Google Chrome Will Mark HTTP Sites ‘Not Secure’ from July 2018 with the Release of Chrome 68

New Highlights:

• Google Chrome will start labelling all Non HTTP sites as “Not Secure”
• The change will come with the Chrome 68 release in July 2018
• Google’s Lighthouse tool, an open source app, helps developers run audits on web pages

For the past several years, Google strongly advising webmasters (sites) to adopting HTTPS encryption. Google said that within the last year, they helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.

As a part of this plan Google first rolled out with Chrome 58 when Google marked all HTTP pages as “Not Secure” if the web pages having password or payment credit card fields and the second stage with Chrome 62 version when Google marked all HTTP website pages opened in a private browsing windows as “Not Secure” and beginning in July 2018 with Chrome 68 release will mark all HTTP sites as “not secure” is the final stage.

In a recent announcement, Google has confirmed that when users visit every HTTP websites on Chrome they will be flagged as “Not Secure” from July 2018 with the release of Chrome 68.

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

Developers have clearly heard the call, according to Google, the results of the efforts have been:

• Over 68% of Chrome traffic on both Android and Windows is now protected
• Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
• 81 of the top 100 sites on the web use HTTPS by default

So it’s clear that HTTPS is the wave of the future when it comes to internet security.

Google Lighthouse Tool

Google itself has a Lighthouse tool is an open-source, automated tool for improving the quality of web pages. Google encourage websites to use HTTPS with its automated Lighthouse developer tool and other set-up guides to transition over.

Take a Strategic Decision to Buying a Right SSL Certificate

Focus on choosing the right SSL Certificate for your business need. Before buying an SSL Certificate, you need to understand specific requirements to secure websites such as to protect Single Domain, Multiple Sub-Domains or Different websites. Move your website from HTTP to HTTPS with an SSL Certificate today!
If you want to know more how to protect your website and safeguard customer’s data? Please complete the form below to get more assistance from an Acmetek trusted security specialist advisor today!

You May Have to Reissue your Certificate!!

Since announcing the acquisition, DigiCert has actively engaged with the security community to explore paths that address browser concerns about Symantec/Geotrust/Thawte/Rapidssl-issued certificates while balancing the SSL/TLS implementations currently deployed. 

Symantec-issued certificates impacted by browser timelines will need to be replaced to bring them under the new Digicert platform. These will be replaced at no cost to all certificates issued prior to December 1st 2017, and Digicert will work to ensure a smooth process. Many customers have already received information on certificate replacement, and more information will be forthcoming for affected parties.

Acmetek is currently working on a smooth transition for their clients and will be notified if they have an effected cert by this transition in the next couple of months. 

Things to know:

DigiCert acquired Symantec under the terms of the agreement, $950 million acquisition of Symantec Website Security and PKI solutions related to SSL/TLS certificates business received in upfront cash proceeds and approximately 30% stake in the common stock equity of DigiCert.

DigiCert completes acquisition of Symantec’s certificate authority business on 31st October. The deal to acquire Symantec’s Website Security and Related PKI Solutions was first announced on August 3rd. DigiCert is a leading provider of scalable identity and encryption solutions.

Speaking on this occasion DigiCert CEO John Merrill said, “Today starts an exciting era for the current customers and partners of both Symantec and DigiCert, For Symantec customers, they can feel assured that they will have continuity in their website security and that we will provide a smooth transition. Our customers and partners will benefit from our accelerated investment in products and solutions for SSL, PKI, and IoT. DigiCert will also lead to shape PKI security standards through our participation in industry standards bodies to ensure our customers stay at the forefront of security practices. DigiCert is prepared for this opportunity.”

“The addition of Symantec Web PKI solutions to DigiCert will provide a customer experience that is second to none. We are excited for Symantec customers to benefit from solutions that help advance and strengthen website security,” said Greg Clark, Symantec CEO. “We expect Symantec and DigiCert customers to benefit from focused investment in the next generation of security solutions for our respective customers, and today’s action helps advance this important objective”

This acquisition will bring together the best minds in the industry and provide customers a reinforced technology platform, unparalleled customer support, and cutting-edge innovations. DigiCert will continue its operations from its headquarters at Lehi, Utah with a combined strength of around 1,000 professionals.

What Symantec Customers Can Expect

DigiCert has a strong reputation in the industry for being fast, reliable and excellent customer support. Symantec customers can experience this DigiCert’s service in addition to industry-leading OCSP response times, and award-winning PKI and IoT management platforms.

DigiCert’s platform is highly scalable and is designed for high-volume deployments for SSL and IoT and stress tested for billions of certificates. DigiCert will be able to continue providing industry-leading issuance times, even with the added Symantec Website Security business.

What DigiCert Customers Can Expect

The addition of Symantec’s Website Security to DigiCert brings together the best talent in the industry which will further the efforts to reinforce the SSL, PKI, and IoT based solutions.

Since announcement to acquire Symantec Website Security in the month of August 2017, DigiCert has focused to work on fixing the browser requirements for Symantec issued certificates and plans to replace with affected certificates for free and without disturbing to ongoing customer business in order to ensure continued trust.

“DigiCert is well positioned for this opportunity,” said Jody Cloutier, former senior program manager, Microsoft Cryptographic Ecosystem. “During my time at Microsoft managing the root store program, I always found DigiCert to be committed to advancing online trust. I expect that this acquisition will lead to increasing investments in new platforms and products that will benefit customers.”

DigiCert look forward to building a big security company and supporting all of Symantec’s Website Security and PKI solutions and their customers well into the future.

What Acmetek Can Offer Its Customers & Partners?

Acmetek will be able to offer an even wider range of solutions from both Symantec and DigiCert. Current Symantec customers can continue to order and purchase certificates the same way they always have. In addition, they can still use existing Symantec management tools. Account management contacts, existing contracts, brands, and validity periods for certificates will remain the same, as does pricing as off now.

