Search the Community

Discussion Thread for Root CA installer. (No Local Admin Rights necessary) current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and Working) pull request waiting. small Howto create self-signed-root-ca: Create the Root Certificate (Done Once) Creating the root certificate is easy and can be done quickly. Once you do these steps, you’ll end up with a root SSL certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various devices. Create the Root Key The first step is to create the private root key which only takes one step. In the example below, I’m creating a 2048 bit key: openssl genrsa -out rootCA.key 2048 The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3: openssl genrsa -des3 -out rootCA.key 2048 You’ll be prompted to give a password, and from then on you’ll be challenged password every time you use the key. Of course, if you forget the password, you’ll have to do all of this all over again. The next step is to self-sign this certificate. openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Oregon Locality Name (eg, city) []:Portland Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords Organizational Unit Name (eg, section) []:IT Common Name (eg, YOUR name) []:Data Center Overlords Email Address []:none@none.com Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.

Hi, did someone know how i could decrypt a BLOB-Data from the Windows Registry? For Example there is a digital certificate stored which looks like it is encrypted. Now i want to decrypt it with java and native call the crypt32.dll (function: cryptUnprotectData()) with JNA. i tried it, but i get data invalid error. the function could have many arguments, but i did not found out which i have to use exactly. here is my little peace of code - maybe it helps.. byte[] byteArray = (byte[]) Advapi32Util.registryGetValue(WinReg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\02FAF3E291435468607857694DF5E45B68851868", "Blob"); byte[] protectedData = Crypt32Util.cryptProtectData(byteArray); String test = new String(protectedData); System.out.println(test); When i run this code i get: Data invalid - win32 exception. so i think something wrong with the input data. Maybe the data was not encrypted with dpapi? or i need to use some of the arguments (see here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882%28v=vs.85%29.aspx)? Hope someone could help me :) thnx!

Hi all, Is anyone familiar with invalidating PDF certificates / removing document security? I have a number of documents which require an installed certificate (which I have) and a password for said certificate. Is there a way to remove this from a PDF? I don't have the public key. I have tried invalidating the certificate using some perl script magic but the document permissions still prevent me from clearing and removing the invalid certificate.

Earlier today I realized that my domain service uses plain old FTP to transfer data. So, after watching an old hak5 ep I called their office to see if they offer SSH shells or third party discounted VPN access. I was schocked when the lady on the other end said "Please hold. I'll look into it for you." She didn't know the difference btw SSH and VPN! I was advised to log in using IE when I told her that I'm a road warrior. She couldn't answer any of my questions regarding pub wifi security. I immediately demanded to talk to a tech in tier III who speaks ENGLISH. She placed the call on hold for five mins and transferred the call to Joe. Joe had no clue wtf I was talking about. He thought I was trying to setup a plain old webpage to share cupcake and purne juice recipes. He told me to think of my website as house in cyber space. Joe for some strange reason avoided using words like encryption. To pat Joe on the back I asked him how I can send strippers to my house in cyber space without all the jeahovah's witnesses in the neighborhood knocking down the front door. He scrathed his head and then recommended establishing a secure SSL connection to their corporate network, which according to him implements 128bit SSL. To make a long story short, Joe ended up recommending a premium 400$ per yr VPS service that implements SSL and recommended developing custom scripts to run on their server. According to Joe, its possible to host a proprietary script/application on their server that encrypts info on the fly off a SSL tunnel. Imagine hak5.org stored on an encrypted server that only allows certain key holders to view info. My question here is two fold. How secure is 128bit? Most cc companies use 1024bit authentication. Secondly, Whats the best way to encrypt info stored on a hosting service using a key - like Truecypt volumes?