PKI

Basic Constraints certificate extension

Hello everyone! Today I’m going to talk about the X.509 Basic Constraints certificate extension. Basic Constraints is an X.509 Version 3 certificate extension and is used to identify the type of the certificate holder/subject. In the past (prior to version 3 X.509 certificates) it was impossible to identify who is the subject: CA certificate or end…


SHAKEN/STIR is Getting Real

The Federal Communications Commission (FCC) estimates robocalls will constitute more than half of all phone calls placed in the U.S. this year. In an effort to put an end to this, the FCC and major telecommunications companies including Comcast, AT&T, and T-Mobile have lined up behind a new standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using…


‘The handle is invalid. 0x80070006 (WIN32: 6)’ when dumping CA database

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

Issue

Consider the following scenario: you are dumping the CA database by using certutil, PowerShell or any other tool that utilizes the ICertView2 interface, and at some point you receive the following error:

Certutil:

CertUtil: -view command FAILED: 0x80070006 (WIN32: 6) CertUtil:…


The PKI Guy talks authentication with author Ivan Ristic

Q&A with Ivan Ristic, author of Bulletproof SSL and TLS and founder of Hardenize

TPG: Tell us about your book, Bulletproof SSL and TLS. What are the biggest takeaways for IT security professionals?

IR: Bulletproof SSL and TLS came out of my frustrations with the complexities of the TLS and PKI ecosystem and especially the…


Certificate Requirements for Apple iOS 13 & macOS 10.15

When the next major iOS and macOS update arrives this fall on iPhones, iPads and Macs, there will be changes that impact environments with TLS certificates not current with standards. Certificates with key lengths shorter than 2048, those signed with a SHA1 algorithm, and certificates without the DNS name in the subject alternative name (SAN)…
