SSL / HTTPS


HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivations for HTTPS are authentication of the visited website and protection of the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.


Hi Experts,

I have bought a wildcard certificate from COMODO.
Now I need a certificate for my application but it must be a named certificate like:
MDM.DOMAIN.COM

Is it possible to extract a certificate from my wildcard certificate?
0
We have a 3 year Starfield cert which just auto-renewed.  I am able to download a new cert with the new expiry.  I imported the cert and see that the "Subject Key Identifier" is the same as the expiring cert.

The new certificate does not have the key symbol in certificates MMC indicating the new cert does not have a private key which is expected.  

My question: how is the private key linked to the new certificate?  Should I simply load the new certificate on all servers and bind it to the applications and expect everything to work fine or should I rekey?

I have had some trouble finding a good explanation for how this process works.
0
We have a series of servers at a client's site that runs Exchange, dedicated Terminal server (2008 R2), Webserver and Application server.

Their UCC certificate that's used for Exchange, autodiscover, and terminal service connection has lapsed and I am in the process of updating it across the board.

I've already generated and completed the CSR request from GoDaddy, imported into Exchange (confirmed it's working on new cert), exported that from IIS, uploaded to the Terminal server and imported into Personal store.

However when I go to Remote Session Host configuration under General > Certificate > Select...
It only shows me the previous certificate, does not give me any other option aside from the old certificate I'm replacing.

Where might I find the option for replacing the RDP-TCP certificate for 2008 R2 Terminal server?

Furthermore the server does not have Connection Broker Tools or Remote Desktop Gateway Tool features installed at this moment. I've looked online found a couple promising guides however they either don't pertain to my scenario or they are for a different version of Server than I have.
0
Hello,

If you connect to a secure bank site, or even Facebook using HTTPS, on an open non secure WiFi, is the data between your computer and the site secure?
1
Good afternoon,

Mozilla seems to have stopped displaying images on our website.  We noticed it today, but not sure when it started.

Our website is https://ppar.com.  This is a 2012R2 Server running IIS 8.5.9600.16384.  Our websites reside on this server.  We have a valid cert for this website.  The images reside on another server running Server 2016 with IIS 10.0.14393.0.  The images server also has a valid cert.  The time on both servers is correct and both certificates have not expired.

When I try a valid link ( https://photos.ppar.com/matrixlarge/11/8120075-1.jpg ) in both Chrome and Firefox, it works in Chrome and fails in Firefox with the following error:
"An error occurred during a connection to photos.ppar.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT"

I'm beating my head against a wall...any help?

Attached images.
FireFox.JPG
FireFox1.JPG
Chrome.JPG
0
The GoDaddy SAN certificate for an Exchange 2013 server has been revoked. I have re-keyed the certificate and a new one has been issued and downloaded, but I'm unable to access the EMC due to the revocation of the old certificate, and am at a loss as to how to go about installing the new cert. This is something I know little about, so step by step help would be much appreciated.
0
I have created an Amazon S3-compatible server that is being used purely for backing up my data (using ARQ, etc.). However, I am only able to connect to it using HTTP as a URL, not HTTPS. If I use HTTP (not HTTPS) as my URL, are my S3 credentials and data transmitted in plain text, or is it encrypted?

Thanks.
0
I have an IdHTTPServer and I want to implement support for handling both HTTP and HTTPS requests. Here is my config:

FSSLHandler := TIdServerIOHandlerSSLOpenSSL.Create(nil);
FSSLHandler.SSLOptions.CertFile     := 'certificate.pem';
FSSLHandler.SSLOptions.KeyFile      := 'key.pem';
FSSLHandler.SSLOptions.RootCertFile := 'chain.pem';

FIdHTTPServer.Bindings.Add.Port := 443;
FIdHTTPServer.IOHandler := FSSLHandler;

FIdHTTPServer.Active := true;


In the server directory I have ssleay32.dll and ssleay32.dll v1.0.2l (Win32) downloaded from http://indy.fulgan.com/SSL/

When I make a request from Chrome, in the security tab of the developer tools I see:

YLrb4.png
Also, analyzing the server with sslyze, I have some other security issues (see VULNERABLE label):

> sslyze --regular local.XXXXXXXXXXXXXX.com:4343

SCAN RESULTS FOR LOCAL.XXXXXXXXXXXXXX.COM:4343 - 127.0.0.1
 --------------------------------------------------------

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_1 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                    
0
Hi,

I have configured SSL in tomcat, and I am able to access the server using https.

But I am getting the certificate error. I have created the files below to resolve the issue.
1) keystore.jks
2) tomcat.keystore
3) xxxx.csr

From the certificate authority I have created certnew.cer and certnew.p7b.

I opened certnew.p7b and used the sub and root certificates to create root.cer and root1.cer. Basically, I converted the root certificates' format to Base64-encoded X.509.

Then I used the commands below to send the two certificates to the keystore.

keytool -import -trustcacerts -alias Root -file "D:\XXXXXXX\root.cer" -keystore "D:\xxxxxxxx\tomcat.keystore"

keytool -import -trustcacerts -alias Root1 -file "D:\XXXXXXX\root1.cer" -keystore "D:\xxxxxxxx\tomcat.keystore"

Then I merged the server certificate by using the command below:

keytool -import -trustcacerts -alias biuser -file "D:\XXXXX\certnew.cer" -keystore "D:\xxxxxx\tomcat.keystore"

I have modified my server.xml file in tomcat as attached. (PFA)


I got a message that the certificate key was installed to the keystore, but I am still getting the certificate error.
0
I have a Google visitor map that uses geolocation that has stopped working on the live site but still works @ localhost

I'm thinking it could be because I don't have an SSL certificate!

Looking at the webhosting website they charge from £25.99 per year which seems a bit steep considering I only want it so the google works

My question is: do I need an SSL certificate?
If so, do I have to go through the hosting company or can I register for free?
0
Our Exchange 2010 SSL certificate is about to expire and we are preparing to replace it.  In the past, we've had some issues with this process as far as it not being as seamless as we'd like.  Users were getting various warnings/messages, accounts had to be removed and re-added on mobile devices, etc.  What can we do to eliminate the many phone calls from users this time around?  We used EMC to generate a CSR, validated it with GoDaddy, and downloaded the new cert.  I assume it's as simple as selecting the pending cert signing request and completing it, but want to be very cautious.  I would like this to be a seamless process without the end users being aware anything even changed.  

I *think* possibly the issue at the last renewal was due to one of the SANs that had previously been used was missing from the CSR, although we didn't know that at the time and are still not sure why it was missing.  I don't know that this is the cause though so I want to make sure I've covered all possibilities.
0
I have been getting event id 403 after installing a new SSL cert on my Exchange 2010 server.

The certificate named 'B02FEAAC45742783AA61FC8DB7D0C5E0FF415239' in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the  certificate store of the server.

What does this mean?
0
Hi,
I've added an SSL certificate to a couple of websites to make them secure but noticed that this didn't take place even though the URLs start with https etc.
These are old existing sites so I suspect that the reason might be to do with legacy image links i.e. http:// www.site.com/image1jpg.
Does the same logic apply to hyperlinks to external websites?
For example, if a page is linked to http://www.externalsite.com/ instead of https://www.externalsite.com/ and all other image links etc. are https:, would the page be considered as not being totally secure?

Any and all help and tips would be much appreciated.

Thanks!
0
Hello!

I have a problem when I'm trying to get an https image from a web site. The page uses TLS 1.2, so I use OpenSSL and it works for all the text I want to get from the page. When it comes to the picture, then I get the "underlying crypto error, error connecting with ssl, error 1409442E: SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version" error.

Does anyone have any idea what is causing this? I've tried more SSL/TLS versions, but none of them worked. I use the latest dlls.

Thanks for any help in advance!
0
Hi
We have Exchange Server 2007 on site, and a few years ago we wanted to upgrade to Exchange 2010. One of the companies built the Exchange 2010 server, it was completed, and an SSL certificate was also installed on this server.
On the exchange server when I open the EMC ,
Later we changed our minds and wanted to go with Office 365, and now I am planning to migrate to Office 365 early next year.

