DSM7: Secure connection to Synology NAS in LAN (no letsencrypt) - synology

I know from this page that there should be a way to use self-signed certificates in my LAN in order to establish encrypted connections between my computers and my local Synology NAS.
In essence it says:
It has two prerequisites:
Your Diskstation must have a fixed IP address on your LAN. You must be
able to add or assign certificates to devices you want to approve your
SSL. If you can satisfy those conditions, proceed with the following
steps:
In DSM 6.0 -> Control Panel -> Security -> Certificate
Click “Add” to start the process and choose “Create self-signed
certificate”
First you create a Certificate Authority (CA) which is the master key
that will sign the site usable SSL.
However, in my case (DSM 7.0-41890) I cannot see any option saying "create self-signed certificate".
Does anybody know how to do this with DSM 7?
I don't need 100% security, I just want the communication between devices in my network to be encrypted. I don't want any malicious program in my network to be able to see passwords in clear text by just monitoring network traffic...

There should be a subsection called "Add a new certificate", in which you can create a new self-signed certificate. A friend told me about this; I wasn't able to check it myself, so I apologize in advance in case it does not work.

I think they removed this possibility in DSM 7; it was in 6.

Related

Windows certificate interactive logon

I'm trying to log on to a domain-joined computer using a certificate only.
I wonder if it's possible; I read a lot on smart cards and virtual smart cards, and both require a PIN code.
From what I understand, Kerberos allows authentication using a PKI certificate, so the basic question is: is it possible to log the user in to the domain using a certificate only?
Thanks
Yes. You need to deploy a CA that can issue certificates for users, and configure Active Directory to support certificate authentication. This involves registering a KDC certificate on each Domain Controller and issuing certificates to users. Certificates for interactive logon can be stored in smart cards or TPMs for classic authentication scenarios as well as using e.g. Windows Hello for more modern scenarios.
The basic process is along these lines:
Spin up a Certificate Authority and generate the Kerberos/user auth/smart card certificate templates (Example steps
Request certificates for each DC for KDC auth
Request certificates for a given user (enroll cert on smart card)
From there you can require certificates for interactive logons on a per-user basis. There's a bunch of guides on how to do this such as the one linked above.

SCOM - Issue with single server domain-management & agent

For my new task I have to use SCOM to monitor non-domain servers/computers. My company told me to do it with only one management server that contains the other SCOM features. So I have a Windows 2016 server with SCOM in a local domain, and I have to connect the other devices. It seems easy, but I have a problem with certificates: when I try to issue certificates for my server and computers and import the certificate with MOMCertImport, in Event Viewer I see event ID 21007, which tells me "The OpsMgr Connector cannot create a mutually authenticated connection to 'PC-NAME' because it is not in a trusted domain." So I have the certificates installed but still can't connect the agent to SCOM. What should I do? I searched everywhere for this problem, but no solution worked for me!
There are a few things you need to look at.
1. The certificate must have both client auth and server auth purposes.
2. Authentication is MUTUAL, i.e. your agent confirms its identity to a gateway, or to a management server, AND the gateway or management server confirms its identity to the agent.
3. Certificates must be issued to the EXACT computer FQDN. If you rename, join a domain, or change the DNS suffix, this will invalidate the certificate, because the FQDN changes.
4. Install and bind certificates at both participating servers (i.e. agent and (MS or GW)). This is because of #2.
5. Obviously, you need individual certificates for each server, because of #3.
6. Ensure that both servers can maintain a trust chain to their own certificate and to the other party's one. Ideally you have a single root/issuing CA which was used to issue both certificates. In this case, just install the root/issuing CA certs in the appropriate stores of the local computer account. If using self-signed certificates, you need to install them as trusted at the other party.
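The three certificate requirements in the answer above (both EKUs, exact FQDN, a trust chain the other party can build) can be checked before the certificate is handed to MOMCertImport. The following is an added example written for this page; it is not Microsoft's or the answer's own code. It takes a PEM certificate (export the .cer from Windows, or convert DER with `openssl x509 -inform DER`), the FQDN the machine will present, and the CA bundle the other party trusts; the host name agent01.corp.example used in the comments is a placeholder. Requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not SCOM's or Microsoft's code): audit a certificate against
# the SCOM requirements listed above. Usage:
#   scom_cert_check CERT.pem EXPECTED_FQDN CA_BUNDLE.pem
# Returns 0 only if every requirement holds and prints which one failed otherwise.
set -eu

scom_cert_check() {
    cert="$1"; fqdn="$2"; cabundle="$3"; rc=0

    # Requirement 1: Enhanced Key Usage must contain BOTH server and client
    # authentication, because the connection is mutually authenticated.
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: $cert lacks the Server Authentication EKU"; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: $cert lacks the Client Authentication EKU"; rc=1 ;;
    esac

    # Requirement 3: the name must match the machine's FQDN exactly (SAN first,
    # CN as fallback). A rename, domain join or DNS-suffix change breaks this.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
            | grep -q ' does match '; then
        echo "FAIL: $cert is not issued to $fqdn"; rc=1
    fi

    # Requirement 6: the other party must be able to build a chain to a CA it
    # trusts; CA_BUNDLE is what is installed in that party's trusted stores.
    if ! openssl verify -CAfile "$cabundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: no trust chain from $cabundle to $cert"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert satisfies the SCOM requirements for $fqdn"
    return "$rc"
}

# Example call (paths and name are assumptions):
# scom_cert_check agent01.pem agent01.corp.example corp-issuing-ca.pem
```

Run the check on each side with that side's own certificate and the bundle installed on the opposite side; requirement 2 is simply both runs passing. Event 21007 in the question is consistent with a failure of either the name or the chain check, which is why the FQDN argument should be exactly what `hostname` returns on the agent, not what you typed into the request.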

Performance Testing for Hybrid App

I am supposed to do a performance test for a Hybrid App.
First, on my Android device I modified the proxy settings by choosing the Manual option, entered my system IP address 192.168.1.10 as the proxy server and entered 8080 as the port.
And then, from JMeter 3, I took the Recording Controller template; in the HTTPS Script Recorder I entered the port as 8080.
After starting the HTTPS Script Recorder, when I opened my hybrid app it was not working: "Unfortunately we cannot find your account information". This means that the hybrid app is not connecting to the internet through proxy mode.
But I am able to get responses from other apps installed on my Android device.
I tried Neoload and Blazemeter as well: https://guide.blazemeter.com/hc/en-us/articles/207420545-BlazeMeter-Proxy-Recorder-Mobile-and-web-.
But I faced the same issue everywhere.
Please provide me a solution to make the hybrid app work even when connecting to the internet through proxy mode.
Thanks
N Ali
You need to find out the main error using e.g. the Logcat command to narrow down the possible reasons, as there could be too many of them.
The hints below are applicable for HTTPS traffic only; however, I'm pretty sure that modern applications use the HTTPS protocol.
You may need to use a 3rd-party application in order to set up an HTTPS proxy, e.g. ProxyDroid.
You will definitely need to install JMeter's self-signed certificate onto the device so JMeter can decrypt and record secure traffic.
Locate ApacheJMeterTemporaryRootCA.crt under the "bin" folder of your JMeter installation and transfer it to your Android device (e.g. send it to yourself via email)
Click on the attached certificate
Follow the Android system certificate installation dialog to get it set up
Be aware that JMeter's certificate has a limited lifetime (7 days), so you won't be able to record secure traffic if it has expired.
More information:
HTTPS recording and certificates
Load Testing Mobile Apps Made Easy
In addition to Dimitri's answer regarding JMeter, NeoLoad also has a similar CA certificate which needs to be added to the device.
You can locate this certificate from
C drive -> Users -> Username -> Appdata -> Roaming -> Neotys -> CA certificate
Copy this certificate to your device (or mail it to yourself) and install it either by directly selecting it or from the security settings.
Once the certificate is installed on the device, you should be able to record the HTTPS traffic from the application via the proxy.
P.S. Ensure that you are able to view all hidden files, because by default Appdata is hidden.
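Both answers above come down to the same two facts: the recorder's CA certificate has to be installed on the device, and JMeter's CA is only valid for a few days. The following is an added example for this page, not JMeter's, NeoLoad's or BlazeMeter's own tooling: it checks how much validity a recorder CA has left before pushing it to the device with adb, and refuses to push one that is about to expire. The JMeter path in the comment and the Download folder on the device are assumptions; the push needs adb with a connected device, the checks only need openssl.

```shell
#!/bin/sh
# Added example (not from JMeter or NeoLoad): validity check and adb push for a
# recorder CA certificate. Paths are placeholders.
set -eu

# ca_valid_for_days CERT DAYS -> 0 if CERT is still valid DAYS from now, 1 if not
ca_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# ca_expiry CERT -> the notAfter date, for the log line
ca_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# push_ca_to_device CERT: copies the CA into the device's Download folder.
# Installing it is still done on the device (Settings > Security > Install a
# certificate > CA certificate, naming varies by Android version).
push_ca_to_device() {
    cert="$1"
    if ! ca_valid_for_days "$cert" 1; then
        echo "refusing to push: $cert expires $(ca_expiry "$cert"); restart the recorder for a fresh CA" >&2
        return 1
    fi
    echo "pushing $cert (valid until $(ca_expiry "$cert"))"
    adb push "$cert" "/sdcard/Download/$(basename "$cert")"
}

# Typical use with JMeter's CA (path is an assumption, adjust to your install):
# push_ca_to_device "$JMETER_HOME/bin/ApacheJMeterTemporaryRootCA.crt"
```

One caveat that the installation steps do not cover: apps that target Android 7.0 (API level 24) or later do not trust user-installed CA certificates unless their network security configuration opts in, so a release build of the app under test can still reject the recorder's certificate with the CA correctly installed. That failure shows up in the Logcat output the first answer tells you to look at, and it is a property of the app build rather than of the proxy.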

Shipping SSL certificate in Mac OS X app

I'm writing a utility Mac OS X app that basically acts as a web server accepting incoming HTTP requests (think of it as a mock REST API server). I want to be able to support HTTPS, but ideally I'd like to remove the requirement for my users to have to purchase their own SSL certificates.
I've been thinking a little on how I might achieve this. Let's say I register a domain called myapp.com. I then purchase an SSL cert for myserver.myapp.com that is signed by a registered CA. I ship my app with those SSL cert details embedded within it. All my users have to do is update their /etc/hosts file to point myserver.myapp.com to whatever IP address my app is installed and running on.
In fact, by far, the most common scenario would be my app running on the same machine as the client, so I'm considering updating the main DNS entry for myserver.myapp.com to point to 127.0.0.1, and most users wouldn't have to change anything.
So, that's the basic theory. What have I missed that would make this an unworkable plan? A couple of things that have crossed my mind:
I could use a self-signed cert. However, many SSL clients barf (or throw up warnings) if the cert doesn't have a valid CA chain. I'm happy to pay the money for a real cert to alleviate this inconvenience for my users.
I would be embedding the private key for my SSL cert into my app. In theory, someone could extract that and use it to impersonate my app. I guess my reaction is "so what?" My app is a small productivity app, it isn't an e-commerce site. It doesn't collect sensitive info. It literally just simulates web server responses so devs can test their apps.
Any advice/feedback would be greatly appreciated. Thanks.
This won't work - but for nontechnical reasons.
Distributing an SSL certificate to your users along with its associated key will violate the issuance terms of your SSL certificate provider, and they will revoke the certificate when they discover what you have done. (This happened, for example, when Pivotal tried to offer SSL service for developers through sslip.io.) This will, of course, cause your application to stop working.
If your users have administrative access to their machines, they can create and trust their own self-signed CA using Keychain Access. Once they have done so, they could create a certificate (again, using Keychain Access) and insert that into your application to enable SSL.
As said in the other answer, you can't ship the same certificate for everybody. What you could do is generate a different one for everybody:
The application asks them for the domain name they want to use (a domain they must own, like myapp.example.com)
The application uses the ACME protocol to automatically get a trusted certificate from Let's Encrypt
Note: you can provide them subdomains of a domain you control (like [clientid].yourappname.yourdomain.com) ONLY if you can register yourappname.yourdomain.com in the public suffix list (because Let's Encrypt has rate limits)

Installation of Windows Kernel Mode driver requires network access?

I'm trying to get a certificate for myself, paying $200 to get it. Before I go buy it, does anybody know whether installation of a kernel-mode driver (which requires the code to be signed) needs network access? How does it verify the authenticity? Etc.
Network access is not needed. The authenticity is verified by checking the digital signatures and certificates themselves. Network access is only used to update certificate revocation lists (in case any certificates have been revoked), and an operation won't fail just because the CRL couldn't be updated.
You don't need to buy a certificate to test Windows drivers, you can turn on Test-Signing mode. Check out http://msdn.microsoft.com/en-us/library/windows/hardware/ff547660(v=vs.85).aspx for more info.