Export X509Certificate2 to byte array with the Private key

The Export function of the X509Certificate2 class allows you to export a certificate with the private key to a byte array. The following code demonstrates exporting a certificate with the private key:

    X509Store store = new X509Store(StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2 cert = store.Certificates[1];
    // Export the certificate including the private key.
    byte[] certBytes = cert.Export(X509ContentType.Pkcs12);

To …

Programmatically verify certificate chain using OpenSSL API

You can use the normal validation routines (see How do you verify a public key was issued by your private CA?), like the -verify function in OpenSSL does. You need to create a lookup method (X509_LOOKUP_METHOD) like X509_LOOKUP_file(), but which works with a character string instead of a filename. The code for X509_LOOKUP_buffer() is as …

x509: certificate signed by unknown authority – both with docker and with github

As mentioned in crypto/x509/root_unix.go, Go (which is what Docker uses) will check CA certificates in

    "/etc/ssl/certs/ca-certificates.crt",     // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",       // Fedora/RHEL
    "/etc/ssl/ca-bundle.pem",                 // OpenSUSE
    "/etc/ssl/cert.pem",                      // OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
    "/etc/pki/tls/cacert.pem",                // OpenELEC
    "/etc/certs/ca-certificates.crt",         // Solaris 11.2+

Make sure those files are available and not corrupted. There can also be a sporadic issue with the …

Using HTTPS with REST in Java

When you say “is there an easier way to… trust this cert”, that’s exactly what you’re doing by adding the cert to your Java trust store. And this is very, very easy to do, and there’s nothing you need to do within your client app to get that trust store recognized or utilized. On your …

OpenSSL as a CA without touching the certs/crl/index/etc environment

I don’t know of any “don’t bother” options, but here is how you can set up a quick demo CA:

    #!/bin/bash
    CAROOT=/path/to/ca
    mkdir -p ${CAROOT}/ca.db.certs   # Signed certificates storage
    touch ${CAROOT}/ca.db.index      # Index of signed certificates
    echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number

    # Configuration
    cat>${CAROOT}/ca.conf<<'EOF'
    [ ca ]
    default_ca = ca_default

    [ ca_default …

Getting RSA private key from PEM BASE64 Encoded private key file

This is PKCS#1 format of a private key. Try this code. It doesn’t use Bouncy Castle or other third-party crypto providers. Just java.security and sun.security for DER sequence parsing. Also it supports parsing of a private key in PKCS#8 format (PEM file that has a header "-----BEGIN PRIVATE KEY-----").

    import sun.security.util.DerInputStream;
    import sun.security.util.DerValue;
    import java.io.File;
    …
