Windows trusting many more Root Authorities than certmgr shows

This baffled me for a while: I used certmgr to see if a Windows 10 machine had a root certificate that was needed to certify a certain digital signature, and it wasn’t listed. But then the signature was validated. And not only that, the root certificate was suddenly present in certmgr. Huh? Here’s a quick [...]

Attestation signing of Windows device driver: An unofficial guide

Introduction This is my best effort to summarize the steps to attestation signing for Windows drivers (see Microsoft’s main page on this). I’m mostly a Linux guy with no connections inside Microsoft, so everything written below is based upon public sources, trial and (a lot of) error, some reverse engineering, and speculations. This couldn’t be [...]

Generation of a certificate request from an existing P12 certificate

The goal The envisioned work flow for certificate generation is that the end user requests a certificate from a CA by first generating a public / private key pair, and then sending a request for having the public key certified by the CA. This way, the CA is never exposed to the private key. This [...]
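An added example of the workflow described above, not code from the original post: the private key already sits in a PKCS#12 bundle, so the request is built around that same key and only the public half (inside the signed CSR) goes to the CA. The helper names, the file names and the password handling are my assumptions; the `openssl pkcs12` and `openssl req` invocations are the standard ones.

```shell
#!/bin/sh
# Example helpers (added here, not from the post). Assumes an `openssl`
# binary (1.1 or 3.x) is on PATH.

# csr_from_p12 BUNDLE.p12 P12PASS SUBJECT OUT.csr
#   Extracts the private key from the bundle into a mode-600 temporary file,
#   builds a CSR that re-uses that key, then removes the plaintext key.
csr_from_p12() {
    p12=$1; pass=$2; subj=$3; out=$4
    keytmp=$(mktemp)
    chmod 600 "$keytmp"
    # -nocerts: key only; -nodes: write it unencrypted, which is why the file
    # is created with mode 600 and deleted below. -passin supplies the
    # bundle password non-interactively.
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" -out "$keytmp" \
        || { rm -f "$keytmp"; return 1; }
    # The CSR carries the public key and is signed with the private key: that
    # proves possession to the CA without the key ever leaving this host.
    openssl req -new -key "$keytmp" -subj "$subj" -sha256 -out "$out" \
        || { rm -f "$keytmp"; return 1; }
    rm -f "$keytmp"
}

# csr_pubkey_matches_p12 BUNDLE.p12 P12PASS REQ.csr
#   Sanity check before sending anything: the public key in the CSR must be
#   the one in the bundle's certificate, otherwise the CA would certify a key
#   we do not hold (or a stale one).
csr_pubkey_matches_p12() {
    a=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" \
        | openssl x509 -noout -pubkey)
    b=$(openssl req -in "$3" -noout -pubkey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Keep in mind that re-using the key means the new certificate inherits whatever exposure the old one had; if the P12 was ever copied around, generate a fresh key pair instead of requesting a certificate for the old one.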

Crypto jots on ASN.1 and Microsoft’s .cat files

Intro Crypto is not my expertise. This is a pile of jots I wrote down as I tried to figure out what the Microsoft catalogue file is all about. Not-so-surprising spoiler: It appears to be organized and elegant at first glance, but the more you look into it, it’s a mess. Of the kind that’s [...]

A sledge hammer introduction to X.509 certificates

Introduction First and foremost: Crypto is not my expertise. This is a note to future self for the next time I’ll need to deal with similar topics. This post summarizes my understanding as I worked on a timestamp server, and it shows the certificates used by it. There are many guides to X.509 certificates [...]

This post is intentionally left blank

This post has been terminally removed. It’s pointless to ask me for a copy of it.

This post is intentionally left blank

This post has been terminally removed. It’s pointless to ask me for a copy of it.

fetchmail, openssl and a sudden failure to authenticate certificates

Since around the beginning of December 2017, fetchmail stopped retrieving mails from Gmail servers silently, without issuing any kind of error message. Only when starting fetchmail in the foreground, I got fetchmail: Server certificate verification error: unable to get local issuer certificate fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Trust Services/CN=Google [...]

Password-less SSH remote login demystified

This is documented everywhere, and still, I always find myself messing around with this. So once and for all: The files In any user’s .ssh/ directory, there should be (among others) two files: id_rsa and id_rsa.pub. Or maybe with dsa instead of rsa. Doesn’t matter too much. These are the keys that are used when [...]
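Most of the "messing around" with key-based login comes down to file permissions that sshd and ssh enforce but report only vaguely (or, on the server side, not at all in the client's view). Here is an added example, not part of the original post: a small POSIX sh checker for the rules that matter. With the default `StrictModes yes`, sshd rejects a `.ssh` directory or `authorized_keys` file that is group- or world-writable, and the ssh client refuses a private key that anyone other than its owner can read. The function names and the `stat` usage are my assumptions; `id_rsa`/`id_rsa.pub` come from the post, the other key names are the current OpenSSH defaults.

```shell
#!/bin/sh
# Example checker (added here, not from the post). Looks at mode bits only,
# not ownership; GNU stat first, BSD/macOS stat as a fallback.

# mode_of FILE: permission bits as octal digits, e.g. 600 or 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# writable_by_others MODE: true if the group or the other write bit is set.
# MODE is a string of octal digits; the tens digit is group, units is other.
writable_by_others() {
    g=$(( ($1 / 10) % 10 )); o=$(( $1 % 10 ))
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# accessible_by_others MODE: true if group or other have any permission at all.
accessible_by_others() {
    [ $(( $1 % 100 )) -ne 0 ]
}

# check_ssh_dir DIR: audit DIR as if it were a user's ~/.ssh.
# Prints each problem found; returns 0 if there were none, 1 otherwise.
check_ssh_dir() {
    dir=$1; bad=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"; return 1
    fi
    # sshd StrictModes: the directory itself must not be writable by others.
    if writable_by_others "$(mode_of "$dir")"; then
        echo "$dir: group/world writable (want 700)"; bad=1
    fi
    # sshd StrictModes: neither may authorized_keys.
    if [ -f "$dir/authorized_keys" ] && writable_by_others "$(mode_of "$dir/authorized_keys")"; then
        echo "$dir/authorized_keys: group/world writable (want 600)"; bad=1
    fi
    # ssh client: a private key readable by others is refused outright
    # ("UNPROTECTED PRIVATE KEY FILE"), so the login falls back to a password.
    for key in id_rsa id_ed25519 id_ecdsa id_dsa; do
        [ -f "$dir/$key" ] || continue
        if accessible_by_others "$(mode_of "$dir/$key")"; then
            echo "$dir/$key: private key readable by others (want 600)"; bad=1
        fi
        [ -f "$dir/$key.pub" ] || echo "$dir/$key.pub: public half missing (ssh-copy-id needs it)"
    done
    return $bad
}
```

Run it as `check_ssh_dir "$HOME/.ssh"` on the client, and on the server for the account you are logging into; the server side is the one people forget, because a too-open `authorized_keys` there produces nothing but a password prompt on the client.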

Authoritative timestamping: Some silly games

Ever wanted to prove you knew something before everyone else? Here’s the way: You write it down in a file, and timestamp it. Then, when you want to prove you were there first, you’ll show the original file, the signed timestamp, and then everyone knows you’re a hopeless geek. But this can help a bit [...]