
SSL / HTTPS

8K Solutions, 10K Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

We have an SSL Certificate that will expire soon. The current SSL Cert is issued from a Certificate Authority and it is used for Captive Portal (Guest) user access to allow guest users to log in to our WiFi using a username/password.

The current Domain name is something generic as "WIFI.DOMAIN.COM".  I have instructions on how to generate a new .csr for this appliance: https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025

The instructions are pretty straight-forward; but, my questions are:  

1).  Will I need to create a new SSL Certificate for a new Domain Name (example: OFFICE.DOMAIN.COM) ?  or can I re-key the existing SSL Certificate and use the same domain name?


2).  What is the difference between Re-Keying the existing SSL Certificate and creating a new one?
0
Hi.  I have an SSL certificate that I got from GoDaddy that I need to install on my dedicated Server hosted through Liquid Web and I have no idea how to do that?  Any help would be much appreciated.  I have access to my server but Liquid Web is understandably a little reluctant to help because I am only paying for the server itself.
0
Hi,

I have created CSR on Citrix Netscaler(.pem key format)
https://sivasankar.org/2018/813/netscaler-generate-csr-and-certificate-installation/
and public CA gives me option when uploading CSR to choose:

Do any of these technologies give back a .pem format certificate to install?

e.g. digicert has Citrix option but I have rapidssl public CA
https://www.digicert.com/csr-creation-ssl-installation-citrix-netscaler.htm#netscaler_vpx_install_intermediate_certificate
Any advice what is the best way to complete the process of cert installation.
Does Citrix netscaler need .pem certificate to upload?
According to this article pem format is: .pem,.crt and .ca-bundle
https://www.ssls.com/knowledgebase/what-are-certificate-formats-and-what-is-the-difference-between-them/

Thank you
0
I am trying to setup squid proxy to re-encrypt connections between old TLS1.0 enabled devices and modern web sites which mostly support only TLS1.2+
It is capable now to do TLS downgrade, like translate TLS1.3 to TLS1.2. I know that, because I can connect to a site which understands only up to TLS1.2 with the following command:
openssl s_client -tls1_3 -CAfile /etc/squid/cert.pem -connect tls12only.site.com:443 -tlsextdebug -proxy 127.0.0.1:3128


And s_client output contains lines:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384


Removing the -proxy option in the command above makes the connection impossible.
So, now I need to make it work opposite - to upgrade the TLS version.
However, I found out that squid apparently does not support TLS1.0/TLS1.1 at all. OpenSSL itself does support that. The following command succeeds:
openssl s_client -tls1 -connect tls1only.site.com:443 -tlsextdebug


with the following in the output:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA


But the same does not work through the proxy:
openssl s_client -tls1 -CAfile /etc/squid/cert.pem -connect tls1only.site.com:443 -tlsextdebug -proxy 127.0.0.1:3128
CONNECTED(00000003)
140360358970496:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 46 


0
Hello,

need to install 3rd party certificate on the Citrix Netscaler.
https://www.digicert.com/csr-creation-ssl-installation-citrix-netscaler.htm#digicert_console_download_ssl_certificate_pem_file
I know the procedure to create a CSR, but I’m not sure about the part when it comes to submitting the CSR to the CA. What type of certificate should I get out after submitting to the CA? A .PEM cert? Do public CAs provide .PEM certs?
0
I am required to use OpenSSL to create a new .pfx file.

How can I do this?

I have a

- Private Key
- Server Certificate
- Chain Bundle

Do I need to download any software?  If yes what is a safe place to download the software from?
0
Hello I have a Server 2008 R2 with IE 11. IE 11 must access https://www.tempomortgage.com and I get the following error:

This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://www.tempomortgage.com  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator. 