We are worked up about bringing together the best of what Symantec has to offer with DigiCert. Acmetek partners and customers are having amazing opportunities in terms of various advanced security solutions. With this acquisition is the best situation for all parties like DigiCert, Symantec clients, partners, and resellers. The SSL and PKI solutions platform have a great bright future with a new responsible leader in the website security industry.

We’ll keep on updating to our customers and partners for transmitting updates with regular communication for further questions. Acmetek has dedicated support team is standing by around-the-clock, ready to assist you with any questions or concerns you may have. Do you want to buy an SSL Certificates at low cost? Simply you can click on request a quote form to submit your requirements.

For the latest Acmetek news and updates, visit www.acmetek.com/announcements/ or follow us on Facebook @Acmetek and Twitter @Acmetek

The Certificate Authority Browser Forum, Also known as CA/Browser Forum, is a voluntary consortium of Certificate Authorities such as Symantec, Digicert, Comodo, and tech Operating System makers such as Apple, Mozilla, Microsoft, etc.. decide the fate of security on the internet. The CA/Browser Forum purpose is to be proactive, and keep the internet secure for users and businesses all over the world.

The CA/Browser Forum recently passed Ballot 193 will effect all Certificate Authorities and those who manage SSL/ TLS Certificates. Effective almost immediately (April 22, 2017).

• Effective April 22, 2017
  Reduces the length of time that authenticate information can be re-used to authenticate subsequent certificate, from 39 months (3 years 2 months) to 27 months (825 days / 2 years) New, Renewal and Replacement certificates will be subject to this change. This seems a little abrupt and might be changed in order for the CA’s to prepare for this new standard but should not effect the majority of clients while this transition is taking place.
• Effective March 1, 2018
  Decreases the maximum validity period of SSL/TLS Certificate to 27 months (825 days). Eventually there will be no more three year option. No certificate after this date can have a validity passed 27 months.

Things to know:

Authentication:

• Existing certificates:
  • Are not effected. The authentication work is already complete and no action is necessary.
• Reissue (replacement) of your SSL Certificate:
  • DV (Domain Validated Certificates) –
    DV certificate reissues such a Quick SSL or Rapid SSL Products currently undergo domain validation; this there is no impact to DV certificate reissues. Reissued 3rd certificates after March 1 2018
  • OV (Organization Validation) –
    Some OV reissues for products like True ID or Secure Site may not instantly issue in the event that the authenticated data used to approve the original certificate is older than 825 days or is otherwise no longer valid. In some cases, reissues will undergo authentication, though many reissue will continue to be instantly issued. Typically 3 year certificate may be effected by this revalidation and not get automatically reissued.
  • EV (Extended Validation) –
    EV reissues are not impacted due to their already 2 year 825 validity day nature.
• Renewal certificates:
  • Certificate renewal will continue to leverage existing authentication and automation whenever possible, and in many cases will be quickly approved.
  • With the shorter validity of authentication data (27 months), renewals will require more frequent authentications.
  • With the shorter validity period network admins will have visit their server & networks more frequently for CSR generation and SSL installation.

Technical:

• Reissues/Replacements:
  • Since the technical validity of a certificate after the date of March 1, 2018 can only have a 27 month / 825 day lifespan if for whatever reason a reissue is needed the certificate may have time removed from their certificate.
    Example: If an Admin gets a new/renewed 3 year certificate on February 29th 2018 and needs to perform a reissue due to a technical matter we could see a certificate cut to 27 months instead of 37 months.
    Note: Due to this technicality Acmetek will be proactive and will put a stop to 3 year certificate enrollments to closer the deadline approaches to prevent this scenario the best we can.

To keep up with the progress of technology the CA/Browser Forum is always coming up with new industry standards. These standards guide and move the internet to a more safer and secure environment for its users. Information regarding the CA/B Forum on is always made publically available at cabforum.org

Lead Tech Engineer, Acmetek
Dominic Rafael

Firstly, key note is that Certificates today require no action – there is no security issue nor any issues with issuance !! Google’s unilateral changes to the Chrome browser do not require any action immediately. Enough is Enough.

On behalf of Symantec, we want you to note that Symantec is proud to be one of the world’s leading certificate authorities. Symantec strongly objects to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was certainly unexpected, and Symantec believes the blog post was irresponsible! Symantec hopes that this was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

Google’s statements about Symantec’s  issuance practices and the scope of Symantec’s  past mis-issuances is exaggerated and misleading. For example..

• Google’s claim that Symantec has mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm as they were for test purposes .
• While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google of recent has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.

Symantec has taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.

Symantec operates our CA in accordance with industry standards and maintains extensive controls over our SSL/TLS certificate issuance processes and Symantec works to continually strengthen their CA practices. Symantec has substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Symantec’s most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

Note that Symantec wants to reassure their customers and all consumers that they can continue to trust Symantec SSL/TLS certificates.

Symantec will continue to vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post. Symantec is currently open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.

“We suggest and strongly recommend that you continue as normal with your procurement of Symantec SSL Certificates as we are working to clarify Google’s statement. You can expect an update soon once we assess if changes are necessary.”

–  Lead Engineer – Encryption , Acmetek Global Solutions, Kevin S Naidoo

Acmetek’s Platinum Partnership with the worlds leading Certificate Authorities (CA’s) Symantec and Thawte are able to bring to Acmetek Clients a Free domain SAN with the enrollment
of an SSL/TLS Certificate.

This means your website will work when your clients visit your website by either www or without. No more forwarding of website traffic or paying extra for an extra Subject Alternative Name (SAN) domain. Something that should automatically come by default. Many CA’s the world over do not provide this functionality to their clients which causes a technical nightmare to web developers, and Network administrators. But Acmetek is able to provide you with a simpler solution.

