I realize that this is a very late (and long) answer. But considering how well this question seems to rank in search engine results, I figured it might be worth writing a decent answer for. A lot of what you will read below is borrowed from this demo and the OpenSSL docs. The code below … Read more
First, about the distinction between key and certificate (regarding “CA key”), there are 3 pieces used when talking about public-key certificates (typically X.509): the public key, the private key and the certificate. The public key and the private key form a pair. You can sign and decrypt with the private key, you can verify (a … Read more
Note that you can limit the output of -text to just the extensions by adding the following option: -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux i.e.: openssl x509 -text -noout -in cert.pem \ -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux However, you’ll still need to apply some text parsing logic to get just the Subject Alternative Name. If that isn’t sufficient, I think you’ll need … Read more
Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not. Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, … Read more
If you’re on windows and using apache, maybe via WAMP or the Drupal stack installer, you can additionally download the git for windows package, which includes many useful linux command line tools, one of which is openssl. The following command creates the self signed certificate and key needed for apache and works fine in windows: … Read more
This depends on implementation, but the general rule is that the domain is checked against all SANs and the common name. If the domain is found there, then the certificate is OK for connection. RFC 5280, section 4.1.2.6 says “The subject name MAY be carried in the subject field and/or the subjectAltName extension”. This means … Read more
Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer. This means that it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism. From the Git for Windows 2.14 release notes: It is now possible … Read more
I suppose that you have copy-pasted the thumbprint from the Windows certificate information dialog box into your code (or to a config file if this is a simplified example). Annoyingly, the first character in the thumbprint textbox is the invisible Unicode “left-to-right-mark” control character. Try selecting the opening string quote and the first character of … Read more
If using Tomcat 6 and earlier, make sure the keystore password and the key password are same. If using Tomcat 7 and later, make sure they are the same or that the key password is specified in the server.xml file.