Link to home
Create AccountLog in
Avatar of Netsol-NOS
Netsol-NOS

asked on

SSL Certificate Version and Configuration

Dear EE,

How can we verify that which SSL certificate is currently installed on our server.

1) SSL 2.0 or
2) SSL 3.0

What will be the steps.

Secondly we have certificate issued by CA how can we bind that certificate with IE browser. So that our application which is build on EAServer runs with Https://xxxx on IE.

Thanks
Netsol-NOS
Avatar of Pradeep Kini
Pradeep Kini
Flag of India image

to find whether a certificate is V2 or V3 template based, access the certificate and look at the version. In the screen shot, I am using the certificate used by Gmail and its a V3
second part of your questions is certificate issued by a CA. Is the CA internal (your own CA server) or a Public certificate authority like verisign, symantec, Godaddy etc.

if it is internal all machines (clients ) that access the site should have the certificate chain, i.e they need to have your intermediate and root certificate installed in the computers local certificate store. the steps are same for public CA as well, but in most cases the CA root and intermediate are already there

on the client
start ---> run --->MMC , add/ remove snapin . choose certificate and computer account and then local computer. if you look at the screenshot. ensure that the root and intermediate are installed in their respective store
google-cert.PNG
cert-store.PNG
Let's see if there is a cert even assigned to your IIS server.
Open IIS Manager > click on the server> Click on Server Certificate.
If you see one there you have a cert imported to your IIS server.
User generated image
You can double click that cert and then click on the Details Tab.

User generated imageUser generated image
You will see V2 or V3 for the Version line.

You do not bind the cert at the browser level.  This is done at the server level.

Expand Sites > right click the site that you want to see if a cert is bound to >Edit Binding

User generated imageUser generated imageUser generated image
If nothing is bound click the drop-down and assign the cert you wish to use for SSL.
Avatar of Netsol-NOS
Netsol-NOS

ASKER

Dear All,

I have found V3 (Which i think is SSL 3.0 please correct me). But i need V2 (SSL 2.0) then i will test the application and then upgrade it to V3 (SSL 3.0).

Thanks again for your support.

Please help how can i get V2 from local CA.

Thanks
Moreover can you please also confirm that "How we can bind SSL certificate with EAServer 5.5" ?
I install fresh installation of EAServer and open console with https and it works
with out installing any CA certificate.

https://130.0.15.11:8001/console and it works.

After that i just deploy me application and open it on IE and it works as you can see below.

User generated image
AS YOU CAN SEE HERE THAT IT IS BY DEFAULT CONFIGURED WITH TLS 1.0
I NEED TO MAKE IT UPGRADE ON SSL 2.0
I HAVE CREATED SELF SIGNED CERTIFICATE.

BUT DO NOT KNOW HOW TO EMBED NEW CERTIFICATE INTO EASERVER.

Thanks.
TLS is secure when compared to SSL 2.0 or even 3.0 and even TLS 1.0 Most Organizations donot support SSL 3.0 so if you can refrain from Using SSL 2/3.0 further more these are also governed by the server where you could block the weak ciphers as well as support for SSL.

https://support.microsoft.com/en-us/kb/187498

The certificate version is the Certificate Template version and should not be confused with SSL/ TLS versions here. The steps provided above are for installing the certificate as well as configure it in your website/ application. when you access the web application on https and it shows the certificate it means its already configured for the website.
can you explain what you mean by embeding it in EAserver. I am not sure what your EA server server is but the above holds good for IIS
We are not configuring SSL for IIS.
We are trying to configure the SSL 2.0 Certificate on Windows 2008 R2 where there is EAServer installed.

@Kini: You are very right about the security details of TLS, But right now we are trying to configure SSL 2.0 on this server.
ASKER CERTIFIED SOLUTION
Avatar of Pradeep Kini
Pradeep Kini
Flag of India image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Hi All,

@ Kini:

Can some one please recommend me below steps in PRODUCTION Server.


