I like to use Firefox Developer Edition, and today I discovered that root certificates added to the Windows certificate store (to trust the self-signed certificates used with dev servers and the like) are apparently ignored by Firefox. Firefox keeps its own certificate store and does not consult the Windows one by default, but it can be told to import the roots from there:
- Go to about:config
- Find security.enterprise_roots.enabled
- Set it to true
There is a command-line tool called certutil that can be used to add (among other things) certificates to the certificate stores in Windows. Two things to keep in mind: anything placed in Trusted Root Certification Authorities can sign a certificate for any site this machine talks to, so keep dev CAs short-lived and remove them when you are done; and importing a .pfx into that store also puts the CA's private key on the machine, so for a CA you normally want to add only the .cer.
Some examples:
REM Add pfx-file to Personal
certutil -ent -p pfxpassword -importpfx my some.pfx
REM Add pfx-file to Trusted Root Certification Authorities
certutil -ent -p pfxpassword -importpfx root some.pfx
REM Add cer-file to Trusted Root Certification Authorities
certutil -ent -addstore root some.cer
What I did to get from zero to a good working (hopefully) secure GPG key set, usable for signing and encrypting stuff on Windows. The result is a primary key that is only used to certify (it signs the subkeys and other people's keys), plus separate subkeys for signing and for encryption; that split is what lets the primary key stay on offline media while the subkeys do the daily work…
- Install Gpg4win.
- Create main/root key:
🔶 $ gpg --gen-key
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
🔶 Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
🔶 Key is valid for? (0) 0
Key does not expire at all
🔶 Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
🔶 Real name: Alice Person
🔶 Email address: alice.person@example.com
🔶 Comment: alice
You selected this USER-ID:
"Alice Person (alice) <alice.person@example.com>"
🔶 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key AA79CCAE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: public key of ultimately trusted key AA77EE54 not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 4096R/AA79CCAE 2017-08-23
Key fingerprint = 98A1 5DD0 0653 55BB 3358 B35C 8C0B BECB AA79 CCAE
uid [ultimate] Alice Person (alice) <alice.person@example.com>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
- Open the key for editing:
🔶 $ gpg --edit-key alice
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Alice Person (alice) <alice.person@example.com>
- (Optionally) Add other user ids, and set the right one as primary:
🔷 gpg> adduid
🔷 Real name: Alice Person
🔷 Email address: alice@example.org
🔷 Comment: alice
You selected this USER-ID:
"Alice Person (alice) <alice@example.org>"
🔷 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Alice Person (alice) <alice.person@example.com>"
4096-bit RSA key, ID AA79CCAE, created 2017-08-23
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Alice Person (alice) <alice.person@example.com>
[ unknown] (2). Alice Person (alice) <alice@example.org>
# Select one of them
🔷 gpg> uid 1
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Alice Person (alice) <alice.person@example.com>
[ unknown] (2). Alice Person (alice) <alice@example.org>
🔷 gpg> primary
You need a passphrase to unlock the secret key for
user: "Alice Person (alice) <alice.person@example.com>"
4096-bit RSA key, ID AA79CCAE, created 2017-08-23
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Alice Person (alice) <alice.person@example.com>
[ unknown] (2) Alice Person (alice) <alice@example.org>
- Add subkeys for signing and encryption:
🔶 gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Alice Person (alice) <alice.person@example.com>"
4096-bit RSA key, ID AA79CCAE, created 2017-08-23
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
🔶 Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
🔶 What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
🔶 Key is valid for? (0) 0
Key does not expire at all
🔶 Is this correct? (y/N) y
🔶 Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/62275E24 created: 2017-08-23 expires: never usage: S
[ultimate] (1)* Alice Person (alice) <alice.person@example.com>
[ unknown] (2) Alice Person (alice) <alice@example.org>
🔶 gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Alice Person (alice) <alice.person@example.com>"
4096-bit RSA key, ID AA79CCAE, created 2017-08-23
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
🔶 Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
🔶 What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
🔶 Key is valid for? (0) 0
Key does not expire at all
🔶 Is this correct? (y/N) y
🔶 Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/62275E24 created: 2017-08-23 expires: never usage: S
sub 4096R/4AEA9524 created: 2017-08-23 expires: never usage: E
[ultimate] (1)* Alice Person (alice) <alice.person@example.com>
[ unknown] (2) Alice Person (alice) <alice@example.org>
- Save (and quit):
🔶 gpg> save
- Export keys for (safe!) storage. The _private file contains the primary secret key and belongs on offline media; the _subkeys file contains only the subkeys (the primary is exported as a stub) and is the one to import on the machine you actually sign and decrypt on:
🔶 $ set id=AA79CCAE
🔶 $ gpg -a --export %id% > %id%_public.asc
🔶 $ gpg -a --export-secret-keys %id% > %id%_private.asc
🔶 $ gpg -a --export-secret-subkeys %id% > %id%_subkeys.asc
- Generate a revocation certificate, and store it with the private key; anyone holding it can revoke the key, but without it a lost or compromised key can never be withdrawn:
🔶 $ gpg -a --gen-revoke %id% > %id%_revoke_cert.asc
sec 4096R/AA79CCAE 2017-08-23 Alice Person (alice) <alice.person@example.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
🔶 Your decision? 1
Enter an optional description; end it with an empty line:
🔶 >
Reason for revocation: Key has been compromised
(No description given)
🔶 Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Alice Person (alice) <alice.person@example.com>"
4096-bit RSA key, ID AA79CCAE, created 2017-08-23
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
Source(s): blog.bravi.org
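The same procedure done without the interactive prompts, as an added example that is not part of the original post. It builds the key layout above (certify-only primary, separate signing and encryption subkeys, the three exports, a revocation certificate) with the --quick-* commands of GnuPG 2.1 and later; the 2.0.30 session above has no --quick-add-key, so GnuPG ≥ 2.1 on PATH is an assumption, as are the isolated GNUPGHOME, the empty passphrase (acceptable for a throwaway demo key only), and the user id, directories and file names. It is a POSIX shell script rather than the cmd.exe syntax of the post; Gpg4win ships the same gpg binary, so the commands carry over.

```shell
#!/bin/sh
# Added example, not code from the original post: the key layout of the
# walkthrough above (certify-only primary, separate signing and encryption
# subkeys, the three exports, a revocation certificate) built without the
# interactive prompts, using the --quick-* commands of GnuPG 2.1 and later.
# Assumptions: gpg >= 2.1 on PATH (the 2.0.30 session above has no
# --quick-add-key); an isolated GNUPGHOME so nothing touches your real
# keyring; and an EMPTY passphrase, fine for a throwaway demo key only.
# The user id, directories and file names are this script's choices.
set -eu

# gpg in batch mode with loopback pinentry, so no dialog ever pops up.
gpgq() {
  gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# make_keyset HOME UID [ALGO] [EXPIRE]
# Creates the primary key with usage "cert" only (the post picks "RSA (sign
# only)" and gpg then notes it cannot encrypt), then one signing and one
# encryption subkey. Prints the primary key's fingerprint.
make_keyset() {
  GNUPGHOME=$1; export GNUPGHOME
  uid=$2; algo=${3:-rsa4096}; expire=${4:-never}
  mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
  gpgq --quick-generate-key "$uid" "$algo" cert "$expire" 2>/dev/null
  # Fresh home, so the first fpr record is this primary key.
  fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr:/ { print $10; exit }')
  gpgq --quick-add-key "$fpr" "$algo" sign "$expire" 2>/dev/null
  gpgq --quick-add-key "$fpr" "$algo" encr "$expire" 2>/dev/null
  printf '%s\n' "$fpr"
}

# key_usages HOME FPR
# Own capability letters of the primary and each subkey, from --with-colons
# field 12 (the uppercase letters there describe the whole key and are
# dropped). Expected for this layout: "c s e".
key_usages() {
  GNUPGHOME=$1; export GNUPGHOME
  gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
    | awk -F: '/^(pub|sub):/ { gsub(/[^a-z]/, "", $12); out = out (out ? " " : "") $12 }
               END { print out }'
}

# export_keyset HOME FPR OUTDIR
# Same three exports as the post. _private carries the primary secret key and
# belongs on offline media; _subkeys carries only the subkeys (the primary is
# a stub) and is what a working machine gets.
export_keyset() {
  GNUPGHOME=$1; export GNUPGHOME
  fpr=$2; out=$3
  mkdir -p "$out"
  gpg --batch --armor --export "$fpr"         > "$out/${fpr}_public.asc"
  gpgq --armor --export-secret-keys "$fpr"    > "$out/${fpr}_private.asc"
  gpgq --armor --export-secret-subkeys "$fpr" > "$out/${fpr}_subkeys.asc"
  # GnuPG 2.1+ writes a revocation certificate at key generation; its first
  # line is prefixed with ':' so it cannot be imported by accident. Keeping a
  # copy next to the private key replaces the --gen-revoke step of the post.
  if [ -f "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ]; then
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$out/${fpr}_revoke_cert.asc"
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# Stand-alone run: sh keyset.sh demo   (everything lands under ./demo-keys)
if [ "${1:-}" = "demo" ]; then
  fpr=$(make_keyset ./demo-keys/home "Alice Person <alice.person@example.com>")
  export_keyset ./demo-keys/home "$fpr" ./demo-keys/out
  echo "primary $fpr, usages: $(key_usages ./demo-keys/home "$fpr")"
fi
```

key_usages is the check worth running after any such script: "c s e" confirms the primary can only certify and the two subkeys split signing from encryption, which is what makes the _subkeys export safe to carry around.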
Not that we'd do such a thing of course, but here's how to ignore all SSL certificate errors in Java. Be clear about what it does: once installed, it disables both chain validation and hostname checking for every HttpsURLConnection in the process, so anyone on the network path can impersonate the server. Keep it out of anything that ships; for a dev server, importing the dev CA into the JVM truststore gets you the same convenience without giving up authentication.
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/**
 * A {@link X509TrustManager} and {@link HostnameVerifier} which trust everything.
 *
 * @author Torleif Berger
 * @license http://creativecommons.org/licenses/by/3.0/
 * @see http://www.geekality.net/?p=2408
 */
public final class TrustAllCertificates implements X509TrustManager, HostnameVerifier
{
    // An empty array rather than null: some callers iterate over the result.
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    // No checks at all: any chain, self-signed or otherwise, is accepted.
    public void checkClientTrusted(X509Certificate[] certs, String authType) {}
    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
    // Any hostname matches any certificate.
    public boolean verify(String hostname, SSLSession session) { return true; }

    /**
     * Installs a new {@link TrustAllCertificates} as trust manager and hostname verifier
     * for every HttpsURLConnection in this JVM.
     */
    public static void install()
    {
        try
        {
            TrustAllCertificates trustAll = new TrustAllCertificates();
            // Install the all-trusting trust manager
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, new TrustManager[]{trustAll}, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            // Install the all-trusting host verifier
            HttpsURLConnection.setDefaultHostnameVerifier(trustAll);
        }
        catch (NoSuchAlgorithmException | KeyManagementException e)
        {
            throw new RuntimeException("Failed setting up all-trusting certificate manager.", e);
        }
    }
}
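An added example, not code from the original posts, that serves two of them at once: the certutil notes (this is how the self-signed certificates for dev servers get made, and how to read the CA fingerprint before putting the CA into Trusted Root Certification Authorities) and the TrustAllCertificates class above (instead of trusting everything, a client can trust exactly one dev CA and keep hostname checking). It assumes openssl 1.1.1 or newer on PATH; the CA name, "localhost", the file names and the 30-day lifetime are this script's choices.

```shell
#!/bin/sh
# Added example, not code from the original posts. It serves two of them:
# the certutil notes (this is how the "self-signed certificates used with
# dev-servers" get made, and how to read the fingerprint before trusting the
# CA) and the Java TrustAllCertificates class (instead of trusting everything,
# a client can trust exactly one dev CA and keep hostname checking). Assumes
# openssl 1.1.1 or newer on PATH; the CA name, "localhost", file names and
# 30-day lifetime are this script's choices.
set -eu

# make_dev_ca DIR
# A private dev CA plus a server certificate signed by it. The server cert
# gets a subjectAltName because browsers and Java ignore the CN for hostname
# matching; a SAN-less dev cert is the usual reason people reach for
# "trust everything" instead of fixing the certificate.
make_dev_ca() {
  d=$1
  mkdir -p "$d"
  # Self-signed CA (req -x509 adds basicConstraints CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Dev CA - only trust on this machine" \
    -keyout "$d/dev-ca.key" -out "$d/dev-ca.pem" 2>/dev/null
  # Server key + CSR, then a leaf cert with SAN, serverAuth and CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf '%s\n' 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
                'extendedKeyUsage=serverAuth' \
                'basicConstraints=CA:FALSE' > "$d/server.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/server.csr" \
    -CA "$d/dev-ca.pem" -CAkey "$d/dev-ca.key" -CAcreateserial \
    -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# verify_with_ca CERT CAFILE
# What an explicit truststore does: chain to the given CA and, like a
# browser, require "localhost" to appear in the SAN. Exit 0 = accepted.
verify_with_ca() {
  openssl verify -CAfile "$2" -verify_hostname localhost "$1" >/dev/null 2>&1
}

# verify_with_system_store CERT
# What the JVM's default truststore sees: the dev CA is not in it, so this
# fails. That failure is the error TrustAllCertificates papers over.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# ca_fingerprint CAFILE
# SHA-256 fingerprint of the CA, to compare with what certutil or the Windows
# certificate dialog shows before the CA goes into Trusted Roots.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# cert_sans CERT: the SAN line, e.g. "DNS:localhost, IP Address:127.0.0.1".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Stand-alone run: sh devca.sh demo   (files land under ./dev-ca-demo)
if [ "${1:-}" = "demo" ]; then
  make_dev_ca ./dev-ca-demo
  echo "CA fingerprint: $(ca_fingerprint ./dev-ca-demo/dev-ca.pem)"
  echo "server SAN:     $(cert_sans ./dev-ca-demo/server.pem)"
  verify_with_ca ./dev-ca-demo/server.pem ./dev-ca-demo/dev-ca.pem && echo "with dev CA: accepted"
  verify_with_system_store ./dev-ca-demo/server.pem || echo "system store: rejected (expected)"
fi
```

dev-ca.pem is the file to hand to certutil -addstore root (never the key), and the fingerprint it prints is what you compare against in the Windows dialog. In Java the equivalent of verify_with_ca is a TrustManagerFactory initialised from a KeyStore holding just that CA, with the default hostname verifier left in place.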
Would you like to grab some server-side data through an AJAX call? For example by using the handy jQuery.ajax method?
A good data format to use then is JavaScript Object Notation, more commonly known as JSON. Providing data in the JSON format with PHP is super duper simple 8)
Continue reading PHP: How to easily provide JSON and JSONP →
Sending a basic email message in a C# application is quite easy thanks to a class called SmtpClient (in System.Net.Mail). We simply need an address to send to, an address to send from, the message we want to send and the address of an SMTP server; hand it all to the SMTP client, and we're done:
using System;
using System.Net.Mail;

var from = new MailAddress("me@example.com", "Me");
var to = new MailAddress("you@example.com", "You");
var message = new MailMessage(from, to)
{
    Subject = "Greetings!",
    Body = "How are you doing today?",
};
var client = new SmtpClient("smtp.example.com");
using (client)
{
    try
    {
        client.Send(message);
    }
    catch (SmtpException e)
    {
        Console.WriteLine(e.Message);
    }
}
That was pretty simple, wasn’t it? But what if we need to authenticate with our server? And what if we want to send our message in a more secure manner?
Continue reading C#: How to send emails →