Microsoft Certificate Authority
Earn a technical certification that shows you are keeping pace with today’s technical roles and requirements. Skill up, prove your expertise to employers and peers, and get the recognition and opportunities you’ve earned. Download our guide to all role-based certifications.
Aug 31, 2016. Certification Authority Guidance. Applies To: Windows Server 2012 R2, Windows Server 2012. A certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The CA authenticates an entity and vouches for that identity by issuing a digitally signed.
Oct 03, 2018. Install the Certification Authority. Click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. (RSA#Microsoft Software Key.
Microsoft Learning Partners offer a breadth of solutions to suit your learning needs, empowering you to achieve your training goals. Microsoft Certified Trainers have completed rigorous training and have met stringent technical certification requirements.
Mar 25, 2014. Learn to deploy a Windows Server 2012 R2 CA in this post, including installing Active Directory Certificate Authority and more.
- HOWTO: Move a certificate authority to a new server running on a domain controller
- How to remove manually Enterprise Windows Certificate Authority from Windows 2000/2003 Domain
- Custom extensions in the CAPolicy.inf file does not take effect after you renew the root CA certificate by using a new key
Certificate Services supports the renewal of a certification authority (CA). Renewal is the issuing of a new certificate for the CA to extend the CA's life beyond the end date of its original certificate. You can renew a CA as a task within the Certificate Authority MMC snap-in or by using the Certutil.exe tool (with the -renewCert command).
Explore the most sought after job roles
Select a job role to discover certifications paths.
Developer
Microsoft developers design, build, test, and maintain cloud solutions.
Developer Certifications
Administrator
Microsoft administrators implement, monitor, and maintain Microsoft solutions.
Administrator Certifications
Solutions Architect
Microsoft solutions architects have expertise in compute, network, storage, security.
Solution Architect Certifications
Functional Consultant
Functional consultants leverage Microsoft Dynamics 365 to anticipate and plan for customer needs.
Functional Consultant Certifications
Become Microsoft Certified
Microsoft has certification paths for many technical job roles. Each of these certifications consists of passing a series of exams to earn certification. Microsoft certifications are organized into three levels: Fundamental, Associate, and Expert.
Recommended start
Ideal for individuals just starting in technology or thinking about a career change.
Fundamentals Certifications
Two years of comprehensive working experience.
It is helpful to have related Fundamental certifications but is not required.
Two to five years of deep technical experience.
Many Expert certifications require a specific Associate level certification.
Popular certifications
Select a certification to begin learning valuable job role skills.
High-growth opportunity
Upon earning a certification, 23% of Microsoft certified technologists reported receiving up to a 20% salary increase. What’s more, certified employees are often entrusted with supervising their peers—putting them on the fast track for a promotion.
2017 Pearson VUE Value of Certification white paper
How to prepare for certification
Microsoft understands that everyone has different learning preferences, so we provide certifications and training options throughout your certification journey.
Free learning paths to prepare
With Microsoft Learn, anyone can master core concepts at their speed and on their schedule. They’ll have access to training materials, code samples, and be able to test-drive products at absolutely no cost to them.
Prepare with instructor-led training
Microsoft Learning Partners offer a breadth of solutions to suit your learning needs, empowering you to achieve your training goals. Microsoft Certified Trainers have completed rigorous training and have met stringent technical certification requirements.
Practice before the exam
Microsoft offers official practice tests designed to help candidates prepare for and pass certification exams. Our practice tests are written by industry experts in the subject matter to ensure that all objectives of the exam are covered in depth.
Explore certifications for role-based technical skills
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.
One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents.
Overview
Trusted certificates can be used to create secure connections to a server via the Internet. A certificate is essential for defeating a malicious party that sits on the route to a target server and acts as if it were the target. Such a scenario is commonly referred to as a man-in-the-middle attack. The client uses the CA certificate to authenticate the CA signature on the server certificate, as part of the checks performed before establishing a secure connection. Usually, client software (for example, browsers) includes a set of trusted CA certificates. This makes sense, as many users need to trust their client software. A malicious or compromised client can skip any security check and still fool its users into believing otherwise.
The clients of a CA are server administrators who request a certificate that their servers will present to users. Commercial CAs charge money to issue certificates, and their customers expect the CA's certificate to be included in the majority of web browsers, so that secure connections to the certified servers work efficiently out of the box. The number of internet browsers, other devices and applications which trust a particular certificate authority is referred to as ubiquity. Mozilla, which is a non-profit business, distributes several commercial CA certificates with its products.[1] While Mozilla developed its own policy, the CA/Browser Forum developed similar guidelines for CA trust. A single CA certificate may be shared among multiple CAs or their resellers. A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.
In addition to commercial CAs, some non-profits issue digital certificates to the public without charge; notable examples are CAcert and Let's Encrypt.
Large organizations or government bodies may have their own PKIs (public key infrastructure), each containing their own CAs. Any site using self-signed certificates acts as its own CA.
Browsers and other clients characteristically allow users to add or remove CA certificates at will. While server certificates regularly last for a relatively short period, CA certificates last longer,[2] so, for repeatedly visited servers, it is less error-prone to import and trust the issuing CA than to confirm a security exception each time the server's certificate is renewed.
Less often, trusted certificates are used for encrypting or signing messages. CAs issue end-user certificates too, which can be used with S/MIME. However, encryption requires the receiver's public key and, since authors and receivers of encrypted messages apparently know one another, the usefulness of a trusted third party remains confined to the signature verification of messages sent to public mailing lists.
Providers
Worldwide, the certificate authority business is fragmented, with national or regional providers dominating their home market. This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities.
However, the market for globally trusted TLS/SSL server certificates is largely held by a small number of multinational companies. This market has significant barriers to entry due to the technical requirements.[3] While not legally required, new providers may choose to undergo annual security audits (such as WebTrust[4] for certificate authorities in North America and ETSI in Europe[5]) to be included as a trusted root by a web browser or operating system. More than 180 root certificates are trusted in the Mozilla Firefox web browser, representing approximately eighty organizations.[6] Over 200 root certificates are trusted by macOS. As of Android 4.2 (Jelly Bean), Android currently contains over 100 CAs that are updated with each release.[7]
On November 18, 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let's Encrypt, a nonprofit certificate authority that provides free domain validated X.509 certificates as well as software to enable installation and maintenance of certificates.[8] Let's Encrypt is operated by the newly formed Internet Security Research Group, a California nonprofit recognized as tax-exempt under Section 501(c)(3).[9]
In May 2015, Netcraft, the industry standard for monitoring active TLS certificates, stated that 'Although the global [TLS] ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo, GoDaddy) account for three-quarters of all issued [TLS] certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since [our] survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.'[10]
A W3Techs survey from May 2015 shows:[11][12]
Rank | Issuer | Usage | Market share |
---|---|---|---|
1 | Comodo | 6.1% | 41.0% |
2 | Symantec | 5% | 30.2% |
3 | GoDaddy | 2.2% | 13.3% |
4 | GlobalSign | 1.7% | 10.4% |
5 | DigiCert | 0.5% | 3.1% |
6 | StartCom | 0.4% | 2.2% |
7 | Entrust | 0.1% | 0.8% |
8 | Verizon | 0.1% | 0.7% |
9 | Trustwave | 0.1% | 0.6% |
10 | Secom | 0.1% | 0.6% |
11 | Unizeto | 0.1% | 0.4% |
12 | Buypass | 0.1% | 0.1% |
13 | QuoVadis | < 0.1% | 0.1% |
14 | Deutsche Telekom | < 0.1% | 0.1% |
15 | Network Solutions | < 0.1% | 0.1% |
16 | SwissSign | < 0.1% | 0.1% |
A W3Techs survey from November 2017 shows:[13]
Rank | Issuer | Usage | Market share |
---|---|---|---|
1 | Comodo | 16.7% | 38.4% |
2 | IdenTrust | 13.9% | 32.0% |
3 | Symantec | 5.6% | 12.9% |
4 | GoDaddy | 3.3% | 7.5% |
5 | GlobalSign | 1.9% | 4.5% |
6 | DigiCert | 1.0% | 2.2% |
7 | Certum | 0.3% | 0.7% |
8 | Entrust | 0.2% | 0.4% |
9 | Secom | 0.1% | 0.3% |
10 | Actalis | 0.1% | 0.3% |
11 | Trustwave | 0.1% | 0.2% |
12 | Let's Encrypt | 0.1% | 0.2% |
13 | StartCom | 0.1% | 0.2% |
14 | WISeKey Group | < 0.1% | 0.1% |
A W3Techs survey from May 2018 shows that IdenTrust, a cross-signer of Let's Encrypt intermediates,[14] has risen to be the most popular SSL certificate authority, while Symantec has dropped out of the chart, due to its security services being acquired by DigiCert:[15][16]
Rank | Issuer | Usage | Market share |
---|---|---|---|
1 | IdenTrust | 20.4% | 39.7% |
2 | Comodo | 17.9% | 34.9% |
3 | DigiCert | 6.3% | 12.3% |
4 | GoDaddy | 3.7% | 7.2% |
5 | GlobalSign | 1.8% | 3.5% |
6 | Certum | 0.4% | 0.7% |
7 | Actalis | 0.2% | 0.3% |
8 | Entrust | 0.2% | 0.3% |
9 | Secom | 0.1% | 0.3% |
10 | Let's Encrypt | 0.1% | 0.2% |
11 | Trustwave | 0.1% | 0.1% |
12 | WISeKey Group | < 0.1% | 0.1% |
13 | StartCom | < 0.1% | 0.1% |
14 | Network Solutions | < 0.1% | 0.1% |
Validation standards
The commercial CAs that issue the bulk of certificates for HTTPS servers typically use a technique called 'domain validation' to authenticate the recipient of the certificate. The techniques used for domain validation vary between CAs, but in general domain validation techniques are meant to prove that the certificate applicant controls a given domain name, not any information about the applicant's identity.
Many Certificate Authorities also offer Extended Validation (EV) certificates as a more rigorous alternative to domain validated certificates. Extended validation is intended to verify not only control of a domain name, but additional identity information to be included in the certificate. Some browsers display this additional identity information in a green box in the URL bar. One limitation of EV as a solution to the weaknesses of domain validation is that attackers could still obtain a domain validated certificate for the victim domain, and deploy it during an attack; if that occurred, the difference observable to the victim user would be the absence of a green bar with the company name. There is some question as to whether users would be likely to recognise this absence as indicative of an attack being in progress: a test using Internet Explorer 7 in 2009 showed that the absence of IE7's EV warnings was not noticed by users; however, Microsoft's current browser, Edge, shows a significantly greater difference between EV and domain validated certificates, with domain validated certificates having a hollow, grey lock.
Validation weaknesses
Domain validation suffers from certain structural security limitations. In particular, it is always vulnerable to attacks that allow an adversary to observe the domain validation probes that CAs send. These can include attacks against the DNS, TCP, or BGP protocols (which lack the cryptographic protections of TLS/SSL), or the compromise of routers. Such attacks are possible either on the network near a CA, or near the victim domain itself.
One of the most common domain validation techniques involves sending an email containing an authentication token or link to an email address that is likely to be administratively responsible for the domain. This could be the technical contact email address listed in the domain's WHOIS entry, or an administrative email like admin@, administrator@, webmaster@, hostmaster@ or postmaster@ the domain.[17][18] Some Certificate Authorities may accept confirmation using root@,[citation needed] info@, or support@ in the domain.[19] The theory behind domain validation is that only the legitimate owner of a domain would be able to read emails sent to these administrative addresses.
Domain validation implementations have sometimes been a source of security vulnerabilities. In one instance, security researchers showed that attackers could obtain certificates for webmail sites because a CA was willing to use an email address like ssladmin@domain.com for domain.com, but not all webmail systems had reserved the 'ssladmin' username to prevent attackers from registering it.[20]
Prior to 2011, there was no standard list of email addresses that could be used for domain validation, so it was not clear to email administrators which addresses needed to be reserved. The first version of the CA/Browser Forum Baseline Requirements, adopted November 2011, specified a list of such addresses. This allowed mail hosts to reserve those addresses for administrative use, though such precautions are still not universal. In January 2015, a Finnish man registered the username 'hostmaster' at the Finnish version of Microsoft Live and was able to obtain a domain-validated certificate for live.fi, despite not being the owner of the domain name.[21]
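For a mail host, the defensive consequence of the incidents above is a sign-up check that refuses any username delivering to one of the validation mailboxes. The sketch below is an added example, not code from the original page or from any CA or mail provider; the delivery rules (plus-tag stripping, optional dot-insensitivity) and the sample usernames are assumptions about a hypothetical mail host.

```python
import unicodedata

# Local parts named in the text above: the five administrative addresses,
# the three it says some CAs may accept (root, info, support), and the
# 'ssladmin' name from the webmail incident.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "root", "info", "support", "ssladmin",
})


def canonical_local_part(name, strip_plus_tag=True, ignore_dots=False):
    """Reduce a requested username to the mailbox it would deliver to.

    The two flags model delivery rules of a hypothetical mail host: whether
    'user+tag' lands in 'user', and whether dots in the local part are ignored.
    """
    local = name.rsplit("@", 1)[0] if "@" in name else name
    # NFKC folds compatibility characters (e.g. fullwidth letters) to ASCII,
    # casefold removes case differences.
    local = unicodedata.normalize("NFKC", local).casefold().strip()
    if strip_plus_tag:
        local = local.split("+", 1)[0]
    if ignore_dots:
        local = local.replace(".", "")
    return local


def check_signup(name, **delivery_rules):
    """Return (allowed, reason) for a requested username or alias."""
    canonical = canonical_local_part(name, **delivery_rules)
    if canonical in RESERVED_LOCAL_PARTS:
        return False, f"'{name}' delivers to reserved mailbox '{canonical}'"
    return True, "ok"


def audit_accounts(local_parts, **delivery_rules):
    """List existing user-owned accounts that already collide with a reserved name."""
    return sorted(n for n in local_parts if not check_signup(n, **delivery_rules)[0])


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real system.
    for requested in ["alice", "Hostmaster", "ssladmin+tls@mail.example",
                      "\uff48ostmaster", "administrator2"]:
        print(requested, "->", check_signup(requested))
    print(audit_accounts(["alice", "SSLAdmin", "bob", "postmaster+x"]))
```

Running `audit_accounts` over the existing user table matters as much as the sign-up check, since a name reserved today may have been registered before the list existed.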
Issuing a certificate
A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the certificate authority is responsible for saying 'yes, this person is who they say they are, and we, the CA, certify that'.[22]
If the user trusts the CA and can verify the CA's signature, then they can also assume that a certain public key does indeed belong to whoever is identified in the certificate.
Example
Public-key cryptography can be used to encrypt data communicated between two parties. This can typically happen when a user logs on to any site that implements the HTTP Secure protocol. In this example let us suppose that the user logs on to their bank's homepage www.bank.example to do online banking. When the user opens www.bank.example homepage, they receive a public key along with all the data that their web-browser displays. The public key could be used to encrypt data from the client to the server but the safe procedure is to use it in a protocol that determines a temporary shared symmetric encryption key; messages in such a key exchange protocol can be enciphered with the bank's public key in such a way that only the bank server has the private key to read them.
The rest of the communication then proceeds using the new (disposable) symmetric key, so when the user enters some information to the bank's page and submits the page (sends the information back to the bank) then the data the user has entered to the page will be encrypted by their web browser. Therefore, even if someone can access the (encrypted) data that was communicated from the user to www.bank.example, such eavesdropper cannot read or decipher it.
This mechanism is only safe if the user can be sure that it is the bank that they see in their web browser. If the user types in www.bank.example, but their communication is hijacked and a fake website (that pretends to be the bank website) sends the page information back to the user's browser, the fake web-page can send a fake public key to the user (for which the fake site owns a matching private key). The user will fill the form with their personal data and will submit the page. The fake web-page will then get access to the user's data.
This is what the certificate authority mechanism is intended to prevent. A certificate authority (CA) is an organization that stores public keys and their owners, and every party in a communication trusts this organization (and knows its public key). When the user's web browser receives the public key from www.bank.example it also receives a digital signature of the key (with some more information, in a so-called X.509 certificate). The browser already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it: since www.bank.example uses a public key that the certification authority certifies, a fake www.bank.example can only use the same public key. Since the fake www.bank.example does not know the corresponding private key, it cannot create the signature needed to verify its authenticity.
Security
It is difficult to assure correctness of match between data and entity when the data are presented to the CA (perhaps over an electronic network), and when the credentials of the person/company/program asking for a certificate are likewise presented. This is why commercial CAs often use a combination of authentication techniques including leveraging government bureaus, the payment infrastructure, third parties' databases and services, and custom heuristics. In some enterprise systems, local forms of authentication such as Kerberos can be used to obtain a certificate which can in turn be used by external relying parties. Notaries are required in some cases to personally know the party whose signature is being notarized; this is a higher standard than is reached by many CAs. According to the American Bar Association outline on Online Transaction Management, the primary points of US Federal and State statutes enacted regarding digital signatures have been to 'prevent conflicting and overly burdensome local regulation and to establish that electronic writings satisfy the traditional requirements associated with paper documents.' Further, the US E-Sign statute and the suggested UETA code[23] help ensure that:
- a signature, contract or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
- a contract relating to such transaction may not be denied legal effect, validity or enforceability solely because an electronic signature or electronic record was used in its formation.
Despite the security measures undertaken to correctly verify the identities of people and companies, there is a risk of a single CA issuing a bogus certificate to an imposter. It is also possible to register individuals and companies with the same or very similar names, which may lead to confusion. To minimize this hazard, the certificate transparency initiative proposes auditing all certificates in a public unforgeable log, which could help in the prevention of phishing.[24][25]
In large-scale deployments, Alice may not be familiar with Bob's certificate authority (perhaps they each have a different CA server), so Bob's certificate may also include his CA's public key signed by a different CA2, which is presumably recognizable by Alice. This process typically leads to a hierarchy or mesh of CAs and CA certificates.
Authority revocation lists
An authority revocation list (ARL) is a form of certificate revocation list (CRL) containing certificates issued to certificate authorities, contrary to CRLs which contain revoked end-entity certificates.
Industry organizations
- Certificate Authority Security Council (CASC) – In February 2013, the CASC was founded as an industry advocacy organization dedicated to addressing industry issues and educating the public on internet security. The founding members are the seven largest Certificate Authorities.[26][27]
- Common Computing Security Standards Forum (CCSF) – In 2009 the CCSF was founded to promote industry standards that protect end users. Comodo Group CEO Melih Abdulhayoğlu is considered the founder of the CCSF.[28]
- CA/Browser Forum – In 2005, a new consortium of Certificate Authorities and web browser vendors was formed to promote industry standards and baseline requirements for internet security. Comodo Group CEO Melih Abdulhayoğlu organized the first meeting and is considered the founder of the CA/Browser Forum.[29][30]
Baseline requirements
The CA/Browser Forum publishes the Baseline Requirements,[31] a list of policies and technical requirements for CAs to follow. These are a requirement for inclusion in the certificate stores of Firefox[32] and Safari.[33]
CA compromise
If the CA can be subverted, then the security of the entire system is lost, potentially subverting all the entities that trust the compromised CA.
For example, suppose an attacker, Eve, manages to get a CA to issue to her a certificate that claims to represent Alice. That is, the certificate would publicly state that it represents Alice, and might include other information about Alice. Some of the information about Alice, such as her employer name, might be true, increasing the certificate's credibility. Eve, however, would have the all-important private key associated with the certificate. Eve could then use the certificate to send digitally signed email to Bob, tricking Bob into believing that the email was from Alice. Bob might even respond with encrypted email, believing that it could only be read by Alice, when Eve is actually able to decrypt it using the private key.
A notable case of CA subversion like this occurred in 2001, when the certificate authority VeriSign issued two certificates to a person claiming to represent Microsoft. The certificates have the name 'Microsoft Corporation', so they could be used to spoof someone into believing that updates to Microsoft software came from Microsoft when they actually did not. The fraud was detected in early 2001. Microsoft and VeriSign took steps to limit the impact of the problem.[34][35]
In 2011 fraudulent certificates were obtained from Comodo and DigiNotar,[36][37] allegedly by Iranian hackers. There is evidence that the fraudulent DigiNotar certificates were used in a man-in-the-middle attack in Iran.[38]
In 2012, it became known that Trustwave issued a subordinate root certificate that was used for transparent traffic management (man-in-the-middle) which effectively permitted an enterprise to sniff SSL internal network traffic using the subordinate certificate.[39]
Key storage
An attacker who steals a certificate authority's private keys is able to forge certificates as if they were the CA, without needing ongoing access to the CA's systems. Key theft is therefore one of the main risks certificate authorities defend against. Publicly trusted CAs almost always store their keys on a hardware security module (HSM), which allows them to sign certificates with a key, but generally prevents extraction of that key with both physical and software controls. CAs typically take the further precaution of keeping the key for their long-term root certificates in an HSM that is kept offline, except when it is needed to sign shorter-lived intermediate certificates. The intermediate certificates, stored in an online HSM, can do the day-to-day work of signing end-entity certificates and keeping revocation information up to date.
CAs sometimes use a key ceremony when generating signing keys, in order to ensure that the keys are not tampered with or copied.
Implementation weakness of the trusted third party scheme
The critical weakness in the way that the current X.509 scheme is implemented is that any CA trusted by a particular party can then issue certificates for any domain they choose. Such certificates will be accepted as valid by the trusting party whether they are legitimate and authorized or not.[40] This is a serious shortcoming given that the most commonly encountered technology employing X.509 and trusted third parties is the HTTPS protocol. As all major web browsers are distributed to their end-users pre-configured with a list of trusted CAs that numbers in the dozens, this means that any one of these pre-approved trusted CAs can issue a valid certificate for any domain whatsoever.[41] The industry response to this has been muted.[42] Given that the contents of a browser's pre-configured trusted CA list are determined independently by the party that is distributing or causing to be installed the browser application, there is really nothing that the CAs themselves can do.
This issue is the driving impetus behind the development of the DNS-based Authentication of Named Entities (DANE) protocol. If adopted in conjunction with Domain Name System Security Extensions (DNSSEC), DANE will greatly reduce, if not completely eliminate, the role of trusted third parties in a domain's PKI.
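Because any trusted CA can issue for any domain, a domain owner's practical check is to watch the public certificate log described under Security for certificates naming their domain that came from an issuer they never use. The following is an added example, not part of the original article or of any log operator's software; the entry fields, issuer names and serials are constructed, and the entries are assumed to be already decoded from the log.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    serial: str
    issuer: str
    matched_name: str
    monitored_domain: str


def covers(monitored, dns_name):
    """True if dns_name is the monitored domain, a subdomain of it,
    or a wildcard under it. Matching is on label boundaries, so
    'notbank.example' and 'bank.example.evil.example' do not match."""
    name = dns_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    monitored = monitored.lower().rstrip(".")
    return name == monitored or name.endswith("." + monitored)


def find_unexpected(entries, expected_issuers):
    """Flag logged certificates for a monitored domain whose issuer is not
    one the domain owner actually uses."""
    findings = []
    for entry in entries:
        for dns_name in entry["dns_names"]:
            for domain, allowed in expected_issuers.items():
                if covers(domain, dns_name) and entry["issuer"] not in allowed:
                    findings.append(
                        Finding(entry["serial"], entry["issuer"], dns_name, domain))
    return findings


# The domain owner's own record of which CA they buy certificates from
# (hypothetical issuer name).
EXPECTED_ISSUERS = {"bank.example": {"Example Trust CA R1"}}

# Constructed, already-decoded log entries; field names are assumptions.
SAMPLE_ENTRIES = [
    {"serial": "01", "issuer": "Example Trust CA R1",
     "dns_names": ["bank.example", "www.bank.example"]},
    {"serial": "02", "issuer": "Unrelated Regional CA G2",
     "dns_names": ["login.bank.example"]},
    {"serial": "03", "issuer": "Unrelated Regional CA G2",
     "dns_names": ["bank.example.evil.example"]},
    {"serial": "04", "issuer": "Unrelated Regional CA G2",
     "dns_names": ["*.bank.example", "shop.example"]},
    {"serial": "05", "issuer": "Unrelated Regional CA G2",
     "dns_names": ["notbank.example"]},
]

if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_ENTRIES, EXPECTED_ISSUERS):
        print(f"serial {f.serial}: {f.matched_name} issued by "
              f"'{f.issuer}', not an expected issuer for {f.monitored_domain}")
```

Entries 03 and 05 are lookalike names under other domains; they are outside what this check covers and would need separate similar-name monitoring.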
Software
Various software is available to operate a certificate authority. Generally such software is required to sign certificates, maintain revocation information, and operate OCSP or CRL services. Some examples are:
- DogTag[43]
- OpenSSL, an SSL/TLS library that comes with tools allowing its use as a simple certificate authority
- EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
- r509[44]
- TinyCA, which is a Perl GUI on top of some CPAN modules.
- XCA[45]
- XiPKI,[46] CA and OCSP responder, with support of SHA3, EdDSA and SM2.
- Boulder is an automated server that uses the Automated Certificate Management Environment[47] (ACME) protocol.
- Windows Server contains a CA as part of Certificate Services for the creation of digital certificates. In Windows Server 2008 and later the CA may be installed as part of Active Directory Certificate Services.
See also
- SAFE-BioPharma Association - an example of a non-HTTPS CA.
References
- 'Mozilla Included CA Certificate List — Mozilla'. Mozilla.org. Archived from the original on 2013-08-04. Retrieved 2014-06-11.
- Zakir Durumeric; James Kasten; Michael Bailey; J. Alex Halderman (12 September 2013). 'Analysis of the HTTPS Certificate Ecosystem' (PDF). The Internet Measurement Conference. SIGCOMM. Archived (PDF) from the original on 22 December 2013. Retrieved 20 December 2013.
- 'What is SSL Certificate?'. Archived from the original on 2015-11-03. Retrieved 2015-10-16.
- 'webtrust'. webtrust. Archived from the original on 2013-08-18. Retrieved 2013-03-02.
- Kirk Hall (April 2013). 'Standards and Industry Regulations Applicable to Certification Authorities' (PDF). Trend Micro. Archived (PDF) from the original on 2016-03-04. Retrieved 2014-06-11.
- 'CA:IncludedCAs - MozillaWiki'. wiki.mozilla.org. Archived from the original on 2017-03-25. Retrieved 2017-03-18.
- 'Security with HTTPS and SSL'. developer.android.com. Archived from the original on 2017-07-08. Retrieved 2017-06-09.
- 'Let's Encrypt: Delivering SSL/TLS Everywhere'. Let's Encrypt. Archived from the original on 2014-11-18. Retrieved 2014-11-20.
- 'About'. Let's Encrypt. Archived from the original on 2015-06-10. Retrieved 2015-06-07.
- 'Counting SSL certificates - Netcraft'. news.netcraft.com. Archived from the original on 2015-05-16.
- 'Usage of SSL certificate authorities for websites'. 2015-05-13. Retrieved 2015-09-29.
- 'Comodo has become the most widely used SSL certificate authority'. w3techs.com.
- 'Usage of SSL certificate authorities for websites'. 2017-11-15. Retrieved 2017-11-15.
- 'Let's Encrypt - Chain of Trust'. Let's Encrypt. Retrieved 2018-06-08.
  .. [Let's Encrypt's] intermediate is .. cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers.
- 'DigiCert Closes Acquisition of Symantec's Website Security Business'. Symantec. October 31, 2017. Retrieved 2018-06-08.
- 'Usage of SSL certificate authorities for websites'. 2018-05-28. Retrieved 2018-06-08.
- 'Archived copy' (PDF). Archived (PDF) from the original on 2015-03-23. Retrieved 2015-03-20.
- 'CA/Forbidden or Problematic Practices - MozillaWiki'. wiki.mozilla.org. Archived from the original on 2017-07-21. Retrieved 2017-07-06.
- 'SSL FAQ - Frequently Asked Questions - Rapid SSL'. www.rapidssl.com. Archived from the original on 2015-02-06.
- Zusman, Mike (2009). Criminal charges are not pursued: Hacking PKI (PDF). DEF CON 17. Las Vegas. Archived (PDF) from the original on 2013-04-15.
- 'A Finnish man created this simple email account - and received Microsoft's security certificate'. tivi.fi. Archived from the original on 2015-08-08.
- 'Responsibilities of Certificate Authority'. Archived from the original on 2015-02-12. Retrieved 2015-02-12.
- 'Electronic Signatures and Records' (PDF). Archived (PDF) from the original on 2016-03-04. Retrieved 2014-08-28.
- 'Certificate transparency'. Archived from the original on 2013-11-01. Retrieved 2013-11-03.
- 'Certificate transparency'. Internet Engineering Task Force. Archived from the original on 2013-11-22. Retrieved 2013-11-03.
- 'Multivendor power council formed to address digital certificate issues'. Network World. February 14, 2013. Archived from the original on July 28, 2013.
- 'Major Certificate Authorities Unite In The Name Of SSL Security'. Dark Reading. February 14, 2013. Archived from the original on April 10, 2013.
- 'CA/Browser Forum Founder'. Archived from the original on 2014-08-23. Retrieved 2014-08-23.
- 'CA/Browser Forum'. Archived from the original on 2013-05-12. Retrieved 2013-04-23.
- Wilson, Wilson. 'CA/Browser Forum History' (PDF). DigiCert. Archived (PDF) from the original on 2013-05-12. Retrieved 2013-04-23.
- 'Baseline Requirements'. CAB Forum. Archived from the original on 7 January 2014. Retrieved 14 April 2017.
- 'Mozilla Root Store Policy'. Mozilla. Archived from the original on 15 April 2017. Retrieved 14 April 2017.
- 'Apple Root Certificate Program'. Apple. Archived from the original on 20 March 2017. Retrieved 14 April 2017.
- 'CA-2001-04'. Cert.org. Archived from the original on 2013-11-02. Retrieved 2014-06-11.
- ^Microsoft, Inc. (2007-02-21). 'Microsoft Security Bulletin MS01-017: Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard'. Archived from the original on 2011-10-26. Retrieved 2011-11-09.
- ^Bright, Peter (28 March 2011). 'Independent Iranian hacker claims responsibility for Comodo hack'. Ars Technica. Archived from the original on 29 August 2011. Retrieved 2011-09-01.
- ^Bright, Peter (2011-08-30). 'Another fraudulent certificate raises the same old questions about certificate authorities'. Ars Technica. Archived from the original on 2011-09-12. Retrieved 2011-09-01.
- ^Leyden, John (2011-09-06). 'Inside 'Operation Black Tulip': DigiNotar hack analysed'. The Register. Archived from the original on 2017-07-03.
- ^'Trustwave issued a man-in-the-middle certificate'. The H Security. 2012-02-07. Archived from the original on 2012-03-13. Retrieved 2012-03-14.
- ^Osborne, Charlie. 'Symantec sacks staff for issuing unauthorized Google certificates - ZDNet'. zdnet.com. Archived from the original on 2016-10-02.
- ^'Unauthorized Google Digital Certificates Discovered'. linkedin.com. 12 August 2014.
- ^'In the Wake of Unauthorized Certificate Issuance by the Indian CA NIC, can Government CAs Still be Considered 'Trusted Third Parties'?'. casecurity.org. 24 July 2014. Archived from the original on 3 October 2016.
- ^'Dogtag Certificate System'. Pki.fedoraproject.org. Archived from the original on 2013-01-29. Retrieved 2013-03-02.
- ^'reaperhulk/r509 · GitHub'. Github.com. Archived from the original on 2013-10-18. Retrieved 2013-03-02.
- ^'xca.sourceforge.net'. xca.sourceforge.net. Archived from the original on 2012-12-03. Retrieved 2013-03-02.
- ^'xipki/xipki · GitHub'. Github.com. Archived from the original on 2017-08-31. Retrieved 2016-10-17.
- ^'letsencrypt/acme-spec'. github.com. Archived from the original on 2014-11-21. Retrieved 2014-11-20.
External links
- How secure is HTTPS today? How often is it attacked?, Electronic Frontier Foundation (25 October 2011)