The TIBCO Platform is a real-time, composable data platform that will bring together an evolving set of your TIBCO solutions - and it's available now!
A chart showing the TIBCO Platform vision
Jump to content
Articles
Read more about TIBCO use cases, product features, capabilities and more
  • Finding a Certificate Chain (and more with X.509, PKI and TLS/SSL)


    Manoj Chaurasia

    Attached is a PPT in PDF form that covers a good amount of ground on X.509, PKI, and TLS/SSL.

    1. All Browsers will validate a chain, but when you go to find the chain, the browsers will pick the first certificate based on the Distinguished Name.  Many CA cert vendors are re-releasing 'same-named' CA certs, so the chain can be a 'false chain'.  Why is this?  It is cryptographically cheaper to parse a public key and certificate than it is to validate the signature, and it is not always possible to trace serial numbers, so Browser vendors look to the DN/CN and pick the first one they find...Bob is Bob, even if the DNA is different? No.

    2. Sites are not under any obligation to send the full chain.  I have many examples of partial chains, usually missing the self-signed ROOT.

    3. Some sites are 'rooted' (pun intended) with a very old CA - X.509v1-based - and modern infrastructure may reject them for valid security reasons.

    TLS-TIBCOmmunity.pdf


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...