PKI Blog

Wayne Harris


Recent Posts

SHA-1 is “Shattered”

Posted by Wayne Harris on Mar 22, 2017 11:41:01 AM

SHA-1 has been in the news (again). We’ve all known that the SHA-1 hash function is cryptographically weak. In fact, CSS has been pointing out the weaknesses of SHA-1 for years now.



Topics: SHA-1, SHA-2

Top 5 Root CA Key Signing Ceremony Mistakes

Posted by Wayne Harris on Aug 31, 2016 9:03:30 AM

Trust, as it pertains to most components within a Public Key Infrastructure (PKI), is earned. It’s established as the result of some sort of evaluation. An evaluation that often involves a revocation check or policy check.

In the case of the root CA however, trust is *not* earned. In the case of the root CA, trust is assigned. This assigned trust is quite often mandatory from the perspective of subscribers and relying parties.


Topics: Public Key Infrastructure, PKI, root CA, Root CA Security, Root CA Key Signing Ceremony Mistakes

The Risks of Cryptographic Anarchy

Posted by Wayne Harris on Jun 15, 2016 11:46:34 AM

Why are we talking about assurance?

‘Assurance’, in the realm of PKI, tends to be one of those topics that is almost guaranteed to send a PKI design meeting down a rabbit hole. And unfortunately, many customers prefer the blue pill, rather than committing to an effort commensurate with a rigorous examination of risk, impact and assurance in the certificate space.


Topics: PKI, Internet of Things, IoT, PKI CA, IoT Security, PKI for IoT

Safely Adding SAN Information to a Certificate Request

Posted by Wayne Harris on Apr 6, 2016 9:46:39 AM

This blog is a continuation in a series of blogs relating to the perils of adding Subject Alternative Name (SAN) information to a certificate signing request (CSR).


Topics: certificate management, Certificate SAN

Hidden Dangers: Certificate Subject Alternative Names (SANs)

Posted by Wayne Harris on Jan 7, 2016 2:47:31 PM

Few companies have the luxury of a dedicated full-time professional PKI staff. More typical are those companies that assign this duty as an adjunct to someone with a separate primary function, such as AD engineering. As such, I find that many PKI practitioners don’t have PKI proficiency as a primary skillset. It’s easy to understand how a “just make it work” mentality can eventually creep into PKI operational processes. Too often, operational efficiency easily trumps perceived security risks.


Topics: certificate, PKI, Certificate SAN

Freestart Collision for SHA-1

Posted by Wayne Harris on Oct 9, 2015 12:45:15 PM

Many of you know that the cryptographic hash algorithm SHA-1 is in the process of being deprecated, due primarily to the hashing algorithm’s susceptibility to collision attacks. I first wrote about this back in 2011: http://blog.css-security.com/blog/times-up-for-sha-1-css-suggested-migration-path.


Topics: PKI, SHA-1

Why PKI in 2015?

Posted by Wayne Harris on Apr 28, 2015 1:30:00 PM

The Internet of Things (IoT), from a security perspective, ultimately equates to an ever increasing need to more securely authenticate people, services, computers and devices across a wide spectrum of platforms. This means that Public Key Infrastructure (PKI) issued digital certificates are playing an ever more important role as a secure authentication mechanism within the enterprise and beyond.


Topics: PKI, Digital Identity Management

AD/CS Web Enrollment Delegation

Posted by Wayne Harris on Jun 11, 2014 5:46:29 AM

Have you ever had a problem installing the Active Directory Certificate Services Web Enrollment role feature on a server that is separate from the Certificate Authority?


Topics: digital certificate, microsoft ca, certificate, IT Security, Microsoft Security Partner, authentication, AD/CS, Public Key Infrastructure, Active Directory Certificate Services (ADCS), web enrollment, Active Directory Certificate Services, CA, AD/CS Web Enrollment Delegation, Blog, Microsoft Certificate Authority

Publicly Trusted versus Trustworthy SSL Certificates

Posted by Wayne Harris on Apr 11, 2014 10:52:23 AM

In the wake of the Heartbleed bug, many are faced with the daunting (and expensive) prospect of replacing the SSL certificates on vulnerable systems. This is due to the possibility that the private keys of exposed SSL certificates may have been compromised. In the end, since there is no way to know for sure if your private keys have been compromised, many are opting to replace the SSL certificates of the affected system(s).


Topics: SSL certificates, cert, certificate, IT Security, Microsoft Security Partner, Heartbleed, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, OpenSSL, Microsoft Public Key Infrastructure, Azure PKI, PKI, PKI as a Service (PKIaaS), heartbleed bug, SSL PKI, Blog

Heartbleed Vulnerability: What You Need to Know

Posted by Wayne Harris on Apr 9, 2014 10:56:36 AM

On April 7, 2014 a severe vulnerability called “Heartbleed” was announced. Heartbleed is a vulnerability within the OpenSSL 1.0.1 series software that is described in the NIST CVE-2014-0160 announcement. In short, this vulnerability allows hackers access to portions of a vulnerable system’s memory, leading to the potential exposure of passwords, sensitive data, and certificate private keys on affected systems. Heartbleed accomplishes this by exploiting a weakness in the “TLS Heartbeat Extension,” exposing server memory. Even worse, this heartbeat attack can be repeated without the awareness of the victim, and each iteration reveals another 64k snapshot of memory to the attacker. This very serious vulnerability exposes the most sensitive data of affected systems.

The good news: the vulnerability has a patch. However, the widespread adoption of the OpenSSL 1.0.1 series software, coupled with the two years that this vulnerability has existed, means that the risks attributable to Heartbleed are enormous. Current estimates predict that over 500,000 systems may be vulnerable. Specifically, the Heartbleed vulnerability affects those systems that use OpenSSL 1.0.1 (a-f). Unfortunately, since this software is so widely implemented, many popular OS platforms are affected and thus vulnerable. I would suggest visiting the CERT Web Site for a more complete list of affected platforms. It is worth mentioning that this is a developing story, and as such, the list of affected platforms is likely to change.


Topics: 64k, Heartbleed SSL, Heartbleed, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, SSL vulnerability, OpenSSL, Heartbleed vulnerability, TLS Heartbeat Extension, Azure PKI, PKI as a Service (PKIaaS), NIST CVE-2014-0160, heartbleed bug, Internet of Things, Blog, heartbleed help
