Partially trusting somebody else’s Certificate Root (Cross sign)

So when I come to a customer, it isn't unusual that they have a Certificate Authority that they use for internal systems. But I don't want to install their CA as a trusted CA on my laptop, since a trusted root can issue certificates for any name. Who knows what they have been up to.

There are some kinks. Not all SSL implementations support, or even care about, the nameConstraints extension that I am using. But luckily for me Windows does. So I have my own CA that I use to sign all my customers' CAs and limit them to the domains I see fit.

So first of all, let's get OpenSSL installed on your machine. Let's get it from Shining Light Productions. Now you might ask why not take it from the source, OpenSSL. The reason is that the OpenSSL project does not distribute compiled versions, so you can either get the source and compile it yourself, or get a build from Shining Light and be happy.

Now let's start with creating our own private CA and key. We will install this one on our machine as a Root CA. The key we need to keep if we want to sign other CAs down the road. Also, if anyone gets your key they can create fake certificates to trick you, so putting it on your homepage is a bad idea.
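The whole procedure end to end, as an added example rather than the author's own commands: it creates the private root, cross-signs a customer root with a nameConstraints extension, and then checks that a certificate for a name outside the permitted domain is rejected. It assumes openssl.exe (the Shining Light build) is on the PATH; the "customer" CA and both leaf certificates are constructed locally so the script runs offline (in real use you are only handed the customer's root certificate, never its key), and the names `corp.example`, `intranet.corp.example` and `login.example.com` are sample values.

```powershell
# Added example (not the author's script). Assumes openssl.exe is on PATH.
# Everything is written to a scratch folder. The "customer" CA below is a
# constructed stand-in so the example runs offline; in real use you only
# receive customer-root.pem and never see the customer's private key.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'crosssign-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work

# 1. Our own private root CA. Guard my-root.key: whoever holds it can mint
#    certificates that this machine will trust.
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 `
    -subj '/CN=My Personal Cross-Signing Root' `
    -addext 'basicConstraints=critical,CA:TRUE' `
    -addext 'keyUsage=critical,keyCertSign,cRLSign' `
    -addext 'subjectKeyIdentifier=hash' `
    -keyout my-root.key -out my-root.pem

# 2. Stand-in for the customer's root CA (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 `
    -subj '/CN=Customer Internal Root' `
    -addext 'basicConstraints=critical,CA:TRUE' `
    -addext 'keyUsage=critical,keyCertSign,cRLSign' `
    -keyout customer-root.key -out customer-root.pem

# 3. Extension profile for the cross-signed copy. nameConstraints is the point:
#    anything the customer CA signs must fall under .corp.example, otherwise
#    chain building fails on implementations that honour the extension.
@'
[cross]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
nameConstraints = critical, permitted;DNS:.corp.example
'@ | Set-Content -Encoding ascii cross.cnf

# 4. Cross-sign: re-issue the customer's certificate (same subject, same public
#    key) under our root. -clrext drops the customer's own extensions so only
#    the profile above applies. The customer's private key is not needed.
openssl x509 -in customer-root.pem -CA my-root.pem -CAkey my-root.key `
    -CAcreateserial -clrext -extfile cross.cnf -extensions cross `
    -sha256 -days 1825 -out customer-cross.pem

# 5. Two leaf certificates issued by the customer CA (constructed with the
#    stand-in key): one inside the permitted domain, one outside it.
foreach ($name in 'intranet.corp.example', 'login.example.com') {
    "subjectAltName=DNS:$name" | Set-Content -Encoding ascii "$name.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" `
        -keyout "$name.key" -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA customer-root.pem -CAkey customer-root.key `
        -CAcreateserial -sha256 -days 365 -extfile "$name.ext" -out "$name.pem"
}

# 6. Verify against *our* root only, with the cross-signed certificate as the
#    untrusted intermediate. The in-scope name verifies; the out-of-scope one
#    fails with a permitted subtree violation.
foreach ($name in 'intranet.corp.example', 'login.example.com') {
    Write-Host "== $name"
    openssl verify -CAfile my-root.pem -untrusted customer-cross.pem "$name.pem"
}
```

On the Windows side the two files to import are my-root.pem (Trusted Root Certification Authorities) and customer-cross.pem (Intermediate Certification Authorities); the customer's original root stays out of the trust store, so its certificates only chain through the constrained cross-signed copy.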

Using certreq to create selfsigned certificates

So sometimes you need to create self-signed certificates in Windows. Sometimes I have done it using the OpenSSL software, and Windows 2012 and later include PowerShell support using New-SelfSignedCertificate. But all versions of Windows include the binaries required to do it natively. It is a two-part thing: first create the INF file, then run certreq using that file.

It will create and sign the certificate. I'm not really sure why it is also asking where to store the CSR (Certificate Signing Request), so I just close that dialog.

A super simple self-signed certificate

It does not get any simpler than this. It will not limit the intended purposes of the certificate, and it does not use a particularly good key size. Sure, we can make it better by adding some intended purposes and stronger cryptography.

A better self-signed certificate

But now and then we need the certificate to answer for multiple names, a so-called SAN certificate.

A SAN certificate
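The three steps above (a self-signed certificate, one with restricted purposes and a better key, and one with several names) combined into a single INF plus the certreq call, as an added example and not the author's INF files. The host name `web01.corp.example`, the additional names and the IP address are constructed sample values; `RequestType = Cert` is what makes certreq self-sign instead of producing a request.

```powershell
# Added example, not the author's INF. Builds a self-signed SAN certificate with
# certreq.exe alone. Subject, dns= and ipaddress= values are constructed; change
# them to the host you are issuing for. Run elevated because MachineKeySet puts
# the key in the machine store (set it to FALSE to use the current user's store).
$ErrorActionPreference = 'Stop'
$inf = Join-Path $env:TEMP 'san-selfsigned.inf'
$cer = Join-Path $env:TEMP 'san-selfsigned.cer'

@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.corp.example"
; Cert = self-sign; PKCS10 would produce a CSR for a CA to sign instead
RequestType = Cert
; stronger key and hash than the bare-minimum certificate
KeyLength = 2048
HashAlgorithm = sha256
; 0x80 digitalSignature + 0x20 keyEncipherment = 0xA0
KeyUsage = 0xA0
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
ValidityPeriod = Years
ValidityPeriodUnits = 2
FriendlyName = "web01 self-signed (example)"

[EnhancedKeyUsageExtension]
; limit the intended purposes: Server Authentication only
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is subjectAltName; every name the server must answer for goes here
2.5.29.17 = "{text}"
_continue_ = "dns=web01.corp.example&"
_continue_ = "dns=web01&"
_continue_ = "ipaddress=10.0.0.5"
'@ | Set-Content -Path $inf -Encoding ascii

# Passing an output file name saves the certificate there instead of prompting
certreq.exe -new $inf $cer

# certreq also places the certificate (with its key) in the machine Personal
# store; pull the newest one for the subject and show what was actually issued.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=web01.corp.example' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
$cert | Format-List Subject, Thumbprint, NotAfter, EnhancedKeyUsageList
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
```

The last two lines are the check worth doing every time: confirm the EKU list contains only Server Authentication and that the SAN extension lists exactly the names you intended, since a missing name fails TLS host matching and an extra purpose widens what the key can be used for.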


Check state of CRL checking.

Okay, I had the need to check what values were set for the Software Publishing “State”. This is the registry value where Windows stores whether it should do a CRL revocation check, or just say all okay even if the CRL is unavailable, and some other stuff. I found all the values on the MSDN page WintrustGetRegPolicyFlags, so I wrote a small PowerShell function to help decode it.
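A decoder for that value, written here as an added example (it is not the author's Get-WintrustGetRegPolicyFlags function). The flag names and bit values are the WTPF_* constants from wintrust.h as listed on the WintrustGetRegPolicyFlags page; the short glosses beside them are paraphrased, and the sample input 0x23C00 used at the end is a constructed value, not a claim about any machine's default.

```powershell
# Added example, not the author's function. Decodes the Software Publishing
# "State" DWORD into the WTPF_* flags from wintrust.h. Bit values are the
# documented constants; the glosses are paraphrased. With no argument it reads
# the current user's value from the registry.
function ConvertFrom-SoftwarePublishingState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [int64]$State = (Get-ItemProperty `
            -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing' `
            -Name State).State
    )
    process {
        # Registry DWORDs come back as Int32; normalise to an unsigned 32-bit value
        $State = $State -band 0xFFFFFFFF

        $flags = [ordered]@{
            0x00000020 = 'WTPF_TRUSTTEST            (trust test root certificates)'
            0x00000080 = 'WTPF_TESTCANBEVALID       (check test certificates for validity)'
            0x00000100 = 'WTPF_IGNOREEXPIRATION     (ignore certificate expiration)'
            0x00000200 = 'WTPF_IGNOREREVOKATION     (do not check revocation at all)'
            0x00000400 = 'WTPF_OFFLINEOK_IND        (individual: unavailable CRL is OK)'
            0x00000800 = 'WTPF_OFFLINEOK_COM        (commercial: unavailable CRL is OK)'
            0x00001000 = 'WTPF_OFFLINEOKNBU_IND     (individual: unavailable CRL is OK, no UI)'
            0x00002000 = 'WTPF_OFFLINEOKNBU_COM     (commercial: unavailable CRL is OK, no UI)'
            0x00010000 = 'WTPF_VERIFY_V1_OFF        (do not verify V1 certificates)'
            0x00020000 = 'WTPF_IGNOREREVOCATIONONTS (ignore revocation on timestamp certs)'
            0x00040000 = 'WTPF_ALLOWONLYPERTRUST    (only allow per-trust-provider settings)'
        }

        $known = 0
        foreach ($bit in $flags.Keys) {
            $known = $known -bor $bit
            [pscustomobject]@{
                Mask = ('0x{0:X8}' -f [int64]$bit)
                Set  = (($State -band $bit) -ne 0)
                Flag = $flags[$bit]
            }
        }

        # Bits not covered by the documented constants deserve a second look
        $unknown = $State -band (-bnot $known) -band 0xFFFFFFFF
        if ($unknown -ne 0) {
            Write-Warning ('Undocumented bits set in State: 0x{0:X8}' -f $unknown)
        }

        # The two settings that matter most for CRL checking, as a one-line verdict
        if ($State -band 0x00000200) {
            Write-Warning 'Revocation checking is disabled (WTPF_IGNOREREVOKATION).'
        } elseif ($State -band 0x00003C00) {
            Write-Verbose 'Revocation is checked, but an unreachable CRL is tolerated (WTPF_OFFLINEOK*).'
        }
    }
}

# Decode the live value for the current user
ConvertFrom-SoftwarePublishingState | Format-Table -AutoSize

# Decode a constructed sample value instead of reading the registry
ConvertFrom-SoftwarePublishingState -State 0x23C00 | Where-Object Set | Format-Table -AutoSize
```

The output is one row per documented flag with a Set column, so a quick `Where-Object Set` shows only what is active; the warning for WTPF_IGNOREREVOKATION is the case worth alerting on, since with that bit set Authenticode verification never consults a CRL at all.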

Example of running Get-WintrustGetRegPolicyFlags

