Increasing the expiry date of automatic certificate rollover in ADFS 2.0 - single-sign-on

In a new implementation, we had a requirement to increase the certificate duration from the default one year to a bigger number in ADFS 2.0. Is there an easy way to do this?

This blog gives a detailed explanation of self-signed certificates and the pros/cons of using them.
Use the command below (excerpt from the blog) to increase the certificate duration to 3 years (1095 days):
Set-AdfsProperties -CertificateDuration 1095

Usage of nbf in JSON web tokens

nbf: Defines the time before which the JWT MUST NOT be accepted for processing
I found this definition of nbf in JSON web tokens. But I am still wondering what the usage of nbf is. Why do we use this? Does it relate to security?
Any idea would be appreciated.
It definitely is up to how you interpret the time.
One possible scenario I could make up is literally when a token must last from some particular point in time until another point in time.
Say you're selling some API or resource, and a client purchased access that lasts for one hour and starts tomorrow at midday.
So you issue a JWT with:
iat set to now
nbf set to tomorrow 12:00 pm
exp set to tomorrow 1:00 pm
There is one more thing to add to what #zerkms said: if you want the token to be usable from now, then
nbf also needs to be the current time (now).
Otherwise you'll get an error like "the token cannot be used prior to this particular time".
It can be given a time of 3 seconds from the time of creation to avoid robots and allow only human users to access the API.
'nbf' means 'Not Before'.
If nbf=3000, then the token cannot be used until 3 seconds after creation. This makes a brute force attack nearly impossible.
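As an added example (not code from any of the posts above), here is a minimal HS256 JWT issuer and verifier in Python that enforces nbf and exp the way RFC 7519 defines them: both are absolute NumericDate values (seconds since the Unix epoch), compared against the verifier's clock with an optional leeway for skew. The key, the subject and the timestamps encoding the "access starts tomorrow at noon and lasts one hour" window from the answer are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the original post): a key and the
# "access starts tomorrow at noon, lasts one hour" window from the answer.
DEMO_KEY = b"constructed-demo-hmac-key"
ISSUED_AT = 1_700_000_000          # iat: when the token is minted
STARTS_AT = ISSUED_AT + 86_400     # nbf: one day later (the "tomorrow 12:00" slot)
ENDS_AT = STARTS_AT + 3_600        # exp: one hour after nbf


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str, key: bytes, now: int, leeway: int = 0) -> dict:
    """Verify the signature first, then enforce nbf/exp at time `now`.

    nbf and exp are NumericDate values (seconds since the Unix epoch, RFC 7519),
    so the checks are absolute comparisons, with `leeway` absorbing clock skew.
    """
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":        # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid (nbf)")
    if "exp" in claims and now - leeway >= claims["exp"]:
        raise ValueError("token expired (exp)")
    return claims


def demo_token() -> str:
    """The window token from the answer: iat=now, nbf=tomorrow noon, exp=an hour later."""
    claims = {"sub": "customer-42", "iat": ISSUED_AT, "nbf": STARTS_AT, "exp": ENDS_AT}
    return encode_jwt(claims, DEMO_KEY)


def try_decode(token: str, key: bytes, now: int, leeway: int = 0) -> str:
    """Return 'ok' when the token is accepted at `now`, otherwise the rejection reason."""
    try:
        decode_jwt(token, key, now, leeway)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    tok = demo_token()
    for when in (ISSUED_AT, STARTS_AT - 30, STARTS_AT, ENDS_AT - 1, ENDS_AT):
        print(when, try_decode(tok, DEMO_KEY, when),
              "| with 60s leeway:", try_decode(tok, DEMO_KEY, when, leeway=60))
```

The signature is checked before any claim is read, and the algorithm is pinned in the verifier rather than taken from the header, so a forged header cannot switch the check to a weaker or absent algorithm. Leeway is the knob to turn when legitimate clients are rejected with "not yet valid" because their clock is slightly behind the issuer's; a few tens of seconds is usual.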

Progress database one time password

I am using Progress 4GL and the Progress database.
I need a one-time password procedure for security purposes.
Do you have any idea?
I need two options: how can I generate a random password, and what is the process method?
My Progress version is 10.2B on the Windows platform.
My project is processing financial transactions. The client and server sides should produce the password according to a specific algorithm (for example, every 1 to 3 minutes). The generated passwords should continue with the same client process.
Mr. Hikmet, I could not understand the question. Are you asking for code help on how to do it, or are you asking how to set up the logic?

Certificate Revocation List

There are many fields in a certificate revocation list (CRL), like algorithm, parameters, issuer name, this update date, next update date, user certificate serial #, etc. While I understand the purpose of most of the fields, what is the purpose of the "next update date" field in a certificate revocation list?
See RFC 5280: http://www.ietf.org/rfc/rfc5280.txt
Roughly, it is the latest date by which the next CRL / version of the CRL will be published.
This is the expiry date. Beyond this date this CRL is no longer valid.
It is called "next update" because in normal operation the CRL is supposed to be updated regularly.

PKI client behavior when delta CRL has expired

I have an internal Windows Server 2012 Enterprise Root CA and a couple of CDPs. I am trying to ensure a .NET client application running on Windows Server 2012 does not fail when it builds a certificate chain because the CRL and Delta CRL files it uses as part of the process have expired.
So far it seems like a possible solution would be to have overlapping CRLs issued, to extend the time during which a failure preventing base CRL publishing can kill an app depending on them (I am still looking for a detailed/non-theoretical explanation of how exactly that is done; if you have examples, please let me know).
Another possible solution (or even in combination with overlapping CAs) would be to have a long CRL publication interval (e.g. 2 weeks) and a short delta CRL interval (e.g. 1 hour). The question here is: what happens in a scenario like this?
A client has cached the Base and Delta CRLs
For one reason or another the Delta CRL cannot be published to the CDPs for, let's say, 6 hours: way past the validity of the Delta CRL, but (in most cases) before the Base CRL has expired
After an hour or so (provided the Delta CRL is published every hour) the last successfully published Delta CRL would have expired, so the only valid one (for some time) would be the Base CRL. Would the client then continue processing since it has cached the Base CRL? Or would it fail? The closest explanation I have found is from this old article: "If a valid base CRL exists and is available, but no delta or time valid delta is available, the certificate chaining engine returns a warning that no delta CRL is available". It seems the client should continue processing and not throw an exception, and that makes sense, but this is a very old article and I would feel more comfortable with something more up-to-date... :)
So, bottom line, does the above article still hold for modern systems? And if you have any detailed info on how to set up overlapping CRL publishing on a Windows Server 2012 Enterprise CA, please share... :)
Thanks!
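An added model in Python (not code from any post above) of the two points raised in the last two questions: nextUpdate is the instant at which a cached CRL stops being usable, and what a client can do when a delta CRL has gone stale while its base is still time-valid. The timeline, serial numbers and CRL numbers are constructed. The handling of the base-valid/delta-stale case follows the description in the article quoted in the question (use the base on its own and raise a warning) and is not a claim about what any specific chaining engine does. The `overlap` parameter models "overlapping CRLs": nextUpdate is set later than the next scheduled publication, so a late publication does not immediately leave the cache without a time-valid CRL.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

HOUR, DAY = 3_600, 86_400
T0 = 1_700_000_000   # constructed epoch for the timeline below


@dataclass(frozen=True)
class CRL:
    crl_number: int                 # CRL Number; base and delta CRLs share one increasing sequence
    this_update: int
    next_update: int                # nextUpdate: the CRL is treated as stale from this instant on
    revoked: FrozenSet[int]         # serial numbers listed as revoked
    base_crl_number: Optional[int] = None   # Delta CRL Indicator: set only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None

    def time_valid(self, now: int) -> bool:
        return self.this_update <= now < self.next_update


def publish(number, at, interval, overlap, revoked, base_number=None):
    """Issue a CRL whose nextUpdate is padded by `overlap` beyond the next scheduled
    publication, so the previous CRL is still usable if the next one is late."""
    return CRL(number, at, at + interval + overlap, frozenset(revoked), base_number)


def newest_valid(crls, now):
    valid = [c for c in crls if c.time_valid(now)]
    return max(valid, key=lambda c: c.crl_number) if valid else None


def revocation_status(serial, cache, now):
    """Return (status, warning) for `serial` from the cached CRLs at time `now`.

    Models the behaviour the quoted article describes: a time-valid base with no
    time-valid delta is used on its own and produces a warning; with no time-valid
    base at all the status is undetermined and a client that requires revocation
    checking has to fail closed.
    """
    base = newest_valid([c for c in cache if not c.is_delta], now)
    if base is None:
        return "undetermined", "no time-valid base CRL"
    # Simplified applicability rule: a delta applies to a base whose number lies between
    # the delta's base indicator and the delta's own number.
    applicable = [c for c in cache
                  if c.is_delta and c.base_crl_number <= base.crl_number < c.crl_number]
    delta = newest_valid(applicable, now)
    revoked = set(base.revoked)
    warning = None
    if delta is None:
        warning = ("no time-valid delta CRL; revocations newer than base CRL %d are not visible"
                   % base.crl_number)
    else:
        revoked |= delta.revoked
    return ("revoked" if serial in revoked else "good"), warning


def demo_cache():
    """Constructed timeline: base CRLs every 14 days with 3 days of overlap, deltas hourly
    with 10 minutes of overlap; delta publication stops after hour 2 of the second period."""
    base1 = publish(10, T0, 14 * DAY, 3 * DAY, {0x1001})
    base2 = publish(20, T0 + 14 * DAY, 14 * DAY, 3 * DAY, {0x1001, 0x1002})
    deltas = [
        publish(21, T0 + 14 * DAY + 0 * HOUR, HOUR, 600, set(), base_number=20),
        publish(22, T0 + 14 * DAY + 1 * HOUR, HOUR, 600, set(), base_number=20),
        publish(23, T0 + 14 * DAY + 2 * HOUR, HOUR, 600, {0x2002}, base_number=20),  # revoked at hour 2
    ]
    return [base1, base2] + deltas


if __name__ == "__main__":
    cache = demo_cache()
    for label, when in (("delta fresh", T0 + 14 * DAY + 9_000),
                        ("delta stale, base fresh", T0 + 14 * DAY + 5 * HOUR),
                        ("everything stale", T0 + 40 * DAY)):
        print(label, revocation_status(0x2002, cache, when))
```

The second query shows the real cost of an expired delta: serial 0x2002 was revoked only in the delta, so while the base is used on its own the client reports it as good. A short delta interval therefore needs monitoring of delta publication rather than reliance on the warning alone, and the base CRL's overlap should cover the longest publication outage you are prepared to tolerate; the query at day 29, after the third base CRL failed to appear on day 28, still resolves because base 20 remains valid until day 31.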

How to determine the root of a certificate?

My root certificates are stored as several files in ASN.1 format.
Assume I have a chained end entity certificate in the same format. How do I efficiently determine the root certificate of this certificate?
Currently I take a brute-force approach which extracts the public key of the end entity certificate and validates it against all root certificates, and the first match is considered the root certificate. Is this the right approach?
To find the issuer of a certificate, you should use the "Issuer DN" and match it with the "Subject DN" of the certificates in your CA store. This should significantly reduce the number of signature verifications.
It is possible to have different CA certificates with the same "Subject DN" (with different public keys, validity dates, etc.), so your algorithm should be prepared to handle that. The "Subject Key Identifier" and "Authority Key Identifier" can also help to reduce the number of candidates.
Finding the issuing authority is only a small part of the "right approach" to validating certificates. I would advise you to look at section 6 of http://www.ietf.org/rfc/rfc5280.txt, "Certification Path Validation". Some parts are most probably overkill (i.e. most things having to do with policies).
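An added Python example (not code from the thread) of the candidate narrowing the answer describes: filter the store by Issuer DN = Subject DN, narrow further by AKI = SKI, verify signatures only over the survivors, and walk up to a self-signed anchor, counting verifications along the way. The PKI is constructed: a root that has been re-keyed (two self-signed certificates sharing one Subject DN, the case the answer warns about), an issuing CA under the new root key, and a leaf. Signatures use a deliberately toy textbook-RSA stand-in over products of Mersenne primes so the logic runs offline without a crypto library; in a real store the platform's X.509 signature check with the candidate's public key goes at the same point. All names and key identifiers are made up.

```python
import hashlib
from dataclasses import dataclass

E = 65537
# Constructed toy keys: textbook RSA over products of Mersenne primes. They only stand in
# for the real signature algorithms so the chain-building logic below is exercised.
_M31, _M61, _M89, _M107, _M127, _M521 = (2**31 - 1, 2**61 - 1, 2**89 - 1,
                                         2**107 - 1, 2**127 - 1, 2**521 - 1)


def _keypair(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))    # (public modulus n, private exponent d)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")  # truncated to fit the toy moduli


@dataclass(frozen=True)
class Cert:
    subject: str     # Subject DN
    issuer: str      # Issuer DN
    ski: str         # Subject Key Identifier
    aki: str         # Authority Key Identifier (the issuer's SKI)
    pubkey_n: int    # toy public key
    sig: int         # issuer's signature over tbs()

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.ski}|{self.aki}|{self.pubkey_n}".encode()


def make_cert(subject, ski, pubkey_n, issuer_subject, issuer_ski, issuer_priv):
    """Sign a certificate with the issuer's private key; AKI is set to the issuer's SKI."""
    n, d = issuer_priv
    draft = Cert(subject, issuer_subject, ski, issuer_ski, pubkey_n, 0)
    return Cert(subject, issuer_subject, ski, issuer_ski, pubkey_n, pow(_digest(draft.tbs()), d, n))


def verify(cert: Cert, issuer_pubkey_n: int) -> bool:
    return pow(cert.sig, E, issuer_pubkey_n) == _digest(cert.tbs())


def find_issuer(cert, store, stats):
    """Narrow by Issuer DN == Subject DN, then by AKI == SKI, and only then verify signatures."""
    candidates = [c for c in store if c.subject == cert.issuer]
    keyed = [c for c in candidates if c.ski == cert.aki]
    if keyed:                       # a re-keyed CA has several certs under one Subject DN
        candidates = keyed
    for c in candidates:
        stats["verifications"] += 1
        if verify(cert, c.pubkey_n):
            return c
    return None


def build_path(leaf, intermediates, roots, max_depth=5):
    """Walk issuer links up to a trust anchor. Returns (path leaf..root, stats) or (None, stats).
    Finding the anchor is only the first step: RFC 5280 section 6 validation (validity dates,
    basicConstraints, key usage, name constraints, revocation) still has to run over the path."""
    path, stats = [leaf], {"verifications": 0}
    for _ in range(max_depth):
        issuer = find_issuer(path[-1], roots, stats)
        if issuer is not None:
            return path + [issuer], stats
        issuer = find_issuer(path[-1], intermediates, stats)
        if issuer is None or issuer in path:
            return None, stats
        path.append(issuer)
    return None, stats


def brute_force_root(leaf, roots, stats):
    """The approach from the question: try every trust anchor's key against the leaf signature."""
    for r in roots:
        stats["verifications"] += 1
        if verify(leaf, r.pubkey_n):
            return r
    return None


# Constructed demo PKI: a root CA that was re-keyed (two self-signed certs, same Subject DN,
# different keys and SKIs), an issuing CA under the new root key, and a leaf.
_ROOT1_PRIV, _ROOT2_PRIV, _ISSUING_PRIV = (_keypair(_M61, _M89), _keypair(_M31, _M127),
                                           _keypair(_M107, _M521))
ROOT_DN, ISSUING_DN, LEAF_DN = "CN=Demo Root CA", "CN=Demo Issuing CA", "CN=app.example.test"
ROOT_GEN1 = make_cert(ROOT_DN, "root-key-1", _ROOT1_PRIV[0], ROOT_DN, "root-key-1", _ROOT1_PRIV)
ROOT_GEN2 = make_cert(ROOT_DN, "root-key-2", _ROOT2_PRIV[0], ROOT_DN, "root-key-2", _ROOT2_PRIV)
ISSUING = make_cert(ISSUING_DN, "issuing-key-1", _ISSUING_PRIV[0], ROOT_DN, "root-key-2", _ROOT2_PRIV)
LEAF = make_cert(LEAF_DN, "leaf-key-1", 0x10001, ISSUING_DN, "issuing-key-1", _ISSUING_PRIV)  # placeholder leaf key
ROOTS, INTERMEDIATES = [ROOT_GEN1, ROOT_GEN2], [ISSUING]

if __name__ == "__main__":
    path, stats = build_path(LEAF, INTERMEDIATES, ROOTS)
    print([c.subject for c in path], stats)
```

With DN matching alone the re-keyed root would cost two verifications at the top of the path; the AKI/SKI match brings it to one, and the whole path needs two verifications in total. `brute_force_root` mirrors the approach in the question and, on this chained leaf, spends a verification per root and finds nothing, because the leaf is signed by the issuing CA and not by any root.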