Questions tagged [certificates]

A public-key certificate states that a specific public key belongs to a specific identity. Use this tag for all questions on certificates and authentication of public keys (not public-key authentication, which is authentication _using_ public-keys). If certificates are not a central issue in your question, then don't use this tag.

A certificate is a document that binds a public key to an identity. The binding is made by the digital signature of the certificate issuer. The idea is that if

  • the certificate claims that some key K belongs to some identity I
  • the digital signature scheme is secure (i.e. practically unforgeable)
  • only the issuer can use the issuer's private key (i.e. the issuer is not compromised)
  • an authentic copy of the issuer's public key is available
  • the issuer is trusted (in a suitable sense)

then a relying third party may conclude that K indeed belongs to I. An issuer that is trusted in this way is commonly called a certification authority (CA). A CA is part of a public-key infrastructure (PKI), which typically also includes directory services for distributing certificates and information about them, and revocation status services (CRLs or OCSP responders) for checking whether a certificate is still valid.

Unfortunately, in practice life is often a bit more complex than the above idea, since there are inconveniences such as certificate chains, lifetimes and premature certificate revocation that must be dealt with. Yet the task that certificates help to address remains the same: how to distribute public keys in a trustworthy way?

Among the most widespread certificates are X.509 certificates, which are ubiquitous in networking. SSL/TLS and S/MIME use X.509 certificates, so whenever you use HTTPS on the web you are handling them, and some VPN products can use X.509 certificates as well.

Another important certificate type is OpenPGP, which is used by PGP and GnuPG. OpenPGP certificates have a much simpler structure than X.509 certificates. The main difference between X.509 and OpenPGP is the underlying trust model. X.509 is organized hierarchically: trust is anchored in a set of root certification authorities, each of which may delegate to subordinate CAs, and a certificate is trusted only if the chain from it leads to a trusted root. OpenPGP follows the web of trust, where there is no such central instance: every user acts as their own certification authority, signing the keys of people whose identity they have checked and choosing whose signatures to rely on.

Interested readers may also visit the Information Security SE for questions and answers on security topics.

374 questions
161 votes, 6 answers

Adding a self-signed certificate to the "trusted list"

I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings. I'm on Ubuntu 12.04. How can I take the certificate and globally…
Naftuli Kay
92 votes, 5 answers

Get common name (CN) from SSL certificate?

I have a SSL CRT file in PEM format. Is there a way that I can extract the common name (CN) from the certificate from the command line?
Naftuli Kay
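As an added example (not part of the question above or of any answer on this page), the shell functions below pull the subject CN and the subjectAltName DNS entries out of a PEM certificate with the openssl command line. The certificate they run on is a constructed, throwaway self-signed one generated in a temporary directory; the subject and SAN values are this example's own. It assumes OpenSSL 1.1.1 or later, which is needed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example: extract identity fields from a PEM certificate with openssl.
# Requires OpenSSL >= 1.1.1 (for -ext and -addext). Not code from the page.

# Print the subject CN. sep_multiline prints one RDN per line, so a comma or
# slash inside a value cannot confuse the parsing (unlike cutting the one-line
# "subject=" form with cut or awk).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^ *CN=//p'
}

# Print every DNS name from the subjectAltName extension, one per line.
# Modern TLS clients (browsers, curl, Go, Python) match the host name against
# the SAN only; a certificate with a CN but no SAN fails host name checks.
cert_san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# cert_covers_name <cert> <name>: "san" if the name is in the SAN, "cn" if it
# is only in the CN (legacy clients only), "none" otherwise.
cert_covers_name() {
    if cert_san_dns "$1" | grep -qxF "$2"; then echo san
    elif [ "$(cert_cn "$1")" = "$2" ]; then echo cn
    else echo none; fi
}

# --- demo with a constructed, throwaway self-signed certificate ---
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/O=Example Corp/CN=test.example" \
    -addext "subjectAltName=DNS:test.example,DNS:www.test.example" \
    2>/dev/null

echo "CN:   $(cert_cn "$WORK/cert.pem")"
echo "SANs: $(cert_san_dns "$WORK/cert.pem" | tr '\n' ' ')"
echo "www.test.example covered by:  $(cert_covers_name "$WORK/cert.pem" www.test.example)"
echo "mail.test.example covered by: $(cert_covers_name "$WORK/cert.pem" mail.test.example)"
```

Before deploying a certificate for a host name, run `cert_covers_name` rather than only `cert_cn`: a result of `cn` means the name is present but will still be rejected by current clients.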
91 votes, 5 answers

How to extract the Root CA and Subordinate CA from a certificate chain in Linux?

I have an end-entity/server certificate which has an intermediate and root certificate. When I cat the end-entity certificate, I see only a single BEGIN and END tag. It is only the end-entity certificate. Is there any way I can view the…
Anirban Nag 'tintinmj'
70 votes, 4 answers

How to export CA certificate chain from PFX in PEM format without bag attributes

I have a PKCS12 file containing the full certificate chain and private key. I need to break it up into 3 files for an application. The 3 files I need are as follows (in PEM format): an unencrypted key file, a client certificate file, a CA certificate…
BryKKan
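An added example for the PKCS#12 question above (it is not code from the question or from any answer here): `pfx_split` writes the three PEM files the question asks for, and strips the "Bag Attributes" headers that `openssl pkcs12` prints by re-encoding every object through `openssl pkey` or `openssl x509`, which only read the PEM block and write a clean one. The input bundle is constructed on the fly from two throwaway self-signed certificates; file names, the password `secret` and the friendly name `client1` are this example's own.

```shell
#!/bin/sh
# Added example: split a PKCS#12 (.pfx/.p12) file into key, client cert and
# CA chain in PEM, with the "Bag Attributes" headers stripped by re-encoding
# every object through openssl pkey / openssl x509. Not code from the page.

# pfx_split <file.p12> <password> <outdir>
# Writes <outdir>/key.pem, <outdir>/client.pem and <outdir>/ca-chain.pem.
pfx_split() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Private key: -nodes leaves it unencrypted; openssl pkey re-encodes it as
    # PKCS#8 and discards the "Bag Attributes" text that precedes the PEM block.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        | openssl pkey -out "$out/key.pem"
    # Client certificate: the one bag that carries a localKeyID (it matches the key).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out/client.pem"
    # CA certificates: possibly several, so keep only the PEM blocks, then
    # re-encode each one separately before appending it to the chain file.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
        | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        > "$out/ca-raw.pem"
    : > "$out/ca-chain.pem"
    n=$(grep -c 'BEGIN CERTIFICATE' "$out/ca-raw.pem")
    i=1
    while [ "$i" -le "$n" ]; do
        awk -v want="$i" '/-----BEGIN CERTIFICATE-----/{c++} c==want{print}' "$out/ca-raw.pem" \
            | openssl x509 >> "$out/ca-chain.pem"
        i=$((i + 1))
    done
    rm -f "$out/ca-raw.pem"
}

# key_matches_cert <key.pem> <cert.pem>: exit 0 if both carry the same public
# key, i.e. the split did not pair the key with the wrong certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# --- demo with constructed input: a self-signed "CA" cert plus a client cert ---
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client1" \
    -keyout "$WORK/client.key" -out "$WORK/client.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.pem" -name client1 -passout pass:secret \
    -out "$WORK/bundle.p12"

pfx_split "$WORK/bundle.p12" secret "$WORK/out"
! grep -q 'Bag Attributes' "$WORK/out/"*.pem && echo "no bag attributes left in the output"
key_matches_cert "$WORK/out/key.pem" "$WORK/out/client.pem" && echo "key matches client.pem"
```

`key.pem` comes out unencrypted because the application in the question wants it that way; protect it with file permissions (`chmod 600`). PKCS#12 files written by older tools use RC2/3DES and need `-legacy` on OpenSSL 3 to be read at all, and the bundle produced by `openssl pkcs12 -export` on OpenSSL 3 uses AES and PBKDF2, which very old readers may reject.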
61 votes, 2 answers

Do I Need to Restart Nginx if I Renew My Security Certificate(s)?

So I'm setting up an nginx server with SSL enabled with a server definition something like: server { listen :80; listen [::]:80; server_name example.org; root /foo/bar; ssl on; ssl_certificate /path/to/public/certificate; …
Haravikk
38 votes, 2 answers

Verifying a SSL certificate's fingerprint?

I'm toying around with a Puppet agent and a Puppet master and I've noticed that the Puppet cert utility provides a fingerprint for my agent's public key as it has requested to be signed: $ puppet cert list "dockerduck" (SHA256)…
Naftuli Kay
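An added example for the fingerprint question above (not code from the question, from any answer, or from Puppet): it computes a certificate's SHA-256 fingerprint with openssl, compares it against a value obtained out of band regardless of how that value was written down (colons, case, a `sha256/` prefix), and also shows the SPKI pin, the hash of the public key alone, which is the right thing to pin when a certificate is expected to be renewed with the same key. The two certificates it runs on are constructed self-signed ones; `a.example`/`b.example` are this example's own names.

```shell
#!/bin/sh
# Added example: compute and compare certificate fingerprints with openssl.
# Not code from the page; the comparison helper and its normalisation are
# this example's own.

# SHA-256 fingerprint of the whole DER-encoded certificate, as 64 upper-case
# hex digits without the colons openssl prints.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalise a hex fingerprint pasted from elsewhere: drop a "label=" or
# "sha256/" prefix, colons and spaces, and fold to upper case, so that
# "ab:cd:..." and "ABCD..." compare equal. (Hex fingerprints only.)
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*[=/]//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprint_matches <cert.pem> <expected>: exit 0 when they agree.
fingerprint_matches() {
    [ "$(cert_fingerprint "$1")" = "$(normalize_fp "$2")" ]
}

# Base64 SHA-256 of the SubjectPublicKeyInfo: the value used for public-key
# pinning (for example curl --pinnedpubkey sha256//...). It survives a
# certificate renewal that keeps the key, unlike the certificate fingerprint.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

# --- demo with two constructed self-signed certificates ---
WORK=$(mktemp -d)
for n in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
        -keyout "$WORK/$n.key" -out "$WORK/$n.pem" 2>/dev/null
done
FP_A=$(cert_fingerprint "$WORK/a.pem")
echo "a.pem SHA-256 fingerprint: $FP_A"
echo "a.pem SPKI pin: sha256//$(spki_pin "$WORK/a.pem")"
fingerprint_matches "$WORK/a.pem" "$FP_A" && echo "a.pem matches its own fingerprint"
fingerprint_matches "$WORK/b.pem" "$FP_A" || echo "b.pem does not match a.pem's fingerprint (expected)"
```

Compare fingerprints only against a value received over a channel you already trust (the console of the machine that generated the key, a signed message); a fingerprint shown by the same connection you are trying to verify proves nothing.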
34 votes, 2 answers

Is it possible to have APT accept an "invalid" certificate?

I had discovered something funny today. So, I have Kali Linux and I am trying to fully update the system using the repo http://http.kali.org/kali. All is good and well until I get 403 denied for backdoor-factory and mimikatz. At first I thought it…
Alexis Evelyn
33 votes, 8 answers

Unable to locally verify the issuer's authority

I am not able to open any https URLs using wget or curl: $ wget https://www.python.org --2015-04-27 17:17:33-- https://www.python.org/ Resolving www.python.org (www.python.org)... 103.245.222.223 Connecting to www.python.org…
aco
31 votes, 4 answers

Create self-signed certificate with end-date in the past

I would like to create self-signed certificates on the fly with arbitrary start- and end-dates, including end-dates in the past. I would prefer to use standard tools, e.g., OpenSSL, but anything that gets the job done would be great. The Stack…
rlandster
29 votes, 2 answers

How to make self-signed certificate for localhost?

I did with a password and with the following fields as root openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/apache.key \ -out /etc/ssl/apache.crt Fields Country: FI State: Pirkanmaa Locality: Tampere Organization:…
Léo Léopold Hertz 준영
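An added example covering both of the self-signed certificate questions on this page, the localhost one above and "Adding a self-signed certificate to the trusted list" (it is not code from either question or from any answer): it generates a self-signed certificate that current clients will accept once they trust it, which means one carrying a subjectAltName, since the CN alone is no longer used for host name matching, and then checks it the way a client would, trust-anchor verification plus host name match. The trust-store commands at the end are the Debian/Ubuntu procedure and are shown as comments because they need root. It assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: a self-signed certificate for localhost with a SAN, and the
# checks a client performs on it. Not code from the page.
# Requires OpenSSL >= 1.1.1 for -addext.

# make_localhost_cert <dir> [days]: writes <dir>/localhost.key and <dir>/localhost.crt
make_localhost_cert() {
    dir=$1; days=${2:-365}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
}

# verify_for_host <cert> <hostname>: chain check against the certificate as
# its own trust anchor, plus host name match against the SAN. Exit 0 only if
# both succeed, which is what curl or a browser will demand.
verify_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# verify_for_ip <cert> <ip>: same, for an IP address SAN entry.
verify_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_localhost_cert "$WORK" 365
openssl x509 -in "$WORK/localhost.crt" -noout -subject -ext subjectAltName

verify_for_host "$WORK/localhost.crt" localhost   && echo "localhost: OK"
verify_for_ip   "$WORK/localhost.crt" 127.0.0.1   && echo "127.0.0.1: OK"
verify_for_host "$WORK/localhost.crt" example.com || echo "example.com: host name mismatch (expected)"

# To trust the certificate system-wide on Debian/Ubuntu (needs root, not run
# here): copy it with a .crt extension into the local CA directory and rebuild
# the bundle, then restart the programs that should pick it up.
#   sudo cp "$WORK/localhost.crt" /usr/local/share/ca-certificates/localhost.crt
#   sudo update-ca-certificates
# Until then, point individual tools at the file instead of disabling checks:
#   curl --cacert "$WORK/localhost.crt" https://localhost/
#   wget --ca-certificate="$WORK/localhost.crt" https://localhost/
```

Firefox and Chrome on Linux keep their own trust store (NSS) and do not read the system bundle, so the cert must be imported there separately. Keep `localhost.key` readable only by the service that uses it: anyone who can read it can impersonate every name in the SAN to every machine that trusts this certificate.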
24 votes, 4 answers

Where does Chrome get its list of certificate authorities from?

On Fedora, I'm talking about the list displayed when you go to settings > manage certificates > authorities tab. I've read that it should be in the NSS shared DB, but this command returns an empty list: [laurent@localhost nssdb]$ certutil -d…
laurent kubaski
24 votes, 3 answers

How do I fix wget on an HTTP url not trusted errors in kali?

When I try to run the wget command on http urls I get this error message: ERROR: The certificate of `url' is not trusted. ERROR: The certificate of `url' hasn't got a known issuer.
Mordechai Hadad
20 votes, 3 answers

script to check if SSL certificate is valid

I have several SSL certificates, and I would like to be notified, when a certificate has expired. My idea is to create a cronjob, which executes a simple command every day. I know that the openssl command in Linux can be used to display the…
Martin Vegter
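An added example for the expiry-check question above (not code from the question or from any answer): a check suitable for a daily cron job, built on `openssl x509 -checkend`, which asks openssl itself whether the certificate will still be valid a given number of seconds from now, so the script needs no date parsing and works with any `date` implementation. The two certificates it runs on are constructed throwaway ones with 1- and 90-day lifetimes; the 30-day threshold and the file names are this example's own.

```shell
#!/bin/sh
# Added example: expiry check for a cron job, built on openssl's -checkend so
# it does not depend on GNU date. Not code from the page.

# cert_ok_for_days <cert.pem> <days>: exit 0 if the certificate is still valid
# <days> from now, 1 if it expires (or has already expired) within that window.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_not_after <cert.pem>: the notAfter date as openssl prints it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_certs <days> <cert.pem>...: one status line per certificate.
# The exit status is the number of certificates that fail, so cron can be told
# to mail the output only when something is wrong (check_certs ... || mail ...).
# An unreadable file counts as a failure: a silently skipped certificate is the
# one that expires unnoticed.
check_certs() {
    days=$1; shift; bad=0
    for c in "$@"; do
        if [ ! -r "$c" ]; then
            echo "ERROR    $c: cannot read file"; bad=$((bad + 1))
        elif cert_ok_for_days "$c" "$days"; then
            echo "OK       $c: valid beyond $days days (until $(cert_not_after "$c"))"
        else
            echo "EXPIRING $c: within $days days (until $(cert_not_after "$c"))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# --- demo with constructed certificates: one valid for 1 day, one for 90 ---
WORK=$(mktemp -d)
for spec in short:1 long:90; do
    name=${spec%%:*}; days=${spec##*:}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
done
if check_certs 30 "$WORK/short.pem" "$WORK/long.pem" "$WORK/missing.pem"; then
    echo "all certificates pass the 30-day check"
else
    echo "certificates failing the 30-day check: $?"
fi
```

A cron line such as `0 6 * * * /usr/local/bin/check-certs.sh 30 /etc/ssl/private/*.pem || mail -s "certificate expiry" root` relies on the exit status above. Note that this checks the files on disk; a renewed certificate that was never loaded by the server still expires in production, so it is worth also checking what the service actually presents (`openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -enddate`).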
20 votes, 3 answers

Obtain .cer file from .pem file

I have generated RSA private key using below command: openssl genrsa -out privkey.pem 2048 And created a self signed certificate using below command: openssl req -new -x509 -key privkey.pem -out cacert.pem -days 3650 Now I am trying to convert…
Devarshi
19 votes, 3 answers

Using `openssl` to display all certificates of a PEM file

I can use the following command to display the certificate in a PEM file: openssl x509 -in cert.pem -noout -text But it will only display the information of the first certificate. A PEM file may also contain a certificate chain. How can I display…
stackprotector
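An added example that serves three passages on this page at once: the tag description's account of issuer signatures, chains and trust anchors, "How to extract the Root CA and Subordinate CA from a certificate chain in Linux?", and the question just above about displaying every certificate in a PEM file (it is not code from any of them, nor from any answer). It builds a throwaway three-tier PKI (root, intermediate, leaf) with openssl, concatenates the three certificates into a bundle as a server would deploy it, splits the bundle back into its parts with awk, classifies each part as root, intermediate or leaf, and finally verifies the leaf with and without the intermediate. The names, the mini config file and the 1-day lifetimes are this example's own.

```shell
#!/bin/sh
# Added example: build a small root -> intermediate -> leaf PKI, split the
# resulting bundle, classify each certificate and verify the chain.
# Not code from the page; all names are constructed.

WORK=$(mktemp -d)
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# new_key_and_csr <name> <subject>: a fresh key plus a signing request
new_key_and_csr() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
# sign <csr-name> <issuer-name> <ext-section>: the issuer signs the request;
# the extensions decide whether the result may itself act as a CA.
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/pki.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# The root signs itself; every tier below is signed by the tier above.
openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 1 -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root" 2>/dev/null
new_key_and_csr int  "/CN=Example Intermediate" && sign int  root ca_ext
new_key_and_csr leaf "/CN=www.example.test"      && sign leaf int  leaf_ext

# A server bundle as deployed: leaf first, then the chain upwards. Note that
# `openssl x509 -in bundle.pem` only ever reads the first block.
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"

# split_bundle <bundle> <outprefix>: writes <outprefix>1.pem, 2.pem, ... and
# prints how many certificates the bundle held.
split_bundle() {
    awk -v pfx="$2" '/-----BEGIN CERTIFICATE-----/{n++; f=pfx n ".pem"} n{print > f}' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# classify_cert <cert.pem>: "root" (self-issued CA), "intermediate" (CA whose
# issuer is someone else) or "leaf" (not a CA).
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
        [ "$subj" = "$iss" ] && echo root || echo intermediate
    else
        echo leaf
    fi
}

# verify_leaf <leaf> <trusted-root> [intermediate]: trust only the root and
# hand the intermediate over as untrusted material, exactly as a TLS client
# treats the extra certificates a server sends.
verify_leaf() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

COUNT=$(split_bundle "$WORK/bundle.pem" "$WORK/part")
echo "bundle holds $COUNT certificates:"
i=1
while [ "$i" -le "$COUNT" ]; do
    echo "  part$i.pem: $(classify_cert "$WORK/part$i.pem")  $(openssl x509 -in "$WORK/part$i.pem" -noout -subject)"
    i=$((i + 1))
done
verify_leaf "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem" && echo "leaf verifies when the intermediate is supplied"
verify_leaf "$WORK/leaf.pem" "$WORK/root.pem" || echo "leaf does NOT verify without the intermediate (expected: chain has a gap)"
```

The two `verify_leaf` calls are the practical content of the tag description's list of conditions: the trusted root alone is not enough, the relying party also needs every intermediate up to it, which is why a server that forgets to send its intermediate works in one browser (which has cached it) and fails in another. `openssl verify -show_chain` prints the chain it actually built, and `-partial_chain` makes an intermediate acceptable as a trust anchor on its own, which is sometimes what an internal deployment wants and sometimes an accident.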