Self signed certificate for Adobe Air application - apache-flex

I need to create a self signed certificate for my desktop app. What do I need to enter in these fields?
Organization unit
Organization name
Does Organization means my agency's name?

As Flextras pointed out these are optional on self-signed certificates. When purchasing a certificate from a certificate authority like thawte or verisign they are used to verify the existence of your company. In this case
Organization Name is the legal name of your business
Organization Unit is the specific branch within your business
This PDF from thawte touches on it and this article explains it more explicitly.

For Organization Name I put my company's formal legal name; DotComIt. For Organization Unit I think I left it blank.
If memory serves me neither of them are required; so you can leave them both blank.

Related

How to support user-supplied SSL certificates in web app

I’m building a web application where users can create their own websites. Users have the option to point their own domain names at these sites. A prototype for the application already exists; Apache accepts requests on all hostnames and the actual domain mapping and resolution happen at the application level (a simple database lookup grabs the site that matches the requested hostname).
Where I’m stuck is how users’ SSL certificates might fit into this equation. What steps would I need to take to allow a user to upload their SSL certificate such that the application could successfully handle secure HTTP requests to their hostname? Is this even something the application alone could handle?
I think you cannot handle this in your application alone.
It's a CA problem, except you are an intermediate CA company, or you cannot get the user's domain SSL certificate and sign for user's domain.
The typical user, and IMHO even more the users who are going to create a web site on this system as opposed to setting up their own WordPress or other site on their own server (or their own paid shared server hosting account), will have absolutely no idea how to set up a proper SSL certificate, so getting it to you securely so that you can install it wouldn't even be an issue because they will never get that far.
However, you should be able to use Let's Encrypt to do exactly what you need. As part of the process of adding a domain, once the domain is pointing to your server (the users will have to figure out how to do that with their domain registrar), you can create a Let's Encrypt certificate and validate it. My favorite web hosting company (I won't name it as that is not relevant - anyone can do this with some effort) provides this capability as part of their Control Panel. They also provide paid certificates with a few of the big issuers, as they have for many years, but for most small sites Let's Encrypt works very well and is totally free. The setup literally takes only a minute. The key is that you have to give the user an IP address or CNAME first so that they can point the domain. Once the domain is resolving to your server, you can get the Let's Encrypt certificate.

How does RSA keep authentication and non-repudiation

Sorry for my bad English. I have read about security and understand how RSA works.
But how can RSA keep authentication? A man in the middle can use the public key and fake a message back. And how does it keep non-repudiation? Someone who sends you a message encrypted by the public key can say that it is not from him and it is faked.
There is some math behind RSA PKI (public key infrastructure) but I will try to keep it simple, though this scenario is described on many other sites and in other questions/answers. What exactly don't you understand?
The idea is, that it is easy to encrypt with the public key, but not possible to decrypt. The decryption is possible only with the private key.
Seems your question is aiming somewhere else. What you are missing (and is not part of the RSA itself) are certificates. Certificates may use RSA. A certificate is information about a holder of the public key. Still - there is a problem. If an entity (person, website) provides you a certificate, how can you be sure the certificate really belongs to the website, person or organization?
That's why there is defined term Certificate Authority (CA) - there are organizations which you (or your browser) should trust.
So when a website creates its RSA keypair, some certificate authority issues a signed certificate (bound to the public key) that the certificate is really from the website, person or organization.
"a man in middle can use public key and fake message back."
Your client (browser, application) must have a list of trusted Certificate Authorities. Usually it is already stored in your system. So the real web page can provide its public key and certificate and use encryption based on the public key. The browser checks that the certificate is valid and it is issued by a trusted authority.
The "man in the middle" would not be able to provide valid and trusted (signed by CA) certificate.
"And how it keep Non-repudiation, someone who send you a message encrypted by public key can say that it is not from him and it is faked?"
The same goes for signing. Once data are signed (or authenticated) using the private key, the signature can be validated by anyone using the public key. A certificate is bound to the public key. Usually the signing certificate is issued only when identity is verified by the certificate authority (for example for electronic ID cards, code signing certificates, etc.). So anyone could verify the signature was created by someone who was verified by a trusted authority.
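The signing and CA-binding checks described in this answer, as an added example that is not part of the original post: textbook RSA without padding over constructed Mersenne-prime keys, for illustration only. The subject name `shop.example` and the helpers `issue_cert` and `accept` are assumptions of this example.

```python
import hashlib

# Constructed toy keys built from Mersenne primes; textbook RSA, no padding.
# Illustration only: real systems use a vetted library and RSA-PSS.
E = 65537

def make_key(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private                      # only the key holder knows d
    return pow(digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public                       # anyone can run this check
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public):
    return f"{subject}|{public[0]:x}|{public[1]:x}".encode()

def issue_cert(ca_private, subject, public):
    """The CA binds a subject name to a public key by signing both."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(ca_private, cert_body(subject, public))}

def accept(ca_public, cert, expected_subject, data, signature):
    """Client side: trust only the CA key, then check cert, name, signature."""
    return (verify(ca_public, cert_body(cert["subject"], cert["public"]), cert["ca_sig"])
            and cert["subject"] == expected_subject
            and verify(cert["public"], data, signature))

CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
SITE_PUB, SITE_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
MITM_PUB, MITM_PRIV = make_key(2**2281 - 1, 2**3217 - 1)

def demo():
    msg = b"order 42 confirmed"         # constructed sample message
    cert = issue_cert(CA_PRIV, "shop.example", SITE_PUB)
    sig = sign(SITE_PRIV, msg)
    # The man in the middle has his own key pair and signs his own "certificate".
    fake = issue_cert(MITM_PRIV, "shop.example", MITM_PUB)
    return {"genuine": accept(CA_PUB, cert, "shop.example", msg, sig),
            "tampered": accept(CA_PUB, cert, "shop.example", b"order 43 confirmed", sig),
            "mitm": accept(CA_PUB, fake, "shop.example", msg, sign(MITM_PRIV, msg))}

if __name__ == "__main__":
    print(demo())
```

Encrypting with the public key appears nowhere in the check: anyone can do that, so it proves nothing about the sender, while a valid signature can only come from the holder of the private key the CA certified.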

Jar signing common name

I'm looking to sign a jar that will be launched via jnlp from different servers behind a firewall on an internal network. The jar file needs to be signed with a trusted certificate so as to avoid the security warning.
I've set-up keystores and SSL certificates in the past, but only to be used for web applications. Typically the Common Name used when setting up the key-pair should be the domain name pointing to the web application (e.g. mysite.example.com).
How does this change when signing a jar that will be served via jnlp from different servers that typically do not have domain names assigned to them? Is the Common Name as important here? Can we set up and sign the jar using a single trusted certificate with one Common Name, to be used for all servers?
Thanks!
Normally we sign something with the private key and we verify with the public key. So it is a little bit different from trusting a web (SSL) server.
The procedure:
create (get) key pair certificate
import on keystore
sign the jar
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html

How to set the publisher name to an adobe air application

I am trying to create my own certificate for an Adobe AIR application. I created one already based on this link: http://help.adobe.com/en_US/AIR/1.5/devappshtml/WS5b3ccc516d4fbf351e63e3d118666ade46-7f74.html
But when I install my application the publisher field is still set to unknown, and in the end that is what I am trying to do: I need to set the publisher to one specific value.
Thanks a lot!
You need to buy a code-signing certificate from a company like Verisign or Thawte or another Certificate Authority.
Read this blog by Christian Cantrell for more info on how to get the certificates.
The pages where you can buy the certificate from Thawte and Verisign.
I don't think Thawte allows individuals to buy the certificate, but Verisign does.
Remember, you need to buy the Adobe AIR code signing certificate.

How do I access a third party component using ASP.NET and a JKS certificate?

I need to access a third party application that requires a JKS Certificate (which I have).
My client application is an ASP.NET one. How do I go about this?
(I would have liked to provide more information, but unfortunately I have none!)
First, import the certificate to the Windows certificate store. Have a look at http://tjworld.net/software/codesigning/JKS2PFX.html for this. If you need to use it from the aspnet account you might prefer to import it to the machine's store (instead of your account's cert store). Use the MMC certificates add-in to check it.
Then use this certificate in your application. In most cases you will select it by its "DN=...." property (which you will also see in MMC).
HTH,
Thomas