Here is how it works:

1. When enrolling for a standard Symantec or Thawte SSL product with a Certificate Signing Request (CSR) Common Name of www.domain.com (example) Symantec/Thawte will automatically add the base domain of domain.com as a free SAN to the certificate.
2. If the Common Name of the CSR has only domain.com then Symantec/Thawte will automatically add www to the Certificate.
3. For Wildcard Certificates products, when your CSR has the Required Common Name of *.domain.com, Symantec/Thawte will add the base domain of domain.com as a free SAN.

Products benefiting from free SAN from this change:

SSL/TLS Certificates are the first step in maintaining a secure website or network for your business. Symantec product especially contain the right tools along with with their Products to give you an overall security soltuion. Read more about Symantec and Thawte website security solutions on our site!

Symantec

Thawte

Acmetek is always brings the best security solutions to fit our clients needs. Our partnerships and tools are dedicated to providing easy solutions in website security.

Lead Engineer: Dominic Rafael
dsrafael@acmetek.com

We want to inform you about new industry requirements that were announced by the Certificate Authority Security Council (CASC) for Code Signing certificates on 8th December 2016 and that comes into effect on the 1st of February 2017.

The new requirements address four key areas within our Code Signing products and provide a safer experience and minimize the risk of Code Signing attacks.

To reduce the chance of issuing certificates to malicious publishers the guidelines require that Symantec:

• Follow a strict and standardized identity verification process to authenticate publishers
• Check all Code Signing orders against lists of suspected or known malware publishers
• Check all Code Signing orders that were previously revoked by Symantec where the certificates were used to sign suspect code.

Symantec has also introduced a ‘Certificate Problem Reporting’ system for both Symantec and Thawte Code Signing certificates which will allow third parties like malware organisations and software suppliers to report issues relating to key compromise, certificate misuse and possible fraud. Under the new arrangement, once Symantec receives a request, we will either revoke the certificate within forty eight hours, or alert the requestor that we have started an investigation.

Symantec has enhanced their timestamping services for their Code Signing customers to meet the new requirements. More information can be found in the following KB articles for Microsoft Signing and Java Signing.

The main benefit of using a timestamp is that the signature does not expire when the certificate does, which is what happens in normal circumstances. Instead, the signature remains valid for the lifetime of the timestamp, which can be as long as 135 months.

Symantec has published a set of guidelines on private key protection best practices for Symantec and Thawte Code Signing certificates which must be reviewed and accepted by subscribers as part of the enrollment process. These guidelines makes recommendations regarding the secure storage of private keys to mitigate against the risk of potential vulnerabilities, however it is important to call out that Code Signing minimum requirements published in December stop short of mandating that an OV Code Signing certificate must be stored on a FIPS 140-2 Level 2 HSM or equivalent on premise hardware.

Lastly, any pending Symantec or Thawte Code Signing orders placed before the 25th of January 2017 and not issued before the 1st of February 2017 will be cancelled by Symantec and respective customers asked to re-enroll.

If you want any further clarification about this announcement, or have any questions feel free to get in touch your Certificate Authority who issued your Code Signing Certificate.

Dominic Rafael, Lead Tech Engineer
dsrafael@acmetek.com

WhatsApp Enables Two Factor Authentication Strengthening it’s Security.

WhatsApp is a widely popular free to use cross platform smart phone messaging application that allows users to use their phone service and wifi internet to make voice/video calls, send text messages, documents, images, gif’s, user locations, etc. Its popularity is primarily due to where data rates or roaming charges can cost an arm and a leg.

WhatsApp Inc., based in Mountain View, California, was acquired by Facebook in February 2014 for ridiculous $19.3 billion US Dollars. By February 2016, WhatsApp has a user base of over one billion, making it the most popular messaging application at the time.

Over the recent years Privacy and Security has been a focus on the popular message app. In 2014 WhatsApp implemented end to end https encryption scrambling the information between communicating users. The latest Security implementation is the coming of Two-Step Verification.

What is Two-Step Verification?

Two-step verification is an optional feature that adds more security to your account. The technology is not new, and it has been in use for quite some time. Blizzard Inc. creator of the biggest online MMO (Massive Multiplayer Online) game World Of Warcraft implemented two factor authentication back in 2008 to protect gamers accounts from being hacked. Two-step, or Two-Factor Authentication protects your accounts by requiring you to provide an additional piece of information after you give your password In the most common implementation, after correctly entering your password, an online service will send you a text message or an email with a unique string of numbers that you’ll need to punch in to get access to your account.

Implementing Two Step Verification on WhatsApp:

To enable two-step verification, open WhatsApp > Settings > Account > Two-step verification > Enable.

Upon enabling this feature, you can also optionally enter your email address. This email address will allow WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit passcode, and also to help safeguard your account. WhatsApp will not verify this email address to confirm its accuracy. You will want to provide an accurate  email address so that you’re not locked out of your account if you forget your passcode.

How it works..

After implementing Two-Step Verification if you receive an email to disable two-step verification, or receive a pass-code request but did not request this, do not click on the link! Someone could be attempting to verify your phone number on WhatsApp elsewhere. Meaning that someone is attempting to gain access to your account! Stay secure.

Lead Tech Engineer: Dominique Rafael
dsrafael@acmetek.com

GoDaddy last week has begun the process of re-issuing SSL certificates for more than 6,000 customers after a bug was discovered with there DV (Domain Validated) automated registrar’s validation process. This automated process of getting a certificate is one of the fastest ways of getting a validated digital certificate used to encrypt and validate websites or networks.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. ” “The bug caused the domain validation process to fail in certain circumstances.” Thayer VP and General Manager of Security Products at GoDaddy said in a statement.