Although I can browse that site with Chrome and Firefox fine installed on the server

I have applied the right ciphers, IE Sec Settings, Rebooted server and nothing

See attachment for the respective version and settings

Attachments: Server Version; IE Version; IE Security Settings; IE Page Error; Crypto Channel Settings; Crypto Cipher Settings
Thoughts ?
0
Dear Experts
We are in the process of implementing an on-premise Exchange enterprise email server. For this we have to install an SSL certificate; please suggest which provider and what type of SSL certificate we should go for for the Exchange enterprise email server. Thanks in advance.
0
I need to create a white paper based on actual usage in the field for monitoring traffic. In particular, monitoring encrypted traffic. Our data center is receiving netflow and IPFIX data from a few dozen client enterprises that we are serving. The netflow/IPFIX data is being sent to us real-time, but we do not have control over where our clients are sourcing. It is up to them. In other words, the "tap" they use is most likely outside their firewall, and probably outside their boundary router, but may not always be. So in the case of encrypted traffic, obviously we are not reading their payload, but we need to be able to detect whether specific traffic is encrypted. For both cases, for SSL traffic and for IPSEC VPN traffic, we need to identify as much as we can for our clients' sake, without deciphering the payload.

Can you point me to explanations and scenarios (preferably real case scenarios) where this is done, and how the security techs, who are monitoring this in our data center, are handling this? Especially, as is most likely the case, if the data we are receiving is from the encrypted data flow.
0
Hello All,

I have my Exchange 2019 server set up and working fine for passing mail. OWA and the wildcard cert I have works fine for OWA, mail clients, etc. No problems with normal mail flow, or utilizing the wildcard cert I purchased from Sectigo RSA Domain Validation Secure Server.

I do have an issue when attempting to telnet into Exchange using openssl in order to run starttls. I am able to get connected via openssl and I am passed a certificate from the Exchange server, BUT it is not the certificate I am expecting. Instead of getting the wildcard certificate from Sectigo RSA Domain Validation Secure Server, I am getting a self-signed certificate. Which is why I believe my Ehlo after starttls fails with '501 5.5.4 Invalid domain name'.

Looking at EAC I have four certificates total
Name:  Microsoft Exchange,  self signed certificate, assigned services:  SMTP
Name:  Microsoft Exchange Server Auth Certificate, self-signed certificate, assigned to services SMTP
Name:  Wild, Sectigo RSA Domain Validation Secure Server, assigned services IMAP, POP, IIS, SMTP
Name:  WMSVC-SHA2, self-signed certificate, assigned to services SMTP.

Can I remove any of the self-signed certificates?

Is there a way to specify when using openssl to specify which certificate it should use?

my understanding is IIS needs the WMSVC-SHA2 cert....
0
Hi Experts, need to secure connection to a RDS server from users accessing it via RDP. I was thinking of going the SSL route. This is a one server 2019 RDS environment with all roles on it - RD Gateway, Host session etc. What I needed to know is which role will require the SSL cert? Do I need to generate CSR from IIS? Users will be accessing the server via domain name - remote.domain.com and then click on RDP to access. There is no chance of having VPN since all users are remote and client does not want to setup a VPN solution

Local domain matches external domain - abc.com
DFL and FFL - 2019

Thanks in advance
0
Having problems with RDP cert after changing Commercial cert to new email domain name
I just changed my email domain and have a Commercial cert for the new email domain that works fine in EX 2016, autodiscover, outlook, etc. I make RDP connections to the server hosting the Hyper-V EX 2016 server and it throws a server certificate error (name mismatch). I am not running TSS. I use the RDP connection to administer my remote server through CP Remote settings. How can I change the cert in the server to use the commercial cert for those connections?
0
I received a newly issued SSL cert from GoDaddy and I am importing it into my IIS server, but when I go to the site the old one is still linked. I have confirmed that the new cert is bound to the site via IIS manager. I restarted the IIS stack via IISRESET as well as restart within IIS manager.

Any reason why I am still seeing the old cert when I open the page?

Thank you in advance.
0
I had this question after viewing URL is changing after rewrite with proxy flag.

I am having a similar issue with my Jira instance, but rather than writing :8080 after the URL, :80 is getting inserted. I am not at all an Apache guru and am stumbling along using the Atlassian guides which have not been able to assist me with this problem.

In short: I configured Jira for SSL with Apache acting as a reverse proxy. I have the configs exactly as several guides recommend and when I hit the web pages at https://my.jira.site.com/jira the URL is changed to https://my.jira.site.com:80/jira. If I remove the :80 a couple times, the log in page will come up with the proper URL and will show secure with a valid cert.

