM using the Windows Phone 8 enterprise DM protocol. I succeeded in the Discovery phase and the Certificate Enrollment Policy web service. But in the Certificate Enrollment web service process I am facing a problem.
While creating the provisioning XML I embedded my domain CA and intermediate certificates. I also added the client certificate, for which I got the request from the device. I converted everything into base64 format and I am sending the response to the device (RequestSecurityTokenResponse). I am using the Fiddler tool to see the logs.
I am not getting any response from the device.
My doubts are: 1) what certificates do I need to use in the provisioning XML? 2) what is the client certificate?
I am using a valid SSL certificate, not a self-signed one. Do I still need any certificates?
Any advice would be greatly appreciated. Please guide me.
Finally, after one month, I succeeded in enrollment.
We have to use the Windows Phone Developer Power Tools for debugging.
For my questions, I am answering as below.
1) We have to use the root certificate (CA), i.e. a valid CA certificate. We need to sign the client certificate (from the device) with the server certificate and key certificate. Be careful about the fingerprint.
2) No extra certificates are needed for enrollment. The above two are mandatory.
I hope the above helps others.
I have read through this post on signing a PowerShell script with a certificate. This is more about using an external certificate from VeriSign (or similar) to encode and protect the code I have developed within a PowerShell script.
I am just trying to find out if this will actually work. I would expect the process to go as follows:
1. Purchase a code-signing certificate from VeriSign
2. Install the certificate on my computer
3. Sign the PowerShell script
4. Execute the script on the desired device
Since this script would be signed with an external CA, wouldn't Windows be able to authenticate the certificate, since Windows trusts the VeriSign root CA? My guess would be that since Windows already has the VeriSign root CA and trusts it, if I happen upon a system that does not allow Internet access, the certificate will still be verified and allow me to run it?
That should work. I've never tried it myself, but your logic makes sense.
I looked at the cert store on my Win7 machine and it has an Oracle code-signing cert issued by "Verisign Class 3 Code Signing 2010 CA". That CA is an intermediate CA. The root CA is "Verisign Class 3 Public Primary Certification Authority - G5". That root CA is in the Windows trusted root CA store. So what I gather from this is:
That yes, you can do it - Oracle does it.
Verisign does issue code-signing certs, but they are signed with an intermediate CA.
This means Windows has to obtain this cert somehow. The Verisign intermediate cert does have the "Authority Info Access" field, which is one way Windows can retrieve an intermediate cert. But the machine would have to be able to access the internet.
An alternative (if internet access isn't available) is to install the intermediate cert on your users' machines. It could be part of an installer. I think that must be what Oracle did on my machine.
For an Authenticode EXE, another alternative (if the machine can't access the internet) is to make sure the intermediate cert was embedded in the Authenticode signature in the EXE. However, I don't know if PowerShell would support that.
As another confirmation, you could call/email Verisign to verify their support.
Executing the script on the desired device still requires you to set the execution policy to at least AllSigned on that device. And you will still get a question asking whether you want to trust this publisher, unless you add the certificate to the device or the domain. See here.
Basically, our iOS app needs to communicate with a server which has a self-signed certificate for now. In my app, the HTTPS request is failing with an untrusted server certificate, which is understandable. The error is like this:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “my host name here” which could put your confidential information at risk."
So I sent the self-signed certificate via email to the iOS device and imported it into the profiles, hoping that it would be used as a root CA for HTTPS authentication. To my surprise, it is not, and I am still getting the same error. I think that iOS would by default use the root CAs in the keychain to validate the server certificate, and from what I read, certificates imported via profiles are in the keychain as well. So I could not understand why my imported self-signed certificate is not used as a root CA.
At this point, I don't really want to trust this self-signed certificate in code, as in "iOS authenticate HTTPS with self-signed certificate" or "In iOS, how to connect to a server using https with self-signed certificate on the server?", since this won't work in the customer case, where they would install our server on their network and could create their own self-signed certificate.
Somehow I didn't really get much information around this from searching. Could anyone shed some light here on what I need to do to debug this? Thanks very much.
Update on July 15:
More updates around this. I also tried to use a configuration profile to add a self-signed CA to the root CAs on the iOS device by following "Adding Trusted Root Certificate Authorities to iOS"; from my testing on a 6.0 iPad and iPhone, it doesn't work either. So I'm not sure whether that only works on a jailbroken device or not. In the end, I ended up allowing the user to import a self-signed certificate into the app. The app would load such an imported certificate for certificate verification, similar to "In iOS, how to connect to a server using https with self-signed certificate on the server?". Hope that it helps others in this case.
Looking at the first tutorial you linked to, you should be able to use that, or some more advanced form of it. Once you have tested it and have it working, all you have to do for a client to create and add their own certificate is to override/replace the localhost.cer file in the app's folder where the file localhost.cer (or whatever naming scheme you use) is located. There are many ways to do this, but one could be telling the app a link where the certificate is available online for download and, once downloaded, replacing it.
Any questions, I'll try to help further, but I hope this helps you in the right direction.
I would like to ask for help in this matter.
I work in a software company and we're writing a client-server application (a system for document circulation). It will be delivered as a complete solution in two distributions: client and server.
One of the requirements is that the client and server must exchange information in encrypted form.
We decided to use SSL, but have some questions:
If we use self-signed certificates, then we must generate a certificate pair on the server side, but how does the client know the server certificate? I want to install all required certificates during installation, but the server certificate is defined only at server installation.
If we ship the client and server installers with a hard-wired server root certificate signed by our company certificate in both the server and client installer, then one of our company's clients could create a new certificate signed by the certificate that our certificate signed, i.e. one that chains up to our company certificate as the root - that is bad.
How can we solve this problem?
I want to ship two distributions to the client, client and server, and after installation they should be able to establish a secure channel to exchange information, and the user should not need to install any certificate manually.
Notably, this is a complete product; we want to sell it to different companies, and these companies must have different certificates.
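The Authenticode thread above (does the intermediate have to be installed, fetched over AIA, or embedded?) and this question about shipping certificates with a client/server product turn on the same chain-building mechanics, so here is one added example that covers both. It is not code from any of the posts; it assumes only a POSIX shell with the openssl command-line tool, and every name in it (Vendor Root, Customer A, Customer B, the hostnames) is made up. It builds a three-tier chain and shows that a leaf does not verify when only the root is trusted and the intermediate is absent, which is exactly the gap the answer above fills by installing, fetching or embedding the intermediate (for PowerShell scripts, Set-AuthenticodeSignature -IncludeChain All embeds it in the signature block). It then shows why a single vendor-wide root lets one customer mint certificates that another customer's client accepts, and what an installation-specific root, generated when the server is installed, changes. The last lines print the SHA-256 fingerprint a client installer can pin and write the DER .cer file that the iOS answer earlier on this page bundles with the app.

```shell
#!/bin/sh
# Added example, not taken from any post above. Assumes only the openssl CLI.
# Names (Vendor Root, Customer A/B, hostnames) are hypothetical.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Self-contained openssl config so the script does not depend on a system openssl.cnf.
cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# new_root STEM CN: self-signed CA (private key in STEM.key, certificate in STEM.pem).
new_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config x.cnf -extensions v3_ca -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue STEM CN ISSUER_STEM SECTION SERIAL: create a CSR and sign it with an existing CA.
# The second command is also what signing a device-generated CSR looks like in the
# MDM thread above, with the device's request in place of STEM.csr.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config x.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$5" \
    -days 30 -sha256 -extfile x.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# chain_check TRUSTED_ROOT LEAF [INTERMEDIATE]: prints OK or FAIL.
# The optional -untrusted file plays the role of an intermediate that was installed
# on the machine, fetched via AIA, or embedded in the signature.
chain_check() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# --- three-tier chain: vendor root -> Customer B's intermediate CA -> B's server ---
new_root vendor "Vendor Root"
issue custB_ca  "Customer B CA"           vendor   v3_ca   1001
issue custB_srv "docs.customer-b.example" custB_ca v3_leaf 2001

echo "root only, intermediate missing:  $(chain_check vendor.pem custB_srv.pem)"               # FAIL
echo "root plus intermediate:           $(chain_check vendor.pem custB_srv.pem custB_ca.pem)"  # OK

# --- why one vendor-wide root is bad: B's CA mints a certificate in A's server name ---
issue rogue "docs.customer-a.example" custB_ca v3_leaf 2002
echo "A's client trusting vendor root:  $(chain_check vendor.pem rogue.pem custB_ca.pem)"      # OK (bad)

# --- fix: every installation gets its own root, generated at server install time ---
new_root custA "Customer A Root"
echo "A's client trusting its own root: $(chain_check custA.pem rogue.pem custB_ca.pem)"       # FAIL (good)

# What the client side pins, handed over by the same customer out of band:
openssl x509 -in custA.pem -noout -fingerprint -sha256
# DER form of that root, e.g. to bundle with a mobile app as in the iOS answer above.
openssl x509 -in custA.pem -outform DER -out custA.cer
```

Run it as sh chain-demo.sh; it works in a temporary directory and removes it on exit. Mapped onto the product design: the server installer runs the new_root step, the client installer receives that root (or at least its fingerprint) from the same customer out of band, and nothing signed by the vendor is in the trust store at all, so no customer can issue certificates that another customer's clients accept.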
My iOS app is in development right now and the services we connect to are using a cert that is signed by our internal (company) CA. My app in many places calls secure web services using synchronous requests. It would be a large effort to switch to async and handle the cert challenge to manually accept certs from our domain.
What I would like to do is add our CA root cert to our team's provisioning profile so that it is recognized, just in development, as a trusted CA. Can someone help me do this, please?
If this is not possible, does anyone have any suggestions? Here are the options I see, from best to worst.
1. Add the internal CA root cert to the trusted CAs in the dev provisioning profile.
2. Buy a cert (don't want to do this because our deployment server already has a valid cert, and I don't want to waste money on a cert that I just need in our dev/test environments).
3. Switch to the ASI framework to bypass challenges (don't want to do this because it makes my app less secure. My code is correct and secure as is, but I cannot test in dev/test. I don't want to make my app worse just so that I can test in my dev env.)
4. Switch to async requests and handle challenges by accepting all certs from my domain (also don't want to make code changes to working code. Also, it is a huge effort for us to switch to async, and we don't have the time).
All help is appreciated! Thanks.
Well, I decided to go with 2 and just turn SSL off for our internal machines. Not the ideal solution, but I couldn't find a better one.