Using libssh2 with CryptoNG and ECDSA
Until recently, libssh2’s CryptoNG backend didn’t support ECDSA. But now it does. Continue »
You can use libssh2 with CryptoNG… unless you need ECDSA
Libssh2 lets us choose between multiple different crypto backends. But that doesn’t mean these backends are interchangeable – there are also some functional differences. Continue »
Keeping track of SSH keys using IAP Desktop 2.26
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
Docking and floating RDP windows in IAP Desktop 2.25
IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »
Using a CNG-backed key as service account key in Java
One of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
Using ECDSA keys for SSH public key authentication in IAP Desktop 2.23
By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Continue »
Exporting RSA public keys in .NET and .NET Framework
.NET and .NET Framework don’t provide any methods to export RSA public keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap. Continue »
Importing RSA public keys in downlevel .NET and .NET Framework versions
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with a little help from CryptoAPI, we can fill that gap. Continue »
Encoding public keys in PEM format
Storing or exchanging public keys is one of the most common uses for the PEM format. But there is more than one way to encode a public key. Continue »
What's inside a PEM file
One of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats. Let’s take a closer look at the most common one, PEM. Continue »
Do browsers use client certificates to authenticate the user, the device, or both?
Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both? Continue »
Playing certificate authority: Using Cloud KMS to sign certificate signing requests
Last time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Continue »
Using a Cloud KMS asymmetric signing key to create an X.509 certificate
After you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Continue »
Limiting the validity of service account keys
When you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key. Continue »
Why use CNG instead of CryptoAPI to store keys
In the last posts, I talked a bit about using CryptoAPI and CNG to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question – is that extra work justified? Continue »
Using a CNG-backed key as service account key
Last time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using a CryptoAPI-backed key as service account key
Using service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Using libssh2 on Windows: lessons learnt
Documentation is not where libssh2 shines most. Continue »
Building libssh2 on Windows: lessons learnt
Libssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done. Continue »
Certificate enrollment: Creating a certificate signing request by using CertEnroll
Having covered the basics of certificate enrollment and relevant Windows APIs in previous posts, this post will look at how you can programmatically create a certificate signing requests by using the Certificate Enrollment API (CertEnroll). Continue »