Server
If you receive your certificate file make sure it has a .crt extension, if necessary rename the file like cert.crt and store it ont he server machine.
Run the Security Manager application
Select the folder that corresponds to the type of certificate you are installing. (Select the Trusted folder for the intermediate certificate and the User folder for the SSL certificate).
Select File > Install Certificate.
Either paste the entire contents of the certificate into the box (base64 encoded certificates only), or click the Import from File box.
If you select Import from File, the cut and paste area is dimmed. Use the browse feature to locate the certificate.
Click Install.
If the certificate is of type .crt or .p7c, it is installed.
If the file is a PKCS #12 type (has either a .p12 or .pfx extension) the PKCS #12 Certificate/Private Key window displays. Enter the password that allows access to the file. This is the password you entered when you generated the certificate files (CSR and private key).
To export the certificate and its private key at a later time you must check the Mark private key as exportable checkbox.
Click Done.

Reference :- http://www.networking4all.com/en/support/ssl+certificates/manuals/sybase/sybase+easerver/install+certificate/
Hello Netsol- Nos,

could you explain the big picture, from the questions you have above it's not clear what you want to achieve?
My assumptions -

you are deploying a web based application on windows server 2008 r2 and you want this application to use SSL. for the certificate you are using a self signed certificate.It is not clear why you want to use SSL at all here and why not TLS 2.0 or better.

The steps you have provided in your last note referencing the networking4all talks about installing the certificate for Sybase EA.

a few questions - which server did you use to generate the CSR ? is it the same server as EA installation ?
was this CSR provided to the Internal CA after which you received the .crt file ?

first of all you need to figure out a few things here - The URL and the domain name for this application, certificates are not assigned based on IP addresses. This needs to be the common name of the certificate issued.
secondly you need to install the certificate first on the server / machine where the CSR was generated so that the certificate could be bound to the private key. The CA root and intermedita certificate all needs to be installed on the server such that the certificate chain is established. the inetrmediate/ root cert also needs to be there on the clients that access this URL to prevent the browser from throwing a certificate trust error.

any explanation on why and what are you trying to achieve would be helpfule
@Kini i will get back to you in detail. mean while can you please confirm that how can i check SSL 2.0 is enabled or not through NMAP.

As i did same to same steps you defined.

But when i enabled SSL 2.0 in Internet Browser and disable other as mentioned below my site does not work.

User generated image
browser will only negotiate if SSL 2.0 is supported on the server and should work. however if you really want to look at the option if SSL 2.0 is enabled as a protocol at the server level tools like NMAP or for that matter if this application is published to the internet than tool like ssl labs from qualys should help

https://www.ssllabs.com/ssltest/
if it doesnt work on the browser than its worthwile to find whether the server supports the SSL 2.0 protocol
Thanks. actually application is not published on the internet.

What i have done is .
1) EAServer has its own self signed certificate for testing.
2) We enabled SSL 2.0 in EAServer (Registry) by below steps.
Client
User generated image
Server
User generated image
Please confirm is it fine with SSL 2.0 testing.
The settings on the server look good, did you reboot after this was added in the registry ?

you could try Nmap against the server IP

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Yes i did  reboot server.

Now when i open IE on same server and enable below settings.

User generated image
it does not work. But when i add USE TSL 1.0 option CHECKED it works.

:(
hmm, that leads me to believe that SSL 2.0 is disabled at the windows Code level and might not work using a reg hack. I dont have a windows 2008 r2 server to test this at the moment but I could try this later tonight on a customer test bed and confirm. what does nmap show you ? does it list ssl 2.0 as a protocol at all on the server ?
Dear Kini,

Can you confirm me that what is the meaning of below screenshot taken from Windows 2008 R2 Prod Srv.
User generated image
Hey disablebydefault has values of 0 and 1 a value of 1 means ssl 2.0 is disabled and a value of 0 means that its not disabled by default
Special Thanks.

1) Its mean on Windows 2008 R2, SSL 2.0 will be DISABLED if any client will access this server (which is windows 2008 R2  in my case) .
And if i add below details as in below picture

User generated image
2) Then on windows 2008 R2 server side SSL 2.0 will also get disabled for clients.

3) And  if i need to ENABLE  SSL 3.0 on same server then i need to add another CLIENT with value 0 and Server with value 0.

Please correct me thanks in advance.
That would be correct Netsol-Nos
These registry settings only affects IIS. And not disabled for EAServer.
Still same results.
that is strange, I am no expert on sybase. is there a possibility you could check with Sybase/ SAP support if any additional changes are needed. if it affects IIS / windows server there is no reason why it shouldnt work
Thanks.