SSH certification authority for the management of GitHub SSH certificates

GitHub now supports authentication via an OpenSSH certificate: https://github.blog/2019-08-14-ssh-certificate-authentication-for-github-enterprise-cloud/.

However, I can't find any recommendations for a certification authority to manage these SSH certificates.

There appear to be numerous certificate management options for server and production environments, such as BLESS, CASSH, etc.

What would you recommend to manage SSH certificates so developers can access GitHub?

In an ideal world, this would allow custom configuration by the developer. It could interact with an existing Active Directory to authenticate users trying to create certificates, and it would be a managed service.

Design certification by writing software application artifacts

I am a Software Engineer (BEng / MSc) and Java SE 7 certified.

I would like to know if there is an option to get certified in software or generally in a computer science related subject by writing a software application artifact.

That is, I want to create and build a kind of proof of concept, a designed artifact, etc., to get a proof of qualification, such as a certification.

So that's the opposite of a written test that takes questions or answers questions.

Kind regards

Certification with Advanced Electronic Signature (AdES)

For a mobile application I want to be as compliant as possible with the AdES standard.

The mobile application performs operations on behalf of the user and signs them first. A backend service checks the signature and continues with the operations.

The main question concerns the limitations of who should be the certification authority.

Can a mobile device be its own certification authority or does another entity need to issue the certificate?

In the first case, the mobile application generates both certificates (CA and signing certificate) when the user is onboarded. Both certificates are sent to the backend for later verification of the signature.

For the second case, the mobile application would generate a CSR and the backend would generate the signing certificate.

Are there any restrictions on how this process may work?
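
The second case above (device sends a CSR, backend issues the signing certificate), sketched with the OpenSSL command line as an added example that is not part of the original post. It assumes `openssl` is installed; the subject names, file names and payloads are hypothetical, and both roles run in one script only to show the order of the steps.

```shell
#!/bin/sh
# Constructed demo of the CSR flow; subjects, file names and payloads are hypothetical.
set -eu

csr_flow_demo() {   # $1 = payload the device signs, $2 = payload the backend receives
    w=$(mktemp -d)
    result=rejected
    # Backend (one-time): CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Backend CA" -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null
    # Device (onboarding): the private key stays local, only the CSR is sent.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=user-1234" -keyout "$w/dev.key" -out "$w/dev.csr" 2>/dev/null
    # Backend: issue only if the CSR self-signature proves possession of the key.
    if openssl req -in "$w/dev.csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        openssl x509 -req -in "$w/dev.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
            -CAcreateserial -days 7 -sha256 -out "$w/dev.crt" 2>/dev/null
        # Device: sign the operation with its private key.
        printf '%s' "$1" > "$w/op.json"
        openssl dgst -sha256 -sign "$w/dev.key" -out "$w/op.sig" "$w/op.json"
        # Backend: the certificate must chain to its CA and the signature must
        # match the payload that actually arrived.
        printf '%s' "${2:-$1}" > "$w/recv.json"
        openssl x509 -in "$w/dev.crt" -pubkey -noout > "$w/dev.pub"
        if openssl verify -CAfile "$w/ca.crt" "$w/dev.crt" >/dev/null 2>&1 &&
           openssl dgst -sha256 -verify "$w/dev.pub" -signature "$w/op.sig" \
               "$w/recv.json" >/dev/null 2>&1; then
            result=accepted
        fi
    fi
    rm -rf "$w"
    echo "$result"
}

# Unmodified payload, then a payload altered after signing.
csr_flow_demo '{"op":"transfer","amount":10}'
csr_flow_demo '{"op":"transfer","amount":10}' '{"op":"transfer","amount":9999}'
```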

Anonymity – practicability of direct anonymous certification

DAA (Direct Anonymous Attestation) is not the only method that can be used to obtain anonymous acknowledgment. In general, these schemes allow a company to remain anonymous throughout the attestation process. It is not about the certificate, but about the revocation of the key. The TPM / FIDO DAA schema requires maintaining a list of vulnerable private keys to allow for revocation. But the assumption that the private key of a compromised device has been leaked publicly is naive. In fact, in many scenarios, a hacker cannot recognize a compromised key. Such a key can be used for attacks such as denial-of-service attacks, and so on. Because the device identity is anonymous to the service provider, the service provider cannot distinguish an attacker from a real user.

What makes it even worse is storing / protecting the private key using hardware key storage or an HSM (Hardware Security Module). A hacker may have the knowledge to hack and extract the private key from an HSM by using a zero-day vulnerability. The private key is designed so that it is not output in clear text. Therefore, even if a user confirms that his device is compromised, he has no way of informing the authority because it is not possible to extract the private key as a normal user.

Therefore, DAA sounds like a wonderful technology, but is not commercially viable?

ssl – Exchange certification is missing after import into Exchange PowerShell

I'm trying to renew certification through MMC, PowerShell and Exchange PowerShell. After importing via the MMC GUI and PowerShell I find the fingerprint no problem. However, I cannot find it in Exchange PowerShell. I wonder if this is also related to my inability to validate the certification by the Exchange Server administrator.

Instead, I get the error message that the fingerprint is already in use and the server repeats this problem when I specify the path to certification.

So far, I have removed the certificate and reinstalled it using the three methods described above.

Please help.