
Entries in certificates (8)

Sunday, Apr 01 2012

Mozilla's Firefox Invalid, Yet Valid Certificate

In my line of work I get to work with a lot of security devices which run self-signed certificates. Those certificates are most of the time generated when the device / appliance is installed, or configured for the very first time. When you connect to one of those devices with a web browser, you tend to see the warnings displayed by the browser that the connection is not to be trusted.

In Firefox, you can add an exception in the browser. When you've done that, the next time you go to the website, the browser treats the website as trusted.


Saturday, Jan 07 2012

Changing SSL Certificates in an ISPConfig v3 Configuration

When you install a Perfect Server based on CentOS and ISPConfig v3.x, the system / 'installer' creates self-signed certificates for the components. All these certificates will generate different warnings in your browser, mail clients etc. So it's time to eliminate those warnings.

First I needed to find out where all those certificates are located, and what their formats are. In my case, there are three services that use SSL/TLS in some form:

  1. Postfix SMTP service
  2. Courier IMAP service
  3. HTTP / Apache2 web service

Checking the configuration files will reveal their locations.


Wednesday, Jun 08 2011

Microsoft Internet Explorer and IP Addresses in Certificate SAN

A fairly long title, but it describes exactly what this post is about. Once again a post about a Microsoft product and the way it works (or rather doesn't work) with your average Internet standard.

This week I was busy with RADIUS, 802.1x, PKI and the protection of websites with SSL encryption. For the implementation of 802.1x, I needed a PKI environment, so I used the Microsoft Certificate Services for that purpose. Along the way, I needed an SSL certificate for an internal website, but this particular website needed to work properly based on different FQDNs and/or IP addresses without throwing warnings or errors regarding the SSL connection.

The way to do this is to add Subject Alternative Names (SAN) to the certificate. This enables you to access the website in different ways, e.g.:

  • Access a webmail host from the internet based on its official FQDN (https://webmail.somedomain.com)
  • Access the same webmail host from the inside of the corporate LAN based on its internal name (https://webmail.acme.local)
  • And access the host from legacy DNS-unaware software on its IP address (https://192.168.1.254)


Thursday, Aug 12 2010

Microsoft Cryptographic Store and Passwords

We've been experimenting with the use of user certificates for VPN access to the lab. Issuing and using them isn't the problem. The problem is that there's no way of enforcing a password on the use of the private key. You can use private key protection on the certificate template, but that still doesn't enforce a password requirement. The user still has the option of choosing the notification instead of a password.

Certificate Template - Request Handling Options

There's an option to enforce a password, but that's system wide for the Microsoft Cryptographic Service Provider, and we don't want to enforce passwords for ALL certificates. We just want to enforce passwords for this specific template.


Monday, Jul 12 2010

The Problems with Apple OS X (10.6.4) Server

Updated on Monday, July 12, 2010 at 21:48 by Registered Commenter Willem

It has finally been done. I've switched off the old Windows 2003 server at home and officially replaced it with an Apple Mac mini server. For now... And with 'for now' I really mean for now. It turns out that Apple OS X Server doesn't resemble its client counterpart at all. Where the client is stable and intuitive, the server edition lacks both.

I'll try to explain why I think there's lots of room for improvement. Mainly stuff I ran into while configuring the server/services.
Since the Windows server fulfilled several functions, I needed these functions to be available on the OS X server as well. These were:

  • Networking services like DNS and DHCP
  • Webserver
  • Mailserver
  • MySQL Database
  • SSH Server
  • File sharing on the internal network
  • Public Key Infrastructure for issuing certificates
  • Download station

Evaluating these functions, one would think that this shouldn't be a problem. Well, it actually is... at least for some of those features.


Friday, May 29 2009

SymCAImport ported to PHP

and moved off-site.

It's been a while, but I finally found some time to convert the SymCAImport service from ColdFusion to PHP. This means that the service runs at Dreamhost. The only thing that remains is migrating my mail to a hosting service. After that, the servers I've got running at home will be obsolete.

The new SymCAImport URL is http://symcaimport.redelijkheid.com/. The CA certificates which were uploaded to the old service (symcaimport.redelijkheid.com) will remain there for a maximum of 7 days, but they are also accessible under the new service (/symcaimport/ca/<certificate>.der). An automatic forwarder will be used after 7 days to redirect everyone to the new location.

New uploads can be done by using the new URL.

Errors, warnings, or other questions can be placed in the comments.

UPDATE: permissions on the download location were incorrect. It should be working correctly from now on.

Wednesday, Dec 10 2008

SafeSign and OSX

Updated on Thursday, April 22, 2010 at 22:07 by Registered Commenter Willem

After my blog post on OSX and Aladdin eToken I received a phone call from Haaino at AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. Through my line of work there is no lack of smartcards and/or readers. Only the software was missing (up till now).


Tuesday, Jul 08 2008

FireFox 3 Dialog Boxes

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
For example, this evening I updated some digital certificates for the test environment of the VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA, so there's no trust by default.

After generating the keypair in FireFox 3 I got the positive dialog box as shown below.

No problem so far, but the next dialog box 'scared' me a little:

This dialog box, or at least the result, would remove (or delete) the certificate I just generated. The issuing CA is not installed in FireFox (or on the machine itself, for all it matters). But in fact the certificate was installed in the Crypto/Certificate store of FireFox, and I could use it to access the VeriSign test backend.

So, even though FireFox warns the user that the content will be deleted (or not added), it doesn't actually do that at all. Let's see if I can file a bug report, because this occurred on all 4 certificates I generated/imported.