When we hear terms such as “Improve Certificate Issuance Process” it usually means make things faster, or more automated. Keep in mind that GoDaddy is not a security company they are into hosting. Being a Certificate Authority (CA) is just a by product of the service they provide. The issue exposed sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site. Enabling a hacker the spread of malware, or steal personal information such as Banking login credentials. This move to “Improve” a certificate issuance comes from fear from a new free CA that has debut called Let’s Encrypt.

Let’s Encrypt is a free, automated, and open CA brought to you by the non-profit Internet Security Research Group (ISRG). The move for this free automated process is to help the industry migrate to enable HTTPS(SSL/TLS) for websites in the most user friendly way possible. It is meant to significantly lower the complexity of setting up and maintaining TLS encryption.

Features of Let’s Encrypt.

• Let’s Encrypt issues Only domain-validated certificates, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.
• Let’s Encrypt issues certificates valid for 90 days. Their reason is that these certificates “limit damage from key compromise and mis-issuance” and encourage automation. The official certbot client and most of the third-party clients allow automation of the certificate renewal.
• Only Open Source Linux systems are capable with Lets’Encrypt automation.
• No wildcard functionality (currently).
• Elimination of payment, web server configuration, validation email management and certificate renewal tasks.

The Ugly/Disadvantages:

• One disadvantage that makes big companies Not consider Let’s Encrypt is that visitors that connect to the site can’t be sure that it is the actual company that hosts the site. This is because Let’s Encrypt issues DV certificates for a domain free of charge without identity validation (personal or corporate)
• Automatic renewal of these certificates tends to lead IT admins to neglect security upkeep’s on there systems. Majority of the time when an admin is made to visit a system due to a certificate needing an update they discover that they are out of compliance with needed patches and configurations. This can lead to backdoor hacking due to dated software and standards if left untouched.
• The free cost of these certificate allows hackers to achieve a certificate. The potential for Let’s Encrypt being abused by those who can freely get these certificates are very present. Hackers tend to not want to spend money to achieve their goals.

Any technology that is meant for good can be abused by cyber criminals, and digital certificates like those of Let’s Encrypt’s are no exception. This trust system can be abused. There is one reported case where an attacker/malvertiser was able to perform a technique called “domain shadowing.” Domain shadowing is when the attacker is able to create sub domains under the legitimate site. With an embedded advertisement on a website an end user could click on a malicious add thinking that they are visiting an alternate page. In reality though they have been lead to the hackers malvertising server which could download a trojan or Randsomeware into that users system. A certificate authority that automatically issues free certificates specific to these sub-domains may inadvertently help cyber criminals, all with the domain owner being unaware of the problem and unable to prevent it.

Domain-validation certificates only confirm that the relevant domain is under the control of the site recipient. In theory, this will not validate the identity of the recipient. End users that visit these sites are unaware of the nuances of certificates may miss the differences, and as a result, these DV certificates can help the hacker gain legitimacy with the public. There is nothing wrong with the procurement of a DV certificate. Depending on the circumstances DV is advised for internal networks when there is a need for a quick cost effective resolution. Security is always is a Pro-Active industry. Cutting corners and making things easy for the sake of convenience is a double edge sword, and could lead to a loss of business and good reputation. Needless to say approach with caution.

Posted by:
Dominic Rafael
Lead Tech Solutions Engineer
Be sure to Subscribe!!
twitter

What is SHA1 and why is it being depreciated?

Security always needs to be a proactive campaign. Not updating or keeping up with the progress of technology will open doors in security and will leave businesses open to be hacked.

SHA1 was the Algorithm that was used to create and sign encryption keypairs that are used to scramble data on websites, and applications. SHA1 was a replacement for MD5, and now SHA2 is the replacement for SHA1. 

 The CA/Browser Forum, is the governing entity of leading web browsers and certificate authorities (CAs) working together to stay proactive with security and publish their Baseline Requirements for SSL regarding the security standards of the web industry. These Requirements recommend that all CAs transition away from SHA-1 as soon as possible, and to discontinuing issuing SHA1 public facing certificates. The reason being that due to the progress of technology this old algorithm is on the verge of being exploited. 

Browser’s like Internet Explorer,  Firefox and Chrome are inforcing these standards but placing errors within their browsers associated with these standards. According to Google’s “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates with validity beyond January 1, 2016.
In short:
Most browsers will not trust certificates that use SHA1 After 12/31/2016.

If you do not want to get an error on your website you will have to replace that old SHA1 certificate with a newer SHA2. 

How to Replace your old SHA1 certificate with SHA2?

To do list:

1. Identify certificates that have a SHA-1 algorithm. Since the standard is already in effect you would definitely know if you still have a SHA1 certificate from the browser errors you would be getting in chrome.
2. Contact your Certificate Authority for procedures in replacing any SHA-1 certificates with the SHA-2 certificates.
   Note: If your SSL certificate was issued through Acmetek Click HERE.
   
3. Install your new SHA2 SSL Certificate to your server.
4. Test your SSL installation by using an SSL Checker.

These standards are always changing. Especially with how fast new technologies are coming out. SSL Certificates are a method of enforcing industry standards to make a more secure internet for everyone.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

After your certificate has been issued like the majority of server systems you will install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. This is because your private key will always be left on the server system where the CSR was originally created. It will be either in the application or left somewhere on a directory and path you choose when you generated the CSR. Your SSL certificate will not work without this private key file.

If you do not see your server listed perform a search, or you may have to contact your server vender or hosting provider for best practices on how to install a SSL certificate on your system.

