SSL

SSL issuer certificate not found after installation

Ouch! With Go Daddy certificates: I ran into this issue on a server when trying to apply a new certificate and its intermediate certificates. The issue seemed to be from not having a complete certificate chain installed in my server's certificate store.

The solution was simple: download and install the root bundles from the Go Daddy certificate repository: https://certs.godaddy.com/anonymous/repository.pki

This is in no way the fault of Go Daddy; the server I am hosting on, Server 2003, lacks the much-needed certificate store updates, so it doesn't know about the newer root CAs.

That said, Go Daddy is still the best in my book.

IIS 7 Error “A specified logon session does not exist. It may already have been terminated.”

I was in the process of updating an IIS 7 website with its newly issued certificate when I encountered the following issue: “A specified logon session does not exist. It may already have been terminated.”

To resolve this issue:

  • Open the MMC (Start > Run > type mmc)
  • File > Add/Remove Snap-in > select Certificates > click Add
  • Choose Computer account > Next > Local computer > Finish
  • Click OK

Now under Certificates (Local Computer)

  • Select Personal > Certificates
  • Remove the certificate that was giving the error

Again under Certificates (Local Computer)

  • Select Personal > Certificates
  • Right-click Certificates > All Tasks > Import…
  • Click Next > browse to the new certificate (tip: set the file type filter to All Files so the .pfx is shown)
  • Select the certificate to import and click Open > click Next
  • After entering the PFX password, ensure both “Mark this key as exportable…” and “Include all extended properties” are selected.

Once done, I returned to IIS and changed the certificate to my new one, and it worked without issues. I think this is some sort of bug with IIS 7; perhaps there is a fix. For now this works, and that's all I need.

Good luck.

Added note:

The following system event was logged at the time, event ID 36870: “A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.”
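As an added example (not code from the original post), here is the same remove-and-re-import done from PowerShell, preceded by a look at the private key, because the event 36870 text above says schannel could not access the SSL server credential's private key. Assumptions: Server 2012 or later (Windows PowerShell 3 with the PKI and WebAdministration modules; on IIS 7 / Server 2008 the fallback for the import step is certutil -importPFX), the new certificate is at C:\certs\www.pfx, both the old and the new certificate carry the subject in $Subject, and the site is “Default Web Site” bound on port 443.

```powershell
$PfxPath = 'C:\certs\www.pfx'            # assumed
$Subject = 'CN=www.example.com'          # assumed: subject of both the old and the new certificate
$Store   = 'Cert:\LocalMachine\My'       # "Certificates (Local Computer) > Personal" in the MMC
$PfxPass = Read-Host -AsSecureString 'PFX password'

# Event 36870 (0x8009030d) means schannel could not open the private key. Before deleting anything,
# check whether a key is associated at all and whether its container file is readable: for CAPI
# machine keys that file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
function Get-PrivateKeyState {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key associated with this certificate' }
    $rsa = $Cert.PrivateKey      # $null for CNG keys or when this account cannot open the key
    if (-not $rsa) { return 'private key flagged but not openable from this session' }
    $file = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path $file)) { return "key container file missing: $file" }
    $acl = (Get-Acl $file).Access | ForEach-Object { "{0}:{1}" -f $_.IdentityReference, $_.FileSystemRights }
    "key file $file; ACL = " + ($acl -join ', ')
}

$old = @(Get-ChildItem $Store | Where-Object { $_.Subject -eq $Subject })
foreach ($c in $old) {
    "old: {0} expires {1:d} -> {2}" -f $c.Thumbprint, $c.NotAfter, (Get-PrivateKeyState $c)
}

# MMC step "Personal > Certificates > remove the problem certificate"
$old | Remove-Item

# MMC step "All Tasks > Import"; -Exportable is the "Mark this key as exportable" checkbox.
# Import-PfxCertificate keeps the extended properties (friendly name, EKU) carried in the PFX.
$new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store -Password $PfxPass -Exportable
"new: {0} -> {1}" -f $new.Thumbprint, (Get-PrivateKeyState $new)

# Back in IIS: point the https binding at the new certificate (the step done in the IIS GUI above).
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
if (-not $binding) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
}
$binding.AddSslCertificate($new.Thumbprint, 'My')
Get-ChildItem IIS:\SslBindings    # shows which thumbprint each IP:port now uses
```

If Get-PrivateKeyState reports a missing container file or an ACL without read access for the account the site runs under, that is the cause of the 0x8009030d error, and re-importing the PFX recreates the key file with the default permissions.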

What is an intermediate certificate?

I just completed a new CSR (Certificate Signing Request). Upon its completion I was issued my new cert along with an intermediate certificate to be installed on my host server. This gives me the perfect opportunity to share what an intermediate certificate is.

An intermediate certificate links, or “chains”, your SSL certificate back to a root certificate authority. Think of it as a proxy or gateway to the root, where the trust anchor lives. Installing the intermediate alongside your own certificate lets browsers and other clients build that chain, so visitors don't receive “invalid SSL” warnings when they visit your site.

For example, if a certificate is issued to “example.com” by “Intermediate CA 1”, and the visiting web browser trusts “Root CA”, trust may be established in the following manner:

Certificate 1 – Issued To: example.com; Issued By: Intermediate CA 1
Certificate 2 – Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
Certificate 3 – Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
Certificate 4 – Issued To: Intermediate CA 3; Issued By: Root CA

The browser trusts “Root CA”, so each certificate in the list is verified against the one after it and a secure connection can be established. Because this process is called “certificate chaining”, intermediate CA certificates are sometimes called “chained certificates”. Clients ship with the roots only, so the server has to send the intermediates along with its own certificate, which is why they must be installed on the server. Most end-user certificates today are issued by intermediate CAs rather than directly by a root: the root's private key can then stay offline, and a compromised intermediate can be revoked without replacing the root in every browser.

For more info have a look at the following links:

Certificate authorities

Public-key cryptography

Assign an SSL Certificate to Services in Exchange Server 2013

Switching Exchange 2013 over to a publicly accessible address requires a valid FQDN and a valid SSL certificate. After installing the certificate on the server, open the Exchange Administration Center and do the following:

  • Select Servers, then Certificates
  • Choose the valid certificate you plan to use and click Edit (double-clicking also works)
  • Select the services to be used by the Certificate – SMTP, IMAP, POP, IIS
  • After making your selection click Save

You will get a warning about replacing the existing (default SMTP) certificate; click Yes.

Now you should be able to test Outlook Web App by browsing to the https:// address of your site.
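An added example, not from the original post: the same assignment done from the Exchange Management Shell instead of the EAC, with the certificate picked by the public name it covers. It assumes the certificate has already been imported on the server and that $Fqdn is the public FQDN in its subject or SAN list.

```powershell
$Fqdn = 'mail.example.com'   # assumed public FQDN

# Pick the valid, unexpired certificate with a private key that covers the public name.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Status -eq 'Valid' -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.CertificateDomains -contains $Fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No valid certificate for $Fqdn in the store; import it first with Import-ExchangeCertificate." }
"Using {0} ({1}), expires {2:d}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter

# Same as ticking SMTP, IMAP, POP and IIS in the EAC. -Force answers the prompt about replacing the
# existing default SMTP certificate (the warning mentioned above) with Yes.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IMAP,POP,IIS -Force

# Confirm which certificate each service is now bound to.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Services, NotAfter, Subject, CertificateDomains |
    Format-Table -AutoSize
```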

How secure are the apps you use on smartphones?

In my last post I wrote a very brief how-to on how to Capture Traffic from Smart Devices with Fiddler by making it a network proxy. I did just that, and the results for a few apps have upset me, mainly because they expose not only my password and user ID but also the content I upload or download. Not good!

Above is me logging into an application, followed later by my download of content stored on the device. What was shocking at first is that the log-on process is all over HTTP, along with all of the communication between my smartphone and the remote server. A man in the middle would love this.

In the /auth_client URL, my password along with my email address (user ID) was exposed and could be seen clear as day.

And then the image I downloaded could be captured by the network peeping Tom.

So, thinking about this more: how many of us use the same passwords for various services online? If one is captured, the would-be hacker could take the information gathered here (email address as log-on and password) and try them on other known sites. If you are one to reuse the same password and user ID, you would have been compromised along with your data.

I am not an app developer, but I do read up on the guidelines, and it's clear that many developers are not taking this into consideration when pumping out their apps to the marketplace for us to use.

SSL helps only if the application also validates the server's certificate. Some applications insist on SSL but don't check whose certificate they are talking to, and will accept a self-signed certificate presented by a would-be attacker just as readily as the real one. The true test is to make the application connect to a certificate it cannot chain to a CA it trusts (a self-signed one, such as the one Fiddler presents when decrypting HTTPS). If the app refuses to connect, you're good to go; otherwise you are taking a big risk using that application on networks you don't control.
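An added example, not code from the original post or from any of the apps it discusses: a client-side TLS handshake with the certificate validation callback written out, so the “does it reject a self-signed certificate?” test above can be run against any endpoint (for instance a Fiddler listener), and so the broken pattern sits next to the correct one. The host name and port are assumptions.

```powershell
function Test-TlsValidation {
    param(
        [string]$HostName = 'www.example.com',   # assumed
        [int]$Port = 443,
        [switch]$TrustEverything                  # reproduces the broken-app behaviour
    )

    # The anti-pattern: accept any certificate, so a self-signed one from a proxy or attacker passes.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    # Correct: accept only when the OS built a trusted chain AND the name matches (SslPolicyErrors.None).
    $strict = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) {
            Write-Warning ("rejecting '{0}': {1}" -f $cert.Subject, $errors)   # e.g. RemoteCertificateChainErrors
            return $false
        }
        $true
    }

    $callback = if ($TrustEverything) { $acceptAll } else { $strict }
    $result = [ordered]@{
        Host = $HostName; Mode = $(if ($TrustEverything) { 'accept-all' } else { 'strict' })
        Accepted = $false; Subject = $null; Issuer = $null; Reason = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)    # the name passed here is what the hostname check uses
            $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
            $result.Accepted = $true; $result.Subject = $peer.Subject; $result.Issuer = $peer.Issuer
        } catch {
            $result.Reason = $_.Exception.GetBaseException().Message
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
    [pscustomobject]$result
}

# Run both against an endpoint presenting a self-signed certificate (e.g. a Fiddler or mitmproxy
# listener). Strict must come back Accepted = False; an app that behaves like -TrustEverything is
# the kind this post is warning about.
Test-TlsValidation -HostName 'www.example.com' -Port 443
Test-TlsValidation -HostName 'www.example.com' -Port 443 -TrustEverything
```

The strict callback is what the platform gives you for free when you don't override validation; the accept-all callback is the one-liner that turns up in apps whose developers hit a certificate error during testing and made it go away.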

More so, if you want security then perhaps you (me included) need to use VPN technology on the smart device to ensure the security and integrity of the data we value.

This is just one of a few examples I have found. I hope this prompts you to look for others as I have, and perhaps reach out to the developers to make the necessary changes to protect us all.

Google SSL Certificates going to 2048-bit

Coming soon! In August 2013, Google will start switching the SSL certificates for its services to 2048-bit RSA keys, for stronger security. The information was made public by Stephen McHenry, Director of Information Security at Google, on the company's blog.

The switch is scheduled to be complete by the end of 2013.

On the blog, Stephen McHenry writes:

Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

He also listed examples of improper validation practices that could leave client software unable to connect to Google over SSL after the upgrade, such as matching one specific certificate exactly (pinning the leaf) or hard-coding the expected root certificate.

Change is coming soon! Don’t be left behind.

More detailed information can be found in the blog post itself.

Disable Revocation Check on SSTP VPN Sessions

Please use the following steps:

You will need to create the following registry value (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters and set it to 1, which prevents the check.
The usual reason for wanting this is that the SSTP client checks the revocation status of the VPN server's certificate before the tunnel exists, so the certificate's CRL distribution point must be reachable over the plain internet; if it isn't, the connection fails. Making the CRL reachable is the real fix; the value below is for confirming the diagnosis.

More detailed info below:

NoCertRevocationCheck
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: NoCertRevocationCheck
Data type: REG_DWORD

You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. Certificate revocation check will be performed if the value is set to 0. If the value is set to 1, certificate revocation check will be skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, certificate revocation check is performed.
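An added example, not from the original post: the same value set from PowerShell and then removed again, so it doesn't get left at 1 on a client. The key path and value name are the ones documented above; the function names and the before/during/after output are this example's own.

```powershell
$Key  = 'HKLM:\System\CurrentControlSet\Services\Sstpsvc\Parameters'
$Name = 'NoCertRevocationCheck'

function Get-SstpRevocationCheck {
    # Absent value = default behaviour (revocation check performed).
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v)  { return 'default (check performed)' }
    if ($v -eq 1)      { return 'SKIPPED (debugging only)' }
    'performed (value present but 0)'
}

# Debugging only: REG_DWORD 1 makes the SSTP client skip the revocation check during SSL negotiation.
function Disable-SstpRevocationCheck {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Restore: deleting the value brings back the default, which is safer than writing 0 and forgetting why.
function Enable-SstpRevocationCheck {
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
}

"Before: $(Get-SstpRevocationCheck)"
Disable-SstpRevocationCheck
"During: $(Get-SstpRevocationCheck)"
# ... reconnect the SSTP VPN here: if it now connects, the CRL distribution point is what the client
#     could not reach, and that is what needs fixing on the certificate / publishing side ...
Enable-SstpRevocationCheck
"After:  $(Get-SstpRevocationCheck)"
```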

One or more intermediate certificates in the certificate chain are missing

Error:  One or more intermediate certificates in the certificate chain are missing. This is because Windows does not have enough information to verify this certificate.

When migrating a web site from IIS 6 on Server 2003 to IIS 7 on Server 2008, a certificate exported from IIS 6 can trigger the ‘Windows does not have enough information to verify this certificate’ error on the new server.

This is because one or more intermediate certificates in the certificate chain are missing. To resolve this issue, make sure that all of intermediate certificates are installed. For more information: http://support.microsoft.com/kb/954755  

Resolution: install the intermediate certificates on the IIS server (in the Intermediate Certification Authorities store of the local computer). Download the intermediate certificates applicable to your product:
Note: you must install the correct Thawte intermediate CA file on your server for your SSL certificate to work and be fully supported in all web browsers.

SSL123:
Thawte DV SSL
Thawte Primary Root CA 2020

SSL Web Server / SSL Web Server Wildcard:
Thawte SSL CA 
Thawte Primary Root CA 2020

SGC:
Thawte SGC Intermediates (certificate requested before 10.10.2010)
Thawte SGC CA – G2 and VeriSign Class 3 Public Primary Certification Authority – G5 (certificate requested after 10.10.2010)

Thawte Extended Validation:
Thawte Extended Validation SSL CA
Thawte Primary Root CA 2020
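An added example, not code from the original post or from Thawte: it installs the downloaded CA files into the Windows stores the chain builder looks in, then walks the chain for the web server certificate and prints it in the “Certificate 1 .. N” form used in the intermediate-certificate post above, naming the issuer that is still missing if the chain stops short. This one block serves both that explanation and the resolution here. Assumptions: the CA's files were saved under C:\certs\ca-bundle as .cer/.crt, the server certificate is in LocalMachine\My with its thumbprint in $Thumbprint, and the PKI module is present (Server 2012 or later; on 2003/2008 use “certutil -addstore CA <file.cer>” for the import step).

```powershell
$BundleDir  = 'C:\certs\ca-bundle'                  # assumed
$Thumbprint = 'PASTE-SERVER-CERT-THUMBPRINT-HERE'    # assumed
$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Import. A self-signed certificate is a root and belongs in Trusted Root Certification Authorities;
#    anything else in the bundle is an intermediate and belongs in Intermediate Certification Authorities.
Get-ChildItem $BundleDir -Include *.cer,*.crt -Recurse | ForEach-Object {
    $c = New-Object "$X509.X509Certificate2" $_.FullName
    $store = if ($c.Subject -eq $c.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $_.FullName -CertStoreLocation $store | Out-Null
    "{0,-24} <- {1}" -f $store, $c.Subject
}

# 2. Build the chain the way schannel/IIS will. AllowUnknownCertificateAuthority keeps Build()
#    from stopping early so a partial chain can still be printed and inspected.
$leaf  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'NoCheck'                           # checking structure, not revocation
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$complete = $chain.Build($leaf)

$i = 1
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    "Certificate {0} - Issued To: {1}; Issued By: {2}" -f $i, $c.GetNameInfo('SimpleName', $false), $c.GetNameInfo('SimpleName', $true)
    $i++
}

# 3. Interpret. A good chain ends in a self-signed certificate that is in the Root store.
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($last.Subject -ne $last.Issuer) {
    # Windows found nothing for this issuer in CA or Root: that is the intermediate still missing.
    "MISSING: no certificate found for issuer '{0}' (needed after Certificate {1})." -f $last.Issuer, ($i - 1)
} elseif (-not (Test-Path "Cert:\LocalMachine\Root\$($last.Thumbprint)")) {
    "UNTRUSTED ROOT: chain ends at '{0}', which is not in Trusted Root Certification Authorities." -f $last.Subject
} else {
    "OK: {0} certificates, ends at trusted root '{1}'. Build() = {2}" -f $chain.ChainElements.Count, $last.GetNameInfo('SimpleName', $false), $complete
}
$chain.ChainStatus | ForEach-Object { "  status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim() }

# 4. A complete chain can mislead: Windows may have fetched a missing intermediate from the
#    certificate's AIA URL and cached it. Confirm each intermediate is really in the CA store,
#    because that is what determines what the server sends to clients.
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $c = $_.Certificate
    if ($c.Subject -ne $c.Issuer) {
        "  intermediate '{0}' in LocalMachine\CA: {1}" -f $c.GetNameInfo('SimpleName', $false), (Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)")
    }
}
```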

 

What is the difference between Implicit SSL and Explicit SSL?

FTP over SSL (Explicit)
Explicit security requires the FTP client to issue a specific command to the FTP server after the TCP connection is established, in order to start the TLS handshake on the control connection. The client connects to the default FTP port (21), reads the plain-text banner and sends “AUTH TLS” (or the older “AUTH SSL”); a 234 reply means the server is ready, and the TLS handshake follows on the same socket. Everything exchanged before that point is unencrypted, so a client must not send credentials until the handshake has completed. The AUTH command is defined in RFC 2228, and its use with TLS in RFC 4217.
FTP over SSL (Implicit)
Implicit security means TLS is negotiated as soon as the FTP client connects, before any FTP command or reply is exchanged. The server dedicates a separate port for this, conventionally 990 for the control connection (and 989 for data). Implicit FTPS predates RFC 4217 and was never standardized; many servers still offer it for old clients. In both modes the data connection is separate and is only protected once the client has sent “PROT P”.
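An added example, not from the original post: both ways of starting TLS on the FTP control connection, written against raw sockets so the difference is visible on the wire: explicit (AUTH TLS on port 21) versus implicit (TLS before any FTP byte, port 990). The server name, credentials and the helper function names are assumptions; the commands and reply codes are the protocol's own.

```powershell
function Read-FtpReply([System.IO.StreamReader]$Reader) {
    # Replies are "NNN text"; a multi-line reply starts "NNN-text" and ends with a "NNN text" line.
    $line = $Reader.ReadLine()
    if ($null -eq $line) { throw 'connection closed by server' }
    $lines = @($line)
    if ($line.Length -ge 4 -and $line[3] -eq '-') {
        $code = $line.Substring(0, 3)
        do { $line = $Reader.ReadLine(); $lines += $line } until ($null -eq $line -or $line.StartsWith("$code "))
    }
    $lines -join "`n"
}

function Send-FtpCommand([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command) {
    $Writer.WriteLine($Command); $Writer.Flush()
    $reply = Read-FtpReply $Reader
    Write-Host ("> {0}`n< {1}" -f ($Command -replace '^PASS .*', 'PASS ********'), $reply)
    $reply
}

function Connect-Ftps {
    param(
        [string]$Server,
        [ValidateSet('Explicit', 'Implicit')][string]$Mode,
        [string]$User = 'anonymous',             # assumed
        [string]$Pass = 'user@example.com'       # assumed
    )
    $port = if ($Mode -eq 'Explicit') { 21 } else { 990 }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $port)
    $raw = $tcp.GetStream()
    try {
        if ($Mode -eq 'Explicit') {
            # Plain-text phase on the normal FTP port: banner, then the client asks for TLS.
            $r = New-Object System.IO.StreamReader($raw)
            $w = New-Object System.IO.StreamWriter($raw); $w.NewLine = "`r`n"
            Write-Host ("< " + (Read-FtpReply $r))                 # 220 banner, unencrypted
            $reply = Send-FtpCommand $w $r 'AUTH TLS'               # RFC 4217; 234 = proceed with handshake
            if (-not $reply.StartsWith('234')) { throw "server refused AUTH TLS: $reply" }
            # Everything above travelled in the clear; from here the same TCP socket carries TLS.
        }
        # Implicit mode reaches this point without a single FTP byte exchanged: the TLS handshake
        # is the first thing on the wire, on the dedicated port 990.
        $ssl = New-Object System.Net.Security.SslStream($raw, $false)   # default callback = strict validation
        $ssl.AuthenticateAsClient($Server)
        Write-Host ("TLS up: {0}, peer = {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Subject)
        $r = New-Object System.IO.StreamReader($ssl)
        $w = New-Object System.IO.StreamWriter($ssl); $w.NewLine = "`r`n"
        if ($Mode -eq 'Implicit') { Write-Host ("< " + (Read-FtpReply $r)) }   # 220 banner, inside TLS

        # In both modes the credentials are now encrypted ...
        Send-FtpCommand $w $r "USER $User" | Out-Null
        Send-FtpCommand $w $r "PASS $Pass" | Out-Null
        # ... but the data connection is separate: without PROT P, listings and files still go in the clear.
        Send-FtpCommand $w $r 'PBSZ 0' | Out-Null
        Send-FtpCommand $w $r 'PROT P' | Out-Null
        Send-FtpCommand $w $r 'QUIT'   | Out-Null
    } finally { $tcp.Close() }
}

Connect-Ftps -Server 'ftp.example.com' -Mode Explicit    # server name assumed
Connect-Ftps -Server 'ftp.example.com' -Mode Implicit
```

The trace from the explicit run shows the banner and the AUTH TLS exchange in the clear and everything after the handshake encrypted; the implicit run shows nothing at all before the handshake. A server that answers AUTH TLS with anything other than 234 is not offering TLS, and a client that then falls back to sending USER/PASS unencrypted has the same problem as the mobile apps discussed above.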

Google SSL – Privacy I believe in

Today I got wind of a new beta from Google: Google search over SSL. Now you can have an end-to-end search that is encrypted between your computer and our friends over at Google. This will protect your search terms and results from third parties such as your ISP, or company network admins who may be monitoring your search terms. Stop over at https://www.google.com and give it a try. Note: the S in HTTPS is for secure.
