08-05-2014
In the first case, Verisign has given a certificate to SomeSmallerCA. If you trust Verisign, you can be sure that you are talking to SomeSmallerCA. This does not mean that Verisign assures you that SomeSmallerCA knows what they are doing. So in the first example you have to trust that SomeSmallerCA has verified that example.com is who they say they are. The Verisign certificate only guarantees that you are talking to SomeSmallerCA.
In the second example Verisign is saying that they did an extended validation. There are two levels of validation and "extended" is the better of the two. I'm not sure of the details.
ldns_dane_create_tlsa_owner
ldns(3) Library Functions Manual ldns(3)
NAME
ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr
SYNOPSIS
#include <stdint.h>
#include <stdbool.h>
#include <ldns/ldns.h>
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name, uint16_t port, ldns_dane_transport transport);
ldns_status ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type);
ldns_status ldns_dane_select_certificate(X509** selected_cert, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store,
ldns_tlsa_certificate_usage cert_usage, int index);
ldns_status ldns_dane_create_tlsa_rr(ldns_rr** tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector,
ldns_tlsa_matching_type matching_type, X509* cert);
DESCRIPTION
ldns_dane_create_tlsa_owner() Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport.name.
tlsa_owner: The created dname.
name: The dname that should be prefixed.
port: The service port number for which the name should be created.
transport: The transport for which the name should be created.
Returns LDNS_STATUS_OK on success or an error code otherwise.
ldns_dane_cert2rdf() Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type.
rdf: The created rdf of type LDNS_RDF_TYPE_HEX.
cert: The certificate from which the data is selected
selector: The full certificate or the public key
matching_type: The full data or the SHA256 or SHA512 hash of the selected data
Returns LDNS_STATUS_OK on success or an error code otherwise.
ldns_dane_select_certificate() Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage
and index.
selected_cert: The selected cert.
cert: The certificate to validate (or not)
extra_certs: Intermediate certificates that might be necessary during validation. May be NULL, except when the certificate usage is "Trust Anchor Assertion", because the trust anchor has to be provided (otherwise choose a "Domain issued certificate"!).
pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate and, in case of "CA constraint", select the CA. When pkix_validation_store is NULL, validation is explicitly turned off and the behaviour is then the same as for "Trust anchor assertion" and "Domain issued certificate" respectively.
cert_usage: Which certificate to use and how to validate.
index: Used to select the trust anchor when certificate usage is "Trust Anchor Assertion". 0 is the last certificate in the validation chain, 1 the one but last, etc. When index is -1, the last certificate is used, which MUST be self-signed. This can help to make sure that the intended (self-signed) trust anchor is actually present in extra_certs (which is a DANE requirement).
Returns LDNS_STATUS_OK on success or an error code otherwise.
ldns_dane_create_tlsa_rr() Creates a TLSA resource record from the certificate. No PKIX validation is performed! The given certificate is used as data regardless of the value of certificate_usage.
tlsa: The created TLSA resource record.
certificate_usage: The value for the Certificate Usage field
selector: The value for the Selector field
matching_type: The value for the Matching Type field
cert: The certificate whose data will be represented
Returns LDNS_STATUS_OK on success or an error code otherwise.
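The owner name and the selector / matching type handling described above, as an added Python example that is not part of ldns or of this manual page. It assumes the TLSA field numbering of RFC 6698; the helper names and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib

# Field values as defined for TLSA records in RFC 6698.
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def der_tlv(tag, body):
    """Encode one DER element; used here only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_children(tlv):
    """Return the raw child elements of a constructed DER element."""
    def span(i):  # (content start, end) of the element at offset i
        n, j = tlv[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, j = int.from_bytes(tlv[j:j + k], "big"), j + k
        if j + n > len(tlv):
            raise ValueError("truncated DER element")
        return j, j + n
    i, end = span(0)
    kids = []
    while i < end:
        nxt = span(i)[1]
        kids.append(tlv[i:nxt])
        i = nxt
    return kids

def select_data(cert_der, selector):
    """Selector 0 keeps the whole certificate, 1 extracts SubjectPublicKeyInfo."""
    if selector == SEL_FULL_CERT:
        return cert_der
    if selector != SEL_SPKI:
        raise ValueError("unknown selector")
    fields = der_children(der_children(cert_der)[0])  # TBSCertificate
    return fields[6 if fields[0][0] == 0xA0 else 5]   # [0] version is absent in v1

def tlsa_record(name, port, transport, usage, selector, mtype, cert_der):
    """Owner name (_port._transport.name) plus RDATA in presentation format."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in uint16_t")
    data = select_data(cert_der, selector)
    if mtype != MATCH_FULL:
        data = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}[mtype](data).digest()
    return f"_{port}._{transport}.{name.rstrip('.')}. IN TLSA {usage} {selector} {mtype} {data.hex()}"

# Constructed sample: certificate-shaped DER with placeholder fields, not a real signed certificate.
ALG = der_tlv(0x30, der_tlv(0x06, b"\x2b\x65\x70"))  # Ed25519 algorithm OID
SPKI = der_tlv(0x30, ALG + der_tlv(0x03, b"\x00" + bytes(range(32))))
EMPTY = der_tlv(0x30, b"")  # placeholder for issuer, validity and subject
TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + ALG + EMPTY * 3 + SPKI)
CERT = der_tlv(0x30, TBS + ALG + der_tlv(0x03, b"\x00" + bytes(64)))
```

Like ldns_dane_create_tlsa_rr(), tlsa_record() performs no PKIX validation: the usage value is written into the record as given.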
AUTHOR
The ldns team at NLnet Labs, which consists of Jelte Jansen and Miek Gieben.
REPORTING BUGS
Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html
COPYRIGHT
Copyright (c) 2004 - 2006 NLnet Labs.
Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
ldns_dane_verify, ldns_dane_verify_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.
REMARKS
This manpage was automatically generated from the ldns source code by use of Doxygen and some perl.
30 May 2006 ldns(3)