Check your SSL installation with the Symantec Certificate Checker 

Instructions for server vendors:

A:
Apache (OpenSSL/Nginx, ModSSL)

Apple Mac OS x 10.6
Apple Mac OS x 10.11

Aruba ClearPass

B:
Barracuda SSL VPN

C:
Citrix Netscaler

Cisco ASA 5510
Cisco Wireless LAN Controller

cPanel

F:
F5 BIG IP
F5 FirePass

FortiGate

I:
IBM AS/400 iSeries
IBM WebSphere

J:
Juniper

JBoss http

JBoss Tomcat using x509 
JBoss Tomcat pkcs7

K:
Kemp 6.x

M:
Microsoft Azure

Microsoft Active Directory LDAP

Microsoft Exchange 2010
Microsoft Exchange 2013

Microsoft Forefront

Microsoft Sever 2008 – IIS 7 & 7.5
Microsoft Server 2012 – IIS 8 & 8.5

Microsoft Lync

Microsoft Office 365

Microsoft Sharepoint 2010
Microsoft Sharepoint 2013

O:
Oracle Wallet Manager

P:
Plesk 11.x
Plesk 12

S:
SonicWall

SAP Web Application Server

SRT Titain FTP

T:
Tomcat pkcs7 
Tomcat x509

W:
Web Host Manager (WHM)

Z:
Zimbra

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

A Certificate Signing Request or CSR is a specially formatted underdeveloped public key  that is used for enrollment of an SSL Certificate. The information on this CSR is important for a Certificate Authority (CA). It is needed to validate the information required to issue a SSL Certificate.

Creation of a CSR also means you are creating your private key. The private key will always be left on the system or application where the CSR is generated. The Private key will be required later for installation.

If you do not see your server listed Perform a search or you may have to contact your server vender or hosting provider for best practices on how to generate a CSR on your system.

A CSR must contain the Following information:

• Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
• State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts
• Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate. For example: Saint Louis, not St. Louis
• Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
• Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
• Common Name: The fully-qualified domain name, or URL, you’re securing. for example “www.domain.com”. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.domain.com.

Note: You might be prompted on some server systems or applications to associate a password for your CSR. Leave this blank or bypass it by pressing Enter depending on the system. Associating a password with your CSR will encrypt it and will cause issues with enrollment. If this happens you will have to regenerate another CSR without a password.

To check the information of your CSR visit the SSL Tools CSR Checker.

Instructions for server vendors:

A:
Apache (OpenSSL, Nginx, ModSSL)

Apple Mac OS X 10.6
Apple Mac OS x 10.11

Aruba ClearPass

B:
Barracuda SSL VPN

C:
Citrix Netscaler

Cisco ASA 5510
Cisco Wireless LAN Controller

cPanel

F:
F5 BIG IP
F5 FirePass

FileMaker 15

FortiGate

I:
IBM AS/400 iSeries
IBM WebSphere

J:
Juniper

JBoss Http

JBoss Tomcat

K:
Kemp 6.x

M:
Microsoft Azure

Microsoft Active Directory LDAP

Microsoft Exchange 2010
Microsoft Exchange 2013

Microsoft Forefront

Microsoft Server 2003 – IIS 6

Microsoft Server 2008 – IIS 7 & 7.5
Microsoft Server 2012 – IIS 8 & 8.5

Microsoft Lync

Microsoft Office 365

Microsoft Sharepoint 2010
Microsoft Sharepoint 2013

O:
Oracle Wallet Manager

P:
Plesk 11.x
Plesk 12

S:
SonicWall

SAP Web Application Server

SRT Titain FTP

T:
Tomcat

W:
Web Host Manager (WHM)

Z:
Zimbra

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

There are many SSL checkers out there which are used to check the validity and installation of a websites SSL Certificate. Majority of these checkers may vary on the information that they display or may have limitations, as they only perform their function as programmed. Aside from using an SSL Checker tool there is always the manual way of using your browser to check proper installations.

If you would like to learn how to check using a browser SSLSupportDesk features such an article Troubleshooting: Checking SSL installation with a browser.

Some SSL Checkers are extremely advanced and will not only check the validity of a SSL certificate, but can also point out flaws in a server’s configuration or software. 

Qualys SSL Labs has an SSL Server Test (SSL Checker) tool that is well executed and implemented.

Please follow these steps to test your installation:

1. Access the Qualys SSL Labs Server Test checker, click here
2. Enter the URL/Domain name of the server that you wish to check & click Submit

Troubleshooting Unresolved https address:

SSL checkers will only work if your website is publicly accessible from outside your network. More than likely if your website is internal you will not get any results.

Example: We used a domain name that does not exist in the outside work and get this result.

How to read Qualys SSL Server Test Checker:

Using sslsupportdesk.com which is accessible to the open internet lets see how Qualys SSL Server Test Checker works.

With a successful installation we should see the following quality of the server system:

Summary:

1. Overall Rating: Based on the quality of the server system running the Domain Name submitted. Factors that attribute to this Overall Rating are from combining the categories of Certificate, Protocol Support, Key Exchange, Cipher Strength.
2. Certificate: Factors to this Quality are…
   1. Domain name mismatch.
   2. Certificate not yet valid.
   3. Certificate expired.
   4. Use of a self-signed certificate.
   5. Use of a certificate that is not trusted.
   6. Use of a revoked certificate.
3. Protocol Support: The encryption protocols that are available to clients visiting this web server.
4. Key Exchange: The distribution of the public and private keys and their strength when setting up encryption between client and server.
5. Cipher Strength: Ciphers perform the actual encryption/decryption of the key pair running on the server system. Some can be considered weak, others strong.

Troubleshooting:

If there are any warnings or concerns the Qualys SSL Server Test Checker finds will be denoted below the Summary.

Red = Very bad
Yellow = Advisories or Industry changes that may turn into red over time.

More information regarding the checkers findings can usually be found by clicking MORE INFO.

Note:  You may need to contact your server hosting provider or server vendor in order to perform updates, how to turn off certain protocols, or set the proper configurations needed for a good rating.

Authentication:

Server Key and Certificate # 1: States the information pertaining to the SSL certificate running on the Server System in Https:
Additional Certificates (If Supplied): Lists any additional Certificates that are also radiating off the server system. Usually these are Intermediate CA certificates.
Certification Paths: Shows the entire Chain Of Trust. Usually SSL Certificate > Intermediate >  Root.

Note: The last certificate in this chain will be the root certificate. At times a yellow “Sent by Server” may appear on the Root. This only means that when a SSL connection is being made to the server that the server is presenting and forcing a root certificate to the client. Usually the Root certificate should only rest in the client’s browser Trust Store. Don’t be alarmed as some servers have to present this due to their programming. Although proper practice dictates that they shouldn’t.

Configuration:

Protocols: The encryption protocols that are available to clients visiting this web server.
Cipher Suites: The child protocols the perform the actual encryption session.
Handshake Simulation: Mimics the different browsers used to connect to the server.
Off Note: Most modern browser systems will automatically choose the best most secure connection the browser is capable of regardless of how the server is configured.
Protocol Details: More information regarding how the server system is handling protocols.
Miscellaneous: Server type running Domain Name, Timestamp check occurred, etc.

Qualys SSL Labs Server Test Checker tool is operated and managed by Qualys. This SSL Checker is one of many publicly available on the internet that can help you diagnose problems with your SSL certificate installation, or other errors that are associated with your server system.

Note:  You may need to contact your server hosting provider or server vendor in order to perform updates, how to turn off certain protocols, or set the proper configurations needed for a good rating.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.

The scenario for using such a tool is if a server system lacks the capability of generating a CSR keypair on its own. Another Senario would be if large networks of multiple server types, data centers and such are faced with a CSR keypair on one system environment and the tireless key store conversions that are required to import a keypair into a different server environment, which can be very time consuming and frustrating.

Portecle eliminates the need for a server to create a CSR keypair. It acts as keypair CSR generator where you can generate a single key pair, create a CSR, import a Signing SSL certificate, convert and save different format types of this key pair, and migrate them into the various systems required.

Portecle can be used to, for example:

• Create, load, save, and convert keystores.
• Generate DSA and RSA key pair entries with self-signed X.509 certificates.
• Import X.509 certificate files as trusted certificates.
• Import key pairs from PKCS #12 and PEM bundle files.
• Clone and change the password of key pair entries and keystores.
• View the details of certificates contained within keystore entries, certificate files, and SSL/TLS connections.
• Export keystore entries in a variety of formats.
• Generate and view certification requests (CSRs).
• Import Certificate Authority (CA) replies.
• Change the password of key pair entries and keystores.
• Delete, clone, and rename keystore entries.
• View the details of certificate revocation list (CRL) files.

Appendix:

Downloading and implementing:

• Downloading Java (If Needed)
• Downloading Portecle

Using the Portecle Java Application

Getting Started:

1. Create a new Keystore
2. Creating a Keypair
3. Saving a keystore
4. Generating a CSR
5. Setting a new password for you keystore

Importing and configuring:

1. Installing your SSL certificate
2. Importing an Intermediate CA or “Trusted Certificate” into your Keystore.

How to convert keystore:

1. Jks keystore converted to pkcs12/.pfx/.p12 keystore or vise versa
2. Converting your Keystore to Apache .cer/.pem/.crt and .key files

Downloading and Implementing

Downloading Java (If Needed):

1. Portecle is a java based application and you must have java installed for it to run. If you do not already have java downloaded click
2. Click Agree and Start Free Downloading.
3. Download will begin,
4. Open the JavaSetup.exe that you just downloaded to install.
5. At the Java Setup installer click Install.
   
6. After Installation click Close.
   

Downloading Portecle:

1. Portecle can be downloaded from Sourceforge by clicking HERE
2. Click Download.
3. The portecle.zip will be downloaded.
4. Right click on the compressed portecle.zip folder and select Extract All… to extract all files to a location of your choice.
   
   
5. In the extracted portecle folder click on the portecle.jar to open the Portecle java executable jar file application.
   
   
6. Note: Depending on your you environment on your system you may need to right click the portecle.jar file and choose open with.. and Select Java(™) Platform

Using the Portecle Java application:

Gettings Started:

Note: When navigating portecle, in the lower left of the application you will typically find information pertaining to the keystore, or information pertaining to its functions when mousing over those functions.

Create a new Keystore:

1. From the File menu, choose New Keystore. Alternatively click on the New Keystore toolbar Icon button:
   
2. The New Keystore Type dialog is displayed. Select the desired keystore type to generate your keypair.
   Keypair Types:
   • Major ones:
     • JKS = Java Keystore used by Tomcat, Keytool, and Java codesigning.
     • PKCS#12 = Used by Windows systems such as IIS/Exchange, and other Windows based applications.
   • Lesser ones:
     • JCEKS = Java Cryptography Extension Keystore (More secure version of JKS)
     • JKS (case sensitive): Case sensitive JKS
     • BKS = Bouncy Castle Keystore (Bouncy Castle’s version of JKS)
     • UBER = Bouncy Castle UBER Keystore (More secure version of BKS)
     • GKR = GNU Keyring keystore (requires GNU Classpath version 0.90 or later installed)
3. Press the OK button.
   
   
4. The title bar will change to display the text Untitled and the status bar will change to display the chosen keystore type.
   
