SSL / HTTPS Help

We have an internal program that uses a public certificate for security. We need to lock down the application on devices so they do not have any access outside of the program (client connects to a server using several ports) and Logmein (for remote support).

I am using the Windows Firewall to block outbound traffic except for traffic we will allow for the program. The problem I am having is that the application will not run because the public certificate will not verify the certificate chain (for security on the user login). I have tried to turn off settings for revocation in Internet Options, but that is not what the problem is. It seems the app needs access to the internet to verify the certificate. So in Windows Firewall, I need to know what exactly do I need to open outbound?

1 Comment

Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

When I type my domain name (e.g. "example.com") into Safari on my iPhone, I am directed to the unsecured version (http://example.com).

Same behavior with Edge on desktop: if I type example.com in the URL bar, I am directed to the unsecured version.

On Chrome however if I type example.com https://www.example.com is loaded.

My site is hosted on Heroku with DNS by Google domains:

Open in new window

How do I ensure the encrypted version of the site is always loaded?

5 Comments

Question by

Goraps

7d ago

SSL CERT - CRT to PFX convert

I have a domain name that is used to connect Cisco Anyconnect clients to a Cisco ASA 5516. I just renewed my SSL cert and GoDaddy sent me 2 x .CRT files. When I called cisco for help installing this SSL CERT they said I need to have it in .PFX format. Godaddy only gives out CRT files. How do I get the PFX format that Cisco is requesting? I dont recall having to do this last year.

7 Comments

LVL 24

Question by

Mohammed Hamada

7d agoSolved

Installing multiple certificates on multiple wordpress sites on the same host

I have a Centos Server 7.0 which has wordpress installed with multiple sites (directories) under /etc/www/html/. I managed to install one certificate on one of those sites however, I have to install another certificate for another 4 sites hosted on the same server under the same directory.

I know this is done but I am not really that familiar with Centos and Wordpress.

I would appreciate any help or recommendation.

Thank you

8 Comments

Client is beginning to use Azure to develop sites for customers. They need SSL certs for security. I'm a bit confused as to what SSL(s) would be needed to cover the domains.

All of the subdomains will end in one root domain. Example:
rootdomain.com

The subdomains will go several levels deep. Examples:
Name1.rootdomain.com
Name2.rootdomain.com

AnotherName.Name1.rootdomain.com
YetAnotherName.AnotherName.Name1.rootdomain.com

Can one 'multi sub-domain' SSL cert secure every level in front of rootdomain.com?
Or do you need another cert every time you do add a period into the structure (ie, one cert for *.rootdomain.com, another for *.Name1.rootdomain.com, etc.)

Hope I've explained this clearly...

15 Comments

Question by

Sean Doolan

2018-12-03

Exchange 2013

Hi Experts ,

I have 2 Exchange servers , both running Exchange 2013 in the same domain.
1st Server is Srv3 which was the first Server setup and running Exchange 2013, the 2nd Server is Srv6 this is the 2nd Server running Exchange 2013.
I want to decommission Srv3 and make Srv6 my main and only exchange server.
I have moved my mailboxes across to Srv6 and have purchased a comodo payed cert and this is also installed on Srv6.
Srv3 has a self signed cert installed.
I am looking for some help on decommissioning Srv3 and making Srv6 my primary and only exchange Server.
if I turn off Srv3. I can access my Mailboxes and I can sent mail as now going trough Srv6, but can't receive mail or get to my e-mail remotely (owa).
if I try and setup the receive connector on Srv6 to be the same as Srv3 but it won't let me.
Any help or advise would be greatly appreciated
Thank you.

2 Comments

I am in the process of disabling medium ciphers in order to satisfy our PCI scan.

But i am running into some discrepancy on 2 different Win 2012 R2 servers which is really weird.

Server 1
Before - Grade B
Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK       256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK       128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK       112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE       128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE       128

After removing those i got grade A

Server 2
Before - Grade A even with weak ciphers

Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK      256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK      128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK      256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK      256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK      128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK      112

After removing the same ciphers i got a Grade B complaining about this
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B

Sure enough the scan on the 2 servers shows that Server 2 is missing these 2 ciphers

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS       256
…

3 Comments

Hello experts,

Good day to you all. I would like to have an experts opinion or knowledge-base article on how to enable ssl using self-signed certificated in windows server (iis).?

Currently, we have an active directory (****.local) domain with a child server (hrms.****.local).
In this child server Windows IIS is enabled and currently working with http binding only on port 8080 (tcp).
Now we want to implement https binding and restrict http access.
Kindly help me through this with your valuable advice.

note - It is an ASP .net application for our company internal usage.

Thanks & Regards,

Mohamed Marzook

3 Comments

LVL 2

Question by

sara2000

2018-11-16Solved

Ent .CA private key

Hello experts out there.
I have a question about ent root CA's private key. We have a server which issues the cert to clients.
Do we have to backup the private key ?
If so what Is the reason we have to backup?

