Revoke client X509 certificate - x509

I have an ASP.NET web service on Windows Server 2003. I have my own certificate authority. I use my own client certificate for authentication in the web service.
I make a client certificate. I call the web service, and everything is OK. Then I revoke this certificate in the certification authority. The certificate is in Revoked Certificates.
I call the web service with this certificate, but the web service verifies this certificate as good, even though this certificate is among the revoked ones. I don't know why. Can anybody help me, please?
I use this method to verify the certificate:
X509Certificate2.Verify Method
I don't get any exception; the certificate is among the revoked ones, but the web service verifies this certificate as good.
to klausbyskov:
Thank you. So I tried this:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    public void CreateUser(X509Certificate2 cert)
    {
        ServicePointManager.UseNagleAlgorithm = true;
        ServicePointManager.Expect100Continue = true;
        // Applies to outgoing HTTPS connections made through ServicePointManager.
        ServicePointManager.CheckCertificateRevocationList = true;
        ServicePointManager.DefaultConnectionLimit = ServicePointManager.DefaultPersistentConnectionLimit;

        // VerifyCert is the poster's own wrapper around X509Certificate2.Verify() (not shown).
        if (VerifyCert(cert))
        {
            //...
        }
    }

But the revoked certificate is still verified as good.

Try setting the CheckCertificateRevocationList property of the ServicePointManager class to true before calling Verify().

Try setting it in the application's config file:
Maybe that helps.

Validation is based on various factors.
Does the certificate have Certificate Revocation List Distribution Point (CDP) Extensions and is the CRL accessible? (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13)
NOTE: CRLs are cached!
The only way to check validity with almost no delay would be to ask the CA itself. But I wouldn't consider this an option.
For what you are trying to achieve the online responder protocol has been introduced (http://www.ietf.org/rfc/rfc2560.txt).
Does the certificate have an AIA OCSP Extension and do you have an OCSP Responder set up? What are the triggers/intervals of OCSP (as its data is also a CRL)?
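A fuller chain build that fails closed whenever revocation status is explicitly "revoked" or simply unknown, as an added example (not code from the question or the answers above; the class and method names are my own):

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class RevocationCheck
{
    // Returns true only when the chain builds AND revocation status is known-good.
    // Unlike a bare cert.Verify(), this also rejects certificates whose revocation
    // status could not be determined (CRL/OCSP endpoint unreachable, no CDP/AIA).
    public static bool IsValidAndNotRevoked(X509Certificate2 cert, out string reason)
    {
        X509Chain chain = new X509Chain();
        try
        {
            // Fetch CRL/OCSP online for every certificate in the chain.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

            bool built = chain.Build(cert);

            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // Explicit revocation: reject.
                if ((status.Status & X509ChainStatusFlags.Revoked) != 0)
                {
                    reason = "revoked: " + status.StatusInformation;
                    return false;
                }
                // Could not reach CRL/OCSP: reject rather than treat as good.
                X509ChainStatusFlags unknown = X509ChainStatusFlags.RevocationStatusUnknown
                                             | X509ChainStatusFlags.OfflineRevocation;
                if ((status.Status & unknown) != 0)
                {
                    reason = "revocation status unknown: " + status.StatusInformation;
                    return false;
                }
            }

            reason = built ? "ok" : "chain build failed";
            foreach (X509ChainStatus status in chain.ChainStatus)
                if (!built) reason += "; " + status.StatusInformation;
            return built;
        }
        finally
        {
            chain.Reset();
        }
    }
}
```

Even with RevocationMode.Online, Windows keeps the last downloaded CRL until its NextUpdate time, so a certificate revoked after that download still passes until the CA publishes a new CRL and the cache refreshes.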

Related

Having RevocationValidationException while integrating ADFS with service provider although the certificate is valid?

I am receiving an exception on ADFS while integrating private.xyz.com. The exception says:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'https://private.xyz.com/sp' identified by thumbprint '****************************' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityToken.MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
at System.IdentityModel.Tokens.SecurityToken.ResolveKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
at
The signing certificate is configured in the relying party trust
Get-AdfsRelyingPartyTrust "private" | fl name,RequestSigningCertificate
The thumbprint which I am getting for the certificate is the same as the one in the error message. And the certificate is also not expired.
What all do I need to configure so I can resolve this?
If the certificate has not been revoked or is still current, it is usually because ADFS can't locate the certificate revocation list on the Internet. You can turn this off via PS.
Also, it could be that the intermediate certificates aren't loaded into the certificate store or that the certificate itself is not trusted.
You could manually add it to Trusted Certificates.

Self signed certificate VS CA certificate for REST APIs over https

Let's say we have a server only running REST API services, only on HTTPS.
The only consumer of the APIs is a mobile app.
Do we need a certificate from a CA, or is a self-signed certificate enough?
You will need to use a CA certificate. Otherwise, each mobile client will have to manually set your certificate as trusted.
You can potentially embed the certificate as trusted in the mobile app itself (assuming you distribute the app); however, it will be a problem when the time comes to renew the certificate, or to rekey/replace the certificate for whatever reason.
Using a globally trusted certificate is the way to go.
You can:
- Keep a self-signed certificate, but then you have to pin the certificate, and you can't revoke it if the private key is compromised.
- Use a home-made certificate authority, but then you have to pin the certificate and manage the revocation process (maintain an OCSP responder or CRL).
- Use a certificate from a trusted CA; revocation will be checked for you, and if you want additional security, you can still pin the certificate.
In my opinion, the use of a trusted CA is more secure and simpler.

AFNetwork With Self Signed Certificate

I am trying to set up a self-signed SSL certificate for my iOS app, which has a REST backend.
My question is: should I use [securityPolicy setAllowInvalidCertificates:YES]; when we use self-signed certificates? And NO with trusted certificates?
I didn't understand the exact mechanism, although I read about SSL for hours. It works with setAllowInvalidCertificates:YES, but otherwise I get a 1012 error.
Yes, you should set [securityPolicy setAllowInvalidCertificates:YES]; when using self signed certificates. And correct; you should use NO with trusted certificates.
You are likely still getting the error when it is set to NO because a part of your certificate chain is not trusted. Try using an app called SSL Detective to make sure the entire chain is trusted with no red (untrusted) components. AFNetworking doesn't like those.
My question is should I use [securityPolicy setAllowInvalidCertificates:YES]; when we use self signed certificates? And NO with trusted certificates?
No! This would defeat the whole purpose of SSL because it would make man-in-the-middle attacks possible. Better use public key pinning. I don't know how to do this with AFNetwork, but the linked resource has code for lots of environments.

ADFS server and service provider signing certificate

From an ADFS and ADFS 2.0 perspective, is it possible to register Service Provider metadata that uses a certificate (public key) that is not issued by a signing authority? I mean a self-signed certificate.
Yes - you can use a self-signed certificate for the SP and that certificate is reflected in the SP metadata.
So you can generate it with the Java keytool etc.
Also ensure that you generate the certificate for a reasonable period - at least a year - otherwise you will have to continually update the metadata on the ADFS side.
It should not be, as described in the following document -
Certificate Requirements for Federation Servers, in the section "Determining your CA strategy":
"ADFS does not require that certificates be issued by a CA. However, the SSL certificate (the certificate that is also used by default as the service communications certificate) must be trusted by the ADFS clients. We recommend that you not use self-signed certificates for these certificate types."

Self signed certificate converted to CA verified

I'm using a self-signed certificate for a number of SSL connections. However, I have one connection that needs the cert to be CA authenticated.
Now, if I use the same self-signed certificate and create a certificate authority request
and import what I receive, will anything have to change on my existing direct-trust SSL connections?
What exactly will having the cert CA verified change?
If anyone has the same question: the answer is that the certificate signing request is used by the CA to generate a public key. This can then be used on the server as a CA-verified cert.
Typically your application / server should have a location / import operation for this.