Using a CNG-backed key as service account key in Java
One of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java.
.NET and .NET Framework don’t provide any methods to export RSA public keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap.
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with a little help from CryptoAPI, we can fill that gap.
Storing or exchanging public keys is one of the most common uses for the PEM format. But there is more than one way to encode a public key.
One of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats. Let’s take a closer look at the most common one, PEM.
By using certificate-based authentication, we can let a Google Cloud service account authenticate to AD FS without having to manage any client secrets.
A common way to let an application authenticate to KeyCloak is to use a client ID and secret. But when the application runs on Google Cloud, we can do better.
When a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. Chrome lets us suppress these prompts by using the AutoSelectCertificateForUrls policy. But documentation is scarce.
Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both?
By using workload identity federation, we can let applications use Azure credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on Azure and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to Azure APIs?
Last time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA).
After you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key.
When you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key.
In the last posts, I talked a bit about using CryptoAPI and CNG to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question – is that extra work justified?
Last time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG.
Using service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys.
Having covered the basics of certificate enrollment and relevant Windows APIs in previous posts, this post will look at how you can programmatically create a certificate signing request by using the Certificate Enrollment API (CertEnroll).
One thing certreq and the Certificate Manager MMC snap-in have in common is that they rely heavily on Windows’ built-in APIs for managing certificates, encryption, and keys. This post takes a deeper look at which APIs Windows provides for cryptography, key management, certificate management, and certificate enrollment.
In the last post, we looked at how certificates, private keys, and certificate signing requests relate to one another. In this post, we’ll look at three common ways to create a certificate signing request (CSR) which can then be submitted to a certificate authority (CA) for signing.
Many of the protocols we use every day rely on certificates. The process to request and obtain a new certificate from a CA is called certificate enrollment. This post explains the basic concepts behind certificate enrollment.