In 2017, security researchers around the world started seeing a sudden increase in code signing certificates being used as a layered obfuscation technique for malicious payload distribution campaigns. Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

As an example, we will use it to perform OCSP validation for an SSL certificate presented by a secure website, namely https://shipit.ubuntu.com, which at the time of this writing is signed by GoDaddy. The certificate is a chained certificate, meaning that there are several levels of trust in the certificate chain, and thus several certificates sent from the server to the client. We can verify them all using OCSP in our test.

Everybody loves PEM and the very documented ASN.1 structures that are used in saving cryptographic keys and certificates in a portable format. Well.. Everybody would if they would actually be documented. But it is rather a big feat to find what the structure is inside each DER or PEM formatted file.

As we need this information, we will share it here as well, to help others in their quest for knowledge and understanding ;)

SSL-Zertifikate sind für alle Plattformen bestimmt und von Zeit zu Zeit ist es erforderlich, das Zertifikat zwischen Servern zu übertragen oder mit ihm auf eine andere Weise zu arbeiten. Besitzer der GeoTrust- und RapidSSL-Zertifikate können ihr Zertifikat für mehrere Server verwenden, die Anleitung für den Transfer der Zertifikate kann für sie also sicherlich nützlich sein.

Die Infrastruktur auf dem Server bereitzustellen, um Webmastern zu erlauben, ihren Usern die Option einer Authentifizierung per SSL Zertifikat anzubieten, ist Thema dieses Howtos.

In addition to the verification of the chain through the “s_client” command demonstrated earlier in the series, one can also use the ” verify” command to the same. It is easier in the case when the certificate chain is not already installed on a web server (in that case we can use the verify option with the “s_client” command) or it is a chain for the client certificates.

openssl req -new > server.cert.csr openssl rsa -in privkey.pem -out server.cert.key openssl x509 -in server.cert.csr -out server.cert.crt -req -signkey server.cert.key -days 365

The problem we are tackling in this article is about X509 client certificate authentications. By definition and for security, a HTTPS request clear content cannot be spied. This is why when putting a reverse proxy behind the client and the internal web application, the HTTPS stream will be broken and we will loose all the client certificate data. -==- Here is some tips to forward without many efforts the client certificate data to the web application:

The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

Wer kennt es nicht, man möchte gerne seinen Mailserver oder Webserver absichern mit SSL, weiss aber nicht wie er die SSL Zertifikate erstellen soll. Durch das benutzen von SSL wird die Kommunikation zwischen Client und Server verschlüsselt. Dadurch werden alle Daten, wie zum Beispiel Passwörter, Email Inhalte verschlüsselt übertragen. Der Vorteil von selbst signierten Zertifikaten gegenüber gekauften ist ganz einfach, sie kosten NICHTS! Um dies zu bewerkstelligen, benötigt man Openssl und in unserem Fall eine Linux Machine. In diesem Howto wird ein Debian Lenny 64Bit benutzt.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications. -=- Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for the Extended Validation (EV) SSL Certificate standard as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

The Adobe Approved Trust List is a program that allows millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Adobe® Acrobat® 9 or Reader® 9 software and later. Essentially, both Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted "root" digital certificates.

Aus Sicherheitsgründen hat die israelische Certificate Authority (CA) StartSSL sämtliche Dienste zum Ausstellen von Zertifikaten vorerst abgeschaltet. Offenbar haben Angreifer versucht, die Sicherheitssysteme zu überwinden und in die Server einzudringen.

Public Key Infrastructures (PKIs) are one of the most widely accepted musts of the future. The problem is that most applications can be secured with certificates and keys but it is really difficult and expensive to setup PKIs, the reason being that flexible trustcenter software (especially for Unix) is expensive. This was the starting point of OpenCA. Our goal is production of an open source trustcenter system to support the community with a good, inexpensive and future-proof solution for their base infrastructure.

Apache ist der weltweit am häufigsten eingesetzte Web-Server, was Untersuchungen von Netcraft stets aufs neuste belegen. Ein Apache-Server stellt anfragenden Clients verschiedene Daten zur Verfügung, auf die auf unterschiedliche Art zugegriffen werden kann. Teilweise ist es wünschenswert, dass die Daten nur von dazu autorisierten Clients abgerufen werden können. Apache bietet hierzu zwei verschiedene Lösungsansätze, auf die im weiteren Verlauf näher eingegangen wird.

The purpose of this guide is to clearly explain the reasons you may want to use a Secure Socket Layer (SSL) certificate on your webserver. While researching SSL certificates for use on our site we were constantly bombarded by useless marketing nonsense. What we really needed was a single page with clear and concise facts. This guide is here to provide an understanding of the basics involved in deciding what type, encryption strength and seller of SSL certificates you have access to. At the end of the page are some security recommendations and known vulnerabilities of SSL implementations.

Seit OS X 10.3 (Panther) beinhaltet Apple Mail eine Unterstützung zum Signieren und Verschlüsseln mit X.509-Zertifikaten und dem Transportformat S/MIME.

To better protect Microsoft customers from security issues related to
the use of public key infrastructure (PKI) certificates and enhance the
experience for Windows users, Microsoft is moving to standardize and
clarify the criteria for root certification

Um Zertifikate zu bekommen, stehen Ihnen drei Wege offen: -=- 1. Betreiben Sie Ihre eigene CA -=- 2. Bezahlen Sie für den Dienst einer kommerziellen CA CA -=- 3. Treten Sie einem freien Programm bei

Informatiker der TU Darmstadt haben nach eigenen Angaben einen Exploit für eine kürzlich entdeckte Schwachstelle in SSL-Implementierungen entwickelt, die seit Ende August bekannt ist. Damit sei es möglich, "in weniger als 10 Minuten" ein gefälschtes S

The openssl application that ships with the OpenSSL libraries can perform a wide range of crypto operations. This HOWTO provides some cookbook-style recipes for using it.

This is a HOWTO on creating your own certification authority (CA) with OpenSSL.

Free server certificates. Goals: Inclusion into mainstream browsers and providing a trust mechanism to go with the security aspects of encryption.