Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x

SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

Share tech news, updates, or what's on your mind.

Sign up to Post

This is Apache 2.2.17 and it was complied into its own directory.
The Openssl version on the server was 1.0.0.
I installed a newer version 1.0.1g.

Configured the new version to be used by the OS. 'openssl version' and 'which openssl' both show the new version.

However, when I try to add the new security from OpenSSL in the httpd.conf I get this error:

SSLProtocol: Illegal protocol 'TLSv1.2'

...showing that it is still not using updated OpenSSL.
Per Redhat. httpd2.2.17 should support this:

https://access.redhat.com/solutions/65030
RHEL 6: TLS v1, v1.1, & v1.2 support

You must have at least openssl-1.0.1e-15.el6, httpd-2.2.15-39, and mod_ssl-2.2.15-39 to have support for TLSv1, v1.1, & v1.2.
TLS v1.1 & v1.2 support added to OpenSSL with release of openssl-1.0.1e-15.el6 from RHBA-2013:1585, first shipped in RHEL 6.5.
The ability to specify TLSv1.1 & v1.2 in Apache with SSLProtocol was included in httpd-2.2.15-39, released in RHBA-2014:1386-1.

What needs to be done to do this other than recompiling Apache?
0
Looking for the Wi-Fi vendor that's right for you?
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

We have webserver where certificate Authority webenrollment role installed and it is pointing to Issuing CA

When ever we try https://webservername/certsrv then i can able to request certificates

but when i try https://webserver<Ip Address>/certsrv then in the last step while requesting certificate the following error appears... can anyone help to resolve this

certsrv.JPG
0
Hi
I am installing AFDS on our Active Directory server is Windows 2012 for migrating our exchange server 2007 to office 365 through the Hybrid deployment.
I would like to procure a third party SSL certificate on this ADFS server. As per the link below under Create the SSL Certificate Request (CSR) – Point 8 it says Fill out the certificate request properties.
https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365/

“Make sure that the common name matches what you plan to call the AD FS server farm”

Not sure what would be the common name needs to be put in here. Please suggest and let me know if you need any further information.
Thanks in advance.
0
Hi

Our Active Directory  server is Windows 2012 and I am working on migrating our exchange server 2007 to office 365 through the Hybrid deployment .

I would like to install the ADFS on our Active directory sever .

Firstly If i have to install ADFS role , please let me know if i need to install the Active directory certificate services on the active directory server prior to installing the ADFS.

Secondly , i am planning to procure the SSL certificate from Trustico to install on the ADFS server,
Will i be able to  generate the certificate request CSR file on the ADFs server and send it to  Trustico to issue a signed certificate?

Or do i need to install the Active directory certificate services on the AD server and generate CSR and then send to Trustico.

I am doing this  migration for first time , Please correct  where required and let me know how to go about.

Thanks in advance.
0
Please help!

I have been tasked with renewing and then installing a SSL certificate on a SBS 2011 server. I have already renewed the cert and imported into the MMC console and I have ran the Certutil CMD command as per my normal steps. The next step that I usually follow is to launch the SBS Console and then via the certificate wizard 'add a new certificate' choosing the option 'use a certificate already on this computer' however the server in question has an issue whereby the SBS console crashes immediately (not when switching to the network tab but literally immediately). I have confirmed WMI is up and also ran the repair console option using the original CD media and then rebooted but still the error remains. I cannot see anything obvious in Event Viewer.

I have to install this certificate asap (within the next 24 hours) so just wondering is there a way of replicating the 'install a certificate already on this computer' method without using the SBS Console (powershell etc). Going forward clearly the SBS issue needs to be fixed but this is a secondary issue and the most important bit is getting this newly renewed cert installed and in use so the clients email is secured.

Please help! Also bear in mind I am not particularly familiar with SBS (or IT in general) so simple instructions ideally!

Note when it crashes the error reported is CLR20o3 if that helps.


Thanks in advance
0
I renewed a Godaddy SSL cert and when I install the .crt that they returned the data on the website in IIS is updated however, when I go to the site and check the SSL cert it stil has the old date. I have restarted IIS on the server but, the date hasn't updated. What do I need to do to get the SSL cert date to cjhange on the site?
0
In testing compatibility for older browsers, I am running into an issue with trying to access my site using Internet Explorer 11 and Windows 7. (Yes, I know it's a really old system, but you'd be surprised how many of our users still have those old machines).

I want to put up a message that tells them our site will not work with that old of a browser, but I can't even get to the site without getting the "This page can't be displayed" message.  We have the server locked down pretty tight and I'm sure that's the issue. Is there any setting that can be changed (e.g. .htaccess, etc). that will allow a user with an older browser to be redirected either to a different site or to a different, customized message?

My site is: https://chloedog.com.  Thanks.
0
currently we are having sts.federationdomain.com client asking to setup adfs.federationdomain.com

is there any chance to add this?? or i need to reconfigure it from the scratch with the new name.???
0
Many Google results on the topic but haven't found an explanation that works for me.  Default ssl.conf has a reference to the server's self signed cert  - SSLCertificateFile /etc/pki/tls/certs/localhost.crt.  Vhost conf has a similar references for the vhost specific cert.  This vhost cert has the alternate names for mydomain.com, www.mydomain.com and subdomain.mydomain.com.  

The server and ssl appear to work without the ssl.conf file.  However, that seems like a good place to set up cyphers so that my subdomain can inherit from a common configuration.  If I comment out the localhost cert, apache won't restart.  Assuming my vhosts are set up something like the following, how do I get apache use the vhost cert instead of the localhost cert?  

<VirtualHost mydomain.com:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/mydomain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mydomain.key
    SSLCACertificateFile /etc/pki/tls/certs/mycadomain.crt

    ServerName mydomain.com
    ServerAdmin admin@mydomain.com
    DocumentRoot /var/www/mydomain/public_html
    ErrorLog /var/www/mydomain/error.log
    CustomLog /var/www/mydomain/requests.log combined
</VirtualHost>
0
I'm trying to replace the stock certificate that vCenter uses for the web console with a local MS CA certificate so errors don't get thrown about the browsers not trusting the cert.  I have found KBs and attempted to create a cert request with the vSphere utility (vCenter is on Windows Server), then process it on a MS CA (with custom template for this vSphere cert) and then tried to install it via the vSphere utility.  It takes forever and rolls back.  I just have some questions on the fields I enter when I create the request:

It asks for Name in the first part.  Is that just an arbitrary name that doesn't matter?  Or should it be specifically the plain name of the MS server?  Or the FQDN?  Or what?

There is a part where it looks like it assumes you are using VMware based CA, and it asks for the FQDN of the VMCA.  Since I am not using a VMCA, but rather a MS CA, for this field would I enter the FQDN of the MS CA or just the name of the vCenter server?

It looks like when I try to apply the cert, it shuts down all the vCenter services multiple times?  Does replacing this cert affect anything else other than the Web-based management console?   I don't want to screw anything up by doing this.
0
On Demand Webinar: Networking for the Cloud Era
LVL 10
On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

I had this question after viewing Replacing certificate on Exchange 2010 with wildcard cert.

Team, I have a cert to expire in the coming days, I was given a new Wildcard cert, but I am not sure how to renew or replace the one that is set to expire soon...

Question - Do I simply highlight the Cert that is expiring and Select Renew Exchange Cert? or do I Import the new Cert and then assign the Services that the old Cert had to the new one?  The new Certs I was given are end in CRT...Thanks for any help you can provide
0
Hi Experts,

1. In what kind of environment , would we need to manage SSH keys?  
   Is it when we have multiple users sshing into any network device/Servers ?

2. Is there any software , that can be used to centrally deploy  different SSL certificates , and manage them (as in inform the admins about the date of expiry , etc.)


Thanks,
T
0
hi guys

So I am going to be installing an SSL certificate on a Linux Amazon EC2. I created the CSR on this instance so I will need to apply the SSL to it to complete the installation.

It is a wildcard SSL certificate. So then I will need to export this SSL certificate and install it on another instance and turn off the other machine. On Windows I know how to export it as a .pfx and install it on another instance, but I don't know how to do this on a Linux machine. It is an amazon EC2 instance.

Are you able to help me accomplish this? What commands do I have to run to export this and then install it again on the new instance?

Thanks for helping
Yashy
0
Hi guys

I've purchased an SSL certificate for an amazon EC2 instance. I am using SSH to connect to the instance.However, I can't copy the purchased files from my desktop onto the actual location /etc/pki/tls/private folder as it's almost certainly down to permissions. The username I am using is 'ec2-user'.

Any ideas how I can change the permissions so it will accept the copy? What permissions would you give it? And then have them set back again? As I know messing with these folders will probably end up with creating a host of other issues.

Any help would be much appreciated.

Thanks for helping
Yashy
0
ITKit-SocialMedia-Native.pngIT Day is around the corner! Take advantage of our free set of diagnostic and discovery tools to help you in and out of the office.
2
Hello all,

We have an RDS server in play that only a handful of people use. It seems like a self-signed certificate expires in a couple of months and new one must be created and then installed on any machine that wants to connect to that RDS server. This requires us to touch the server and every machine that needs rdweb access to the server more frequently then we would like.

My question is: Is there anyway to lengthen the self-signed certificate to over a year, 2 years, 5 years?

Obviously a trusted SSL cert would resolve this, but I am looking for other options at this point.

Server is a Windows server 2012 R2 running remote desktop services.
0
Hi guys,

I want to create a rule in IIS (server 2012/2016) that would redirect the full url from http version to https while preserving the full url.