After I put in my creds, it does the :80 thing a couple more times and then runs fine.

I am completely puzzled about this.

If someone thinks that they might have a thought, I can post my configs.

Thank you.
0
I moved my SSRS application to a new server.  My last step was to get my SSL certificate working for the new server.  I’ve done quite a few, but cannot get this one to work. It is through Godaddy and I’ve talked to them several times.  Today I was told that they aren’t training in certificates for IIS so they can’t help me.

I’ve followed the instructions in this article:  
https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-8-server-4951

But there are some misleading steps and I don’t know if that is why it isn’t working? Step 14 says to upload the intermediate (.p7b) to MMC. I’ve done that. The next steps are in IIS and on step 22 it says to find your primary certificate that you previously uploaded. There aren’t any steps that say to import it on MMC so I’m not quite sure what that means. I complete the install of the primary certificate (.crt) on IIS and then do the bindings. I then restart the services. But the website never works. On IIS everything looks ok. I’ve actually started the old server and compared what I see in the 2 servers and they look the same. I’m not sure what to do? Any thoughts??
0
Can the same 3rd party SSL certificate used in IIS/Exchange 2016 be used for RDS?
0
Hi all,
We are renewing the Exchange certificate. I don't need to create a certificate request, as it's just a renewal.
I have the GoDaddy Exchange SSL certificate, I have imported it in MMC --> personal certificates, but it doesn't show the key icon on the certificate that it's trusted?

How can I get the key icon on the SSL certificate?

Thanks.
0
How to replace an already expired SSL Certificate.

I have always found SSL Certificates confusing and it is even more confusing if things do not work as planned from the instructions provided. But it is a good opportunity to learn. I have an SSL Certificate from godaddy.com and it has expired (1 month ago, or 30 days ago). It is not a wild card certificate and we need to renew and replace it for an appliance and its web address. I see notes from: https://support.cartika.com/portal/kb/articles/renewing-your-ssl-certificate-godaddy-19-6-2018 on how to create an SSL certificate and this part seems very familiar and straightforward.

Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly. We had problems initially when a consultant was doing this. Initially the certificate only worked correctly with iPhones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit …
0
I have a CSR file and got the certificate from our internal CA for an appliance. How do I convert this certificate as a .txt file with BEGIN CERTIFICATE  and END CERTIFICATE so I can paste this text to an appliance to install the cert?
0
Given the turf wars between Firefox and Google over how they handle and display "secure" web sites, are EV SSL Certificates of any value any more?  

To the general public user that is; I know the CAs think they are of value!

The green bar of IE was nice in its day but that has long gone. A LetsEncrypt certificate site looks pretty much the same as an EV certificate site now to all intents and purposes. I mean, how many users are actually checking this - real world users that is, not us.

And are there any policies enforceable by anything that would prevent accessing a NON-EV certificated site?
0
Hi all,

I'm trying to set up an application that uses HTTPS (port 443) on a Windows Server 2012 R2. I do not want to install IIS on the server.
When I test the connection (from outside the network) I can't seem to get through the Windows Firewall. I have tried to add a rule (TCP, 443) - but no luck. When I turn off the Windows Firewall there is no problem.

I have also installed a SSL Certificate on the server.

I have also Googled a lot - but did not find the answer.

Any chance somebody in here can help me out how to enable HTTPS on the server without IIS nor without turning off the Windows Firewall?

Thanks!
0
Mobile mail is saying cannot verify identity so users are not getting email.
0
Hi Experts

Could you give me an in general overall topics on what would be your recommendation for publishing / hosting a portal (similar that) to go into production?

A similar site


Thanks in advance.
1
Hello,

how secure is 7zip password protection?

Thank you
0
I need to import an ssl certificate into my IIS web server.  The csr was not requested by this web server but I have access to the private key, and the .pem file from GoDaddy. The certificate is also in use by a different web server.
 
I believe I need to create a pfx to import into IIS. Is it possible to create a pfx file from just the pem and private key, or any other way. Does the intermediate certificate need to be added?

Thank you.
0
