domain name system – Error Hostname DOES NOT VERIFY – Test certificates TLS Exchange 2016 cu21

Practicing with the certificates, in let’s encrypt win-acme normal is created, I send and receive normal mail, https in owa and the other services

Testing with checktls, it gives me an alert message :

Cert Hostname DOES NOT VERIFY:

(mail.contoso.com != mail | DNS:mail | DNS:mail.lan.contoso.com)

I don’t understand the mail.lan.contoso.com DNS error.
I thought the error was the DNS SPLIT, but reading in the forum they comment on something about the error.

I understand that the other connectors should not be changed in forums, books and tutorials, nobody changes them. That is why a new connector is created to receive from the internet, to which the FQDN can be changed.

Recommendations of this forum, my dns settings :

Private AD DNS (lan.contoso.com)

Record Type DNS Name Internal IP
A mail.lan.contoso.com 192.168.1.4
A DC01.lan.contoso.com 192.168.1.3

Private DNS (contoso.com) SPLIT

Record Type DNS Name Internal IP
A mail.contoso.com 192.168.1.4
A autodiscover.contoso.com 192.168.1.4

Public DNS (contoso.com)

Record Type DNS Name Value
A mail.contoso.com xxx.xxx.xxx.xxx
A autodiscover.contoso.com xxx.xxx.xxx.xxx
MX @ mail.contoso.com

tls – Why can’t tls1.2 server use certificate’s private key to encrypt ‘server finish’, and send if after ‘server hello’?

The Server Finished message does not contain anything relevant. It’s merely a test/validation to ensure the Server has generated proper Session Keys.

By encrypting a hash of the transcript of the handshake and sending it to the Client, the Client is able to validate that the Server has the correct Session Keys, and that both the Client and Server “saw” the same handshake records.

The Client does the same in the opposite direction with the Client Finished.

If you changed this mechanism, you’d need to add another mechanism to validate the Server has the proper session keys.

And, having the Server encrypt it’s Certificate record to the Client would only serve one purpose: Proves the Server has the matching Private Key… but that is already proven because the Server signs it’s Server Key Exchange record.

So in the end, your suggestion would take away a necessary step, and add an unnecessary step.

tls – How to use the concept of private/public key and certificates in order for the server to be able to validate the client?

I understand how public/private key and certificate is used for SSL. A client sends request to server. Server responds with certificate (and its public key). Client validates certificate, creates a new key, encrypts it using servers public key and sends it to the server. Going forward the client and server communicate using this shared secret key.

The above ensures that the client is convinced that the server is genuine.

I want to learn about how this concept can be used for server to be convinced that client is a genuine.

Please can someone explain to me like paragraph 1, how this would work? For example – client when making a POST request should be able to validate the server using the concept I have mentioned in paragraph 1 and additionally the server must be able to validate the client. In this case, would the client also send certificate? And what would be the flow of the working be like?

windows 10 – Why Is The Remove Button of Internet Options’ Content Certificates Greyed Out?


Your privacy


By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.




Is there a reason to renew host SSH certificates?

tl;dr: In certificate based SSH authorization, is there any benefit to keeping host certificates lifespan short? Do you gain anything by renewing them periodically?

Full Story
Recently I have been exploring SSH access through certificates, as opposed to the traditional means of access through public key authentication.

To me, certificate based authentication makes a lot of sense in terms of scalability and security, especially when paired with some kind of authorization with an identity platform like Active Directory. Making short lived user certificates eliminates the need for one to keep track of where their public keys live and creates narrower attack windows for any malicious actors. However, one pattern that I have seen a couple of times now is also creating short lived host certificates that are periodically renewed.

While I understand that host certificates are great because they can eliminate TOFU related issues, I am struggling to understand why I am seeing the pattern of short lifespans with frequent renewal. If anyone has insight to scenarios where this would be useful, I would greatly appreciate the explanation.

Note: Just to eliminate any ambiguity, what I mean by user and host certificates is as follows:

  • user: The certificate belonging to the client which initiates the SSH connection.
  • host: The certificate belonging to the server which is the target for the SSH connection.

certificates – Are problems expected when a subdomain CNAME target has no CAA record?

