Google Cloud connected device using Globalsign R2 root certificate - ssl

We have some Ethernet devices (IoT project) communicating with our cloud-based servers. The connection goes over SSL.
The device is using GlobalSign R2 as Root CA. After Google-managed SSL certificates got updated a few days ago, it fell out of the chain of trust and the device cannot connect anymore.
Is there anything we can do on the backend side to allow the device to connect? Any source of SSL certificate with R2 in chain? I know it will expire soon, but we need to have it running just temporarily. Once the device connects, we will be able to upload new certificates, but now it's dead. Any hints?

You can download and install the GlobalSign R2 certificate here:
Google Trust Services Repository

Related

Using an External CA for SSL Certificate for internal IIS website

I have a website built and running on IIS / Win 2012R2; it's only accessible within my local network and will never reach the outside world.
Currently, I'm using a self-signed SSL certificate that I have installed on all my Windows machines, no problem!
I now need to get the website to work on Android 7.7 tablets, without the Chrome browser complaining about the use of a self-signed certificate. I'm not able to install my self-signed certificate on these devices, so I need to use an online CA.
The question is, how can I link an online CA to our internal website? The key issue being I don't have a domain, the path to access the website is https://servername/website
Is this even possible at all?

How can I access a self-signed webserver using SSL but from another computer on LAN?

Problem: Since Chrome updated a while back (version 58?), I'm not able to access my computer's development Express web server with HTTPS from a remote machine on the same private LAN.
I have created a self-signed certificate on the server (my laptop), and it works great from the same machine via https://localhost:8383 (the local SSL port).
In the past I could bypass the warning on a remote machine on the same network but it has stopped working.
I've gone through the steps of creating a local secure DNS server on my own router with DD-WRT, and self-signed a new certificate with SAN so I could use a DNS host name to access it without specifying an IP address.
I'm able to get to the page after bypassing the message that warns the site's SSL certificate could not be verified. But that's not good enough because while the site will load, the underlying websocket service I'm using on the same port does not work, and so the application loads but is broken on the remote machine. Still works on the local machine because the certificate is valid.
It seems the issue centers around Websockets within Express.
Any guidance would be greatly appreciated! This is a strictly secure environment that's meant to be used on a private network and it makes no sense for me to spend a bunch of money on a public certificate if that even matters.
Thank you.
It appears that the issue is with mobile Chrome and Safari on iOS -- I can get untrusted SSL certificates to work with websockets from another computer on the same network with the latest versions of Chrome and Safari. But on iOS (iPads and iPhones), the page will load after being prompted, but websockets FAIL to function whatsoever.
I've found a couple other people finding this issue.
My workaround for this problem was to revert away from SSL for my private network and completely avoid self-signed certificates.
In a private environment this is OK.

RabbitMQ SSL Guide...What changes needed for production?

I followed the RabbitMQ SSL guide meticulously.
https://www.rabbitmq.com/ssl.html
And it works, of course. But I've had to install the Certificate Authority on the computer running RabbitMQ server and on the PC connecting to the server.
What was not clear to me on the guide is what happens next. My self-created certificates are just for development. What do I do next to make this a production system?
Normally in production systems you have an internal CA maintained by your organization. Get your certificates signed by the CA.
Also make sure to use TLS v1.2.

How to implement SSL connection between Device and server?

We have the MobileFirst platform running on our Linux machine. Business Logic Web services are running on a separate Server. The Certificate is issued by our Business Server.
We have overwritten the MobileFirst certificate mfp-default-cert.crt with the certificate issued by our Server. This certificate is used to establish the HTTPS SSL connection between the MobileFirst adapter and the web service.
We have successfully integrated this encrypted web service (using SSL) between MobileFirst (using HTTP Adapter) and Server in a Native app.
Now we want to implement/configure SSL connection between Mobile Device/emulator and MobileFirst server for secure communication using the same issued certificate.
Can anyone please advise how to do that?
As we know, for an SSL connection a proper handshake has to happen between the server and the client.
The client (device/emulator) which you are trying to connect with the server should have a corresponding CA certificate installed on it so that it will have a successful secured communication with the server machine.
So you should have the client-side certificate (example.crt) installed on your device/emulator to connect to the server on the HTTPS port.
It also depends on the device you are using to connect.
For iOS devices from 9.0, Apple mandates a more secure way of connection:
https://developer.ibm.com/mobilefirstplatform/2015/09/07/preparing-ibm-mobilefirst-platform-server-app-transport-security-ios-9/
Hope this serves your purpose. :-)

IBM Worklight: Self-signed CA implementation in Testing environment with Load Balancer

I have the following implementation in testing environment,
Front-end Server [IBM HTTP Server + IBM Websphere plugin],
WLServer1 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1] and
WLServer2 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1].
plugin-cfg.xml has been generated from each Worklight server and merged.
The requests [HTTP] from multiple devices have been directed to the Worklight servers alternatively, once the merged plugin-cfg.xml has been deployed in the front-end server's IBM WebSphere plugin.
How can I implement the same to serve HTTPS requests?
I have also implemented the "UserCertificateAuthenticationProject" from the Worklight modules, which connects the device [HTTPS] to the Worklight server directly.
Note: Tested it on Android only.
Help me to understand how I can achieve HTTPS in the test environment via IHS.
What should be the procedure in the production environment?
Note: IBM Worklight 6.2 supports Android, iOS, BlackBerry & Windows, so I have to implement it on all platforms.
It sounds like the problem you are having is similar to this one: https://stackoverflow.com/a/21914147/2245921. The Unresponsive Host error occurs for one of two reasons:
1. Your device cannot reach your server (they are not in the same network)
2. The device does not trust the server's certificate
Since you can connect to your HTTP connection, it is not #1, so it should be #2. The answer to the other question I pointed to above should fix your problem. Make sure to turn on trace-level logs in the WL Logger so that you can see the exceptions regarding untrusted certificates.
Edit: To expand on this answer; to use HTTPS, your server needs an SSL certificate to identify itself, otherwise the device has no proof that it is connecting to the right server and not to some random server that could be malicious. You should already have a certificate that you are using in your server; if you don't, then read on.
You usually get an SSL certificate from one of two places: you either use a certificate issued to you by a trusted Certificate Authority (e.g., Verisign), or you create one for internal testing purposes. In your case, you probably want to create your own, so you should follow the "Client X.509 Certificate Authentication and User Enrollment" getting started here, specifically the parts that talk about generating the server certificate.
Once you have that certificate set up, you should configure your server to use it; for that, follow the instructions here. After doing this, the last step is to have your device trust your server's certificate. For this, follow the last part in the getting started above, which shows you how to make your iOS/Android device trust the server. You would have to look up how to do this on Windows and Blackberry, too.
After this, you should now be able to connect successfully via HTTPS. (Always make sure that when you get an "Unresponsive host" error, that you can still connect to the HTTP console via the browser, to make sure that you are connected to the same network as your server. I know you already did this as you specified in your question, I'm just mentioning it as a reminder since it is easy to forget this.)
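
The trust failure from the first question and the internal-CA procedure described in the answers above, reproduced offline as an added example (not part of the original posts). It assumes the OpenSSL 1.1.1 or later command line; `ca_old`, `ca_new` and `server.example.internal` are constructed names.

```shell
#!/usr/bin/env bash
# Constructed demo: ca_old, ca_new and server.example.internal are made-up names.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT          # remove the throwaway keys when the script ends
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example.internal
EOF

# make_ca NAME: self-signed root CA -> $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
  openssl req -x509 -config "$WORK/cfg" -extensions v3_ca -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA NAME: server certificate with a SAN, signed by CA -> $WORK/NAME.pem
issue_leaf() {
  openssl req -new -config "$WORK/cfg" -subj "/CN=server.example.internal" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -set_serial 1 -days 30 -extfile "$WORK/cfg" -extensions v3_leaf \
    -out "$WORK/$2.pem" 2>/dev/null
}

# trusts ROOT LEAF: succeeds only if LEAF chains to ROOT and its SAN matches the host.
# -no-CAfile/-no-CApath keep the system default CA file and directory out of the decision.
trusts() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
    -verify_hostname server.example.internal "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca ca_old; make_ca ca_new
issue_leaf ca_old leaf_old     # certificate the device originally saw
issue_leaf ca_new leaf_new     # certificate after the server-side rotation

for leaf in leaf_old leaf_new; do
  if trusts ca_old "$leaf"; then echo "$leaf: accepted by a client that trusts only ca_old"
  else echo "$leaf: rejected by a client that trusts only ca_old"; fi
done
```

The same `openssl verify` call, pointed at the root a device actually ships with and at the chain a server currently presents, shows before a rollout whether that device will still connect.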