I am new to certificates. I am learning about certificates using Google. I have an overview about certificates. Now I've started going through SCEP.
Before starting it I am trying to get to know how SCEP is used in real world. In Google I couldn't find the exact use cases for it.
Can anyone help me on this?
You can check the following links..
For full information on SCEP
Visit https://datatracker.ietf.org/doc/html/draft-nourse-scep-18#page-5
Highlevel information on SCEP
visit http://www.slideshare.net/iveslaaf/3-scep
Related
I have been working on this task to sign a CSR (generated by third party) to be signed by a root CA, which is stored in a token. Sounds like a straightforward job, except that there is a requirement to add a set of extensions as well as subject alternative name to the certificate based on the specification. Since there is no way to alter the CSR to include these information, I assume this should be done during the signing process. However, I have spent lots of time reading the documentations of certutil and certreq to no avail. There seems to be no way to add information for an existing CSR.
Additional information: This has to be done using Microsoft CA due to the limitation of the security token, so OpenSSL is out of question.
I hope someone can help me in this tricky task.
Yes it is possible, check out he below link it is a good starting point
http://blogs.msdn.com/b/alejacma/archive/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c.aspx
In my web based application I'm looking for a way that enables only
some of the user to connect how have special client certificate installed
on their browser.
I'm very new to this field and already searched it on Google but all resources found are confusing and failed to provide what should be done to setup this kind of structure, I'm just looking for any expert who have ground knowledge on this any education links and articles suggested are welcome.
You are probably looking for two-way (or mutual) authentication with TLS.
Here is a step-by-step guide for a manual trial on Linux-derived systems.
I have been looking for a way to protect my RESTful APIs. This appeared simple, but it seems to not be so simple. First off, I am writing an iOS app connecting to a Play Framework server. None of this has anything to do with Google, Facebook, Twitter, or LinkedIn (shocking I know). Oh, and my current plans do not require custom apps to use my APIs, its just my apps for the time being.
Basic Authentication
What appeared to be simple was a basic user/pass on a /auth method managing a cookie session. That may draw some groans as being too simple or weak but mostly it moved identity to a session key quickly verified. My initial setup was to expire the sessions every day, but that lead to the iOS app forcing a login daily proving to be an annoyance.
OAuth
I posted a question on an iOS board and received a blunt direction towards OAuth. My research of OAuth began but holy sh*t is that complicated and there does not seem to be any server side examples... just plenty of people complaining about how frustrating it is. All the client examples show connecting to Google, Facebook, Twitter, and LinkedIn. Oh Joy!
After watching Eran Hammer's rant about OAuth1 and OAuth2, it seemed fruitless to continue and his OZ idea (which looks really clean) is only at the early stages in node.js.
Question
So, my question to the broad StackOverflow community is... what do you do for securing your REST APIs?
I'd suggest to consider approach used by biggest players i.e. Amazon Web Services or Windows Azure - HMAC. Although it isn't comfortable in implementation, as you can see it's trusted technique.
The general idea is to sign the request's parts (i.e. headers) in the iOS with secret key and try to recalculate it on the Play app to verify that request is authentic and not manipulated. If it won't fail, you can be (almost) sure, that was sent from somebody, who uses valid secret key.
Take a look into Windows' document to get the concept (I think that for common task, you can use the less number of elements used for signing).
There is also other interesting post (based on AWS authentication) which describes whole process even better.
Edit
Of course you should realize that authentication in iOS and securing API requests are different things, even if you'll expire your session every 15 minutes, you can't be sure that somebody won't overhear it and then will be able to send a fake request from the outside. Signing every request should minimize the risk.
On the other hand, if you'll prepare clear rules for signing the requests and will write short doc (which I recommend even for yourself), you can deliver it to the other developer and he'll be able to implement it in (almost) any platform supporting SHA256, so you will have API ready for using from 3-rd party apps - if you'll decide to publish it in the future.
Since Play Framework is in Java, you could use Apache Shiro
I haven't used it yet.. (I am planning to though) So I don't know if it's the best option.
Just do something simple, send the authorization code / password in a custom header over HTTPS .
So the only problem with the Basic Authentication approach was that the user has to login every day? Why not offer the user an option to save his username/password on the device? That way he can choose between security and convenience.
here is a old version:https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
I need to do the same with that latest version of CAS i.e. 3.5 . Can anyone provide me the steps for the same
We are doing now basically what you're asking here in my company. We have a Sharepoint website that in background is using the RESTful services for doing the real login. I wrote some posts about them in my blog and recently we used it to get access from a iOS application which contains a link to a sample program.
Important!!! We have a modification in our CAS that offers the possibility to use it for more than one domain. So wherever you find a reference to something called "Domain" in my samples just remove it, as it will not work on standard CASes
Here is a nice solution to your problem.
Just enable restful access.
How to fetch the expiry date from PKCS12 certificate using iOS security framework?
Alternately can I use openssl? if yes, please point me towards relevant API's
Thanks
Great question! If I were doing this coding, I would first try to think of a solution using Keychain Services.
First, you'd need to fetch the keychain item. Say, via `SecItemCopyMatching()'.
This returns a reference to the found items. Preferably a SecCertificateRef (which is described more in detail in Apple's Keychain Services Reference guide).
I don't see an easy way to explicitly fetch the metadata (or expiration date) from a SecCertificateRef off the top of my head. There's a code snippet I found on books.google.com from "IOS 5 Programming Pushing the Limits: Developing Extraordinary Mobile Apps" called "Checking Certificate Validity" (pages 218 & 219 -- I've linked it for you) which basically checks to see if a certificate allows usage based on matching keys (in their example, it's the subject or domain name; for you, it would be the expiration date). Their technique may help you out.
As for using OpenSSL, I found an answer where you can come up with the expiration date from the command line using the openssl tool. If you can get a handle to your certificate, I'm pretty certain this can be done programmatically as well.