skopeo sign using private root CA certificate - containers

I have a requirement where a Docker image needs to be signed using a private SSL key generated from a private CA and verified using the public SSL key of that private CA.
I am using Harbor as the image registry.
There is already private TLS established for docker pull. On top of that, the client needs image signing as well, using the same private root CA.
Can I use skopeo for this?
I checked the documentation. It uses a passphrase to sign, not the private SSL certificate.
If not skopeo, then which tool can do this?

Related

Azure MySQL Flexible Server and Read Replica Connection Path

My understanding is that if I wanted to set up a read replica for a non-flexible Azure MySQL server that is connected to a virtual network using a private link, any replication will be done "over the open internet" rather than through the address exposed by the private link, as private links are a "one way street", so to speak. The source IP according to the replica will be that of the public IP address of the MySQL server within Azure (regardless of whether you had provided public access to it or not).
My situation, on the other hand, is with an Azure MySQL Flexible Server deployed in my tenant with private VNet integration. As I understand it, this is different from private links. I am trying to understand whether replication happens the same way via some hidden public IP address, or whether the replication source is the private IP address assigned to the flexible server within the VNet it is deployed in, to which I can then apply normal VNet routing rules to send it wherever I want, be it through a private firewall or perhaps to a replication source over a VPN.
See my diagram below. I'm pretty confident my understanding of the diagram on the left is correct; I am trying to understand which path the replication for the flexible server will take here: via some hidden public IP, or routed properly through the firewall?

Ingress client certificate authenticate requires CA certificate to be stored in secret?

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, the ingress requires the CA certificate to be stored in a secret. My question is: assuming that I use client certificates that have been issued by a trusted CA (that's how it works, right? CAs issue client certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in the AKS cluster as a secret? Do CAs just hand their certificates out to the public? Isn't that a security issue (since I could sign client certificates using that CA certificate)?
The CA certificate .crt file doesn't contain the private key. It only contains the public key plus certificate information, which is public and can't be used to sign new certificates. You can safely store the ca.crt in a Kubernetes Secret; only the server certificate requires its private key.

Self signed certificate (CA) import into windows Certmgr.msc using Chrome or IE is not working

Using OpenSSL, I generated my own Certificate Authority (CA), and using this CA I generated a self-signed server certificate and key. This server certificate and key were used to configure an Apache HTTPD proxy and a Tomcat server, which start successfully, and I am able to load the application UI and work as expected (all functionality is fine).
Now, since it is a self-signed server certificate, the browser URL pane shows "Certificate error" / "Not secure" every time. I try to import this certificate into my Windows Trusted Root Certification Authorities store using Chrome or IE. The certificate import is successful.
Looking at the certificate in the Windows Certificate Manager (certmgr.msc), Windows says it "does not have enough information to verify this certificate". When looking at the certificate path, the only certificate shown is the certificate itself (with a yellow exclamation mark), and the certificate status indicates "The issuer of this certificate could not be found". Checking the certificate name, I find that instead of the CA certificate, the server certificate is imported. While I can see the certificate in certmgr.msc, in the browser the imported certificate does not even show under Trusted Root Certification Authorities. The Common Name (CN), SubjectAlternativeName (SAN) etc. are all present as expected, as I know they are important.
After I manually import the CA certificate (which I already have) separately from the browser, the UI loads with the green padlock as expected.
I checked online for suggestions and I can see many threads exist like this0, this1, this2, this3, this4, this5 without much help. None of them have solved this import issue without a manual CA cert import.
What am I missing? With the browser certificate import, why is the server certificate imported and not the CA certificate?
What should I do to import the CA certificate directly, reading from the server certificate? Should we install the CA certificate manually? If yes, then how do I import this CA certificate on a remote machine when I try to access my application from outside the system (remote system browser)? Kindly help.
Finally, I was able to figure out how to solve this issue. I am answering my own question here so that it might help anyone else facing the same issue.
Initially you generate your own CA and server private key, and then using that CA you sign the server certificate. We were using an Apache HTTPD proxy server, and in the configuration, along with SSLCertificateFile, SSLCACertificateFile needs to be set to the CA certificate. Upon loading the URL in the browser, "Certificate error" or "Not Secure" will be shown. When you click through to import the certificate, under Certificate details you will see the CA certificate followed by the server certificate. Save the CA certificate locally to Trusted Root Certification Authorities (save the CA and NOT the server certificate) so that you install this CA (the one we created); once the CA certificate is imported successfully, the connection will be shown as secure with the green padlock in the URL bar. This can be done from a local or any remote machine accessing the URL.
All certificates that we newly generate and sign with this same CA will be inherently trusted thereafter.
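Two of the answers above turn on what each PEM file actually holds: the ingress answer says ca.crt carries no private key and is therefore safe to put in a Secret, and the self-signed answer says the server should present the CA certificate together with its own so that the browser can offer the CA, not the leaf, for import. The script below is an added example, not code from either poster. It builds a throwaway private CA with openssl, issues a server certificate (with a SAN) and a client certificate from it, issues a second client certificate from an unrelated CA, assembles the leaf-plus-issuer bundle, and then checks those points with grep and openssl verify. The CA names, app.example.internal, the subjects alice and mallory, the extension sections and the $WORK directory are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the original posts. Builds a private CA and a few
# leaf certificates with openssl, then checks what each file actually holds.
# Names, subjects and the work directory are all assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.internal
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# new_ca <name> <CN>: self-signed CA. <name>.key never leaves this directory;
# <name>.crt is the only file that gets handed to browsers, ingress or Secrets.
new_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/$1.key" -out "$WORK/$1.crt" -days 3650 \
    -subj "/CN=$2" -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
}

# issue_cert <name> <ca> <extensions section> <CN>: key + CSR, signed by <ca>.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$4" \
    -config "$WORK/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# has_private_key <file>: exit 0 if the PEM file carries a private key block.
has_private_key() {
  grep -q 'PRIVATE KEY' "$1"
}

# verify_against_ca <ca.crt> <leaf.crt>: exit 0 if the leaf chains to that CA.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chain_cert_count <file>: number of certificates in a PEM bundle.
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

make_pki() {
  write_config
  new_ca ca "Example Private CA"
  issue_cert server ca v3_server app.example.internal
  issue_cert client ca v3_client alice
  # An unrelated CA: its client certificates must NOT verify against ca.crt.
  new_ca other-ca "Some Other CA"
  issue_cert other-client other-ca v3_client mallory
  # Leaf first, then issuer: the bundle a server should present so the browser
  # can show (and let you import) the CA certificate rather than the leaf only.
  cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/server-chain.crt"
}

make_pki

# Human-readable summary; the helper functions above are what the checks use.
for f in ca.crt ca.key server.crt client.crt; do
  if has_private_key "$WORK/$f"; then echo "$f: contains a PRIVATE KEY"; else echo "$f: no private key"; fi
done
for leaf in client other-client; do
  if verify_against_ca "$WORK/ca.crt" "$WORK/$leaf.crt"; then
    echo "$leaf.crt: chains to ca.crt"
  else
    echo "$leaf.crt: does NOT chain to ca.crt"
  fi
done
echo "server-chain.crt holds $(chain_cert_count "$WORK/server-chain.crt") certificates"
```

The point of keeping ca.key and ca.crt apart is exactly the one the ingress answer makes: ca.crt is what you hand to a Secret or a browser trust store, and anyone holding it can verify certificates but cannot issue them; only ca.key can. The server-chain.crt bundle is the leaf-then-issuer order a TLS server should present, which is what lets the browser show the CA certificate in the chain so it can be imported instead of the server certificate.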

Putting private information on Public PaaS?

If I put my private information into any public PaaS (I'm currently using the OpenShift environment), would it be open to the public, or to employees of the company? I fail to understand how public a public PaaS is.
Thanks.
The information that you upload or deploy to your gear on OpenShift is private to your gear(s). Red Hat/OpenShift employees will not access the data on your gear unless you give us permission.
If you use Git for this, you can deploy gitolite on a virtual private server.
I think that a lot of collaboration tools can be deployed on VPSes or, if you do not trust that, you can buy your own PC and use it as a server. I do the same: I have a Raspberry Pi with some Git repos and task tracker / calendar / LDAP applications that are used by me and my team.

Does Flex HttpService support https with client authentication

I want to access a secure service (REST-style HTTPS) for credit card details in an AIR app, so I want to authenticate with a .PEM certificate. How do I use the addBinaryChainBuildingCertificate() method? Because it accepts a DER-encoded X.509 certificate, do I need to pass the private RSA key and the certificate separately to addBinaryChainBuildingCertificate()?
I tried using TLSSocket from as3crypto; I connect to the host for some time and then I receive a close event.
If the SWF is running in the browser, do we still need to pass the certificate/key or not?
How does Flex deal with the keystore and certstore, or does it use its own?
Any help is appreciated. Thanks!