8 Comments

I get the WCF error "{"The remote server returned an error: (403) Forbidden."} The HTTP request was forbidden with client authentication scheme 'Anonymous'." when using basicHttpBinding with Transport security and certificate credential. My service is in amazon ec2 instance and my client app remotely connect to it over the internet. I am able to connect to the wcf service if I my Transport credential is set to "None" in both the web.config of the service and app.config of the client. My service certificate is like "www.example.com" is installed on amazon ec2 "local machine store" and "Personal Folder". My client app certificate is just a self-signed certificate which I installed to its "local machine and Personal Folder" and also to the "Trusted People store" in the amazon ec2 instance where my wcf service is. I have also setup "https" to my IIS site bindings and I can reach the site through like "https://www.example.com"

Below is the web.config, app.config, and the code I have on the client app.

Service Web.config:

<?xml version="1.0"?>
<configuration>

<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off"/>
</system.web>
<system.serviceModel>

<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding_Config" >
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
…

0 Comments

Exploring SharePoint 2016

LVL 12

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

How do I redirect mail.domain.com (without https and without /owa) to https://mail.domain.com/owa ?

Having either one will redirect.
Eg
https://mail.domain.com redirects to https://mail.domain.com/owa
and
mail.domain.com/owa also redirects to https://mail.domain.com/owa

mail.domain.com goes to "403 - Forbidden: Access is denied."

In IIS, I have HTTP redirect set to https://mail.domain.com/owa

2 Comments

LVL 1

Question by

Yashy

2018-11-08Solved

Locking down VPN ports for application being used....

Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Yashy

4 Comments

I have a wordpress website on AWS EC2 Ubuntu Linux. I am not good in this department of coding but I get by. I just used created a Load Balancer and attached it to my EC2 instance. I am trying to force SSL (HTTPS) on anyone who visits my site. I have 90% of it correct. if you visit:

https://www.Example.com
www.Example.com
http://www.Example.com (Redirects to https://www.Example.com)

it works perfectly with Secure. But if you go to
Example.com
http://Example.com

then it goes to a UNSECURE site. and stays on Example.com

In my ".htaccess" file at the very top I have the code below. So what is the problem? I thank you for the help.

#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^Example.com [NC]
RewriteRule ^(.*)$ https://www.Example.com/$1 [L,R=301,NC]

# Begin force ssl
<IfModule mod_rewrite.c>
# RewriteEngine On
 RewriteCond %{SERVER_PORT} 443
 RewriteRule ^(.*)$ https://Example.com/$1 [R,L]
</IfModule>

Open in new window

3 Comments

Question by

Maggi Soffa

2018-11-02

SSL for Windows where to buy

I need SSL for my website and I don't know from who I should buy it or how to add it to my Windows 2016 Webserver.
I have one main domain and several subdomains.

6 Comments

LVL 1

Question by

Yashy

2018-11-01Solved

There was a problem opening your mailbox (after SSL cert has been installed).

Hi guys

I've just recently installed a new SSL certificate for our Exchange 2010 server. People can access the site. However, nobody is able to open attachments. When they try, they are getting what I have attached. Have a look and see. All of the browsers that are trying to open are using IE8 (sadly) as they are our stores and are locked down, but they were able to do all of this before.

Is this DNS related? Is it SSL related?

Thank you for helping
Yash
Picture.jpg

11 Comments

I am trying to use an SSL certificate on a Wordpress Multi-site.

I just installed and SSL certificate for my primary domain, https://simplifychurch.com. I had assumed (albeit probably incorrectly) that the certificate would cover the network of sites since they all are on the same host, etc.

I checked my site at http://learn.simplifychurch.com and it gives the not secure error warning.

I'm a bit over my head now in testing what needs to go where, I used a WP Plugin to work on forcing the SSL to the site, and have set it up on each site however the Learn.simplifychurch.com domain is still not working correctly.

Just need some guidance and advice on how to adjust. I guess I could get a wildcard cert if necessary as there is no way on my host to install an individual certificate to each network site.

3 Comments

I have a client with a SBS 2011 server who changed the email domain from mail.XXX-uk.com to remote.XXX.com. The internet domain name wizard was run reflecting the new domain and hence the new remote domain name of remote.XXX.com and a new verified SSL certificate was installed. Outlook Web Access and Remote Web Workplace work fine. All the internal clients appear to be connecting fine but the 2 remote clients which are Outlook 2016 are not connecting when using Outlook Anywhere and they get an error message "there is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.XXX-uk.com." The actual target should be remote.XXX,com.
I did have a problem with the mail.XXX being stuck on the Exchange 2010 smtp service but it appears to be cleared now.