5. Saving your keystore will change the Untitled to whatever you name you choose specify for your keystore.

Saving a keystore:

From the File menu, choose Save Keystore. Alternatively click on the Save Keystore toolbar icon button:

1. If the keystore is not Untitled then it will be saved immediately. Otherwise…
2. If you have yet to set a password for your Untitled keystore:
   • The Set Keystore Password dialog is displayed.
   • Specify a simple password to protect the keystore with, confirm it and press the OK button.
     Note: you will need to remember this password for SSL certificate installation and implementation.
     
     
3. The Save Keystore As dialog is displayed.
4. Select the folder where the keystore file is to be saved.
5. Type the filename into the File Name text box.
   Note: For easily accessing your keystores add the extension to your file name based on your keystore type.
   Example:
   • jks keystore File Name: mydomain.jks
   • pkcs#12 keystore File Name: mydomain.pfx
6. Click on the Save button.

Creating a Keypair:

Before you can get a SSL certificate you will have to generate a Certificate Signing Request (CSR), and before you can generate a CSR you will have to generate a keypair .

1. From the Tools menu, choose Generate Key Pair. Alternatively click on the Generate Key Pair toolbar icon button:
2. The Generate Key Pair dialog will be displayed. Select a Key Algorithm and Key Size and press the OK button. Key pair generation will start in the background.
   Note: Standards dictate that your keypair/CSR Must be at least 2048.
   
3. The Generate Certificate dialog will be displayed.
4. Specify the following information:
   • Signature Algorithm: Leave as default SHA256 with RSA
   • Validity (days): Leave as Default. If you enroll for a CA SSL Certificate this will be overridden depending on your enrollment for a SSL certificate.
   • Common Name (CN): FQDN (fully-qualified domain name) of the server (e.g., www.domain.com, mail.domain.com, or for wildcard certificate *.domain.com). IP’s are not accepted for enrollment of a CA SSL Certificate
   • Organisational Unit (OU): A department name, such as ‘Information Technology’.
   • Organisation Name (O): The full legal name of the organization.
   • Locality Name (L): City where the Organization is located. do not abbreviate.
   • State Name (ST): State, or Province where the organization is located. Do not abbreviate.
   • Country Name (C): City, state, and country where the organization is located. Do not abbreviate.
   • Contact Email (E): Your email.
5. Click OK.
   
6. The Key Pair Entry Alias dialog pop up will appear.
7. Specify an alias of you choice for the private key.
   Note: This alias will be used when you import your SSL certificate back into this keystore.
   
8. The Generate Certificate dialog dialog will display noting the “Key Pair Generation Successful.” you will also see your private key under the specified alias name now in your keystore.
   
   
   Congrats you have just generated a Private Key for your keystore.

Generating a CSR:

Now that your keystore and private key is now created you can now generate your CSR.

1. Right click on your private key alias and select Generate Certification Request.
   
2. Specify the location and path of where you will want to save this CSR file.
3. Under File Name change the extension of the CSR request from .csr to .txt. This will save you some steps in submitting the CSR to the CA.
4. Under Files of Type dropdown select All Files.
5. Click Generate.
   
6. A confirmation of a successful CSR generation will appear.
7. You can now submit its entire contents when enrolling for your SSL Certificate from a Certificate Authority.

Importing and Configuring:

Installing your SSL Certificate:

Now that your SSL certificate has been issued from the Certificate authority you will need to import it into your keystore. Any SSL certificate format will be accepted but If you received a pkcs#7/.pdb file from your CA you will not need to worry about installing an Intermediate CA. This format type has the Intermediate CA included in its formating.

1. Right click on your private key alias and select Import CA Reply.
   
   
2. Specify the location and path of your saved SSL certificate file that you received from your CA and click Import.
   Portecle will attempt to match the reply’s root CA to an existing trusted certificate in your keystore
   Note: If it cannot then the Certificate Details dialog will appear displaying the details of the reply’s Intermediate/root CA certificate for you to verify.
3. After viewing the details acknowledge the dialog by pressing the OK button.
4. A further dialog will appear asking if you wish accept the certificate.
5. Click Yes.
6. Save your keystore.
   
   You have successfully installed and configured your keystore. It can now be moved and imported wherever it is needed.
   
   Note: When performing Import CA Reply you may receive a error. “Cannot establish trust for the CA reply. The import cannot proceed.”
   
   This error means that there is no trusted certificate to support the SSL certificate. This error usually appears when installing a x509/.cer/.pem/crt format certificate. In order to resolve this you must import your SSL certificates intermediate CA certificate first and then proceed to import the SSL certificate. See Instructions for Importing Intermediate CA or “Trusted Certificate” into your keystore.

Importing an Intermediate CA or “Trusted Certificate” into your keystore.

If you chose Other as your server type and received a SSL certificate (Something other than a Windows format) and got a x509/.pem/.crt/.cer format certificate then you will need to import the Intermediate CA certificate for you SSL certificate first. or else you will receive the error “Cannot establish trust for the CA reply. The import cannot proceed.” as described above. in Importing SSL certificate. To resolve this perform the following.

1. From the Tools menu, choose Import Trusted Certificate. Alternatively click on the Import Trusted Certificate toolbar button:
2. The Import Trusted Certificate dialog will appear.
3. Select the folder where the certificate file is stored.
4. Click on the required certificate file or type the filename into the File Name text box.
5. Click on the Import button.
6. A warning will appear shown below. This will happen. it’s just acknowledging to you that you need to manually confirm that this is a Trusted Intermediate CA.
7. Click OK.
   
   
8. The details of the Intermediate CA will appear.
9. Click OK.
10. Acknowledge that this is a trusted CA certificate by clicking OK.
    
    
11. Under the Trusted Certificate Entry Alias specify an alias for the intermediate trust CA Any name will do.
12. Click OK.
    
    
13. Click OK.
    
    
14. Your intermediate should be imported successfully, and a new intermediate certificate should appear within your keystore with the chosen alias.
15. Save your keystore.
16. If you still need to install your SSL certificate go to Installing your SSL certificate section of this article.

