Category Archives: PKI

Myths #2: PKI edition.



By the way, do you know what certificate template options such as "Allow private key to be exported" or "Prompt the user during enrollment and require user input when the private key is used" really do? Do they make you more secure?

Some readers of this blog already know the answer, and others will have guessed it: no. They do not enforce anything on the client. The template only communicates to the enrolling client which features the CA asks for; the client's CSP/KSP decides how the key is actually generated and protected, and the CA, which never sees the private key, has no way to check what the client did.

A good example was Windows 2003: while you could not export such a certificate through the GUI, you could still do it for... some certificates. Furthermore, on Windows 2008 R2 (and Windows 7, which goes with it) even some GUI tools can export such a key. So these options cannot stop a user from exporting the key and moving the certificate elsewhere.

Be careful, and think about whether you can trust what you see.

Creating self-signed certificate for code-signing

Just in case you cannot google it, or you do not like solutions longer than two lines of command line...

Sometimes you need to assure yourself that the scripts or code you are about to run are the same as when you created them. One way to achieve this is to put a flash drive with them into a safe. Another is to get them signed. The second option is the more convenient one, but it requires a code-signing certificate. Buying one is quite an expense: I have failed to find any cheaper than $99 per two years. That is not a huge sum of money, but will you care to pay it if the only goal is to be sure that the code is yours? Maybe yes, maybe no, and in case the answer is "no": you can create your own code-signing certificate without paying, and it will be no worse, unless you try to prove to someone else that this is your code =)

Here I have found a couple of brilliant answers, but they involve creating two certificates: one for your very own CA and a second one for code signing itself. While it is a good choice to build such a structure, some (like me) will prefer a two-line solution, so here it is:

1) Download the Windows SDK (every solution starts there, because that is where the makecert utility comes from), install it and go to its installation folder.

2) makecert.exe -cy end -pe -r -n "CN=Your Fancy Certificate's Name" -sky Signature -sv path_to\key.pvk path_to\key.cer

   (-cy end: an end-entity certificate; -pe: mark the private key as exportable; -r: self-signed; -sky Signature: a signature key; -sv: write the private key to the .pvk file and the certificate to the .cer file. makecert will prompt for a password to protect the .pvk.)

3) pvk2pfx.exe -pvk path_to\key.pvk -spc path_to\key.cer -pfx path_to\key.pfx

   (bundles the private key and the certificate into one PFX file; add -po <password> if you want the PFX itself password-protected.)

4) Import key.pfx into your personal certificate store, or onto your smart card.

Use it wherever you need it. The certificate name and the paths are the parts you may want to change in your case.

I hope it will work for you as it worked for me.

Descriptions for makecert and pvk2pfx are here and here.
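The same procedure end to end with the built-in PKI cmdlets instead of makecert/pvk2pfx, including the signing and verification steps the post leaves to the reader. This is an added example, not part of the original post; it assumes Windows 8.1 / Server 2012 R2 or later (New-SelfSignedCertificate with -Type), an English locale, and a throwaway script under $env:TEMP. The subject name, paths and the placeholder PFX password are illustrative.

```powershell
# Added example (not from the original post): self-signed code-signing certificate,
# export, sign a script, verify, trust, and show that tampering breaks the signature.
# Assumes Windows 8.1 / Server 2012 R2+ (New-SelfSignedCertificate -Type CodeSigningCert).

# Constructed sample script to sign.
$scriptPath = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# 1) Self-signed end-entity certificate with the Code Signing EKU in the personal store.
#    -KeyExportPolicy is the equivalent of makecert -pe; as the "Myths" post above notes,
#    NonExportable is only honoured by the local KSP, nothing on the CA side enforces it.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Your Fancy Certificate''s Name' `
    -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My

# 2) Export: PFX (private key, for backup or a smart card) and CER (public part, for trusting).
$pfxPath = Join-Path $env:TEMP 'key.pfx'
$cerPath = Join-Path $env:TEMP 'key.cer'
$pfxPassword = ConvertTo-SecureString 'change-me' -AsPlainText -Force   # placeholder, demo only
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3) Sign the script. Add -TimestampServer <url> if the signature should outlive the certificate.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# 4) Verify. The status is not 'Valid' yet: the chain ends in a root nobody trusts.
"Before trust: " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status

#    Trust the public part: Root makes the chain valid, TrustedPublisher satisfies
#    an AllSigned/RemoteSigned execution policy without a prompt.
#    Windows asks for confirmation when a certificate is added to the user's Root store.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
"After trust:  " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status   # Valid

# 5) The whole point of signing: any change to the file invalidates the signature.
Add-Content -Path $scriptPath -Value 'Write-Output "injected line"'
"After tamper: " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status   # HashMismatch
```

Remember that this only proves the file is unchanged since you signed it; since the root is your own, it proves nothing about who you are to anyone who has not imported key.cer into their own Trusted Root store, which is exactly the caveat from the post.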

Why my SSL connection doesn’t work?

It is a very frequent question which nevertheless always leads to the same answer: the SSL certificate has to be issued for the same name that the client is connecting to.

For example, if your certificate is issued for www.domain.com, then every connection to the site through an alias such as www1.domain.com or www.not-domain.com will produce a name-mismatch error. In the best case a user sits at the other end of the connection and can deal with the error. Otherwise, when the client is, say, Windows Update or some other piece of software, it may simply fail. If the site must answer under several names, list all of them in the certificate's Subject Alternative Name extension (or use a wildcard such as *.domain.com, which covers exactly one label), rather than relying on the Subject CN alone.
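How a client decides that a certificate "is issued for" the name it connects to, written out as an added example (not part of the original post). It assumes the usual matching rules (RFC 6125 and CAPI behaviour): names are taken from the dNSName entries of the Subject Alternative Name extension, with the Subject CN only as a legacy fallback, and a wildcard matches exactly one label in the left-most position. The helper that reads names from a certificate assumes the English-locale text that X509Extension.Format() produces ("DNS Name=..."); the sample name list is constructed.

```powershell
# Added example (not from the original post): host-name matching against certificate names.
# Assumes RFC 6125-style rules; the constructed sample names reproduce the post's scenario.

function Test-HostNameMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,     # name the client typed or resolved
        [Parameter(Mandatory)][string[]]$CertNames   # dNSName SAN entries (or the CN as fallback)
    )
    $target = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertNames) {
        $pattern = $name.TrimEnd('.').ToLowerInvariant()
        if ($pattern -eq $target) { return $true }
        # Only the "*.rest" form counts; "*", "w*.domain" and "*.*.domain" are rejected.
        if ($pattern.StartsWith('*.') -and $pattern.IndexOf('*', 1) -lt 0) {
            $suffix = $pattern.Substring(2)
            # Refuse suffixes with a single label (*.com) and require the target to end in ".suffix".
            if ($suffix.Contains('.') -and $target.EndsWith(".$suffix")) {
                $leftmost = $target.Substring(0, $target.Length - $suffix.Length - 1)
                # The '*' stands for exactly one non-empty label.
                if ($leftmost -ne '' -and -not $leftmost.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateHostNames {
    # Names a client would compare against, taken from a real X509Certificate2.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) {
        # Assumption: English locale, Format($false) renders "DNS Name=a, DNS Name=b, ...".
        return @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                 ForEach-Object { $_.Groups[1].Value })
    }
    # Legacy fallback when there is no SAN at all: the Subject CN.
    return @($Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
}

# Constructed sample: a certificate issued for www.domain.com plus a wildcard.
$names = 'www.domain.com', '*.domain.com'
Test-HostNameMatch 'www.domain.com'     $names   # True  (exact match)
Test-HostNameMatch 'www1.domain.com'    $names   # True  (wildcard covers one label)
Test-HostNameMatch 'www.not-domain.com' $names   # False (different domain)
Test-HostNameMatch 'a.b.domain.com'     $names   # False (wildcard does not span two labels)
Test-HostNameMatch 'domain.com'         $names   # False (wildcard needs a left-most label)

# The post's own case: without a wildcard or extra SAN entries only the exact name works.
Test-HostNameMatch 'www1.domain.com' @('www.domain.com')   # False

# Against a certificate object from the store (any entry with a SAN will do):
# $c = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
# Test-HostNameMatch -HostName $env:COMPUTERNAME -CertNames (Get-CertificateHostNames $c)
```

The three False results are exactly the "aliases" from the paragraph above: the client is not wrong, the certificate simply does not name what was asked for.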

IE7 & SSL

I received a question through the Russian TechNet Forums whose answer deserves to be spread widely. The fact is that the CRL checking behaviour changed in IE7 for the case when the CRL is not reachable: while IE6 shows a warning in that case, IE7 by default shows nothing at all. It is easy to think up a situation (which is, fortunately, harder to implement) in which this browser behaviour leads to problems: a revoked certificate whose CRL distribution point an attacker can make unreachable looks exactly like a valid one.

It is quite easy to switch things back; just add the following value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
"iexplore.exe"=dword:00000001

After that we get a beautiful, extremely cheerful yellow warning in the address bar:


Of course, I must warn you to back up the registry before the procedure.