Now the SSL certificate on the Exchange 2010 server has expired, and whenever the client PCs are restarted, or sometimes when Outlook is opened, an SSL certificate security alert pops up.
Please see the attached. It is annoying the users. Is it possible to stop this alert from popping up?

Any help would be great
Thanks
SSL-popup.jpg
0
Hello all, we are being PCI scanned and are failing on a few items, one being a self-signed cert in Exchange

the X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Exchange has a 3rd party SSL certificate installed already which is assigned to
IMAP, POP, IIS, SMTP

The self-signed cert is assigned to
IIS, SMTP

I'm unable to de-select these options.

Do I need to delete the self-signed certificate? If so, how would I go about it?

thanks
0
The large image of the four Canada stamps on this page is causing Firefox to tell me the page is not secure due to non-secure elements on the page:

https://www.worldstampcompany.com/country/canada

However, in my HTML I am using:

https://imageshack.com/a/img923/5798/vZdd8h.jpg

If I put that URL in my browser, I do indeed get a "connection is not secure" message. However, if I then forcibly put https in my browser:

https://imageshack.com/a/img923/5798/vZdd8h.jpg (again)

...it does come up as secure.

I'm not sure what Image Shack is doing, it seems like they are redirecting to non-secure (http) but at the same time, if I can force https in, it looks like they have a certificate.

Is there something I can do to make this work, or do I have to contact Image Shack and find out what they are doing on their end?

Thank you!
0
My company owns a particular domain name mystuff.com to a site but due to some weird contract issues we don't control it. DNS control is handled by consultants and they currently have it running at amazon. If we need to add a sub domain now to mystuff.com (SSL cert and a cname), who should be responsible for this? Us or the consultants?
0
Hello everyone,

Been beating my head against the wall about this for a little bit, and other venues I've tried weren't able to provide a lot, partly due to my lack of knowledge.

We have internal DNS for ourcompany.com hosted on a Server 2012 machine, as well as public DNS for ourcompany.com hosted at GoDaddy. It seems that in the last couple months people have been having issues getting to some of our subdomains pointing to external parties, for example mail.ourcompany.com points to outlook.office365.com. Chrome seems to be the biggest offender when having issues. It seems the browser is looking for the cert for outlook.office365.com, but recognizes that it's coming from mail.ourcompany.com and obviously sees that they're not the same thing.

We only recently added the ourcompany.com forward lookup zone to our internal DNS, and it works fine off-network, so I don't know what I'm doing wrong with our internal DNS to get it to work properly.

Some have suggested pointing the DNS record(s) to an IIS box and do http redirect, rather than having DNS just point straight to the 3rd party.

It also seems that clearing Cached Images and Files in the browser clears up the problem for a few days, but I feel like there's gotta be a better solution than clearing cache via GPO.

Does anyone have any suggestions?

Thanks so much!
0
Hi

I have an issue with users in our USA office not being able to open an Exchange 2010 shared mailbox.  We are using RSA tokens (SecurID) to authenticate - I believe what is happening is they can log into the OWA site OK but when selecting add another mailbox, they receive the error 'A server configuration change is temporarily preventing access to your account. Please close all Web browser windows and try again in a few minutes. If the problem continues, contact your helpdesk'

The user I am dealing with in the USA tells me 'Hi Jason.  I can't get to any Houston-hosted box.  So if I try to log in using https://remote.company.com/owa, I get the "A server configuration change is temporarily preventing access to your account. Please close all Web browser windows and try again in a few minutes. If the problem continues, contact your helpdesk." error as it is trying to load my personal mail box.  Instead I log in with https://remote.company.com/OWA/ukmailbox@company.com/ so that it takes me straight to UK.  Once in UK, though, I get the same "A server configuration change..." error if I try to navigate to Houston@company.com'

I'm new to this position and there isn't much in the way of documentation - as far as I can see the client access for OWA setup is using forms based authentication -  there is a Forefront TMG 2010 acting as the Exchange Edge server - as far as I can tell the firewall rule in place for OWA on the TMG is doing what it should - however, weirdly if I …
0
Due to how our website is configured, and the fact we have many novice outside people accessing our FTP server (they are sales reps), it may prove difficult to force them to switch to an SFTP or SSH method to access the server.  So I wanted to pose the question - if FTP is the best I can do for now, what is the best, most secure way to configure it?  Is SSL fairly secure?  Any other ways to do it?