Consider the following DNS setup of example.com:

       A       89.41.169.49                # this is for redirect.pizza
       CAA     0 issue "letsencrypt.org"
www    CNAME   ghs.googlehosted.com

If I have understood correctly everything I read (in particular, https://serverfault.com/q/885952/), the CAA for www.example.com is taken from the one for ghs.googlehosted.com. However, ghs.googlehosted.com does not have a CAA record, and Google does not use Let’s Encrypt.


Edit: I just noticed that that while ghs.googlehosted.com does not have a CAA, googlehosted.com does have one.

  1. So, will the one from googlehosted.com be used for www.example.com?

I believe, no:

If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.

https://sslmate.com/caa/about

This is also in line with SSL Labs displaying the CAA for example.com for www.example.com.

So assume “no” in the following.


  1. So will the one from example.com be used for www.example.com?

(I suspect yes, see the quote above.)

  1. Is this a problem?

(I guess yes.)

If so, let’s go one step further: assume ghs.googlehosted.com does use a CAA record at one point, and all is fine. When the admins of ghs.googlehosted.com delete their CAA entry at one point, thinking that this will relax requirements – will this effectively make the requirements stricter, as now the one from example.com is used?

authentication – Microsoft deprecated cross-signing certificates, what’s the new procedure to sign kernel drivers for Windows 11 & 10?

Microsoft deprecated cross-signing certificates, however, it’s not clear from the docs what’s the new procedure.

From the docs above MS is the sole provider but their support claims you can still get one from other vendors (e.g. Digicert, Globalsign, etc…)

Does anybody know what’s the process for signing production kernel drivers for Windows 11 & 10?

Any help would be appreciated,
Thanks!

certificates – Is SNI always used in TLS connections?

I know the both DoT and DoH leak the target of the connection due to the use of SNI in the client hello (and that ESNI/ECH are proposed solutions), but what I cant figure out is does SNI get used 100% of the time (assuming a TLS connection)?

If it’s not 100% of the time, then when does it or doesn’t it get used?

  • by “used” I mean is it always present in the client hello making TLS connections ALWAYS leak their target

encryption – Seeking guidance on restoring my certificates & encrypted Windows 7 files after a Win 10 upgrade

sorry for the somewhat long explanation ahead of time:

A few years ago I upgraded from Win 7 to Win 10. The was the free upgrade for
Windows 7 users. The upgrade was done on top of my Windows 7 installation as opposed
to doing a clean Windows 10 install.

Prior to the upgrade I had a folder on my desktop which Windows evidently encrypted (without my intervention) as indicated by green text file/folder names. I’ve read that Windows will do this if the files originated from a Mac (which they originally did). Anyway after the upgrade to Windows 10, the folder disappeared from my desktop. Unfortunately I had been using this folder as my working folder so it ended up containing about 30 new files that I created, which was source code I wrote. I am wondering if it is possible for me to recover this missing folder.

My understanding is that Windows 7 uses a different set of encryption keys than
Windows 10. I think that during the upgrade I was asked to back up my keys (certificate).
I do have single .pfx file I saved off to another drive which might contain the
file key / certificate.

IF this .pfx file is a backup Windows 7 certificate can I import it into Windows 10 allow me access my encrypted files? I’m really unclear what the needed steps are and which category of
certificate this falls under (Personal Certificates?)
Please provide any explanations about what I need to do and possibly any suggestions/steps to make the file recovery happen.

A few notes about my system:

  1. A Windows 7 restore isn’t possible since I had it disabled at the time.
  2. My Windows.old folder was automatically deleted by Windows 10 days after the upgrade so it is no longer available.
  3. I am the only one using this computer and only have 1 account.
  4. My Windows username and password haven’t changed.
  5. My boot SSD drive and mobo are still the same as before the upgrade.

I’d really appreciate your help in guiding me to recover my semester’s worth of work.

Thanks,

reacher33

authentication – What are the benefits of using different certificates to identify the same service to different audiences?

Recently I was having a discussion with a team which uses a separate certificate for each different backend service that it interacts with. The backend services do client auth as well so that is what the certificates are used for.

I get that it reduces the blast radius when your certificate is leaked. But it also comes with additional management tasks. So I wonder, is there any other benefit that one gets?