Approaches to certificate revocation - part 2
Following on from part 1 where I explored the formative CRL and OCSP approaches to certificate revocation, I thought it worthwhile to explore some of the revocation approaches that have introduced a...
Certificate revocation has always felt a bit opaque to me - I’m aware that from a WebPKI perspective, browser behaviour has been varied and has not necessarily made revocation checking a reliab...
Having worked a fair bit with certificates in other posts, I’ve been aware that I’ve been accepting that certificate signatures work without getting under the covers of specifically how these signa...
I’ve had reason recently to consider the certificate options for client based authentication, having been challenged as to why one wouldn’t just use a Public CA signed certificate when mTLS is in u...
I embarked on writing up a post on mTLS client authentication, and effectively started writing a post that first introduces the more common webPKI model of a client authenticating the identity of a...
Having spent a little time creating dummy CAs, signing certificates and viewing lots of openssl x509 -text output, I came to the realisation that I wasn’t entirely clear which x509 certificate attr...
This page is a list of questions that emerge as I work through some of the other posts on this site. Over time, I’ll aim to address all of these through examples across the various posts. At some...