Certificate Centre

At Red Kestrel Consulting we have developed a product to provide a single consolidated view of all your certificates. Certificate Centre can be integrated into your environment and retrieve certificate data from many disparate sources to build and present a complete and detailed view of your certificates. 

Below are some screenshots of the Red Kestrel Certificate Centre product:

For more information: Certificate Centre.

- Phil

Testing for weak OpenSSL keys

During May 2008 the Debian project released a security advisory describing a bug discovered in OpenSSL by Luciano Bello. What Luciano had found was that the random number generator in the Debian OpenSSL package was predictable and had been since an erroneous software change in 2006. This meant that the cryptographic keys generated by OpenSSL were potentially vulnerable and should not be used. Our online decoder checks your CSR and certificate against a blacklist of keys known to be weak and warns you if your key appears on this blacklist.

- Phil

You can now try My Certificates without creating an account

Just a quick note to let you know that you can now try out the My Certificates tool without the need to create an account. When you go to the My Certificates page you will be automatically logged in to a shared demo account. From this account you can add certificates, delete certificates, view certificate details, and add notes. Please note that this is a shared public account so anything you add may be viewed, edited or deleted by other users.

- Phil

 

Keep track of your SSL certificates

Today, we've launched a new tool called My Certificates to help you keep track of your SSL certificates.

It's easy to add the certificates you want to keep track of, and clicking on a certificate brings up all of its details. Furthermore, you can annotate the certificates with contact information and notes. It's free to try out the beta version; simply create an account on Cert Logik and you can start using My Certificates right away.

Please let us know what other features you need - email phil@redkestrel.co.uk or use the feedback tab on the My Certificates page.

- Phil

How to verify that a private key matches a CSR or certificate

Here's a quick note on how you can use OpenSSL to verify that a private key matches a CSR or certificate. Basically, the moduli of the key, the certificate, and the CSR should be the same. To make the comparison a bit easier, you can compare the MD5 hashes of the moduli using the following commands:

openssl rsa -noout -modulus -in privkey.pem | openssl md5
openssl req -noout -modulus -in certreq.csr | openssl md5
openssl x509 -noout -modulus -in newcert.pem | openssl md5
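
The same check as a script, added here as an example and not part of the original post. It goes beyond the commands above by comparing the whole public key rather than the RSA modulus, so it also covers non-RSA keys, and it hashes with SHA-256 instead of MD5. The function names and the sample files it generates are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare public keys instead of RSA moduli.
# File names in make_samples mirror the post; all sample data is constructed.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    echo "unknown type: $1" >&2; return 2 ;;
    esac
    # An unreadable or wrong-type file yields no key; fail rather than hash nothing.
    [ -n "$pem" ] || { echo "cannot read $1: $2" >&2; return 2; }
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 on match, 1 on mismatch, 2 if either input could not be parsed.
key_matches() {     # usage: key_matches KEY csr|cert FILE
    want=$(pubkey_digest key "$1") || return 2
    got=$(pubkey_digest "$2" "$3") || return 2
    [ "$want" = "$got" ]
}

# Build constructed test material: a key, its CSR and self-signed
# certificate, and an unrelated second key.
make_samples() {    # usage: make_samples DIR
    openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/privkey.pem" -subj "/CN=www.example.com" \
        -out "$1/certreq.csr" 2>/dev/null &&
    openssl req -new -x509 -days 1 -key "$1/privkey.pem" \
        -subj "/CN=www.example.com" -out "$1/newcert.pem" 2>/dev/null
}

# Command-line use: sh keymatch.sh privkey.pem cert newcert.pem
if [ "$#" -eq 3 ]; then
    key_matches "$@" && echo "match" || echo "MISMATCH or unreadable input"
fi
```

A return code of 2 keeps a parse failure from being mistaken for a mismatch, which matters when the check gates a deployment step.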

To examine the contents of a certificate you can use: Certificate Decoder

- Phil

SSL Certificates and Multiple Domain Names

When a browser is determining whether or not to trust your certificate, it checks that the domain name in the address bar matches your SSL certificate. Typically it does this by checking that the certificate's Common Name (CN), which is specified in the subject field, matches the domain in the address bar. So, for example, if the CN is www.example.com and the domain in the address bar is www.example.com, then everything is fine. However, if several domain names all resolve to the same server IP address (e.g., example.com, www.example.com, example.net), then any domain other than www.example.com will cause a browser error to be displayed. All is not lost, however, because the X.509 standard includes a Subject Alternative Name certificate extension which can be used to protect multiple domains with a single SSL certificate. For example, a single certificate could protect: www.example.com, example.com, example.org and so on, provided that all domains are explicitly listed in the Subject Alternative Name extension.

There is another type of certificate, called a Wildcard Certificate, that lets a single certificate protect all first-level subdomains of an entire domain. For example, a Wildcard Certificate issued to *.example.com would protect: example.com, www.example.com, blog.example.com etc. The wildcard domain is listed in the certificate's CN and the Wildcard Certificate does not contain a Subject Alternative Name extension.

Whatever type of certificate you have, you can use our SSL Checker tool to check that the domain name is correctly listed in the certificate. It will also let you view all the domain names within a Subject Alternative Name Certificate.

- Phil

 

Welcome to our blog

Hello World! We launched Cert Logik as a public beta a few days ago and we hope you are finding the tools useful. Please let us know how we can improve them for you, what features you'd like to see, what other tools you need, and any other feedback you may have. You can post your ideas and comments to our feedback forum using the feedback tab on the left side of the tools pages.

- Phil