What's the use of an SSL certificate in firmware - security

I found an SSL certificate when I decompiled the firmware of an IoT device. I am curious: what can pentesters do with this certificate?

Related

TLS connection with Thales Payshield 9000

I would like to set up a TLS connection between a host and a Thales payShield HSM. On the HSM I have generated the RSA key pair, but I can only get the CSR.
Can't I generate a self-signed certificate? Are there alternative methods?
First of all, you need to create your own root CA, use it to sign the CRT of the payShield, then create a client certificate using your root CA.
The certificates you generate need to be version v3!
Then you can finally upload them to your payShield using the payShield Manager or through a USB stick (I tried on the 10k).
You need to upload three certificates to the payShield:
the CRT of your CA
the CRT of your payShield, obtained by signing its certificate request
the CRT of your client.
Kind regards,
Marco - StockTrader

How to make BizTalk trust a self-signed certificate negotiated through a Send Port?

I have a Send Port of the Dynamic Solicit-Response type.
Everything needed for the Send Port is dynamically configured inside the Orchestration, and the Security Mode is set to Transport.
The Encryption Certificate for the Send Port is not configured. (I guess IIS is already handling it?)
Decryption Certificates for the Host and IsolatedHost instances are also not configured. (This is the part where I believe that BizTalk will trust certificates depending on the current certificates in Trusted Root Certification Authorities.)
Yes, the Send Port will make a request to an endpoint that uses a self-signed certificate.
What I tried:
I tried importing the self-signed certificate into Trusted Root Certification Authorities and Other People under both Local Machine and Current User (the user that owns the BizTalk host).
I tried manually setting up the Encryption certificate to use the self-signed certificate.
Nothing works...
If the security mode is Transport, then the certificate that is needed will be one which contains the public key and that matches the target server. If this is a self-signed certificate, then it needs to be in the Trusted Root Certification Authorities certificate store for the BizTalk Host User.

Why is server certificate validation required at the time of SSL/TLS renegotiation?

Why do we need to do server certificate validation at the time of SSL renegotiation? The thought process behind my question is that when the SSL tunnel is already created, all the handshake would happen through the existing tunnel, and moreover we already trusted the server, so why do we need to do the certificate validation again?
This is because the security certificate status can change. For example, the certificate has expired, or new revocation information is available and the SSL certificate is no longer trusted. And this is one of the reasons why renegotiation is ever used (besides key management questions).
Update:
The server certificate is used only during SSL tunnel negotiation. Once it is done, a symmetric session key is used to protect the entire session. The server certificate no longer plays a role there until the next negotiation.

How to use client certificates to access a website

I have a website hosted on IIS. My main issue is that I want only users with a specific certificate installed to be able to access the site. I tried to follow some tutorials, but I can't find any covering both the server and client side, and I can't get it to work.
I have some questions about the main issue:
What kind of certificate should I use (domain/self-signed in IIS 7.5)? I do have access to Active Directory Certificate Services where I can create other types of certificates (CA), but the problem is when trying to import them into my IIS ("certificate cannot be used as an SSL server certificate").
I would like to use a CA certificate, but is that possible when using IIS? Or do I need to write all the code to check if the user has the right certificate?
When I have created a certificate for the website (e.g. through IIS), how do I create user certificates that are trusted by the server certificate?
As you may have noticed by now, I'm not sure how to do all of this, and would really like some help.
The server should use an SSL server certificate. This certificate has to have the Server Authentication extension in Extended Key Usage. The server certificate should have a SAN extension (Subject Alternative Name) with the domain name of the server as a DNS name (i.e. somesite.com).
The CA certificate has to be imported into the Trusted Root store (preferably Local Machine) on both server and client machines.
The client certificate should contain the Client Authentication extension in Extended Key Usage.
All end-entity (client and server) certificates should have a CRL distribution point in them with a URL to a CRL that is issued by the CA. The CRL has to be accessible by both client and server and should always be valid.
You can use XCA for training purposes. It has a nice GUI and has templates for CA, SSL server and SSL client certificates by default. Then you can mimic these certificates in your Active Directory Certificate Services. Documentation and some guides can be found here.
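The three answers above (the v3 certificate the payShield insists on, the revocation status a renegotiation has to re-check, and the EKU/SAN/CRL requirements for IIS client-certificate authentication) all come down to the same private-PKI steps. What follows is an added example, not code posted by any of the answerers: it builds a throwaway CA with the openssl command-line tool, issues v3 server and client certificates carrying the extensions the last answer lists, and then revokes the client certificate and regenerates the CRL so that a verification that succeeded a moment ago fails. The CA name, the hostname somesite.example, the CRL URL and the locally generated CSRs (which on a real payShield or IIS host would come from the device or the user) are all assumptions.

```shell
#!/bin/sh
# Added example: throwaway private PKI with the openssl CLI. Not code from the
# answers above; names, hostname and CRL URL are assumptions, and the CSRs are
# generated locally as stand-ins for the ones a payShield or IIS host would export.
set -eu

CRL_URL="http://pki.example.invalid/root.crl"   # assumed CRL publication point

# Build CA + v3 server cert + v3 client cert + CRL inside directory $1.
# Runs in a subshell so the caller's working directory is left alone.
build_pki() (
    mkdir -p "$1/newcerts"; cd "$1"
    touch index.txt; echo 1000 > serial; echo 01 > crlnumber
    # $CRL_URL is expanded here; \$dir is kept literal for openssl's own substitution.
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = .
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 825
default_crl_days = 30
policy = dn_policy
copy_extensions = none
[ dn_policy ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:somesite.example
crlDistributionPoints = URI:$CRL_URL
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:$CRL_URL
EOF
    # Root CA: self-signed; "req -x509" with an extensions section yields a v3 certificate.
    openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null
    # CSRs: stand-ins for the device's and the user's real requests.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=somesite.example" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout client.key -out client.csr 2>/dev/null
    # Sign with "openssl ca" (not "x509 -req") so issued certs are recorded and can be revoked.
    openssl ca -config ca.cnf -batch -notext -extensions server_ext -in server.csr -out server.crt 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -extensions client_ext -in client.csr -out client.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
)

# Prints the X.509 version of a PEM certificate ("3" for v3).
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Prints 1 if the certificate's text dump contains the given string, else 0.
cert_has() {
    if openssl x509 -in "$1" -noout -text | grep -q -- "$2"; then echo 1; else echo 0; fi
}

# Chain + CRL check of cert $2 inside PKI dir $1, as a relying party does; prints ok/fail.
verify_with_crl() (
    cd "$1"
    if openssl verify -CAfile ca.crt -crl_check -CRLfile root.crl "$2" >/dev/null 2>&1
    then echo ok; else echo fail; fi
)

# Revoke cert $2 and publish a fresh CRL: the status an earlier handshake relied on is gone.
revoke_and_reissue_crl() (
    cd "$1"
    openssl ca -config ca.cnf -revoke "$2" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
)

# Usage: sh pki-demo.sh /tmp/demo-pki
if [ $# -eq 1 ]; then
    build_pki "$1"
    echo "client before revocation: $(verify_with_crl "$1" client.crt)"
    revoke_and_reissue_crl "$1" client.crt
    echo "client after revocation:  $(verify_with_crl "$1" client.crt)"
fi
```

Two points worth noting. On OpenSSL 1.x, `openssl x509 -req` without an `-extfile` emits a version 1 certificate, which is the usual reason an HSM or an IIS import rejects a hand-rolled certificate as "not v3"; signing through `openssl ca` with an extensions section, as above, avoids that. And the last two calls show what the renegotiation answer is about: `verify_with_crl` reports `ok` for the client certificate, then `fail` as soon as the CA has revoked it and published a new CRL, even though nothing about the certificate bytes changed.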

When I am looking to purchase an SSL certificate, is there any difference between SSL and TLS server certificates?

I was wanting to use an SSL certificate, but now I understand there is something new called TLS. When I look on the web site for GoDaddy, for example, I don't see any mention of TLS.
Is this something that I need to specify, or is it something only some certificate sellers provide?
Also, when I am setting up my server, are there different things I need to do if I am using a TLS certificate?
SSL and TLS are used together, and with certificates they mean the same thing. SSL and TLS are merely the protocols used for the connection. The certificates you are purchasing are X.509 (http://en.wikipedia.org/wiki/X.509) certificates.
By the way, calling TLS 'new' is a bit wrong. TLS 1.0 was finalized in January 1999 (http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0), and it is recommended to disable SSLv2 and SSLv3 (see: http://en.wikipedia.org/wiki/POODLE) on your servers.
You tagged your question with "azure". Microsoft Azure will take care of most of the technical details if you use web/worker roles or websites to host your site. Just upload the certificate in the management system and Azure will do the rest. You can read all about it at http://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
