Renewing a wildcard SSL certificate in IIS 6 (1024 to 2048 bit) - ssl

I currently have a wildcard SSL certificate running on IIS 6 that needs to be renewed. The new certificate's bit strength is now 2048 (the current one that needs to be renewed is 1024). Is there any easy way to get a certificate request file that is 2048-bit when renewing from a 1024-bit one?
I don't see the option to change bit strength for renewing an SSL certificate (I only see this when creating a totally new one from scratch).

I recently had to do this very same thing, and the way I did it was to remove the current certificate completely, then add a new certificate fresh; otherwise, I could not figure out how to update the CSR from 1024 to 2048, which is now a requirement.
So, to answer your question, remove the current certificate first (this might be tricky if it's a busy online store), then go through the wizard and switch the CSR from 1024 to 2048.
Not the best answer, I know, but the only one I could seem to find right off (and the easiest).

Be warned about trying to get clever with this one. I just got myself in a big mess trying to do exactly this same thing without any downtime.
What I did was:
Created another website and generated a cert request for that, making sure to put in the correct common name when generating the request.
Downloaded the certificate that was generated and installed it in my 'Personal' certificates for the Local Computer account (after adding the Certificates snap-in).
Did 'replace' on the main website for the certificate and chose the new updated one.
I ended up getting this error (as reported by Chrome) when accessing the https site.
(net::ERR_SSL_PROTOCOL_ERROR): Unknown error
After playing around and switching back to the original certificate I ended up just removing it and re-keying the certificate. It only led to 1-2 minutes of downtime.
I do think that if you do what I was attempting in the correct order you'd be fine. I think you need to export the .pfx file and then import that. I think what's happening is the original server didn't have the correct private key or something like that and was getting confused.
So I'm upvoting calweb :-)
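The two checks that matter when re-keying from 1024 to 2048 bits, whether on IIS 6 or anywhere else, are "does the new request really carry a 2048-bit key?" and "does the certificate I am about to bind actually match the private key on this server?" (the second is what goes wrong in the ERR_SSL_PROTOCOL_ERROR story above). The following is an added example using OpenSSL, not code from either poster: it generates a fresh 2048-bit key and wildcard CSR, reads the key size back out of the CSR and key file, and compares a certificate's public key with a private key. The name *.example.com and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a fresh 2048-bit RSA
# key and wildcard CSR with OpenSSL, report the key size embedded in a CSR or
# key file, and check that a certificate and a private key belong together
# before swapping them into a site. "*.example.com" and all file names are
# constructed for this demo.
set -e

WORK=$(mktemp -d)

# Request configuration: the wildcard goes into subjectAltName as well as CN,
# because browsers validate the SAN list, not the CN.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = *.example.com
[ ext ]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF

# One command creates the new 2048-bit key (unencrypted, -nodes) and the CSR.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" 2>/dev/null

# Key size (bits) advertised by a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Key size (bits) of a private key file.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# True when the certificate's public key is the one derived from the private
# key, i.e. the pair a server needs before a TLS handshake can succeed.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-in for the CA-issued certificate: self-sign the CSR with its own key.
openssl x509 -req -in "$WORK/wildcard.csr" -signkey "$WORK/wildcard.key" \
    -days 30 -out "$WORK/wildcard.crt" 2>/dev/null
# An unrelated key, to show what a mismatch looks like.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

echo "CSR key size: $(csr_key_bits "$WORK/wildcard.csr") bits"
echo "key file size: $(key_bits "$WORK/wildcard.key") bits"
if cert_matches_key "$WORK/wildcard.crt" "$WORK/wildcard.key"; then
    echo "wildcard.crt matches wildcard.key"
fi
if ! cert_matches_key "$WORK/wildcard.crt" "$WORK/other.key"; then
    echo "wildcard.crt does NOT match other.key (this pairing breaks the handshake)"
fi
```

Run the key-match check against the certificate the CA returns and the key file from the machine that will serve it; if it fails, the certificate was requested from a different key (for example on the "other website" in the story above) and has to be moved together with its private key, which is exactly what a .pfx export carries.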

Related

Exchange, Replace Expired Certificate

I have an expired five name certificate that I want to replace with a wild card cert. The wild card cert is currently handling SMTP. I want to add IMAP. Because it's a wild card cert I'm following the instructions to use
Set-ImapSettings -X509CertificateName mail.mydomain.com
and I get a response of
WARNING: The command completed successfully but no settings of 'myServer\1' have been modified.
And the wild card cert does not have the IMAP service added.
How do I do this? Do I need to remove the old expired cert first?
This is on premise Exchange 2019
Was able to finally get it working with no clear answer. I wish MS would fix the GUI to show when a wildcard is being used for POP and IMAP. For anyone that comes along after with the same issue, use the online SSL checking tools to see when your connection is secure; some combination of using the command and a couple of service restarts got it working. It appeared as magic, but there is no magic. Sorry I can't offer any better advice.

Google Cloud Load Balancer with custom certificate shows the "google" cert first

I've set up my app running on Cloud Run with a Let's Encrypt wildcard certificate to cover subdomains. It works fine, but every time I run testssl.sh or other similar tools they notice 2 certificates: mine and Google's. The second certificate throws errors regarding name mismatch and from time to time (couldn't reproduce it, it may not be a problem) even browsers notice this and say the cert is not valid, but a refresh will fix it.
Is this something common and should I ignore it? Google's DIG shows that the domain has the correct IP as A record and everything else works fine.
Use only one certificate.
A wildcard certificate with Cloud Run provides few benefits. Only domain names that are mapped will be supported so the wildcard does not help. The negative is that you must manually renew the certificate every 90 days.
Use the Google Managed certificates.

How to disable 'Your connection is not private' screen in Chrome?

I'm working on automating a web application (F# and Canopy). Getting the 'Your connection is not private' screen upon launching the website / after providing login credentials. Tried a few workarounds to have the same disabled, but none did the job. Please help.
The best approach here is not to try to hide or cover up the problem, but to fix it properly so you don't have to. Solutions that involve hiding the issue are necessarily going to adversely affect your security.
Note the wording of the error code: ERR_CERT_AUTHORITY_INVALID. That tells us that the certificate for the site is signed by a non-standard or unknown certificate authority.
You mentioned localhost in your comment; you're not going to be able to get a certificate for that, but you could create a self-signed one, however, if you've enabled the localhost exemption and you're still getting the error, it suggests that you may not be using localhost after all.
So, if you have a certificate signed by a real CA and you're seeing this error, it's likely that your local OS or browser has an outdated CA root certificate bundle. You can usually get the latest one by making sure your OS packages are up to date.
If your certificate is self-signed, then the 'advanced' button will allow you to add an exemption. If you have set up your own CA and signed the certificate with that, you need to add that CA's public key that signed it to your OS.
If you've got a "regular" commercial certificate from verisign, letsencrypt, comodo or whoever, then a run through a testing tool like testssl.sh or Qualys SSL labs will tell you more about what's going wrong. Without knowing the actual domain we can't test anything for you.
Added the following argument and it did the job:
options.AddArguments("--ignore-certificate-errors")

Apache, Ubuntu, SSL, alias and virtual

First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16 LTS server, with Apache. The software we just installed comes with "samples". These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (I am open to using self-signed, though; at this point it's non-prod so I don't care.)
In trying to find out the right way to tell Apache I want to use SSL for this directory and which cert I want to use, things went wonky on me. I did manage to get it to use SSL, but with a browser warning as one would expect with a self-signed cert. I had thought that I could just install the cert on our devs' machines and that would go away. But no dice. Now in trying to fix all that I just done broke it. SOOOO what I am looking for is not necessarily a spoon-fed answer but rather any good tools, scripts, articles, tips, tricks, gotchas that I can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers' trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.

SSL: Intermediate certificate compromised -- Can they unrevoke a certificate?

I am using certs from an issuer called AlphaSSL. I just recently realised that my pages show an invalid certificate error on page load. Further investigation shows that the intermediate certificate that binds my cert to GlobalSign's root certificate has been revoked. I checked and there is a new intermediate certificate on their site, but I am not sure I should download it as their download page is secured with the same revoked certificate.
UPDATE:
I got a boilerplate email from support, they reckon clearing the CRL cache should fix the issue. I wonder though, is this really doable, can they 'unrevoke' the certificate? How can I check their revocation list and how can I force the propagation of the undo to my CRL (other than clearing the cache)?
UPDATE2:
I received another email that references this page. Long story short, they are busy shoveling the sh*t back to the horse, browser ubiquity yadda-yadda, you should change the interim cert to a new one, but if you have AlphaSSL or CloudSSL, then you're sheesh out of luck, no cert for you.
Does not say where to claim your money back.
GlobalSign is currently experiencing issues which results in certificates being marked as revoked:
https://twitter.com/globalsign/status/786505261842247680
I got a reply from their support staff:
Hello,
Thank you for getting in touch with the GlobalSign Support Team
We thank you for bringing this to our attention. We are aware of the
issue you described and are in the process of investigating the matter
further.
We would like to ask for the below details so we can provide these to
the team investigating the issue.
Operating system & version: Browsers & version:
For the latest updates on the issue, please follow the below link:
https://twitter.com/gssystemalerts
We will let you know as soon as the issue has been resolved.
Thanks.
Best Regards, Janice Tablarin GlobalSign Support Team
Some boilerplate response, I reckon. If the trust has gone from the cert that signed a zillion other certs, then it's not a client/browser issue.
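Three of the threads on this page come down to the same machinery: the Chrome question (fix the trust problem instead of passing --ignore-certificate-errors), the Apache question (run your own CA, issue per-hostname certificates, never a blanket wildcard, and guard the CA key), and this GlobalSign question (how does a client decide a certificate is revoked, and what can you check yourself?). The following added example, OpenSSL shell commands written for this page and not code from any of the posters, builds a throwaway private CA with "openssl ca", issues certificates for two specific hostnames, shows that a certificate verifies only for the hostname it was issued to, then revokes one certificate, publishes a CRL, and shows the revocation check failing for that certificate while the other still passes. The hostnames under example.test and all file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original threads): a throwaway private CA driven
# by "openssl ca", used to issue hostname-specific certificates, verify them
# against the CA (including the hostname check), then revoke one, publish a
# CRL and watch the revocation check fail. The hostnames under example.test
# and all file paths are constructed for this demo.
set -e

WORK=$(mktemp -d)
CA="$WORK/ca"
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"          # certificate database (empty to start)
echo 1000 > "$CA/serial"     # next certificate serial number (hex)
echo 01 > "$CA/crlnumber"    # next CRL number (hex)

# Minimal configuration for "openssl req" and "openssl ca".
cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Local Dev CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA certificate. Its private key (ca.key) is what the warning in
# the Apache answer is about: every client that imports ca.crt will trust
# anything this key signs, for any hostname.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA/ca.cnf" -extensions ca_ext \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null

# Issue a leaf certificate for exactly one hostname (no wildcard), with the
# name in subjectAltName, which is what browsers actually check.
issue_cert() {   # $1 = hostname, $2 = output path prefix
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA/ca.cnf" \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf '[ leaf ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" > "$2.ext"
    openssl ca -config "$CA/ca.cnf" -batch -notext -extfile "$2.ext" \
        -extensions leaf -in "$2.csr" -out "$2.crt" 2>/dev/null
}

verify_chain() {      # does the certificate chain to our CA?
    openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1
}
verify_for_host() {   # ...and is it valid for the hostname the client will use?
    openssl verify -CAfile "$CA/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}
verify_with_crl() {   # ...and is its serial absent from the CA's current CRL?
    openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/ca.crl" "$1" >/dev/null 2>&1
}
revoke_and_publish_crl() {   # mark the cert revoked in the database, then sign a new CRL
    openssl ca -config "$CA/ca.cnf" -batch -revoke "$1" 2>/dev/null
    openssl ca -config "$CA/ca.cnf" -batch -gencrl -out "$CA/ca.crl" 2>/dev/null
}

issue_cert dev.example.test "$WORK/dev"
issue_cert api.example.test "$WORK/api"
verify_chain "$WORK/dev.crt" && echo "dev cert chains to Local Dev CA"
verify_for_host "$WORK/dev.crt" dev.example.test && echo "dev cert valid for dev.example.test"
verify_for_host "$WORK/dev.crt" www.example.test || echo "dev cert rejected for www.example.test (hostname mismatch)"

revoke_and_publish_crl "$WORK/dev.crt"
verify_with_crl "$WORK/dev.crt" || echo "dev cert now fails the CRL check (revoked)"
verify_with_crl "$WORK/api.crt" && echo "api cert still passes the CRL check"
```

To make Chrome on an Ubuntu machine stop showing 'Your connection is not private' for certificates issued this way, copy ca.crt into /usr/local/share/ca-certificates/ and run sudo update-ca-certificates, which is the "add the CA's public key to your OS" step from the Chrome answer; keep ca.key off the development machines entirely. For the GlobalSign situation, the same -crl_check run against the published CRL of the intermediate's issuer is how you confirm for yourself whether the intermediate's serial is listed, independent of any support email; the CRL a client caches is a signed snapshot with a nextUpdate time, so a changed CRL is only seen once the cached copy expires or is cleared, which is the "clear the CRL cache" advice in a slightly more honest form.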