I am in a bit of a sticky situation. At my work we are using Windows 2003 IIS 6 to host a legacy but critical website and now I need to renew the SSL certificate with SHA2 which is basically incompatible with Windows 2003 IIS 6.
In an ideal world I would migrate to a Windows 2008 server but sadly this is not possible because it is a legacy system that runs other bespoke legacy software and I don't have the ability to upgrade the OS. Also I am a web developer for a company where the network/I.T. manager resigned.
Is there any way to get round this? I have had the idea that I would disable SSL on IIS 6 and install a simple NodeJs proxy server with SSL to locally target the IIS 6 site (IIS6 HTTP to NodeJs HTTPS). Does know if this would work or have any better idea?
Kind regards,
Robin
please follow below steps.
1) Update the Two hot fixes in windows server 2003(KB938397 and KB968730.)
2)Install a OPENSSL which supports SHA256 algorithm
3)Raise a CSR through the OPENSSL commands (http://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/)
4)generate Private key while generating CSR,And this key will be saved in the form of .key and CSR will be in the form of .csr.
5)Copy paste this CSR to request SSL certificate.Place this certificate in the OPENSSL bin folder.
6) Once you get the SSL certificate with SHA256 algorithm ,Go to you OPENSSL->bin->here convert the .key file to .pfx file using OPENSSL commands.(Is it possible to convert an SSL certificate from a .key file to a .pfx?)
7)Go to MMC and import your certificate and .pfx file.
8)Now you can see your certificate along with your private key.
-
I found the answer in this website:
https://stn28.wordpress.com/2014/09/24/sha-2-compatibility-with-windows-server-2003-and-iis6-0/
It shows that you need to download a fix that includes two components for SHA2 support in IIS 6.0
Related
I'm trying to create a SSL certificate for an "old“ website being hosted in an IIS 7 server. The website currently uses http, but I will like to start using https. I'm trying to find the best and easiest way to do this, but I'm getting confused in what to do and how to do it.
I have tried reference articles like this https://www.digicert.com/kb/csr-ssl-installation/iis-7.htm#ssl_certificate_install and some other youtube videos, but
I cannot event get the application DigiCert to open on the windows machine (to buy a certificate)
It seems I have to buy the certificate for ~ $200 ??
Are there any (free ?) or other methods to make my current http site use https. I know certbot does this for me on nginx servers, but how to accomplish this on a windows server?
Thanks
You can generate a self-signed certificate from https://www.selfsignedcertificate.com/.
You can also request a trusted certificate for free from Certbot.
Or you purchase it from a trusted CA. Eg. Sectigo.
Easiest way is using certbot from Let's encrypt. You can choose Windows there as system. Also see https://community.letsencrypt.org/t/how-to-generate-a-ssl-certificate-for-iis-7-0-or-7-5/29467 .
I deploy my CA cert via GPO into Trusted Root Certification Authorities, which I can see is deployed to my client machines. I know this part is working as Chrome no longer moans when browsing to sites using my signed SSL certs.
However, when I try and git clone or push to any repositories behind an SSL cert signed by this CA, git-for-windows bawlks and says this:
schannel: next InitializeSecurityContext failed: Unknown error
(0x80092012) - The revocation function was unable to check revocation
for the certificate.
As you can see, I've got schannel enabled, but git-for-windows is clearly not reading my CA cert from the Certificate Store in Windows. Any one know how I make gfw read from the Certificate Store in Windows? I can't manually copy this cert onto all my Windows clients, that'd take forever.
Perhaps worth noting I'm using multiple Samba 4 instances as Domain Controllers, but I don't have access to Windows Server tools such as AS Certificate Services.
nb. I know I can disable tls verification, but that surely defeats the purpose.
How do I get an SSL certificate that works on my local network? It cannot be self-signed, as this messes up AJAX calls. I haven't found an issuer that would allow me to do something like this yet.
You do not need a paid certificate for localhost.
You could make an self-signed and import it in browser certificate store. For ajax (and all other functionality) it will be absolutely correct one.
You could create such certificate with OpenSSL (command line tool) or with graphic tool as XCA on Windows OS.
Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be pre installed so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When Accessing the site I Get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome when I view the certificate information it I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Sefl signed certificate always triger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate wich was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert. signed with the CA and put it on the web server. The clients install public part of the CA cert in "Trusted CA" certificate store. When client conect to the web server the server sent the signed SSL certificate, the client check if it is a "trusted" cert (was signed by a trusted CA) and if everithing is Ok the client doesn't show the warning.
You ended with this cert chain:
CA cert->SSL cert
CA cert public part is installed in client broser as trusted CA. SSL is put in the web server. Client validate SSL cert agaist its Trusted CA certs installed in its Certificate Stores.
It is like CyberTrus CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably the encryption protocols that your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allow you to enter a web site, and they'll throw a battery of test transactions at it to test it's security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2
I'm in a situation where I need to deploy around 200 SSL Certificates to various devices around our Agency (HP iLO - such joy they bring...). At present I have a powershell script that obtains a CSR from the iLO Device, but I now need to be able to sign this with our CA in an automated manner so I can pass back to the script and import into the device.
We are using Microsoft Certificate Services and I can download the CA Certificate, Certificate Chain, or CRL if required.
I do not really care how I get the signed certificate - what I mean is, if powershell needs to call an external app to get it signed, then thats fine. I've had a look at makecert.exe in the .NET SDK but it does not appear to do the job.
I have the feeling it may be possible using OpenSSL - If someone could enlighten me, that would be great.
Cheers
Having Dealt with Microsoft Engineer this morning, the most graceful solution in doing this with existing infrastructure is using certreq.exe. Once you have a CSR, you can run this command to obtain a certificate using MS CA:
certreq.exe -attrib "CertificateTemplate:WebServer" infile.csr outfile.cer
from there, you ca get the certificate using Get-Content outfile.cer to feed back into the script.
Cheers
This article contains the steps to create a CA and sign a CSR from IIS:
Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5
You can export the CA into a format OpenSSL can read, and follow the steps after "Sign the Certificate Request".
Here's a FAQ for OpenSSL on managing a CA with the tool.
http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
i've used OpenSSL successfully to create and manage a root CA, sign CSRs and generate certificates.
Powershell cannot handle this natively, but it can interact and script the whole process, definitely.
-Oisin