Solved

Enterprise CA TLS 1.2 Template

Posted on 2016-08-03
4
125 Views
Last Modified: 2016-09-10
Hey,

I'm looking to sign a requested certificate from an application through our Enterprise Root CA.
The third party application is only supported to run on TLS1.2 for SSL Communication, so is there a way to sign this certificate request with our CA using a template settings to have it compatible with TLS1.2 instead of the common SSLv3.

Thanks in advance for your input on the subject.
0
Comment
Question by:Hani_SA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 64

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41741956
Actually using iiscrypto tool to set to best practice will already allow TLS1.2. As long as the cipher in the link is as what is in the CSR for encryption and key exchange, TLS1.2 will already be supported. I do not think you need any special template at your CA as long as your CA is also supporting TLS and have SSLV3 and below disabled.

Tool
https://www.nartac.com/Products/IISCrypto

Cipher suite
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Example - how to enable TLS v1.2 for IIS to increase the cipher strength to 256-bits.
http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/
1
 
LVL 62

Assisted Solution

by:gheist
gheist earned 100 total points (awarded by participants)
ID: 41747762
wire protocol (SSLv2 or TLS 1.3) has nothing to do with RSA certificate used for key initialisation.
0
 
LVL 64

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
ID: 41766306
TLS 1.2 cipher should have the below hence the reordering will allow the system to take those as priority ones

TLS v1.2 cipher suites

 
TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256

 TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256
 TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256
 TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384

 TLS_DH_RSA_WITH_AES_128_CBC_SHA256        DH-RSA-AES128-SHA256
 TLS_DH_RSA_WITH_AES_256_CBC_SHA256        DH-RSA-AES256-SHA256
 TLS_DH_RSA_WITH_AES_128_GCM_SHA256        DH-RSA-AES128-GCM-SHA256
 TLS_DH_RSA_WITH_AES_256_GCM_SHA384        DH-RSA-AES256-GCM-SHA384

 TLS_DH_DSS_WITH_AES_128_CBC_SHA256        DH-DSS-AES128-SHA256
 TLS_DH_DSS_WITH_AES_256_CBC_SHA256        DH-DSS-AES256-SHA256
 TLS_DH_DSS_WITH_AES_128_GCM_SHA256        DH-DSS-AES128-GCM-SHA256
 TLS_DH_DSS_WITH_AES_256_GCM_SHA384        DH-DSS-AES256-GCM-SHA384

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384

 TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256
 TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
 TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384

 RSA_WITH_AES_128_CCM                      AES128-CCM
 RSA_WITH_AES_256_CCM                      AES256-CCM
 DHE_RSA_WITH_AES_128_CCM                  DHE-RSA-AES128-CCM
 DHE_RSA_WITH_AES_256_CCM                  DHE-RSA-AES256-CCM
 RSA_WITH_AES_128_CCM_8                    AES128-CCM8
 RSA_WITH_AES_256_CCM_8                    AES256-CCM8
 DHE_RSA_WITH_AES_128_CCM_8                DHE-RSA-AES128-CCM8
 DHE_RSA_WITH_AES_256_CCM_8                DHE-RSA-AES256-CCM8
 ECDHE_ECDSA_WITH_AES_128_CCM              ECDHE-ECDSA-AES128-CCM
 ECDHE_ECDSA_WITH_AES_256_CCM              ECDHE-ECDSA-AES256-CCM
 ECDHE_ECDSA_WITH_AES_128_CCM_8            ECDHE-ECDSA-AES128-CCM8
 ECDHE_ECDSA_WITH_AES_256_CCM_8
  not all cipher may be supported in Windows, this is just a guide on those applicable when you check on the suite.

https://www-origin.openssl.org/docs/manmaster/apps/ciphers.html
0
 
LVL 64

Expert Comment

by:btan
ID: 41792436
As explained to have the supported cipher in the CSR.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question