Well isn't learning how to run your own CA a lot of fun?
-
Well isn't learning how to run your own CA a lot of fun?
And by "fun", I mean "debugging".
And by "a lot", I mean "a looooooooooot".
I am making progress, today around SAN and Firefox, but this is a bit like plodding around in treacle.
(I'm not looking for advice, although sympathy is welcome :))
@neil The best part about debugging anything to do with certificates or encryption or security is that any useful debugging information is a security leak... so you don't get any. Either it works, or it doesn't work and it refuses to tell you why.
Sometimes it's mathematically impossible for it to tell you why. Once I lost more than a day working out why, when I hashed a string, I got a different hash value than was expected, when my hash function returned the same expected value on test data.
-
@neil The best part about debugging anything to do with certificates or encryption or security is that any useful debugging information is a security leak... so you don't get any. Either it works, or it doesn't work and it refuses to tell you why.
Sometimes it's mathematically impossible for it to tell you why. Once I lost more than a day working out why, when I hashed a string, I got a different hash value than was expected, when my hash function returned the same expected value on test data.
@neil The answer, it turns out, is that the string was being built from a GUID, and their platform serialised the GUID with lowercase hex and mine with uppercase hex, and your eye doesn't notice the case of the letters when looking at hex values, so I couldn't see that they were different.
-
@neil The answer, it turns out, is that the string was being built from a GUID, and their platform serialised the GUID with lowercase hex and mine with uppercase hex, and your eye doesn't notice the case of the letters when looking at hex values, so I couldn't see that they were different.
@neil So. Sympathy.
-
Well isn't learning how to run your own CA a lot of fun?
And by "fun", I mean "debugging".
And by "a lot", I mean "a looooooooooot".
I am making progress, today around SAN and Firefox, but this is a bit like plodding around in treacle.
(I'm not looking for advice, although sympathy is welcome :))
You can expect a riveting blogpost in due course.
And by "riveting", I mean "utterly tedious and unnecessary unless you, too, have the misfortune to want to run your own certificate authority".
-
You can expect a riveting blogpost in due course.
And by "riveting", I mean "utterly tedious and unnecessary unless you, too, have the misfortune to want to run your own certificate authority".
@neil i have it pinned in my calendar
-
Well isn't learning how to run your own CA a lot of fun?
And by "fun", I mean "debugging".
And by "a lot", I mean "a looooooooooot".
I am making progress, today around SAN and Firefox, but this is a bit like plodding around in treacle.
(I'm not looking for advice, although sympathy is welcome :))
@neil been there, done that. there are more fun things in life.
-
You can expect a riveting blogpost in due course.
And by "riveting", I mean "utterly tedious and unnecessary unless you, too, have the misfortune to want to run your own certificate authority".
@neil are you using openssl command line or some scripts/tooling on top of it?
-
@neil are you using openssl command line or some scripts/tooling on top of it?
@hannes openssl
-
You can expect a riveting blogpost in due course.
And by "riveting", I mean "utterly tedious and unnecessary unless you, too, have the misfortune to want to run your own certificate authority".
@neil I am so looking forward to it!
-
Well isn't learning how to run your own CA a lot of fun?
And by "fun", I mean "debugging".
And by "a lot", I mean "a looooooooooot".
I am making progress, today around SAN and Firefox, but this is a bit like plodding around in treacle.
(I'm not looking for advice, although sympathy is welcome :))
@neil 10 years ago I worked on a project implementing PKI including CA, time-stamping, document signers, browser plugins and an installer of all the SW for universities in Slovakia.
You have my sympathies:P
-
R relay@relay.infosec.exchange shared this topic
