SSL

Firefox: Add a Trusted Certificate Authority

By default, Firefox has its own certificate store of well-known and trusted commercial Certificate Authorities. So today, when I pushed out an internal self-signed certificate, Firefox did not recognize it as valid.

To correct this issue I did the following:

  • Launched Firefox
  • Opened the options panel and selected Advanced
  • Selected View Certificates to access the Certificate Manager
  • Then by clicking Import and browsing to your exported CA Cert you can import the internal certificate.

I hope this helps.

SSL issuer certificate not found after installation

Ouch! With Go Daddy certificates, I ran into this issue on a server when trying to apply a new certificate and its intermediate certificates. The issue seemed to be from not having a complete certificate chain installed in my server’s certificate store.

The fix was simple: download and install the root bundles from here: https://certs.godaddy.com/anonymous/repository.pki

This is in no way the fault of Go Daddy. The server I am hosting on, Server 2003, lacks the much-needed certificate store updates, so it doesn’t know about the newer root CAs.

That said, Go Daddy is still the best in my book.

IIS 7 Error “A specified logon session does not exist. It may already have been terminated.”

I was in the process of updating an IIS7 Website with its newly issued Certificate when I encountered the following issue: “A specified logon session does not exist. It may already have been terminated.”

To resolve this issue:

  • Opened the MMC (start > run > type: mmc)
  • Add\Remove Snap-ins > Select Certificates > Click Add >
  • Choose Computer account > Next > Local computer > Finish
  • Then Clicked OK

Now under Certificates (Local Computer)

  • Select Personal > Certificates
  • Removed the Certificate that was giving me the problem

Again under Certificates (Local Computer)

  • Select Personal > Certificates
  • Right Click Certificates > All Tasks > Import…
  • Click Next > Browse to the new certificate (*tip: use all items view)
  • Select the certificate to import and click Open > Click Next
  • After entering your password, ensure the following are selected: Mark this key as exportable… and Include all extended properties.

Once done, I returned to IIS and attempted to change the certificate to my new one, and it worked without issues. I think this is some sort of bug with IIS7; perhaps there is a fix. For now this works and that’s all I need.

Good luck.

Added Note:

The following system event was shown, ID 36870: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
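The remove and re-import steps above can also be scripted. This is an added example, not part of the original post; it uses the .NET certificate classes so it also runs on the PowerShell version that ships with older servers, and the thumbprint and PFX path are placeholders.

```powershell
# Added example: replace a certificate in Personal (Local Computer) and confirm
# its private key came along. Run from an elevated PowerShell session.
$OldThumbprint = '<THUMBPRINT-OF-PROBLEM-CERT>'      # placeholder
$PfxPath       = 'C:\path\to\new-certificate.pfx'    # placeholder

$password = Read-Host 'PFX password' -AsSecureString

# MachineKeySet + PersistKeySet store the private key with the computer account
# so it survives after this session ends. Exportable matches "Mark this key as
# exportable"; leave it out if the key never needs to leave this server.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password, $flags

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
try {
    # Remove the certificate that was giving the problem, if it is still there.
    $old = $store.Certificates | Where-Object { $_.Thumbprint -eq $OldThumbprint }
    if ($old) { $store.Remove($old) }
    $store.Add($new)
}
finally {
    $store.Close()
}

# Re-read the certificate from the store: IIS needs HasPrivateKey to be True.
$check = Get-Item "Cert:\LocalMachine\My\$($new.Thumbprint)"
if (-not $check.HasPrivateKey) {
    throw "Certificate $($check.Thumbprint) was imported without a private key"
}
"Imported {0} (expires {1}); private key present." -f $check.Thumbprint, $check.NotAfter
```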

What is an intermediate certificate?

I just completed a new CSR (Certificate Signing Request). Upon its completion I was issued my new cert along with an intermediate certificate to be installed on my host server. This gives me the perfect opportunity to share what an intermediate certificate is.

An intermediate certificate is used to “chain” your SSL certificate back to a root certificate authority. Think of it as a proxy or gateway to the source where all certificates are signed. Intermediate certificates provide maximum browser and server coverage to ensure visitors won’t receive “invalid SSL” warnings when they visit your site.

For example, if a certificate is issued to “example.com” by “Intermediate CA 1”, and the visiting web browser trusts “Root CA”, trust may be established in the following manner:

Certificate 1 – Issued To: example.com; Issued By: Intermediate CA 1
Certificate 2 – Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
Certificate 3 – Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
Certificate 4 – Issued To: Intermediate CA 3; Issued By: Root CA

The visiting web browser trusts “Root CA”, and a secure connection can now be established. Since this process is often called “certificate chaining,” intermediate CA certs are sometimes called “chained certificates”. For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities. -source
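To see the chain Windows actually builds for an installed certificate, and to spot the missing-issuer problem described in the Go Daddy post above, the following added example (not from the original posts) prints each link in the same "Issued To / Issued By" form. The thumbprint is a placeholder.

```powershell
# Added example: build and print the chain for a certificate in Personal (Local Computer).
$Thumbprint = '<THUMBPRINT-OF-YOUR-SERVER-CERT>'   # placeholder

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation checking so the result reflects chain building only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

$complete = $chain.Build($cert)

# List every certificate Windows managed to link together, leaf first.
$i = 1
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $issuedTo = $c.GetNameInfo('SimpleName', $false)
    $issuedBy = $c.GetNameInfo('SimpleName', $true)
    "Certificate {0} - Issued To: {1}; Issued By: {2}" -f $i, $issuedTo, $issuedBy
    $i++
}

if ($complete) {
    "Chain is complete and ends in a trusted root."
}
else {
    # PartialChain:  an issuer (usually an intermediate) was not found.
    # UntrustedRoot: the chain was built, but its root is not in
    #                Trusted Root Certification Authorities.
    foreach ($status in $chain.ChainStatus) {
        "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}
```

Windows can fetch a missing intermediate over the network while building the chain, so a complete result here does not prove the server is sending the intermediate to clients that do not do the same.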

For more info have a look at the following links:

Certificate authorities

Public-key cryptography

Cryptography stubs

Assign an SSL Certificate to Services in Exchange Server 2013

Switching Exchange 2013 over to a publicly accessible address requires a valid FQDN and a valid SSL certificate. After installing the certificate on the server, we need to find our way to the Exchange Administration Center. Once there, do the following:

  • Select Servers, then Certificates
  • Choose the valid Certificate you plan to use and Click edit (double click seems to work also)
  • Select the services to be used by the Certificate – SMTP, IMAP, POP, IIS
  • After making your selection click Save

You will get a warning about the existence of the previous certificate, click Yes.

Now you should be able to test your Outlook Web App by going to the https:// address of your site.
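The same assignment can be made from the Exchange Management Shell, with a few checks before the services are switched over. This is an added example, not part of the original post; the thumbprint and FQDN are placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
$Thumbprint = '<THUMBPRINT-OF-YOUR-CERT>'   # placeholder
$Fqdn       = 'mail.example.com'            # placeholder public FQDN

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

# Refuse to assign a certificate Exchange itself does not consider usable.
if ($cert.Status -ne 'Valid') {
    throw "Certificate status is '$($cert.Status)', expected 'Valid'"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this server"
}

# Warn if the public name is not listed on the certificate.
# (A wildcard entry such as *.example.com will not match this exact comparison.)
$names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $Fqdn) {
    Write-Warning "$Fqdn is not among the certificate names: $($names -join ', ')"
}

# Same services as selected in the Exchange Administration Center steps above.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP,IMAP,POP,IIS

# Confirm which services the certificate is now bound to.
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Services, NotAfter, Status
```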