To give you an example, let's say I have 2 domain names: domain1.com and domain2.com. I want to set up a rule that would redirect to an HTTPS version of domain2.com while preserving anything else user typed after the main domain bit.
So the rule would do this:
http://domain1.com redirects to https://domain2.com
http://domain1.com/help redirects to https://domain2.com/help
http://www.domain1.com redirects to https://domain2.com
http://www.domain1.com/help redirects to https://domain2.com/help
http://domain2.com redirects to https://domain2.com
http://domain2.com/services redirects to https://domain2.com/services
http://www.domain2.com redirects to https://domain2.com
http://www.domain2.com/help redirects to https://domain2.com/help

I know how to set up a standard redirect from HTTP to HTTPS but it redirects to the HTTPS version of domain while losing anything user typed after the main domain for example: http://domain1.com/help redirects to https://domain2.com (removes /help bit, while i want to preserve it)

The existing rule is:

<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://domain2.com/{R:1}" redirectType="Permanent" />
</rule>

Hope this makes sense and thanks very much…
0
Hi Guys,

I have configured Issuing CA 1 and Webserver 1
Issuing CA - (CA role, CA Webenrollment role, IIS)
Webserver - (Online responder)

Here my question is When i checked the IIS of webserver it show the website for OCSP running but when i click nothing opens (500 error)

Client request me to setup a website for OCSP to access externally, so any one please advise how can I proceed further.

OCSP website output should be - check the status of certificate with options yes, No, Unknown.

Can anyone guide me..?
0
I'm reviewing all of my web servers and I'm trying to figure out how to make Chrome happy with the Cipher Suites. Web Servers are Server 2012 R2 and here is what Chrome is reporting:

My Web Server
Now, if I take a look at another example website that does properly validate with Chrome, it looks like this as an example:

Proper Web Server
It is my understanding that google only views the GCM Ciphers are being secure, that being said I found AES_128_GCM on my Cipher list and moved it to the top, however Chrome still reports the same Cipher Suite as being used.

Can anyone give me some insight?
0
How to Use the Help Bell
LVL 10
How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

hi guys

I'm trying to access an apache web server that I just took a copy of. The external IP is: 34.252.113.239. If you put that into a web browser, then you literally get a 'www' put in front of that IP address.

It's a linux server running apache. I'm not a developer, but could you guide me into looking at where the actual redirect might be occurring and take it out so that putting in the external IP will redirect it to the correct place? I.e. if I put in http://34.252.113.239 then that's exactly where it needs to forward to without a www. coming in front of it.

Thanks for helping
Yashy
0
Hi All,

I have configured Issuing CA and Web server.

Issuing CA Roles (Certificate Authority)
Web server (Certificate Authority Web enrollment Service and OCSP)

When I try requesting a certificate directly through (http://issuingCA/certsrv) it is working fine the certificate can be issued through web console

While I try request using (https://webserver/certsrv) Everything is coming finally when i click submit on certificate request it through below error.

Error : CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722

It is critical and really appreciated if any one can help this...

certsrv.JPG
0
Here's my environment:

Windows 2012 R2 NAT'd to public via FortiGate firewall.  Running IIS7 only for FTP.
I have one client who sends files in a batch once or twice a day.  the client supplied the SSL certificate for FTPS connection and all works well, mostly.
At some point in the transmission, FTP will stop transferring files and the Windows will log System Event 36888 from Schannel.  The TLS protocol error code is 20 and the SChannel error state is 960.

Research didn't track down an exact solution, but some folks were correcting the same error codes by replacing or 'fixing' the certificate.  I had our client generate a new certificate and installed it, but the errors/disconnects continue to occur.  

File sizes are 114KB and 36KB (they come in pairs).  Today, after replacing the cert, the client sent 240 pairs - 480 individual files - and there were five SChannel reset errors logged.  Each time that happens, the client has to restart the sending process.

the OS is fully updated.

Earlier in troubleshooting, I suspected the firewall - outdated OS/old hardware - and configured the path through our new FortiGate firewall (noted above)

I would much appreciate any input you have on how to troubleshoot further or what may be the cause

Thanks!

= k =
0
* Happens on my Mac Mini with El Capitan (up-to-date).
* Doesn't happen with all secure sites.
* Doesn't happen on my iPad which connects via the same router.
* Doesn't happen with Firefox, Opera or Chrome.
* Problem started after I had been messing around establishing a very basic user account for a student - I have double checked that Parental Controls are NOT turned on for my main account. The problem now occurs in the Student account too.
* I have tried changing the DNS setting.
* I have of course tried history & data clearing, restarting Safari, rebooting the computer.
0
Hi,
how can I disable HTTPS and enable HTTP on apache Tomcat?
Based on my researches I have to modify the server.xml in the root folder of apache tomcat. Must I modify the connector? how?
For my Webapplication I'm connecting to the port 8443
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="-1" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at 

Open in new window

0
Adfs primary server is up and running... adfs service is running using seperate service account

while configuring adfs proxy (DMZ zone non domain joined) we cant complete it... event ID 393

Error : Federation service cannot established to the federation proxy server.

questions:
what account needs to be used for installing adfs proxy ( im using local admin )

How to establish connection between federation server and proxy server??

proxy server is non domain joined then how it will communicate to adfs primary. Did i missed any step??

can any one please explain clearly step by step.. what we need to take care while installing proxy..?
0

SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.