pki

What is the performance difference of PKI to symmetric encryption?

We are looking to do some heavy security requirements on our project, and we need to do a lot of encryption that is highly performant. I think that I know that PKI is much slower and more complex than symmetric encryption, but I can't find the numbers to back up my feelings. ...

Encryption libraries?

I have been tasked with implementing a PKI library in C# for a company project, and have been unable to find a good implementation of it. There appear to be multiple libraries, and many broken links pointing to MSDN libraries that have been removed. I've seen people using Crypt32.dll, people building their own libraries, people using P/I...

Storing X509 certificates in DB - Yea or Nay?

I find myself needing to store public key certificates, and a single private key certificate for an in-house application. A member of our team suggested storing the X509 certificates in the database, instead of storing it in the windows certificate store, as we have been doing up until now. I don't like re-inventing the wheel, but I hav...

What system do you use to encrypt files for a group of people (OS agnostic preferred)?

Say you have a bunch of files. Say you can store meta data to these files. Say one of these meta attributes was called "encryption". Say everyone was allowed to look at these files, but since they are encrypted, only people who know how to decrypt them can actually read the contents. Say, for every given value of "encryption", a group o...

MS CA Exit Module Code or Tutorial

Hi, I'm struggling to find examples/explanations of coding a MS Certificate Authority exit module. If anybody has any help or resources they can point me at, I'd be grateful. Thanks, Mark ...

Are CAs allowed to modify CSRs before signing?

Can anyone please tell me if Certifying Authorities (CAs) are allowed to make modifications to the Certificate Signing Request (CSR) before actually signing the certificate with their own private key? Specifically, I'd like to know if it's valid for the CA to insert additional fields (such as EKUs) into the cert before adding their sig...

How to generate an SSL client certificate from a disconnected network?

I have a unique situation where I need to implement client certificate authentication over HTTPS between IE browser and IIS 6. The browser and IIS are separated by a firewall that only allows the browser to connect to IIS on the SSL port. We have an internal certificate server on the same network as IIS. I've generated an SSL server c...

What is the best cross-browser solution for browser based document signing (w/ digital signature)?

I need to implement a browser based component (most likely java applet since it needs to be cross-browser) that will allow us to digitally sign and verify data in the XadES format. What options are available and what is the best solution? ...

What's the difference between class 1 and class 3 roots, and the certificates signed by them?

Pretty much what the question says. What's the difference between the two classes of roots? The differences between the certificates signed by such roots? What uses would a class 1 signed certificate have that a class 3 doesn't, and vice versa? ...

Best (Free) Certificate management tools

I recently downloaded a neat Java tool for managing certificate files - like PEM, PFX, etc. From memory it was written in Java but, for the life of me, I can't find it (cleared download list and non-obvious file name!). This led me to throw open the question - what free tools are there for managing certs? The aforementioned tool could ...

What does "wsse:InvalidSecurity" mean?

"An error was discovered processing the <wsse:Security> header" This is a WS-Security question, btw... I can't see anything wrong with my WS endpoint (apart from the fact that it's running in a TIBCO BW engine!). Does someone have any 'prior' with this kind of error? I realise that the WS-Security header could be broken anywhere presuma...

Primer for X.509 certificates on Windows

I am presently studying the topic of encrypting and signing SOAP messages via WSE 3.0 or WCF. Since I have not participated in distributed application development involving the public Internet, I find my knowledge of X.509 certificates, and of how they work in the Windows certificate store mechanism, lacking. It is not about asymmetric crypto...

What type of X509 Certificate to use for XML Signature?

I'm currently developing some software that uses XML Signing to transfer files securely between two machines. We're using X.509 certificates from our own CA as keys. The CA (Windows 2003 server) offers several types of certificates (Email Cert, Server Cert, ...) Which one of those would I need to generate for XML Signature? To my knowl...

Reading private keys from oracle wallet

We use Oracle wallet for scripting Oracle releases. Using mkstore I can add or delete private keys in the Oracle wallet. Using either Java or C#, I want to read the private key sitting inside the Oracle wallet. Could someone share sample code showing how to do that? This post explains how to open a wallet using Java, but it does not read the...

DOD Common Access Card (CAC) Authentication

I have figured out all the necessary steps to get DOD CAC card based client certificate authentication working in Apache, but am now struggling to pull a good GUID for the user from the certificate I am receiving. Is there a GUID available on the certificate that will not change when the CAC card is renewed? I was thinking of using the...

What does "subject" mean in a certificate?

Hi guys, the related link is this MSDN article. I am always confused about the term "subject", for example, the sk option "Specifies the subject's key container location", the sr option "Specifies the subject's certificate store location". What exactly does "subject" mean? The certificate owner? The certificate issuer (e.g. the root CA which issue...

Where is the private key?

Hi guys, two simple questions about the makecert command. Suppose I am using the following command: makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine. My confusion is, will the private key automatically be registered somewhere in the certificate manager, or will the private...

Why do we need the .pfx (key exchange) file?

Hello everyone, if we make the private key exportable (using the -pe option in makecert), then in theory we have both an exportable private key and the public key (the public key is in the certificate) -- which can be transferred or imported to another machine. So, my question is, why do we still need to create the .pfx file (key exchange file, which...

Apache authentication via DOD PKI CAC

How does one implement Apache (within Linux) authentication using Department of Defense CAC cards? I've heard it can be done but have not come across any details. Currently we use Windows Active Directory for Apache authentication, but only using logins/passwords. Soon the requirement will be to use CAC cards only. Any hints would be a...

How do I authenticate a user with the "Smart card is required for interactive logon" set?

http://support.microsoft.com/kb/892424 When "Smart card is required for interactive logon" is set in Active Directory, it generates a random password. How do I utilize a smart card to authenticate a user over LDAP from a web application? How do I know who the user is? Is there a way to access the cert? Can I get it from the session...