5 Comments

Is there a way to bypass the SSL certificate error. We have a development environment where we want to bypass the SSL certificate error rather than installing the same. Something like, installing the cert as accepted. Not sure how. Can someone tell me the step by step procedure if this is achievable.

Thanks in advance.

SSL / HTTPS

10 Comments

We're trying to set up ActiveSync for one of our customers running Exchange 2010, and it's failing the Remote Connectivity Analyzer diagnostic for "Exchange ActiveSync" at the certificate trust validation step:

"There's a missing intermediate certificate in the certificate chain. Subject = CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB. For more information, see Knowledge Base Article 927465. "

I've consulted the KB article it cites, which advises me to make sure all of the intermediate certificates are installed, and verify that nothing is expired. I went to our cert vendor, obtained the intermediate certs, and reinstalled them. Verified nothing was expired, and restarted IIS. Diag still failed. Rebooted the server to be safe, diag still fails.

Went to another customer that has working ActiveSync and an identical setup. Verified that the "Exchange Activesync" MS RCA diag passes successfully for them. Used the Certificates MMC snapin to verify that both their server and the problem customer's server possess the exact same intermediate and root certs. I looked at "Trusted Root Certification Authorities"\"Certificates", "Intermediate Certification Authorities"\"Certificates", and "Third-Party Root Certification Authorities"\"Certificates, and everything is the same. I opened and checked the certification path for each certificate in the problem customer's environment, and no errors were noted. Reverified that …

7 Comments

PMI ACP® Project Management

LVL 12

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Question by

Cian Dev

2018-10-24Solved

Exchange 2013 Security Cert Issues

Hi folks

i have an issue with MS Exchange 2013, that i cant seem to resolve, the issue is with security certs, i purchased one for our external domain "mail.comany.com" installed it and it works fine, the issue is that when users are on the internal network using Outlook 2013/2016, i keep getting a security alert for "server01.domain.local" saying the name on the security cert in invalid or does not match the name of the site

Where do i need to start to fix this

My experience level with exchange is at at a novice level, so any help much appreciated

thanks

Cian

18 Comments

On an SBS 2011 standard server, I was having problems getting a new user working on ios (but outlook 2016 worked fine and other existing users set up fine on the phone)..

I started playing with the microsoft connectivity tester and it was failing with certificate errors.

Troubleshooting some error numbers, I see pages talking about checking the certificates.

Looking in the certificate snap in, there's this user and this machine choices. looking in there, there's LOADS of certs. some expired. some YEARS away from expiration (affirm Trust Premium ECC with exp 12/31/2040 is the farthest out in trusted root certs), there's trusted root cert authories, third party trusted root certs. 'all' we use the server for is exchange and file server. Yeah, I use server/remote and server/owa... the users don't.

Can I blindly delete the expired certs (some I think are self signed) we do have a comodo cert that expires in 1 1/2 years. There were godaddy certs - I think we had that before the comodo. and other certs from companies I don't know about. They come with the server? (again it's SBS 2011).

And there's untrusted certs like diginotar Root CA G2 expiring in 2029).

Is there a list of what I can / should delete or keep? Just to reduce clutter? I just know about the comodo cert we bought. these others? No clue.

THere's a */EFGO.GOV.TR cert expiring in 2021. We are a US based company / don't do anything with other countries... ok, I see something about google …

4 Comments

Question by

ManieyaK_

2018-10-23Solved

Windows Server 2008 R2 Schannel Errors

Our server (running win server 2008 R2) has been plagued with two errors in Event Viewer-->System:
First:
Event 36888, Schannel
"The following fatal alert was generated: 40. The internal error state is 1205."

Second:
Event 36874, Schannel
"An TLS 1.2 connect request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

Not sure what's causing these errors.

7 Comments

Hi all,

Im working in a company and when we enter in the domain with admin profile, i can select the certificates, but when other users use this pc with their domain, username, certificates need to be selected from the begging. Does it exist any way of entering as admin in that pc and selecting ssl in internet explorer by default as we want them to be for all users?

Thank you,

3 Comments

Hi all,

I would like to ask if it is possible to add or better select internet explorer certificates, ssl, once and for all users that will use that pc without having to enter to their pc accounts in order to do for each them?

Thank you a lot for your help!

4 Comments

LVL 1

Question by

Kyle

2018-10-20Solved

Generate SSL CSR for ADFS

understand how ADFS & Web Proxy servers work. I'm having an issue getting a standard SSL issued to work for the configuration of the ADFS and then the Web Proxy. I'm assuming I need to generate a CSR from the ADFS server at
a minimum of 2048.

How do I generate the CSR for the ADFS domain ss0.contoso.org?

4 Comments

SSL / HTTPS

Related Topics

SSL / HTTPS

Related Topics