SSL Installation Instructions (All Systems)

After your certificate has been issued you will, as on the majority of server systems, install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. This is because your private key always remains on the server system where the CSR was originally created, either inside the application or in a directory and path you chose when you generated the CSR. Your SSL certificate will not work without this private key file.

If you do not see your server listed, perform a search, or contact your server vendor or hosting provider for best practices on how to install an SSL certificate on your system.

Check your SSL installation with the Symantec Certificate Checker 

Instructions for server vendors:


A:
Apache (OpenSSL/Nginx, ModSSL)

Apple Mac OS X 10.6
Apple Mac OS X 10.11

Aruba ClearPass


B:
Barracuda SSL VPN


C:
Citrix Netscaler

Cisco ASA 5510
Cisco Wireless LAN Controller

cPanel


F:
F5 BIG IP
F5 FirePass

FortiGate


I:
IBM AS/400 iSeries
IBM WebSphere


J:
Juniper

JBoss http

JBoss Tomcat using x509 
JBoss Tomcat pkcs7


K:
Kemp 6.x


M:
Microsoft Azure

Microsoft Active Directory LDAP

Microsoft Exchange 2010
Microsoft Exchange 2013

Microsoft Forefront

Microsoft Server 2008 – IIS 7 & 7.5
Microsoft Server 2012 – IIS 8 & 8.5

Microsoft Lync

Microsoft Office 365

Microsoft Sharepoint 2010
Microsoft Sharepoint 2013


O:
Oracle Wallet Manager


P:
Plesk 11.x
Plesk 12


S:
SonicWall

SAP Web Application Server

SRT Titan FTP


T:
Tomcat pkcs7 
Tomcat x509


W:
Web Host Manager (WHM)


Z:
Zimbra


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek, a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDoS, WAF and Malware Removal. If you are looking for security, look no further: Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that fit your needs.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

CSR Generation Instructions (All Systems)

A Certificate Signing Request, or CSR, is a specially formatted block of data containing your public key that is used to enroll for an SSL certificate. The information in the CSR is important to the Certificate Authority (CA): it is needed to validate the details required to issue an SSL certificate.

Creating a CSR also means you are creating your private key. The private key will always remain on the system or application where the CSR is generated, and it will be required later for installation.

If you do not see your server listed, perform a search, or contact your server vendor or hosting provider for best practices on how to generate a CSR on your system.

A CSR must contain the following information:

  • Country Name: Use the two-letter code without punctuation for the country, for example: US or CA.
  • State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts.
  • Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate; for example: Saint Louis, not St. Louis.
  • Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
  • Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
  • Common Name: The fully-qualified domain name, or URL, you’re securing, for example “www.domain.com”. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.domain.com.

Note: On some server systems or applications you might be prompted to associate a password with your CSR. Leave this blank or bypass it by pressing Enter, depending on the system. Associating a password with your CSR will encrypt it and will cause issues with enrollment; if this happens you will have to regenerate the CSR without a password.

To check the information of your CSR visit the SSL Tools CSR Checker.
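To apply the rules above before anything is submitted to the CA, the script below (an added example, not part of the article) validates the subject fields, builds the subject string that the openssl req -subj option takes, and, if openssl is installed, generates the key pair and CSR without a challenge password. The field values and www.example.com are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the SSLSupportDesk article: validate the CSR subject
# fields against the rules listed above, build the -subj string for openssl req,
# and, when openssl is installed, generate the key and CSR with no challenge
# password (the article's note) and print the subject back for verification.
# All field values below are CONSTRUCTED sample data.

# check_csr_fields C ST L O OU CN -> prints "ok", or the first rule violated
check_csr_fields() {
    c=$1; st=$2; l=$3; o=$4; cn=$6          # OU ($5) is optional, nothing to check
    if ! printf '%s\n' "$c" | LC_ALL=C grep -Eq '^[A-Z]{2}$'; then
        echo "Country must be the two-letter code, e.g. US or CA: '$c'"; return 1
    fi
    # Company: symbols typed with the shift key (&, @, ...) must be spelled out or omitted
    if printf '%s' "$o" | grep -q '[&@#$%^*!]'; then
        echo "Company name contains a symbol that must be spelled out or omitted: '$o'"; return 1
    fi
    # State and Locality must be spelled out; a dot is the usual sign of an
    # abbreviation (St. Louis, Mass.), so that is what this catches
    for v in "$st" "$l"; do
        case "$v" in
            *.*) echo "State/Locality must not be abbreviated: '$v'"; return 1 ;;
        esac
    done
    # Common Name: an FQDN; a wildcard is allowed only as the left-most label
    case "$cn" in
        \*.*.*) ;;                                # *.domain.com
        *\**) echo "Wildcard must be the left-most label, e.g. *.domain.com: '$cn'"; return 1 ;;
        *.*) ;;                                   # www.domain.com
        *) echo "Common Name must be a fully-qualified domain name: '$cn'"; return 1 ;;
    esac
    echo ok
}

# build_subject C ST L O OU CN -> the subject in the one-line form openssl req -subj takes
# (field values are assumed not to contain "/", the separator of this form)
build_subject() {
    if [ -n "$5" ]; then
        printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
    else
        printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' "$1" "$2" "$3" "$4" "$6"   # OU skipped
    fi
}

# generate_csr SUBJ KEYFILE CSRFILE -> 2048-bit RSA key and CSR. -nodes leaves the
# key unencrypted and -batch suppresses the challenge-password prompt, which is the
# "leave it blank" advice above; the key file is then readable by its owner only.
generate_csr() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed: fields checked, CSR not generated"; return 0
    fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -subj "$1" -batch 2>/dev/null &&
        chmod 600 "$2" &&
        openssl req -in "$3" -noout -subject   # read the CSR back, as a CSR checker would
}

SAMPLE_DIR=$(mktemp -d)
echo "valid fields:   $(check_csr_fields US Massachusetts Boston 'XY and Z Corporation' 'Information Technology' www.example.com)"
echo "invalid fields: $(check_csr_fields USA Massachusetts 'St. Louis' 'XY & Z Corporation' '' www.example.com)"
SAMPLE_SUBJ=$(build_subject US Massachusetts Boston 'XY and Z Corporation' 'Information Technology' www.example.com)
echo "subject: $SAMPLE_SUBJ"
generate_csr "$SAMPLE_SUBJ" "$SAMPLE_DIR/private.key" "$SAMPLE_DIR/request.csr"
```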

Instructions for server vendors:


A:
Apache (OpenSSL, Nginx, ModSSL)

Apple Mac OS X 10.6
Apple Mac OS X 10.11

Aruba ClearPass


B:
Barracuda SSL VPN


C:
Citrix Netscaler

Cisco ASA 5510
Cisco Wireless LAN Controller

cPanel


F:
F5 BIG IP
F5 FirePass

FileMaker 15

FortiGate


I:
IBM AS/400 iSeries
IBM WebSphere


J:
Juniper

JBoss Http

JBoss Tomcat


K:
Kemp 6.x


M:
Microsoft Azure

Microsoft Active Directory LDAP

Microsoft Exchange 2010
Microsoft Exchange 2013

Microsoft Forefront

Microsoft Server 2003 – IIS 6

Microsoft Server 2008 – IIS 7 & 7.5
Microsoft Server 2012 – IIS 8 & 8.5

Microsoft Lync

Microsoft Office 365

Microsoft Sharepoint 2010
Microsoft Sharepoint 2013


O:
Oracle Wallet Manager


P:
Plesk 11.x
Plesk 12


S:
SonicWall

SAP Web Application Server

SRT Titan FTP


T:
Tomcat


W:
Web Host Manager (WHM)


Z:
Zimbra



Troubleshooting: SSL with Qualys SSL Labs – SSL Checker

There are many SSL checkers available for checking the validity and installation of a website’s SSL certificate. The majority of these checkers vary in the information they display or have limitations, as they only perform the function they were programmed for. Aside from using an SSL checker tool, there is always the manual way of using your browser to check a proper installation.

If you would like to learn how to check using a browser, SSLSupportDesk features such an article: Troubleshooting: Checking SSL installation with a browser.

Some SSL checkers are extremely advanced and will not only check the validity of an SSL certificate but can also point out flaws in a server’s configuration or software.

Qualys SSL Labs has an SSL Server Test (SSL Checker) tool that is well executed and implemented.

Please follow these steps to test your installation:

  1. Open the Qualys SSL Labs Server Test checker.
  2. Enter the URL/domain name of the server that you wish to check and click Submit.


Troubleshooting Unresolved https address:

SSL checkers will only work if your website is publicly accessible from outside your network. If your website is internal you will most likely not get any results.

Example: We used a domain name that does not exist in the outside world and got this result:

[Screenshot: Qualys Checker]


How to read Qualys SSL Server Test Checker:

Using sslsupportdesk.com, which is accessible from the open internet, let’s see how the Qualys SSL Server Test checker works.

With a successful installation we should see the following rating of the server system:

[Screenshot: Qualys Checker]

Summary:

  1. Overall Rating: Based on the quality of the server system running the domain name submitted. The factors that contribute to this overall rating come from combining the categories Certificate, Protocol Support, Key Exchange and Cipher Strength.
  2. Certificate: Factors that affect this grade are…
    1. Domain name mismatch.
    2. Certificate not yet valid.
    3. Certificate expired.
    4. Use of a self-signed certificate.
    5. Use of a certificate that is not trusted.
    6. Use of a revoked certificate.
  3. Protocol Support: The encryption protocols that are available to clients visiting this web server.
  4. Key Exchange: How the keys are exchanged between client and server when setting up encryption, and their strength.
  5. Cipher Strength: Ciphers perform the actual encryption/decryption of the session set up with the server system’s key pair. Some are considered weak, others strong.

Troubleshooting:

Any warnings or concerns that the Qualys SSL Server Test checker finds will be denoted below the Summary.

[Screenshot: Qualys Checker]

Red = Very bad
Yellow = Advisories or industry changes that may turn into red over time.

More information regarding the checker’s findings can usually be found by clicking MORE INFO.

Note: You may need to contact your server hosting provider or server vendor in order to perform updates, turn off certain protocols, or set the proper configuration needed for a good rating.


Authentication:

Server Key and Certificate #1: States the information pertaining to the SSL certificate running on the server system over HTTPS.
Additional Certificates (If Supplied): Lists any additional certificates that the server system also sends. Usually these are intermediate CA certificates.
Certification Paths: Shows the entire chain of trust. Usually SSL Certificate > Intermediate > Root.

Note: The last certificate in this chain will be the root certificate. At times a yellow “Sent by Server” may appear on the root. This only means that when an SSL connection is made to the server, the server is presenting the root certificate to the client along with the rest of the chain. Usually the root certificate should rest only in the client’s browser trust store. Don’t be alarmed, as some servers have to present it due to their programming, although proper practice dictates that they shouldn’t.
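The same questions this section answers can be checked by hand from the chain listing that openssl s_client -showcerts prints. The script below is an added example, not part of the article: it parses such a listing and reports how many certificates the server sent, whether they are in leaf > intermediate > root order, whether the root is being sent by the server, and whether the intermediate is missing. The listings inside it are constructed samples; Example CA Inc and www.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SSLSupportDesk article: parse the "Certificate
# chain" listing printed by
#   openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts </dev/null
# and report what the Qualys Authentication section shows: how many certificates
# the server sent, whether they are in leaf > intermediate > root order, whether
# the last one is a self-signed root ("Sent by Server") and whether the
# intermediate is missing. All listings below are CONSTRUCTED; "Example CA Inc"
# and www.example.com are placeholders.

# Leaf, intermediate and root, root included: Qualys marks the root "Sent by Server".
CHAIN_WITH_ROOT='Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA Inc, CN = Example Intermediate CA
 1 s:C = US, O = Example CA Inc, CN = Example Intermediate CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
 2 s:C = US, O = Example CA Inc, CN = Example Root CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
---'

# Leaf and intermediate only: the root stays in the client trust store (proper practice).
CHAIN_NO_ROOT='Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA Inc, CN = Example Intermediate CA
 1 s:C = US, O = Example CA Inc, CN = Example Intermediate CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
---'

# Leaf only: the intermediate was never installed, so clients cannot build the path.
CHAIN_LEAF_ONLY='Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA Inc, CN = Example Intermediate CA
---'

# Root placed before the intermediate: everything is present, but in the wrong order.
CHAIN_MISORDERED='Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA Inc, CN = Example Intermediate CA
 1 s:C = US, O = Example CA Inc, CN = Example Root CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
 2 s:C = US, O = Example CA Inc, CN = Example Intermediate CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
---'

# chain_pairs LISTING -> one "subject<TAB>issuer" line per certificate, in the order sent
chain_pairs() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/        { sub(/^ *i:/, "");        print subj "\t" $0 }'
}

# chain_count LISTING -> number of certificates the server sent
chain_count() { chain_pairs "$1" | wc -l | tr -d ' '; }

# root_sent_by_server LISTING -> "yes" when the last certificate sent is self-signed
root_sent_by_server() {
    chain_pairs "$1" | tail -n 1 | awk -F'\t' '{ r = ($1 == $2) ? "yes" : "no"; print r }'
}

# chain_order LISTING -> "ok" when every certificate's issuer is the subject of
# the next one sent, "broken" when a link is out of order
chain_order() {
    chain_pairs "$1" | awk -F'\t' '
        NR > 1 && prev_issuer != $1 { bad = 1 }
        { prev_issuer = $2 }
        END { r = bad ? "broken" : "ok"; print r }'
}

# missing_intermediate LISTING -> "yes" when only one certificate was sent and it
# is not self-signed, i.e. the intermediate CA certificate was not installed
missing_intermediate() {
    chain_pairs "$1" | awk -F'\t' '{ n++; self = ($1 == $2) }
        END { r = (n == 1 && !self) ? "yes" : "no"; print r }'
}

chain_report() {
    echo "certificates sent:       $(chain_count "$1")"
    echo "order leaf>inter>root:   $(chain_order "$1")"
    echo "root sent by server:     $(root_sent_by_server "$1")"
    echo "intermediate missing:    $(missing_intermediate "$1")"
}

for listing in "$CHAIN_WITH_ROOT" "$CHAIN_NO_ROOT" "$CHAIN_LEAF_ONLY" "$CHAIN_MISORDERED"; do
    chain_report "$listing"; echo
done
```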



Configuration:

Protocols: The encryption protocols that are available to clients visiting this web server.
Cipher Suites: The child protocols that perform the actual encryption of the session.
Handshake Simulation: Mimics the different browsers used to connect to the server.
Note: Most modern browsers will automatically choose the best, most secure connection they are capable of, regardless of how the server is configured.
Protocol Details: More information regarding how the server system is handling protocols.
Miscellaneous: Server type running the domain name, timestamp of when the check occurred, etc.


The Qualys SSL Labs Server Test checker tool is operated and managed by Qualys. This SSL checker is one of many publicly available on the internet that can help you diagnose problems with your SSL certificate installation, or other errors associated with your server system.



Portecle: Advanced Keystore Creation and Manipulation Tool

Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.

The scenario for using such a tool is when a server system lacks the capability to generate a CSR/key pair on its own. Another scenario is a large network of multiple server types, data centers and so on, where a CSR/key pair created in one system environment faces the tireless keystore conversions required to import it into a different server environment, which can be very time consuming and frustrating.

Portecle eliminates the need for the server to create the CSR/key pair. It acts as a key pair and CSR generator where you can generate a single key pair, create a CSR, import the signed SSL certificate, convert and save this key pair in different format types, and migrate it into the various systems required.

Portecle can be used to, for example:

  • Create, load, save, and convert keystores.
  • Generate DSA and RSA key pair entries with self-signed X.509 certificates.
  • Import X.509 certificate files as trusted certificates.
  • Import key pairs from PKCS #12 and PEM bundle files.
  • Clone and change the password of key pair entries and keystores.
  • View the details of certificates contained within keystore entries, certificate files, and SSL/TLS connections.
  • Export keystore entries in a variety of formats.
  • Generate and view certification requests (CSRs).
  • Import Certificate Authority (CA) replies.
  • Change the password of key pair entries and keystores.
  • Delete, clone, and rename keystore entries.
  • View the details of certificate revocation list (CRL) files.

Appendix:

Downloading and implementing:

  • Downloading Java (If Needed)
  • Downloading Portecle

Using the Portecle Java Application

Getting Started:

  1. Create a new Keystore
  2. Creating a Keypair
  3. Saving a keystore
  4. Generating a CSR
  5. Setting a new password for your keystore

Importing and configuring:

  1. Installing your SSL certificate
  2. Importing an Intermediate CA or “Trusted Certificate” into your Keystore.

How to convert keystore:

  1. JKS keystore converted to PKCS12/.pfx/.p12 keystore or vice versa
  2. Converting your Keystore to Apache .cer/.pem/.crt and .key files

Downloading and Implementing

Downloading Java (If Needed):

  1. Portecle is a Java-based application and you must have Java installed for it to run. If you do not already have Java, download it from the Java website.
  2. Click Agree and Start Free Downloading.
  3. The download will begin.
  4. Open the JavaSetup.exe that you just downloaded to install.
  5. At the Java Setup installer click Install.
    [Screenshot: Java Installer]
  6. After installation click Close.

Downloading Portecle:

  1. Portecle can be downloaded from SourceForge.
  2. Click Download.
  3. The portecle.zip will be downloaded.
  4. Right-click on the compressed portecle.zip folder and select Extract All… to extract all files to a location of your choice.
    [Screenshot: Extracting Portecle]
  5. In the extracted portecle folder, click on portecle.jar to open the Portecle Java executable jar application.
  6. Note: Depending on your system environment you may need to right-click the portecle.jar file, choose Open with… and select Java(TM) Platform.

Using the Portecle Java application:

Getting Started:

Note: When navigating Portecle, the lower left of the application typically shows information pertaining to the keystore, or information about a function when you mouse over it.

Create a new Keystore:

  1. From the File menu, choose New Keystore. Alternatively, click on the New Keystore toolbar icon button.
  2. The New Keystore Type dialog is displayed. Select the desired keystore type for your key pair.
    Keystore types:

    • Major ones:
      • JKS = Java Keystore, used by Tomcat, keytool and Java code signing.
      • PKCS#12 = Used by Windows systems such as IIS/Exchange and other Windows-based applications.
    • Lesser ones:
      • JCEKS = Java Cryptography Extension Keystore (a more secure version of JKS)
      • JKS (case sensitive) = Case-sensitive JKS
      • BKS = Bouncy Castle Keystore (Bouncy Castle’s version of JKS)
      • UBER = Bouncy Castle UBER Keystore (a more secure version of BKS)
      • GKR = GNU Keyring keystore (requires GNU Classpath version 0.90 or later to be installed)
  3. Press the OK button.
  4. The title bar will change to display the text Untitled and the status bar will change to display the chosen keystore type.
  5. Saving your keystore will change Untitled to whatever name you specify for your keystore.

Saving a keystore:

From the File menu, choose Save Keystore. Alternatively, click on the Save Keystore toolbar icon button.

  1. If the keystore is not Untitled then it will be saved immediately. Otherwise…
  2. If you have yet to set a password for your Untitled keystore:
    • The Set Keystore Password dialog is displayed.
    • Specify a password to protect the keystore with, confirm it and press the OK button.
      Note: You will need to remember this password for SSL certificate installation and implementation.
  3. The Save Keystore As dialog is displayed.
  4. Select the folder where the keystore file is to be saved.
  5. Type the filename into the File Name text box.
    Note: For easily accessing your keystores add the extension to your file name based on your keystore type.
    Example:

    • jks keystore File Name: mydomain.jks
    • pkcs#12 keystore File Name: mydomain.pfx
  6. Click on the Save button.

Creating a Keypair:

Before you can get an SSL certificate you have to generate a Certificate Signing Request (CSR), and before you can generate a CSR you have to generate a key pair.

  1. From the Tools menu, choose Generate Key Pair. Alternatively, click on the Generate Key Pair toolbar icon button.
  2. The Generate Key Pair dialog will be displayed. Select a Key Algorithm and Key Size and press the OK button. Key pair generation will start in the background.
    Note: Standards dictate that your key pair/CSR must be at least 2048 bits.
  3. The Generate Certificate dialog will be displayed.
  4. Specify the following information:
    • Signature Algorithm: Leave as the default, SHA256 with RSA.
    • Validity (days): Leave as the default. If you enroll for a CA SSL certificate this will be overridden by the validity of your enrollment.
    • Common Name (CN): FQDN (fully-qualified domain name) of the server (e.g. www.domain.com, mail.domain.com, or for a wildcard certificate *.domain.com). IP addresses are not accepted for enrollment of a CA SSL certificate.
    • Organisational Unit (OU): A department name, such as ‘Information Technology’.
    • Organisation Name (O): The full legal name of the organization.
    • Locality Name (L): City where the organization is located. Do not abbreviate.
    • State Name (ST): State or province where the organization is located. Do not abbreviate.
    • Country Name (C): Two-letter code of the country where the organization is located, for example US.
    • Contact Email (E): Your email.
  5. Click OK.
  6. The Key Pair Entry Alias dialog pop-up will appear.
  7. Specify an alias of your choice for the private key.
    Note: This alias will be used when you import your SSL certificate back into this keystore.
  8. The Generate Certificate dialog will display “Key Pair Generation Successful.” You will also see your private key under the specified alias in your keystore.

    Congratulations, you have just generated a private key for your keystore.

Generating a CSR:

Now that your keystore and private key are created you can generate your CSR.

  1. Right-click on your private key alias and select Generate Certification Request.
  2. Specify the location and path where you want to save this CSR file.
  3. Under File Name change the extension of the CSR request from .csr to .txt. This will save you some steps when submitting the CSR to the CA.
  4. Under the Files of Type dropdown select All Files.
  5. Click Generate.
  6. A confirmation of a successful CSR generation will appear.
  7. You can now submit its entire contents when enrolling for your SSL Certificate from a Certificate Authority.

Importing and Configuring:

Installing your SSL Certificate:

Now that your SSL certificate has been issued by the Certificate Authority you will need to import it into your keystore. Any SSL certificate format will be accepted, but if you received a PKCS#7/.p7b file from your CA you will not need to worry about installing an intermediate CA: this format has the intermediate CA included.

  1. Right-click on your private key alias and select Import CA Reply.
  2. Specify the location and path of the saved SSL certificate file that you received from your CA and click Import.
    Portecle will attempt to match the reply’s root CA to an existing trusted certificate in your keystore.
    Note: If it cannot, the Certificate Details dialog will appear displaying the details of the reply’s intermediate/root CA certificate for you to verify.
  3. After viewing the details, acknowledge the dialog by pressing the OK button.
  4. A further dialog will appear asking if you wish to accept the certificate.
  5. Click Yes.
  6. Save your keystore.

    You have successfully installed and configured your keystore. It can now be moved and imported wherever it is needed.

    Note: When performing Import CA Reply you may receive the error “Cannot establish trust for the CA reply. The import cannot proceed.”
    This error means that there is no trusted certificate in the keystore to support the SSL certificate. It usually appears when installing an X.509/.cer/.pem/.crt format certificate. To resolve it, import your SSL certificate’s intermediate CA certificate first and then import the SSL certificate. See the instructions for importing an intermediate CA or “Trusted Certificate” into your keystore.

Importing an Intermediate CA or “Trusted Certificate” into your keystore.

If you chose Other as your server type and received an SSL certificate in something other than a Windows format, i.e. an X.509/.pem/.crt/.cer format certificate, you will need to import the intermediate CA certificate for your SSL certificate first, or else you will receive the error “Cannot establish trust for the CA reply. The import cannot proceed.” described above under Installing your SSL certificate. To resolve this, perform the following.

  1. From the Tools menu, choose Import Trusted Certificate. Alternatively, click on the Import Trusted Certificate toolbar button.
  2. The Import Trusted Certificate dialog will appear.
  3. Select the folder where the certificate file is stored.
  4. Click on the required certificate file or type the filename into the File Name text box.
  5. Click on the Import button.
  6. A warning will appear. This is expected; it is just telling you that you need to manually confirm that this is a trusted intermediate CA.
  7. Click OK.
  8. The details of the intermediate CA will appear.
  9. Click OK.
  10. Acknowledge that this is a trusted CA certificate by clicking OK.
  11. Under Trusted Certificate Entry Alias specify an alias for the intermediate CA. Any name will do.
  12. Click OK.
  13. Click OK.
  14. Your intermediate should be imported successfully, and a new intermediate certificate should appear within your keystore with the chosen alias.
  15. Save your keystore.
  16. If you still need to install your SSL certificate go to Installing your SSL certificate section of this article.

How to convert Keystore:

JKS keystore to PKCS12/.pfx/.p12 keystore or vice versa:

  1. From the Tools menu, choose Change Keystore Type.
  2. In the Change Keystore Type sub-menu select one of the available format types you want to convert to.
    Note: You will not be able to convert a keystore into the format it is currently in.
  3. If you are converting your keystore from PKCS12 to JKS you may receive a pop-up message.
    This simply means that the password of the newly converted keystore will be set to password by default. You can change this password later.
  4. Click OK.
  5. To change the password to something else instead of “password”, perform the steps in Setting a new password for keystore.

Converting your Keystore to Apache .cer/.pem/.crt and .key files:

Note: This conversion will associate a password with the private key. Not all systems want a password associated with the private key.

cPanel, WHM or other web-hosted environments, for example. Double-check whether the hosted application you are attempting to import this converted private key (with password) into will accept private keys with a password. Typically there will be an option that states something like “password” when installing the private key on such systems.

Recommendation 1: It might be easier to just generate a new CSR from the hosted system, perform a reissue of the SSL certificate and import it directly into that hosted system instead. It will save you steps and the frustration of finding out that the conversion does not work.

Recommendation 2: Convert your keystore into a PKCS12 if it is not one already, and then use a web-based converter or OpenSSL. Some free web-based PKCS12 > PEM/Apache converters found through a Google search will give you a zip with all the certificates in their own respective files, which you open in Notepad and copy and paste into your application. Others will give you one file, from which you will have to open in Notepad and copy and paste the individual certificates (including the BEGIN and END headers) into their own files or into the application directly. You will see an example below in the Apache conversion.

  1. Right-click on the keystore entry in the keystore entries table and select Export from the pop-up menu.
  2. In the Export Keystore Entry pop-up, under Export Type select Private Key and Certificates.
    Note: The other types will not include the private key, which is required when implementing an SSL certificate on any Apache-type system.
  3. Under Export Format select PEM Encoded.
  4. Click OK.
  5. Under Private Key Export Password specify a password to associate with your private key (remember this password, it is necessary to
  6. Click OK.
  7. Specify the location and path where you want to save this Apache file.
  8. Change the extension of the File Name from .pem to .txt (this will save you time later).
  9. Click Export.
  10. You will have a text document that looks like this:
    [Screenshot: the exported PEM text file]
  11. To help you see what these individual certificates are, use an online web-based certificate decoder found through an internet search.
    Note: You will not be able to decode your private key, because the password associated with it encrypts it. Your SSL certificate will have a common name of your domain, such as www.example.com; your intermediate will have a common name pertaining to the Certificate Authority that issued your SSL certificate.
  12. You will have to copy and paste these individual certificates into their own respective Notepad files with either a .txt extension or whatever extension your server requires. Apache typically wants either .crt or .pem for its SSL certificate and intermediate files, and .key for the private key file. Consult your server documentation. When copying/pasting the individual certificates, include the header and footer and all data within.

    Example:
    -----BEGIN CERTIFICATE-----
    {All Encoded Data}
    -----END CERTIFICATE-----
  13. At the end of this journey you should have at least two certificates in their own respective files:
    1. Private key (important)
    2. SSL certificate (important)
    3. Intermediate CA (you may have one; it provides the SSL certificate’s chain of trust)
    4. Root (you may have one, but it typically does not need to be installed on some systems)
  14. Installation on Apache servers will typically require only three files: the private key, the SSL certificate, and the intermediate chain/intermediate CA. Consult your server documentation.
  15. In the time it took you to work through all this, you could probably have just generated a new CSR from your Apache system and performed a reissue of your SSL certificate, giving you a new SSL certificate to install within that Apache environment.
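Rather than cutting the exported text apart in Notepad, the script below (an added example, not part of the article or of Portecle) splits a PEM bundle like the one the export above produces into one file per BEGIN/END block and, when openssl is available, prints each certificate's subject so the server certificate can be told from the intermediate. The bundle it runs on is constructed placeholder data, not a real key or certificate.

```shell
#!/bin/sh
# Added example, not from the article or from Portecle: split the single PEM text
# file that the "Private Key and Certificates" export produces into one file per
# BEGIN/END block, the job the steps above have you do by hand in Notepad. The
# bundle below is CONSTRUCTED: the bodies are placeholders, not real key or
# certificate data, so openssl will not parse them.

PEM_BUNDLE='-----BEGIN ENCRYPTED PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERnotRealKeyData000000000000000000000000000000=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERnotRealServerCertificate0000000000000000000=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERnotRealIntermediateCA0000000000000000000000=
-----END CERTIFICATE-----'

# split_pem_bundle FILE OUTDIR -> OUTDIR/private.key plus OUTDIR/cert1.crt, cert2.crt ...
# in the order they appear; prints "keys=K certs=N other=M". Header and footer lines
# go into the file with the body; text outside BEGIN/END markers is dropped.
# Assumes one private key per bundle, which is what the export above produces.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN / {
            if ($0 ~ /PRIVATE KEY-----$/)      { keys++;  out = dir "/private.key" }
            else if ($0 ~ /CERTIFICATE-----$/) { certs++; out = dir "/cert" certs ".crt" }
            else                               { other++; out = dir "/other" other ".pem" }
        }
        out != "" { print > out }
        /^-----END / { close(out); out = "" }
        END { printf "keys=%d certs=%d other=%d\n", keys, certs, other }
    ' "$1"
    # the private key is the secret part: owner-readable only
    if [ -f "$2/private.key" ]; then chmod 600 "$2/private.key"; fi
}

# describe_exports OUTDIR -> with openssl installed, print each certificate's subject
# so the server certificate (CN = your domain) can be told from the intermediate
# (CN naming the issuing CA), the distinction the note above describes
describe_exports() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed: identify the files with a certificate decoder"; return 0
    fi
    for f in "$1"/cert*.crt; do
        printf '%s: ' "$f"
        openssl x509 -noout -subject -in "$f" 2>/dev/null || echo "not a parseable certificate (placeholder data)"
    done
}

BUNDLE_FILE=$(mktemp)
printf '%s\n' "$PEM_BUNDLE" > "$BUNDLE_FILE"
OUT_DIR=$(mktemp -d)
SPLIT_SUMMARY=$(split_pem_bundle "$BUNDLE_FILE" "$OUT_DIR")
echo "$SPLIT_SUMMARY"
ls "$OUT_DIR"
describe_exports "$OUT_DIR"
```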

Setting a new password for keystore:

  1. From the Tools menu, choose Set Keystore Password. Alternatively, click on the Set Keystore Password toolbar icon button.
  2. The Keystore Password box will display. Enter a password for this keystore and click OK.

Conclusion:

This application also has many other features for you to experiment with. The ones listed in this document are the major ones pertaining to its main functionality: the creation of keystores, private keys and CSRs, importing SSL certificate replies, etc. Remember to always save your keystore to finalise any configuration you want to take effect.


Portecle is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Portecle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Copyright and Legalities-
Copyright © 2004 Wayne Grant
2004 Mark Majczyk
2004-2015 Ville Skyttä



Java Code Signing Certificate Guide

Getting a Java Code Signing certificate is more of a manual process compared to Microsoft Authenticode/Office-VBA code signing.

Java Code Signing is used for signing Java applications for desktops, digitally signing .jar files and Netscape Object Signing. It is recognized by the Java Runtime Environment (JRE).

The following instructions are a supplemental guide to generating and configuring the keystore necessary for Java Code Signing. If you have not already done so, you will need to download the Java Software Development Kit (SDK) from Oracle. If you have any questions or need assistance implementing the Java SDK, contact Oracle for best support.

Unlike other types of code signing, in order to get a Java Code Signing certificate you will need to use the keytool utility to create and configure a .jks keystore. Keep your keystore safe and make backup copies. If you lose your keystore file, or the password to access it, you will need to start from scratch by generating a new keystore and performing a replacement of the certificate.

This article will go over the following:

  1. Step 1 – Create a Keystore
  2. Step 2 – Generating a CSR needed for enrollment for your Java Certificate.
  3. Steps 3 & 4 – Installing the Java Certificate after its issuance.

In order to create and configure your Keystore for Java Code Signing perform the following.

Step 1: Create a Keystore:

  1. Create a certificate keystore and private key by executing the following command:
    Note: You will specify a private key alias. This alias will be used for CSR creation and eventually for installation of the Java Code Signing Certificate.

    keytool -genkey -alias create_Privatkey_Alias -keyalg RSA -keystore path_and_create_KeystoreFilename.jks -keysize 2048
  2. Example alias: tomcat
  3. Enter and re-enter a keystore password.
    Note: Remember your alias name and your private key password. You will require them for installation!
  4. Fill out the applicable information:

    • First and Last Name, or Common Name (CN): With Java code signing, the common name of the certificate is your Organization Name. Example: XY & Z Corporation would be XYZ Corporation
    • Organizational Unit (OU): This field is optional, but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
    • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation
    • Locality or City (L): The Locality field is the city or town name, for example: Boston
    • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: New York
    • Country Name (C): Use the two-letter code without punctuation for the country, for example: US or CA.
  5. Confirm or reject the details by typing “Yes” or “No” and pressing Enter.

Step 2: Creating your CSR from your keystore:
Now that your keystore has been created you can now generate your CSR from it.

  1. Use the following command to create your CSR from your Keystore.
    keytool -certreq -keyalg RSA -alias your_privatekey_alias -file your_csr_file.csr -keystore your_keystore_filename.jks
  2. Create a copy of the keystore file. Having a back-up file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.
  3. To copy and paste the CSR file (your_csr_file.csr in the command above) into the enrollment form, open it in a text editor that does not add extra characters (Notepad or Vi are recommended).

Your CSR request for your Java Code Signing Certificate has been created and is ready for you to copy and paste its contents into the enrollment portal when enrolling for a Java Code Signing certificate.

Step 3: Picking up your Java Certificate:

  1. After validation, the Java Certificate will be sent to the Technical Contact via email. You will see your Java certificate in the body of that email.
  2. Copy the Java Certificate, making sure to include the -----BEGIN PKCS7 CERTIFICATE----- and -----END PKCS7 CERTIFICATE----- header and footer. Ensure there are no white spaces, extra line breaks or additional characters.
  3. Using a plain text editor such as Notepad, paste the content of the certificate and save it with the extension .p7b (when performing this on a Windows system the icon of the file should change to a certificate icon).

Step 4: Installing your SSL certificate:
It is recommended that you have your keystore, certificate and keytool.exe in the same folder; otherwise you will need to specify the full file path when running the following commands. You may want to make a copy of your keystore in case there are issues with installation.

  1. Import the certificate into the keystore used for CSR creation.
    Note: Use the same private key alias name that you chose when you created the keystore for CSR creation.

    keytool -import -alias your_Privatekey_alias -trustcacerts -file your_SSL_Certificate.p7b -keystore your_keystorename.jks
  2. You will be prompted to enter the password to access the keystore.
    Note: If you do not know your password you will have to start from scratch by generating a new keystore and a new CSR, and perform a reissue of the certificate.

If the installation is successful you will see “Certificate reply was installed in keystore”.

Your Java Certificate should now be installed and configured in its keystore. You will sign your Java code with this configured keystore.

For actual signing procedures and information on how to sign code, see Oracle's tech notes on jarsigner.
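The copy-and-paste steps above (the CSR in Step 2, the PKCS#7 reply in Step 3) are where most keytool import failures start, so it is worth checking the pasted text before it reaches the enrollment form or keytool -import. The following Python script is an added example written for this guide; it is not part of the guide itself, of Oracle's keytool, or of any enrollment portal. It accepts a pasted block, reports stray whitespace, blank lines, damaged headers, non-base64 characters and truncated data, and returns a normalised copy that is safe to save as the .p7b (or .csr) file. The "PKCS7 CERTIFICATE" label mirrors the header quoted in Step 3, and "NEW CERTIFICATE REQUEST" is the label keytool -certreq writes; the sample block shipped with the script is a constructed stand-in for a certificate reply, not a real certificate.

```python
"""Sanity-check a pasted PEM block (a CSR from `keytool -certreq` or a
PKCS#7 certificate reply) before it goes into an enrollment form or
`keytool -import`.  Added example; Python standard library only."""
import base64
import re

# A PEM block is one BEGIN line, base64 body lines, one END line.
_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 #]+)-----$")
_FOOTER = re.compile(r"^-----END ([A-Z0-9 #]+)-----$")
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# DER encoding of the PKCS#7 signedData content-type OID
# (1.2.840.113549.1.7.2); a .p7b certificate reply carries it up front.
_PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def _der_outer_length(der):
    """Total length the outermost DER SEQUENCE claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_label):
    """Check that `text` holds one clean PEM block labelled `expected_label`.

    Returns a dict: ok (bool), problems (list of str), clean (normalised
    text with LF endings and no stray whitespace), der (decoded bytes or None).
    """
    problems = []
    raw = [ln.rstrip("\r") for ln in text.split("\n")]     # tolerate CRLF
    lines = [ln.strip() for ln in raw]
    if any(r != s for r, s in zip(raw, lines)):
        problems.append("leading/trailing whitespace on one or more lines")
    if lines and lines[-1] == "":
        lines.pop()                         # a single trailing newline is fine
    blanks = lines.count("")
    if blanks:
        problems.append(f"{blanks} blank line(s) inside the block")
    lines = [ln for ln in lines if ln]
    clean = "\n".join(lines) + "\n"
    head = _HEADER.match(lines[0]) if lines else None
    foot = _FOOTER.match(lines[-1]) if len(lines) > 1 else None
    if not head or not foot:
        problems.append("missing or damaged BEGIN/END header or footer")
        return {"ok": False, "problems": problems, "clean": clean, "der": None}
    if head.group(1) != foot.group(1):
        problems.append("BEGIN and END labels do not match")
    if head.group(1) != expected_label:
        problems.append(f"label is {head.group(1)!r}, expected {expected_label!r}")
    body = lines[1:-1]
    bad = [i + 2 for i, ln in enumerate(body) if not _B64_LINE.match(ln)]
    der = None
    if bad:
        problems.append(f"non-base64 characters on line(s) {bad}")
    else:
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError as exc:
            problems.append(f"base64 decode failed: {exc}")
    if der is not None:
        if _der_outer_length(der) != len(der):
            problems.append("decoded data is not one complete DER SEQUENCE "
                            "(truncated or padded paste?)")
        elif head.group(1).startswith("PKCS7") and \
                _PKCS7_SIGNED_DATA_OID not in der[:32]:
            problems.append("PKCS7 block does not carry a signedData content type")
    return {"ok": not problems, "problems": problems, "clean": clean, "der": der}


# Constructed stand-in for a certificate reply: a DER SEQUENCE holding the
# signedData OID and an empty [0] body.  It is NOT a real certificate chain;
# it only exercises the structural checks above.
SAMPLE_DER = bytes.fromhex("300f") + _PKCS7_SIGNED_DATA_OID + bytes.fromhex("a0023000")
SAMPLE_P7B = ("-----BEGIN PKCS7 CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
              + "-----END PKCS7 CERTIFICATE-----\n")
# The same block as it often arrives from a mail client: CRLF line endings,
# an indented footer and a blank line in the middle.
SAMPLE_MESSY = SAMPLE_P7B.replace("\n", "\r\n").replace("-----END", "\r\n  -----END")

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_P7B), ("messy", SAMPLE_MESSY)):
        result = check_pem(sample, "PKCS7 CERTIFICATE")
        print(name, "ok" if result["ok"] else result["problems"])
```

When the result is not ok but `der` is still present, the problems were cosmetic (whitespace, line endings) and the `clean` text can be written out and imported; when `der` is None the paste itself is damaged and the certificate should be copied again from the email.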

If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Oracle Java Support

For more information refer to Java.



Microsoft Authenticode/Office-VBA Code Signing Certificate Guide

Enrollment for Microsoft Authenticode/Office-VBA Code Signing is a fairly simple process, unlike Java Code Signing. But there are some steps that need to be explained and remembered in order to have a successful enrollment and certificate pickup.

Microsoft Authenticode/Office-VBA Code Signing is used to digitally sign 32-bit or 64-bit user-mode files (.exe, .cab, .dll, .ocx, .msi, .xpi, and .xap) and Windows kernel-mode software, as well as Microsoft Office VBA objects, macros, and third-party applications using VBA.

Here is a list of things to be aware of when enrolling for Microsoft Authenticode/Office-VBA Code Signing:

  1. Certificate creation for Microsoft Authenticode/Office-VBA Code Signing is conducted in your browser during enrollment. Depending on the code signing product, you will be advised of the enrollment requirements, such as which browser to use.
    Note: When enrolling for a code signing certificate through Acmetek or SSL2048, you are required to use a Firefox or Internet Explorer browser for enrollment and pickup of the code signing certificate.
  2. The legal information added to the code signing certificate is pulled directly from the information you enter during enrollment.
  3. If you would like your code signing certificate to look a certain way you must specify it as such in all the required fields pertaining to Corporate Legal Name or Company fields.
    Example:
    acmetek global solutions inc will not give me the more visually appealing Acmetek Global Solutions, Inc. The enroller must state Acmetek Global Solutions, Inc. in order to get it on the issued certificate.
  4. If you have a subdivision that is responsible for this code signing certificate you will have the option to specify it under the Division or OU fields during enrollment.
  5. Important: During enrollment you will have the option to list the Technical Contact on the order. The enroller is actually creating the private key pair within their browser. It is important to keep this in mind for the following reasons:
    • Once the certificate is issued, an email will be sent to the Technical Contact with instructions to click on a link in order to pick up the Microsoft code signing product. That link must be clicked on, or copied and pasted, in the same system and browser that was used for the initial enrollment of the code signing certificate.
    • If the enroller (Admin Contact) is different from the Technical Contact, that email must be forwarded to the enroller so that the link can be clicked on, or copied and pasted, in the same system and browser that was used for the initial enrollment.
  6. The certificate pickup link must be clicked on, or copied and pasted, in the same system and browser that was used for the initial enrollment of the code signing certificate.
  7. Once you get confirmation in your browser that the code signing certificate has been installed you can begin your signing or export/backup the code signing certificate and distribute it to your developers.
  8. For instructions on how to export/backup your code signing certificate click on one of the links below for the corresponding browser you used.
    How to export a certificate from Firefox
    How to export a certificate from Internet Explorer

With your new Microsoft Code Signing certificate you will sign your Windows-based applications. For actual signing procedures, support and more information on how to sign code, contact Microsoft.



Clearing Confusion – TLS & SSL certificates are the same thing.

The term “SSL certificate” has been used for marketing purposes since the creation of digital certificates. SSL, just like TLS, is actually a protocol that utilizes a digital certificate's keypair.

TLS & SSL Certificate
“TLS and SSL can both use the same digital certificate”

A digital certificate keypair by itself is nothing more than a placeholder of 2048 bits or greater, needed in order to perform encryption and validation. A protocol is the actual encryption function that uses that keypair to start encryption, such as the TLS or SSL protocols. These protocols are set up and chosen on the server side by a server admin. Since TLS and SSL are protocol functions on the server and do not pertain to the digital certificate's keypair, it is unclear why the industry calls digital certificates “SSL certificates”. All versions of the SSL protocol are now considered vulnerable, leaving only TLS until something better eventually comes along.

Because of the SSL marketing gimmick around the industry, and the lack of secure SSL protocols, there is now a fountain of confusion flying around. Here are some examples:

“Since SSL versions are vulnerable to the POODLE attack, is it possible to use TLS 1.2 instead of an SSL certificate?”

“We need to upgrade our SSL certificate to TLS 1.2”

“My certificate states it is an SSL certificate, but I asked for a TLS certificate. Did I do something wrong?”

A standard digital certificate can use both TLS and SSL because they are both protocols that are configured on the server. There is no such thing as an SSL certificate that will only work for the SSL protocol or a TLS certificate that will only work for the TLS protocol.

Remember, that a digital certificate keypair is essentially just a bit place holder for encryption. All mainstream digital certificates are essentially TLS/SSL  because of the protocols that can use it.
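To make the point concrete in code: the protocol floor is a setting on the server's TLS configuration, and the certificate is loaded with an identical call whatever that floor is. The following Python example is added here and is not part of this article; it uses only the standard library's ssl module. The certfile and keyfile parameters are the usual PEM files a server would load (the example runs without them so the configuration can be inspected on its own), and the version list it reports is what the context is configured to allow, which the underlying OpenSSL build must also support.

```python
"""Where the protocol choice lives: in the server's TLS configuration, not
in the certificate.  Added example; Python standard library only."""
import ssl

# Oldest to newest.  SSLv3 is the last SSL version; everything after is TLS.
_LADDER = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
           ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def server_context(certfile=None, keyfile=None,
                   minimum=ssl.TLSVersion.TLSv1_2):
    """Build a server context that negotiates only `minimum` or newer.

    The certificate and private key (PEM files) are loaded the same way
    whatever protocol versions are enabled; nothing in the key pair ties it
    to SSL or to TLS.  `certfile` is optional so the function can be
    exercised without a certificate on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The protocol floor is a server setting.  Raising it to TLS 1.2 shuts
    # out SSLv3 (POODLE) and TLS 1.0/1.1 without touching the certificate.
    ctx.minimum_version = minimum
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # identical call for any floor
    return ctx


def configured_versions(ctx):
    """Names of the protocol versions `ctx` is configured to allow, oldest
    first (the OpenSSL build underneath must also support each of them)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _LADDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _LADDER[-1]
    return [v.name for v in _LADDER if lo <= v <= hi]


def allows_ssl(ctx):
    """True if the context would still accept an SSL (pre-TLS) handshake."""
    return "SSLv3" in configured_versions(ctx)


if __name__ == "__main__":
    # Pass certfile="server.pem", keyfile="server.key" to load a real pair.
    ctx = server_context()
    print("configured:", configured_versions(ctx))
    print("accepts SSL:", allows_ssl(ctx))
```

The same certificate file would serve a context built with a lower floor; only the server-side setting decides whether an SSL handshake is accepted, which is the article's point.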



End of Life Announcement for Symantec Digital ID for Secure Email

Symantec will be discontinuing the availability of its Digital ID for Secure Email offering. To ease this transition, Symantec is phasing out this offering as follows:

August 22, 2016 – End of Sale: Symantec will stop selling the Digital IDs offering. No new certificates will be issued.

August 23, 2017- End of Life & End of Support: All certificates will expire or are revoked. Symantec Digital IDs for Secure Email support and operations will cease.

Why? For a more secure world of course

The retail versions of the Symantec Digital IDs for Secure Email did not accurately authenticate clients. When a Digital ID certificate was issued, Symantec placed “Persona Not Validated” in the Common Name field because Symantec did not verify that the individual registering the email address is indeed legally recognized by that name. Because this ID is not validated, these certificates are designated as such to separate them from those validated through a notary enrollment process.

Example:

Authentication procedures cannot prove that the person who enrolled for the retail digital ID is indeed JON DOE with an email of likescheese@mailcom. That is why the common name of these certificates states “Persona Not Validated”.

Alternatively, customers can purchase an ENTERPRISE offering (NOT the RETAIL offering) to protect digital communication. These user-authenticated, notarized certificates accurately state the name of the user to whom they are issued, because validation checks are performed within the enrolled organization.

Digital IDs for Secure Email (Class 1) support can be found here, and any concerns can be addressed by sending an email to id-queries@symantec.com

What do User Digital IDs Do in General?

Compromised email can mean loss of IP and damage to reputation. A digital ID is like an electronic driver's license or passport that proves your identity. Digital IDs allow you to digitally sign and encrypt your digital communications using a certificate bound to your validated email address.

Use Digital IDs to:

  • Digitally sign email: A red ribbon icon on the email indicates it came from a valid email address.
  • Encrypt email: A blue envelope icon on the email indicates it remained private during transmission (only the recipient can securely open it).
  • General signature and encryption: Microsoft Word allows for digital signing of Word documents.
  • Enterprise authentication: In enterprise environments it digitally authenticates the holder of the certificate in order to gain access to applications or network environments.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Acmetek offers all 4 Brands of SSL Certificates: Symantec, Thawte, GeoTrust and RapidSSL. Offering Norton Shopping Guarantee that inspires trust and increases online sales with a 20x ROI Guarantee.

Contact an SSL Specialist to buy your SSL Certificates from Acmetek, a Symantec Strategic/Platinum Distributor.

Become a Partner and create additional revenue stream while the heavy lifting for you.

End of Life Announcement for Symantec ECA Certificates

Symantec will be discontinuing the availability of its External Certificate Authority (ECA) Certificates offering. Symantec is phasing out this offering as follows:

August 16, 2016 – End of Sale: Symantec will stop selling the ECA offering. No new ECA certificates will be issued.

August 16, 2016 – End of Renewal: Symantec will stop renewals for all the existing certificates.

August 17, 2017 – End of Life: All certificates will expire or are revoked. Symantec ECA operations will cease.

What is an ECA Certificate?

Symantec was certified by the United States Department of Defense (DoD) as a provider of External Certification Authority (ECA) digital certificates for government contractors, state and local governments and employees of foreign governments. ECA certificates enable secure on-line transactions with DoD agencies, digitally signing documents, and encrypting e-mail communications.

Who does this affect?

If you are not interacting with the Department of Defense then this will not affect you. It only affects those who do business with or work for the DoD digitally in order to gain access to DoD systems. If you do work for the DoD, ask the proper DoD IT security agent for more information. More than likely, if this directly affects you, you should already have received some sort of information from a DoD entity.

If you need more information and to stay up to date on the Symantec ECA and its End of Life visit

https://www.symantec.com/products/information-protection/eca-certificates



Memorandum Requires Secure Connections across Federal Websites

Memorandum Requires Secure Connections across Federal Websites and Web Services.

Signed June 8th 2015, the Executive Office of the President has enacted memorandum M-15-13, also known as the HTTPS-Only Standard, which requires that all publicly accessible Federal websites and web services only provide service through a secure connection.

This is very important because unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Any data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

“All browsing activity should be considered private and sensitive.”

Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection, and the Federal Government needs to set a precedent that in this day and age web security is as important as the air we breathe.

Although the challenges are few, there are some considerations and implementations of HTTPS that may have an effect on these Federal Government services.

Challenges and Considerations:

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.

Server Name Indication: The Server Name Indication (SNI) extension to SSL/TLS allows for more efficient use of IP addresses when serving multiple domains. However, this extension is not supported by some legacy clients. The SNI value is the Fully Qualified Domain Name (FQDN) of the site being requested, for example www.energy.gov.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.
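The mixed-content audit described above can be automated for a static page. The following Python script is an added example, not part of the memorandum or of any agency tooling: it parses an HTML document with the standard library, resolves every automatically fetched sub-resource against the page's own HTTPS URL, and reports the ones that would still load over plain HTTP. Relative and protocol-relative references inherit the page's scheme and are correctly left alone, as are plain hyperlinks, which navigate rather than load. The sample page and the agency.example hostnames in it are constructed for the demonstration.

```python
"""Find mixed content in an HTML page: sub-resources that a page served
over HTTPS would still fetch over plain HTTP.  Added example, stdlib only."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches automatically.  Hyperlinks
# (<a href>) are deliberately absent: navigating to http:// is not mixed content.
_RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),          # only for stylesheet/icon/preload/prefetch links
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
_FETCHED_LINK_RELS = ("stylesheet", "icon", "preload", "prefetch")


class _MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (line number, tag, attribute, reference)

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v) for k, v in attrs if v is not None]
        if tag == "link":
            rel = dict(attrs).get("rel", "").lower()
            if not any(r in rel for r in _FETCHED_LINK_RELS):
                return              # e.g. rel="canonical" is never fetched
        for attr, value in attrs:
            if attr not in _RESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset holds "url descriptor, url descriptor, ..."
            refs = ([value] if attr != "srcset" else
                    [part.split()[0] for part in value.split(",") if part.strip()])
            for ref in refs:
                ref = ref.strip()
                # Resolve relative and protocol-relative URLs against the page;
                # only an explicit http:// scheme survives as a finding.
                if urlsplit(urljoin(self.page_url, ref)).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, attr, ref))


def find_mixed_content(html, page_url):
    """Return [(line, tag, attr, url), ...] for every http:// sub-resource."""
    parser = _MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the agency.example hosts are placeholders.
PAGE_URL = "https://www.agency.example/index.html"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.agency.example/site.css">
<link rel="canonical" href="http://www.agency.example/">
<script src="//static.agency.example/app.js"></script>
</head><body>
<img src="/images/seal.png" alt="seal">
<img src="http://img.agency.example/banner.png" alt="banner">
<a href="http://www.agency.example/about">About us</a>
<iframe src="http://video.agency.example/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_HTML, PAGE_URL):
        print(f"line {line}: <{tag} {attr}=...> loads {url} over HTTP")
```

Run against the sample, the stylesheet, the banner image and the iframe are reported; the canonical link, the protocol-relative script, the relative image and the hyperlink are not. Pointing the script at real page sources gives a first worklist for the "update, replace, or remove" pass the memorandum describes.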

APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. With that said, admins may have to upgrade their system topologies in order to meet this standard. Federal websites and services should also deploy HTTPS in a manner that allows for rapid updates to certificates and proper cipher choices.

One standard that has affected legacy systems and will need to be taken into account is the SHA-2 standard, required because of the SHA-1 weakness that the commercial browser industry has acted on. For example, old Microsoft IIS 6 (Server 2003) systems lack the ability to understand the SHA-2 algorithm due to their 12-year-old software. Federal web service admins should evaluate the feasibility of using technology to improve performance efficiency and may have to upgrade their infrastructure as soon as possible.

In order to secure and implement HTTPS, a digital server certificate, issued by a trusted Certificate Authority, will have to be issued to the SNI/FQDN of the HTTPS web service.

The Office of Management and Budget (OMB) affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Implementation of Server Certificates with HTTPS will help fight unofficial or malicious websites claiming to be Federal services, and block hacker eavesdropping on communications with official U.S. government sites.

Acmetek Global Solutions, Inc. is very familiar with the standards of the industry and has the Managed PKI solutions and recommendations needed to assist Federal/State government agencies on matters of web network security.

