#PKI

2026-02-15

One of the things that I find really interesting about #privacy and #identity is that privacy is often at odds with authorization and #accountability.

It seems to me that a world of perfect privacy, meaning no identity information is even provided, let alone stored or used, even if limited to just online spaces, is fundamentally at odds with providing accountability to people.

Stuff like asymmetric cryptography can provide non-repudiation through public key-private key stuff, but that in and of itself does not provide accountability, requiring the full #PKI ecosystem to function properly, and even then accountability is not guaranteed if no identity information is used.

And that is not even accounting for privileged access and #trust

It seems incredibly hard to balance as much privacy as possible to everyday people without compromising the whole entire chain of trust and authorization that the internet and basic services need to function.

And that provides the necessary excuses that identity capitalism and authoritarian regimes would want to keep our data for nefarious uses. That has been the purpose of the internet long before it was the internet, and will continue to do so after the internet as we know it has died off, probably and sadly.

If anyone knows a good resource that talks about this balance of privacy vs trust and similar, I would love to read more about it.

2026-02-12

Most “certificate automation” stops at issuance. That’s how you renew a cert and still serve the old one.

With the CertKit agent, we can now do all three. Renew certs, deploy files, restart services, verify the correct certs run in production.

certkit.io/blog/certkit-agent

#PKI #DevOps

2026-02-12

Diagnosing the Microsoft Configuration Manager client error CCM_E_NO_TOKEN_AUTH

In this article we go over diagnosing, and approaches to fixing, the error ConfigMgr clients get when connecting to the server with PKI in use. You will learn:
* how to find out which error is actually hiding behind 403 Forbidden
* where IIS keeps its CDP information and how to check a client certificate by hand
* how to switch off CRL-based certificate verification in IIS

habr.com/ru/articles/995422/

#SCCM #ConfigMgr #pki

2026-02-09

How to "bake" modules into NCALayer when the standard installer doesn't work

In practice NCALayer quite often installs "successfully" but without the required modules: the digital signature (EDS) is not detected, external systems don't work, and reinstalling doesn't help. Picking through configurations, Java parameters and logs is a workable route, but not always a justified use of time.

habr.com/ru/articles/994250/

#NCALayer #ЭЦП #НУЦ_РК #PKI #Java #OSGi #системное_администрирование #электронная_подпись #Windows

Mr T-Bone (@MrTbone_se)
2026-02-04

🥩🥩Mr T-Bone tip!🥩🥩[New from Tech Community]
Ever wondered how to keep your root certs safe? Dive into ADCS Offline Root CA best practices! PKI legends, get in here!


👉👉 tip.tbone.se/sYOAt3
[AI generated, Human reviewed]

2026-02-02

Every server managing its own certificates made sense when you had three servers. But with web farms, load balancers, and VPN appliances, you end up with rsync cron jobs distributing certs everywhere. CertBot doesn't scale. Especially at 47-day lifetimes.

certkit.io/blog/servers-should

#ACME #PKI

The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.

fosdem.org/2026/schedule/event

#SBOM #SPDX #CYCLONEDX #OWASP #CYBERSECURITY #PKILOVE #pki

2026-02-01

Adventures in PKI: :blobCat_nom_wire:

Ok so here is the story so far as a recap....
* The starting point was Crowdsec. Crowdsec has three components: agents which parse logs/events, remediation engines, which act on decisions, and a local API (lapi) which the first two connect to, and tracks the decisions and pulls from public block lists
* I realized I could also get external hosts involved, and also wait Crowdsec can parse logs from an aggregator, in this case Loki
* Awesome, step one, get logs into Loki. This led to a whole chain of events that caused me to deploy Grafana/Alloy to collect those logs
* At this point I realized that shit, the remote nodes need auth and I'd need to copy around tokens everywhere
* Right, tokens everywhere, on remote nodes, etc. but wait, both Alloy and Crowdsec support mTLS, all I need is client certs

record scratch

* Right so this would be easy if it wasn't for the pesky external nodes
* This led me to setting up smallstep's step-ca with an ACME provider
* I got rsyslog sending logs to a central log server via mTLS! Even without the rest of this the log collection is a win.
* (Aside, I also got ssh certs working)
* And I got the Traefik bouncer plus agent to lapi connections working over mTLS but there was a little bit of strangeness there
* Crowdsec's components do not understand cert lifespans, and will not reload certs if they're renewed, hilarious. Fine they get certs with a lifespan measured in "eh, I'll probably reboot a node before then"

Ok and here we are caught up with current day. The very last part is getting the various non cluster nodes connected so their ssh is covered by the block lists. I go to edit the config, and...

nothing

In the logs of the lapi there is a bad cert error. After some browsing of the issue tracker I see mention of an allowed OU setting. Huh. Yeah. The certs created by the helm chart have an OU setting.

Ok but can I ask for a specific OU via ACME?

Whelp.

:neocat_flop:

@homelab@fedigroups.social
#Homelab #Suffering #PKI #Grafana #Crowdsec
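As an added illustration of the allowed-OU wall the post runs into, here is a self-contained Go program that is not from the post, from Crowdsec or from step-ca. A constructed in-memory CA issues a server cert and two client certs; a TLS 1.3 server on loopback requires client certs chained to that CA and, in a VerifyPeerCertificate hook, additionally requires the client leaf's OU to be "crowdsec". The agent cert carrying that OU handshakes fine, while a cert the same CA signed but with no OU at all (the situation the post describes for its ACME-issued certs) is rejected after chain verification has already passed, which is how a perfectly valid cert still shows up as a bad-cert error in the lapi logs. The names lapi.local, the OU value and the hook itself are assumptions for the demo; Crowdsec's own setting is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a cert in memory: a self-signed CA when parent is nil, otherwise a
// leaf signed by it. These are constructed stand-ins for what step-ca issues via ACME.
func issue(cn string, ou []string, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo program: setup failures abort
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: ou},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	parentCert, parentKey := tmpl, any(key)
	if parent != nil {
		parentCert, parentKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one mTLS exchange on loopback. Beyond verifying the client chain
// against ca, the server insists the leaf carry allowedOU, mirroring the
// allowed-OU check the post ran into; the returned error is the server's verdict.
func handshake(ca *x509.Certificate, server, client tls.Certificate, allowedOU string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Invoked only after chain verification succeeded, so chains[0][0] is the client leaf.
	checkOU := func(_ [][]byte, chains [][]*x509.Certificate) error {
		got := chains[0][0].Subject.OrganizationalUnit
		for _, ou := range got {
			if ou == allowedOU {
				return nil
			}
		}
		return fmt.Errorf("client OU %v, want %q", got, allowedOU)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: checkOU, MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "lapi.local", MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-verdict
}

// main replays the post: an agent whose cert carries the expected OU gets in;
// one the same CA signed but without any OU is turned away.
func main() {
	ca := issue("homelab-ca", nil, nil)
	lapi := issue("lapi.local", []string{"crowdsec"}, &ca)
	agent := issue("agent", []string{"crowdsec"}, &ca)
	stray := issue("stray", nil, &ca) // e.g. an ACME-issued cert that got no OU
	fmt.Println("agent with OU:", handshake(ca.Leaf, lapi, agent, "crowdsec"))
	fmt.Println("stray without OU:", handshake(ca.Leaf, lapi, stray, "crowdsec"))
}
```

The point of doing the OU test inside VerifyPeerCertificate rather than in application code is that the rejection happens before any bytes of application data are accepted, which is also why the only trace the client side sees is a bare TLS alert and the useful message lands in the server's log.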

secsolution (@secsolution)
2026-01-30

Traditional PKIs under pressure: digital identities at risk and service outages for more than half of companies: Public key infrastructures (PKI) continue to be a pillar of digital security, but traditional models are showing more and more limits in the face of...
dlvr.it/TQg8xb

Pontiff Fractal Tiampft@infosec.exchange
2026-01-29

Still the Internet seems to be working despite Let's Encrypt putting IP addresses in certificate common name.

I. Am. Not. Surprised.

#pki #cname #letsencrypt

AllAboutSecurity (@allaboutsecurity)
2026-01-28
2026-01-27

Let's Encrypt is moving to 45-day certificates by February 2028, a year before the industry mandate. Everyone focuses on the certificate lifetime, but the real disruption is authorization reuse dropping from 30 days to 7 hours.

That means nearly every cert request requires fresh validation. Batch operations across a day? Broken. Hardcoded 60-day renewal intervals? Expired certificates.

certkit.io/blog/45-day-certifi

#PKI #CertificateManagement

2026-01-27

GreatEasyCert, or how to implement a GOST key container

Hi Habr! My name is Gosha, I'm a senior software engineer at Kontur. Practically every electronic document management (EDM) scenario involves cryptography, whether the EDM is with the government or with counterparties: somewhere you need to sign documents, somewhere encrypt an archive with a report, somewhere verify the signature on a document from a counterparty. You want to test each of these scenarios not on real data, but on data as close to real as possible. Besides the data itself we need certificates imitating those of EDM participants: organizations, individuals, government bodies. Previously we generated test certificates with a service built on ПАК УЦ, a proprietary product that issues certificates according to fixed rules and does not let you play with a certificate's validity period however you like. Hence the idea, as an experiment, to write a small service that could generate any certificates whatsoever with GOST algorithms while still working correctly with CryptoPro. In this article I want to share the technique hiding under the hood of that functionality.

habr.com/ru/companies/skbkontu

#net #криптография #криптопро #сертификаты #pki #гост_34 #pfx #pbkdf2 #pbes2 #криптопровайдер

We need to simplify client certificates for IoT and MTLS. One way is to anchor client certs in DNS.
The IETF DANCE working group needs more energy to complete our work. Want to join? Get on the mailing list now and help out!
datatracker.ietf.org/group/dan

#PKI #DNSsec #MTLS #IOT

2026-01-24

Probably not useful ideas that I have bouncing around that I still want to work on as learning exercises and something to tinker with. I shouldn't look at either of these.... I have much more important and useful things to do, like fixing backups and getting my resume ready....

1. SSH Certs via a local SSH CA.
* PKI is neat, SSH certs are different, and I could trust the CA so no trust on first use. Servers could trust the CA so no need for authorized keys files to distribute
* I'd still need a backup in case I had issues with cert management
* I have too few users and hosts for this to be actually worth the time/complexity

2. True Minimal Ceph cluster
* The docs and most users will give various minimal sized Ceph clusters. Cowards the lot of them.
* Single node cluster with 3 or 4 disks, OSD failure domain
* Or maybe a single OSD backed by a ZFS block device, replicas=1 lets goooooo!
* Backup the mon/mds directories to avoid data loss
* Gets me the ability to send data to it from another Ceph and use the object storage features without needing an entire cluster

#Homelab #BadIdeas #Ceph #PKI

2026-01-24

Ignorant certificates

Public key certificates are the foundation of secure online communication with protocols such as https or, more generally, TLS. Although at the programming level the algorithms involved and their implementation are not exactly straightforward, at the usage level, as a system administrator, they are relatively simple, perhaps too simple. […]

siamogeek.com/2026/01/24/ignor

2026-01-21

One API key with access to everything is fine until a contractor leaves or a key leaks.

CertKit now supports multiple applications with scoped API keys. Split your certificates by product, environment, or team. Your marketing site automation never sees production infrastructure. If a key gets compromised, revoke it without affecting everything else.

All users can create up to 6 applications today.

certkit.io/blog/application-ma

#PKI #CertificateManagement

2026-01-20

With 47-day certificate lifetimes coming, you'll need to automate renewals. That usually means giving every system DNS credentials that can modify your entire zone.

CNAME delegation is better: point _acme-challenge to your cert provider once, they respond to challenges in their own zone. No credentials exposed, ever.

certkit.io/blog/delegated-dns-

#PKI #ACME
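The delegated DNS-01 flow described above, as an added example that is not from CertKit or the original post: two constructed in-memory zones stand in for DNS, a customer zone holding only the one-time CNAME at _acme-challenge.www.example.com and a hypothetical provider zone (acme.provider.example, not a real service) that the CNAME points into. The renewal job writes the RFC 8555 TXT digest, base64url(SHA-256(token "." account-key-thumbprint)), at the CNAME target only, and the validator follows the CNAME the way a CA's resolver would, with a hop bound so a looped CNAME cannot spin forever. The token and thumbprint are labelled stand-ins, not real ACME values, and the assertion at the end is that the customer zone never gained a record.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// rr is a constructed DNS record (CNAME or TXT); zone maps an owner name to its records.
type rr struct{ typ, data string }
type zone map[string][]rr

// newZones builds the constructed view a CA validator sees: the customer zone,
// which holds only the one-time CNAME, and the provider zone the CNAME points
// into. acme.provider.example is a hypothetical delegated zone, not a real service.
func newZones() (customer, provider zone) {
	customer = zone{"_acme-challenge.www.example.com.": {{"CNAME", "www-example-com.acme.provider.example."}}}
	return customer, zone{}
}

// canonical follows CNAMEs from name to the terminal owner name, as a resolver
// does; the hop bound keeps a looped CNAME from spinning forever.
func canonical(zones []zone, name string) (string, error) {
	for hop := 0; hop < 8; hop++ {
		next := ""
		for _, z := range zones {
			for _, r := range z[name] {
				if r.typ == "CNAME" {
					next = r.data
				}
			}
		}
		if next == "" {
			return name, nil
		}
		name = next
	}
	return "", errors.New("CNAME chain too long")
}

// dns01Value is the TXT content RFC 8555 §8.4 expects:
// base64url(SHA-256(token "." account-key-thumbprint)).
func dns01Value(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validate plays the CA: resolve _acme-challenge.<domain> through any CNAME and
// accept if a TXT at the canonical name equals the expected digest.
func validate(zones []zone, domain, token, thumbprint string) (bool, error) {
	cn, err := canonical(zones, "_acme-challenge."+domain+".")
	if err != nil {
		return false, err
	}
	want := dns01Value(token, thumbprint)
	for _, z := range zones {
		for _, r := range z[cn] {
			if r.typ == "TXT" && r.data == want {
				return true, nil
			}
		}
	}
	return false, fmt.Errorf("no matching TXT at %s", cn)
}

// Scenario is the delegated flow: the renewal job resolves where the CNAME
// points, writes the digest there (its only DNS write, into the provider zone),
// and the CA's validation succeeds while the customer zone stays untouched.
func Scenario() (delegatedOK, customerUntouched bool, err error) {
	customer, provider := newZones()
	zones := []zone{customer, provider}
	token, thumb := "constructed-token", "constructed-thumbprint" // stand-ins, not real ACME values
	target, err := canonical(zones, "_acme-challenge.www.example.com.")
	if err != nil {
		return
	}
	provider[target] = append(provider[target], rr{"TXT", dns01Value(token, thumb)})
	delegatedOK, err = validate(zones, "www.example.com", token, thumb)
	customerUntouched = true
	for _, rrs := range customer {
		for _, r := range rrs {
			customerUntouched = customerUntouched && r.typ == "CNAME"
		}
	}
	return
}

func main() {
	ok, untouched, err := Scenario()
	fmt.Println("validated:", ok, "customer zone untouched:", untouched, "err:", err)
}
```

The credential scoping the post is about falls out of where the write happens: the only key the renewal job needs is one for the provider zone, and the customer zone's API token never has to exist on the renewing host.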

Pontiff Fractal Tiampft@infosec.exchange
2026-01-20

Last year a QWAC CA was discovered to have issued a test certificate for 1.1.1.1 and everyone lost their minds and some even suggested that it has something to do with QWAC.

Well, here's Cloudflare failing to properly handle ACME, and I'm waiting for people to call for dismantling Cloudflare altogether.

noc.social/@cloudflare/1159271

Let's be honest, there is no accountability in the Web PKI. You want to be safe? Use DANE.

#ca #qwac #cloudflare #dane #pki
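For the DANCE post above ("anchor client certs in DNS") and the "Use DANE" line here, an added Go example that comes from neither the IETF group nor either poster: it derives the "3 1 1" TLSA association data (DANE-EE usage, SPKI selector, SHA-256 matching) for a client's Ed25519 key, parses the record back from presentation format, and matches a presented key against it. It refuses answers the resolver did not DNSSEC-validate and treats parameter combinations it does not implement as unusable rather than accepting them. The owner name such a record would be published under is left hypothetical, since the naming is the working group's business; the keys are generated on the spot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// tlsa is one TLSA record in RFC 6698 terms; secure is the resolver's AD-bit verdict.
type tlsa struct {
	usage, selector, matching uint8
	data                      []byte
	secure                    bool
}

// parseTLSA reads the presentation format "3 1 1 <hex>".
func parseTLSA(s string, secure bool) (tlsa, error) {
	f := strings.Fields(s)
	if len(f) != 4 {
		return tlsa{}, fmt.Errorf("want 4 fields, got %d", len(f))
	}
	var n [3]uint8
	for i := range n {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return tlsa{}, err
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(f[3])
	return tlsa{n[0], n[1], n[2], data, secure}, err
}

// spkiDigest is the "3 1 1" association data: SHA-256 over the DER SubjectPublicKeyInfo.
func spkiDigest(pub ed25519.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return sum[:], nil
}

// matches decides whether a presented client key is the one anchored in DNS. Only
// DANE-EE/SPKI/SHA-256 is implemented; other combinations count as unusable, and
// an answer that was not DNSSEC-validated is refused because it anchors nothing.
func matches(records []tlsa, pub ed25519.PublicKey) (bool, error) {
	want, err := spkiDigest(pub)
	if err != nil {
		return false, err
	}
	usable := 0
	for _, r := range records {
		if !r.secure {
			return false, errors.New("TLSA answer not DNSSEC-validated")
		}
		if r.usage != 3 || r.selector != 1 || r.matching != 1 {
			continue
		}
		usable++
		if bytes.Equal(r.data, want) {
			return true, nil
		}
	}
	if usable == 0 {
		return false, errors.New("no usable TLSA records")
	}
	return false, nil
}

// Scenario anchors a fresh device key, then checks that it matches and a different key does not.
func Scenario() (current, other bool, err error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	d, err := spkiDigest(pub)
	if err != nil {
		return
	}
	// The record the owner would publish; the owner name is left to the DANCE drafts.
	rec, err := parseTLSA("3 1 1 "+hex.EncodeToString(d), true)
	if err != nil {
		return
	}
	if current, err = matches([]tlsa{rec}, pub); err != nil {
		return
	}
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	other, err = matches([]tlsa{rec}, otherPub)
	return
}

func main() {
	cur, oth, err := Scenario()
	fmt.Println("anchored key matches:", cur, "other key matches:", oth, "err:", err)
}
```

Because the digest covers the SubjectPublicKeyInfo rather than the certificate, the same record keeps working across re-issuance by any CA as long as the key is unchanged, and a certificate some CA issued for a different key fails the match no matter how valid its chain is.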

Thanks to a number of contributors with Jakob Schlyter in the lead, SOFTHSM has released version 2.7.0 with a lot of updates to stay up to date. We are still looking for funding for a major lift to PQC readiness.

We are very happy to be releasing a new version in the standalone project!

github.com/softhsm/SoftHSMv2/r

#SOFTHSM #HSM #PKI

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst