I received an SSL certificate from sslforfree.com. It is a .zip file consisting of 3 files:
certificate.crt
private.key
ca_bundle.crt
How should I install this certificate on IIS 8.0? (What am I supposed to do with these 3 files?)
First, you need to make a .pfx file to make things easy. You need to Install openssl and run the following in a command prompt with path set to location of downloaded certificate files
openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "private.key" -in "certificate.crt" -certfile ca_bundle.crt
Second, import the certificate to IIS:
Note: You created the password when you created .pfx file with openssl in command prompt.
Third, bind https to the website and choose the imported certificate in "Add Site Binding" window:
Note: You need to do this once for every domain name. For example if you have "www.abc.com" and also "abc.com" as your domain names you must do the https binding two times and each time write the corresponding domain name in "Add Site Binding" window and make sure that "Require Server Name Indication" is checked. Also you need to add another extra https binding without checking "Require Server Name Indication" and without writing any Host name to remove the "No default SSL site has been created" warning in IIS.
Congragulations. You are done. Now your website can be accessed with securely with https without any warning or error.
Related
I have a working local website which I enabled via IIS Manager on Windows 10 Home. Now I want to serve my website via HTTPS instead of HTTP. I have created and added self-signed SSL cert using OpenSSL and MMC (following this blog). However, when I tried to add the HTTPS binding to my website using the IIS Manager, there is NO cert displayed for me to add for the binding. See screen shot. Can someone suggest what I might be missing? How do I bind the key/cert to my local website under Windows 10?
It looks like you forgot to import .pfx file to your IIS server certificate.
Please go to IIS manager->server side->server certificates.
Then click import.. button to upload your certificate.
After uploading the certificate, you should be able to select your certificate in IIS binding.
OK, so it turns out the self-signed cert in the procedure is in the .cer/.pem format, whereas Windows IIS expects a .pfx. The confusion part is the fact the tutorial also demonstrates using Windows MMC and IIS, and that MMC "accepts" the .cer when I did the certificate import.
Bottomline: I need to package my .key and .cer files into a .pfx file using the following command before importing the cert into my Personal store:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt
During cert import using MMC, I did need to change the file extension using the dropdown list. Now this cert would show up when I add the website binding via IIS Manager.
I am about to test web application with JMeter. I have already recorded and parametrized scripts and these seem to be working fine.
Problem is, that one of the requirements is to redirect the traffic through mitmproxy.
I already found solution on how to redirect the traffic to the desired proxy:
How to set proxy for JMeter from behind another proxy?
To manually go through the scenario I am setting manual proxy configuration in my Firefox browser, then navigate to mitm.it and if proxy is enabled I get the client side certificate to download. Once trusted, all traffic goes through this proxy instance.
Problem is that certificate downloaded from here is with .crt extension and this is the only form of authentication - no signatures, no passwords and so on.
I am just wondering how to make this proxy trust JMeter requests?
Adding this certificate to existing keystore will do fine? If so, I could not find unambiguous tutorial on how to extend keystore with the certificate having no password and the key.
Any suggestions?
PS. I tried following http://www.middlewareguru.com/mw/?p=478 - but it states: "The key store must have at the least one x509 certificate and private key" -> problem is that I have only certificate, no private keys and it works perfectly for Firefox, but have no idea how keystore will behave in such scenario (my proxy is down as for now, but I would like to be ready with the approach before it's up and running again).
You need to convert your .crt file into .p12 file which JMeter can "understand" using i.e. OpenSSL like:
openssl pkcs12 -export -in certificate.crt -inkey inkey.key -out certificate.p12
Once done you can add the following line to system.properties file (located in "bin" folder of your JMeter installation)
javax.net.ssl.keyStore=/path/to/certificate.p12
Restart JMeter to pick the change up
You can also use SSL Manager instead of steps 2 and 3 but using system properties is way more convenient.
References:
The Most Common OpenSSL Commands
How to Set Your JMeter Load Test to Use Client Side Certificates
It's been 2 full days that I'm trying to sign my exe using SignTool and kSign. I bought a SSL certificate from COMODO for my domain (used for https on apache). Now I'm trying to sign my exe using the same certificate and the same private key used. I'm using the commands:
openssl pkcs12 -inkey example.com.key -in example.com.crt -export -out example.com.pfx
and trying to sign it
signtool /f example.com.pfx /p mypassword myexe.exe
and I always get: "SignTool Error: No certificates were found that met all the given criteria."
Whatever ways I found to generate PFX files from the Internet, it's always that same error message. I even tried to sign it with kSign and I get the same thing. What I am missing? Can I use a SSL certificate I bought for my web server for signing my exe files also?
Thanks.
The problem was, I tried to sign an application using a SSL certificate. That didn't work because SSl certificates is different from code signing certificate, which is the one I need.
I've found the problem by running
certmgr.exe
and then importing the certificate into the personal store.
I had the same error, my PFX file had an expired certificate.
I am trying to move a website into Azure (Azure Website). I have everything moved, except the ssl isn't working. The error that comes up says
You attempted to reach [subdomain].[domain].com, but instead you actually reached a server identifying itself as *.azurewebsites.net ...
I think it may have something to do with my certificate. The cert is a UCC cert (multiple SAN) through GoDaddy. I did not rekey the cert when I moved the site from the old server to the Azure Website. The old server was managed using Parallels. Here is what I did to move the cert:
I logged into Parallels on the old server. I opened the SSL screen, where I could see the 4 parts of the cert (csr, private key, certificate, CA certificate). I copied the text for each of those (including the ---Begin Certificate--- and ---End Certificate--- lines. EDIT: the private key began with ---Begin RSA Private Key--- and ended with ---End RSA Private key), and I pasted the data to create 4 .txt files. I then renamed the txt files so that I had 4 files named CAcertificate.cer, certificate.cer, privateKey.pem, and cert.cer. They were all saved in the c:\ directory (root).
I then pulled up OpenSSL and ran the following command:
pkcs12 -export -in c:\certificate.cer -inkey c:\privateKey.pem -out c:\certificate.pfx -certfile c:\CAcertificate.cer
I entered a password twice, and out popped a certificate.pfx file.
I uploaded that file to my Azure Website. The UCC Cert applies to 4 subdomains. I have my Azure Website set up with only one of those subdomains as a domain name. After uploading the file, I went to SSL Binding, and chose that subdomain, matched it with the cert I just uploaded, and chose "SNI SSL." I saved it, and all looked good.
Unfortunately, when I browse to the subdomain, I get the error I listed at the beginning.
I have a CName set up to forward from that subdomain to the Azure Website. I also have an A record set up to point from that subdomain to the IP Address of the Azure Website. The site is pulling up as I would expect, except for the ssl certificate error.
Did I generate the .pfx file incorrectly? Is there something I need to change in Azure or my domain registrar? I noticed that I could download a .pem file from the parallels panel. It contained all 4 parts of the cert in one file. I didn't know what I could do with that.
A missing root or intermediate certification authority can cause this behavior as documented in this article (written by a Microsoft MVP).
This answer shows how to export the full certificate chain including the private key using OpenSSL for Windows.
If the certificate is already installed in your local Windows machine you can follow this guide and be sure to select
Yes, export the private key and
Include all certificates in the certification path if possible.
This will create a .pfx file containing your certificate, its private key as well as all intermediate and root CAs.
We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12