Thanks for your input.
0
This is for Exchange ActiveSync.
If I create the certificate request using IIS, the CA generates a certificate which includes a "SMIME capabilities" field.
However, there is no option to generate a SAN field.

These instructions show how to add a SAN field:  https://techontip.wordpress.com/2011/06/06/how-to-create-a-san-certificate-signing-request-for-iis-web-server/

But the certificate generated has no "SMIME capabilities" field.
I think SMIME is an important part of Activesync, correct? So the certificate to use with ActiveSync must have it.

How can I generate a Certificate with both fields?
0
We have a web server hosting Certsrv (ADCS Role)... Delegations have been made for FQDN, SERVER name (NetBIOS name) and now it is working fine with https://FQDN/certsrv

However, by calling the IP address, i.e. https://1.2.3.4/CertSrv, it is not working. So I just want to know: can we delegate an IP address for GMSA?

After some googling I found this article, which clearly shows Kerberos does not support IP addresses, as it is normal behavior
https://support.microsoft.com/en-ca/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-addres
0
Points of My Scenario:
1. I am troubleshooting CRM Dynamics website failure, which occurred after 3 un-installable Windows updates (KB4025337, KB4022722, and KB4034679).

2. Users get the following error when attempting to connect to website: "This page cannot be displayed. Turn on TLS1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to <https://website> again"

3. TLS 1.0, TLS 1.1, and TLS 1.2 were all always checked (turned on) in the Advanced tab of the Internet Options dialog box.

4. In IIS (on a Windows Server 2008 R2 SP1 member server) the "Microsoft Dynamics CRM" website bindings include http (over port 'wxyz'), and https (over port 'efgh').

5. Surprisingly, the "Browse *:wxyz (http)" link works, WHILE the "Browse a.b.c.d:efgh (https)" link  fails with the generic error "Internet Explorer cannot display the webpage"

6. When the user tests the non-SSL version of the website, (s)he gets the error "Not Authorized. HTTP Error 401. The requested resource requires user authentication."

7. The https (SSL) and the http (regular, unsecure) links are identical - so, whereas the https (SSL) link complains about the absence of settings that are truly present, http complains that the user is not authorized.


QUESTION: What shall I do next to troubleshoot/resolve this failure of the CRM Dynamics website?

I am grateful for any help I can get. :-)
0
This is Apache 2.2.17 and it was compiled into its own directory.
The Openssl version on the server was 1.0.0.
I installed a newer version 1.0.1g.

Configured the new version to be used by the OS. 'openssl version' and 'which openssl' both show the new version.

However, when I try to add the new security from OpenSSL in the httpd.conf I get this error:

SSLProtocol: Illegal protocol 'TLSv1.2'

...showing that it is still not using updated OpenSSL.
Per Redhat. httpd2.2.17 should support this:

https://access.redhat.com/solutions/65030
RHEL 6: TLS v1, v1.1, & v1.2 support

You must have at least openssl-1.0.1e-15.el6, httpd-2.2.15-39, and mod_ssl-2.2.15-39 to have support for TLSv1, v1.1, & v1.2.
TLS v1.1 & v1.2 support added to OpenSSL with release of openssl-1.0.1e-15.el6 from RHBA-2013:1585, first shipped in RHEL 6.5.
The ability to specify TLSv1.1 & v1.2 in Apache with SSLProtocol was included in httpd-2.2.15-39, released in RHBA-2014:1386-1.

What needs to be done to do this other than recompiling Apache?
0
