r/PKI

▲ 2 r/PKI

How do I do auto provisioning with x509 cert?

If there are thousands of devices how do I create them? Isn't it risky what if a device gets the wrong certificates as it is unique? I'm working on ThingsBoard auto provisioning rn and can't figure out how to implement it if there are thousands of devices.. I need help :(

reddit.com
u/curious-techoo0 — 3 days ago
▲ 3 r/PKI

ADCS Web Enroll Download Chain Link

Hi,

I have renewed our offline root CA and deployed it to the online intermediate CA, but when I go to the web enrollment site the download chain link still provides the old (still valid) offline root certificate in the chain. Where is it pulling that certificate from?

I am still in the process of deploying the new cert so I have not updated it in AD or pushed it out to the majority of our machines yet.

Thank you.

reddit.com
u/Icolan — 6 days ago
▲ 8 r/PKI

Question: How Are Merkle Tree Revocations Going to Happen?

It seems pretty obvious that, due to post-quantum cryptography concerns, much of our public PKI is going to implement Merkle Tree certificates (while private PKI will likely be x.509 for at least the intermediate future). Merkle Tree certificates are basically blockchain for digital certificates, where many individual certificate signature hashes are hashed and presented as far fewer hashes when communicated to relying clients. My question is how revocation of Merkle Tree certificates is handled, especially when we are likely to have millions of annual revocations and accelerating with ever-decreasing certificate lifespans? I've seen a few answers that seem to vaguely answer my question, but they seem half-baked and not very scalable. Does anyone know how Merkle Tree certificate revocation will be handled at scale?

reddit.com
u/rogeragrimes — 10 days ago
▲ 7 r/PKI

Renew CA certificate with the same key as older of two CA certificates

I have a CA installed on Windows Server 2022. It has two certificates:

  • one older that is about to expire on 30.07.2026
  • second newer, to expire on 08.03.2030

I have many certificates created using the first key used on other devices.

The newer certificate was created with a new key, so certificates issued with the second CA certificate with the new key do not authorize users on device with first CA cell installed.

So I want to create a new certificate that has the same key as the old CA certificate, but will have extend the period of its usability.

How to do that on Windows Server 2022?

reddit.com
u/Slight-Ad367 — 12 days ago