similar to: Chaning domain pass influences the certificates in IE

Can you implement revocation support? On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote: > No way, sorry. > > The OpenSSH certificate format was significantly motivated by X.509's > syntactic and semantic complexity, and the consequent attack surface in > the sensitive pre-authentication paths of our code. We're very happy to > be able to

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, So this question means you need to do some more reading about all SSL/TLS services. On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote: > Excuse dopey question. > I'm not exactly clear about certificates. > Apache2 default install has this snake oil certificate > Can make a new one for apache > Can make one for

How can I revoke one SSH certificate without having to replace the root certificate and all certificates signed by it? Regarding the second statement, do you have sources? On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote: > On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: > >> SSH certificates provide no >> way to

With PKIX validation the certificate should match the hostname. With SMTP, the hostname should match the reverse IP though often it does not. Using subdomains gives you flexibility. with DANE validation, it is DNSSEC that validates the fingerprint to the hostname so I do not believe there is a need for the hostname in the cert to match anything, but DANE validation is currently not used by

On 04.07.2018 18:37, Alice Wonder wrote: > On 07/04/2018 08:54 AM, Walter H. wrote: >> Hello, >> >> the RPM >> >> ca-certificates-2018.2.22-65.1.el6.noarch >> >> has a big problem ... >> many certificates were removed - my proxy uses this as source and isn't >> able to validate correct any more - >> most sites show this: >>

On 07/04/2018 08:54 AM, Walter H. wrote: > Hello, > > the RPM > > ca-certificates-2018.2.22-65.1.el6.noarch > > has a big problem ... > many certificates were removed - my proxy uses this as source and isn't > able to validate correct any more - > most sites show this: > > /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) > > /Self-signed

mick crane wrote: > Apache2 default install has this snake oil certificate > Can make a new one for apache I won't go over some of the excellent points in previous posts, but I will mention SAN as a third type of certificate you can make. LetsEncrypt supports this type of certificate. This is halfway between single CN and wildcard certificate where you can combine many hostnames (up

Hello, I'm running dovecot 2.3.1 (c5a5c0c82) and trying to experiment with using both RSA and ECDSA certificates. My configuration is as follow: ssl_alt_cert = </path/to/my.rsa.key ssl_alt_key = </path/to/my.rsa.key ssl_cert = </path/to/my.ecdsa.pem ssl_key = </path/to/my.ecdsa.key Both certificates are let's encrypt certificate, so both are using the same intermediate CA.

2013/10/30 Shiva Bhanujan <sxb075@gmail.com>: > Hi Daniel, > > thanks for the reply - The procedure I use is the same as I use for > XenServer, and the certificate exchange works just fine. The only thing I'm > a bit unclear on, is the location of the CA cert, which in the case of > XenServer, I simply put it in /etc/pki/CA. And when I start the libvirtd > daemon,

Hi Igor, You certainly don?t want a different CA for each DC, and you typically do want an individually generated certificate and private key for each server. PKI is typically a tree hierarchy, which is a critical feature in the trust relationships across any environment. You want one (root) CA, and possibly 1-3 intermediate CAs depending on the complexity of your infrastructure ( intermediate

Version: 2.1.4 OS: Gentoo stable/amd64 OpenSSL version: 1.0.0h I'm having a slight problem with the client certificates in Dovecot 2.1.4. I've set-up the client certificate verification/authentication, and it seems that Dovecot is choking on the trustchain with CRL's that I'm providing to it (attached to this mail). When I enable the client authentication using certificates, and

31 aug 2018 kl. 21:31 skrev Michael Schumacher <michael.schumacher at pamas.de>: > Leo, > >>> I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office. >>> I am assuming I'll need to pay a CA to generate what I need, but >>> I'm confused about what I need. I am running dovecot at teh moment, >>>

Hi, I'm experimenting with certificates for users, giving access via the TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of one certificate per SSH key on the user's side, which prevents using the same key for hosts using different TrustedUserCAKeys. Is there a clean way around this? To make the above clearer, consider the following situation: A collection of hosts

Hi, I have, in one customer, a web server running on a Verisign-signed certificate SSL certificate. Everything works fine, IE and Firefox connects on https without asking anything, which usually happens on self-signed certificates. I'm trying to use that certificate on dovecot, but clients (Thunderbird basically) keeps saying the certificate is not valid. yes i'm using,

On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote: > Hello, > > I'm using certtool to generate the server certificates for ESXi - > http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server > certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. > And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh

I suggest deprecating proprietary SSH certificates and move to X.509 certificates. The reasons why I suggest this change are: X.509 certificates are the standard on the web, SSH certificates provide no way to revoke compromised certificates, and SSH certificates haven't seen significant adoption, It's also a bad idea to roll your own crypto, and own certificate format seems like an example

Greetings, For those interested in using certificates with hostbased authentication, I have just submitted an enhancement request[1] to the OpenSSH bugzilla site with a preliminary patch that adds support for this. Despite the fact that hostbased authentication is, by default, disabled for both the client and server, there are environments where hostbased authentication can be very useful. One

What problem are you seeing? It uses the correct SSL certs when I connect. prompt> gnutls-cli --port 993 mail.nimmini.de Processed 149 CA certificate(s). Resolving 'mail.nimmini.de:993'... Connecting to '46.38.231.143:993'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=nimmini.de', issuer `CN=Let's Encrypt

That's not a very good source, since it's only available to one person. On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote: > On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: >> How can I revoke one SSH certificate without having to replace the >> root certificate and all certificates signed by it? > >

Hello, we're running RC2 and seeing a problem with the way SSL certs are handled by Dovecot. We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no. Using this setup we get (rather interesting) log entries like these: Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert> Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA