Finding a Certificate Chain (and more with X.509, PKI and TLS/SSL)

Manoj Chaurasia

Attached is a PPT in PDF form that covers a good amount of ground on X.509, PKI, and TLS/SSL.

1. All browsers will validate a chain, but when you go to find the chain, the browsers will pick the first certificate based on the Distinguished Name. Many CA cert vendors are re-releasing 'same-named' CA certs, so the chain can be a 'false chain'. Why is this? It is cryptographically cheaper to parse a public key and certificate than it is to validate the signature, and it is not always possible to trace serial numbers, so browser vendors look to the DN/CN and pick the first one they find... Bob is Bob, even if the DNA is different? No.

2. Sites are not under any obligation to send the full chain. I have many examples of partial chains, usually missing the self-signed ROOT.

3. Some sites are 'rooted' (pun intended) with a very old CA (X.509v1-based), and modern infrastructure may reject them for valid security reasons.
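The following script is an added example, not part of the original post or the attached deck. It builds a throwaway PKI with the openssl CLI (root CA, a second root with the same Distinguished Name but a different key, an intermediate, and a leaf for the made-up host example.test) and then exercises points 1 and 2 above: it verifies the leaf with and without the intermediate, with the wrong same-named root in the trust store, and with both same-named roots present; and it shows how to pick the right issuer by matching the Authority Key Identifier to a candidate's Subject Key Identifier instead of by name. All certificate names, the working directory `$WORK`, and the helper names (`make_pki`, `verify_with`, `key_id`, `find_issuer`) are assumptions made for this demo. Point 3 (X.509v1 roots) is not covered, because modern openssl versions do not emit v1 certificates by default.

```shell
#!/bin/sh
# Added example (not from the post): build root -> intermediate -> leaf with
# openssl and see how chain building behaves with partial chains and with two
# CA certificates that share a Distinguished Name. Assumes an openssl CLI
# (1.1.1 or 3.x) on PATH. Everything under $WORK is constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: a path without spaces

# make_pki: two self-signed roots with the SAME subject DN but different keys
# (root.pem signs the intermediate; root2.pem is a "re-released" look-alike),
# an intermediate, a leaf, and a trust store that holds both roots.
make_pki() {
  cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
subjectAltName=DNS:example.test
EOF
  for ca in root root2; do
    openssl genrsa -out "$WORK/$ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$ca.key" -subj "/CN=Example Root CA" -out "$WORK/$ca.csr"
    openssl x509 -req -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" -days 3650 \
      -extfile "$WORK/root.ext" -out "$WORK/$ca.pem" 2>/dev/null
  done
  openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Example Intermediate CA" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=example.test" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 397 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/root2.pem" "$WORK/root.pem" > "$WORK/roots.pem"   # both same-named roots trusted
}

# verify_with TRUST_STORE [SENT_CERT...]: validate leaf.pem the way a client
# does, given a trust store and whatever extra certificates the "site" sent.
# Returns openssl verify's exit status (0 = chain built and signatures check).
verify_with() {
  store="$1"; shift
  sent=""
  for f in "$@"; do sent="$sent -untrusted $f"; done
  # shellcheck disable=SC2086  # word splitting of $sent is intentional
  openssl verify -CAfile "$store" $sent "$WORK/leaf.pem" >/dev/null 2>&1
}

# key_id FILE HEADER: print the 20-byte key identifier that follows the given
# extension header ("Subject Key Identifier" or "Authority Key Identifier").
# Parses -text output so it works on both 1.1.1 ("keyid:AB:...") and 3.x.
key_id() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 "$2" | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n1
}

# find_issuer CERT CANDIDATE...: print the candidate whose Subject Key
# Identifier equals CERT's Authority Key Identifier. Two CAs with identical
# DNs are told apart here; a name-only match could not do that.
find_issuer() {
  cert="$1"; shift
  want="$(key_id "$cert" 'Authority Key Identifier')"
  [ -n "$want" ] || return 1
  for cand in "$@"; do
    if [ "$(key_id "$cand" 'Subject Key Identifier')" = "$want" ]; then
      echo "$cand"; return 0
    fi
  done
  return 1
}

make_pki
report() { if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi; }
report verify_with "$WORK/root.pem"  "$WORK/int.pem"   # site sent leaf+intermediate, root only in store
report verify_with "$WORK/root.pem"                    # site sent leaf only: intermediate missing
report verify_with "$WORK/root2.pem" "$WORK/int.pem"   # same DN, wrong key in the trust store
report verify_with "$WORK/roots.pem" "$WORK/int.pem"   # both roots in store: the right one is found by key id
echo "issuer of int.pem chosen by key id: $(find_issuer "$WORK/int.pem" "$WORK/root2.pem" "$WORK/root.pem")"
```

Two things to take from the run: a chain that omits the self-signed root still verifies as long as that root is in the trust store, so the partial chains mentioned in point 2 are usually harmless, whereas a chain missing the intermediate fails with "unable to get local issuer certificate". And when two trusted CA certificates carry the same DN, `openssl verify` does not stop at the first name match; it selects the one whose Subject Key Identifier matches the child's Authority Key Identifier and then checks the signature, which is exactly what `find_issuer` reproduces by hand.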