How to convert Keystore:

Jks keystore to pkcs12/.pfx/.p12 keystore or vise versa:

1. From the Tools menu, choose the Change Keystore Type.
2. In the Change keystore Type sub-menu select one of the available format types you want to convert to.
   Note: you will not be able to convert a keystore into a format it is currently in.
   
   
3. If you are converting your keystore from PKCS12 to JKS you may receive the pop you message below.
   
   This simply means that the password for the new converted keystore will be by default set to password. You can change this password later.
4. Click OK.
   
5. To change the password to something else instead of “password” perform the steps in Setting new password for keystore.
   

Converting your Keystore to Apache .cer/.pem/.crt and .key files:

Note: This conversion will associate a password to the private key. Not all systems want a password associated with the private key.

C-panel, WHM or other web hosted environments for example. Double check the hosted application you are attempting to import this converted private key (with password) into to see if it will accept private keys with password or not. Typically there will be an option that states something like “password“ when installing the private key on such systems.

Recommendation 1: It might be easier to just generate a new CSR from the hosted system perform a reissue of the SSL certificate and perform a import directly into that hosted system instead. It will save you steps and frustrations finding out that the conversion does not work.

Recommendation 2: Convert your keystore into a pkcs12 if it is not already and then use a web base converter or openssl. Some free web based pkcs12 > Pem/Apache converters found through Google search will give you a zip with all the certificates in their own respective files that you open in notepad and copy and paste into your application. Others will give you one file where you will have to open in notepad and copy and paste the individual certificates (Including the BEGIN and END headers) into their own files or into the application directly. You will see an example below in the Apache conversion.

1. Right-click on the keystore entry in the keystore entries table. Select the Export item from the resultant pop-up menu.
   
2. In the Export Keystore Entry pop up under Export Type select Private Key and Certificates.
   Note: The other types will not include the private key which will be required when implementing a SSL Certificate on any Apache type system
3. Under Export Format select PEM Encoded
4. Click OK.
   
   
5. Under Private Key Export Password Specify a password to associate with your private key. (remember this password it is necessary to
6. Click OK.
   
   
7. Under Private Key Export Password Specify a password to associate with your private key. (remember this password it is necessary to
8. Click OK.
   
9. Specify the location and path of where you want to save this Apache file.
10. Change the extension of the File Name: from .pem to .txt (this will save you time for later)
11. Click Export.
12. You will have a text document that looks like this:
    
    
13. To help you can see what these individual certificates are by using a online web based certificate decoder by performing a internet search.
    Note: Your private key you will not be able to decode because the password associated with it encrypts it. Your SSL certificate will have a common name of your domain such as www.example.com your intermediate will have a common name of something pertaining to the Certificate Authority that issued your SSL certificate.
14. You will have to Copy and Paste these individual certificates into their own respective notepad files with either a .txt extension or whatever extension your server requires. Apaches typically want either .crt or .pem for its SSL certificate and intermediate files, and .key for the Private key file. . Consult your server documentation. When copying/pasting the individual certificates Included the header and footer and all data within.
    
    Example:
    —–BEGIN CERTIFICATE—–
    {All Encoded Data}
    —–BEGIN CERTIFICATE—–
15. At the end of this journey you should have at least 2 certificates in their own respective files.
    1. Private key (important)
    2. SSL certificate (important)
    3. Intermediate CA (You may have it provides SSL certificates Chain of trust)
    4. Root (You may have but isn’t needed typically to be installed on some systems)
16. Installation on Apache servers will only require three certificates typically. The Private key, SSL certificate, and IntermediateChain/IntermediateCA. Consult your server documentation.
17. The time it took you to work through all this you could of probably just generated a new CSR from your Apache system and performed a reissue of your SSL certificate, giving you a new SSL certificate to be installed within that Apache environment.

Setting a new password for keystore:

1. From the Tools menu, choose Set Keystore Password. Alternatively click on the Set Keystore Password toolbar icon button:
2. The Keystore Password box will display. Enter a password for this keystore and click OK.
   
   

Conclusion:

This Application also has many other features for you to experiment with. The ones listed in this document are the major ones that would pertain to its main functionality for creation of keystores, Privatekeys, CSR’s, Importing SSL certificate reply’s etc.. Remember to always save your keystore to finalise any configurations you want to take effect.

Portecle is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Portecle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU_General Public License for more details.

Copyright and Legalities-
Copyright © 2004 Wayne Grant
2004 Mark Majczyk
2004-2015 Ville Skyttä

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Getting a Java Code Signing is more of a manual process compared to Micrsosoft Authenticode/Office-VBA Code Signing.

Java Code Signing is used for signing  Java applications for desktops, digitally sign .jar files and Netscape Object Signing. Recognized by Java Runtime Environment (JRE).

The following instructions are a supplemental guide into generating and configuring a keystore necessary for Java Code Signing. If you have not already done so, you will need to download the Java Software Development Kit (SDK) from Oracle. If you have any questions or assistance in implementing the Java SDK for best support contact Oracle.

Unlike other types of code signing in order to get a Java Code Singing  Certificate you will need to use the keytool utility to create  and configure a keystore .jks. Keep your keystore safe and make backup copies. If you lose your keystore file, or your password to access it you will need start from scratch by generating a new keystore and perform a replace the certificate.

This article will go over the following:

1. Step 1 – Create a Keystore
2. Step 2 – Generating a CSR needed for enrollment for your Java Certificate.
3. Steps 3 & 4 – Installing the Java Certificate after its issuance.

In order to create and configure your Keystore for Java Code Signing perform the following.

Step 1: Create a Keystore:

1. Create a certificate keystore and private key by executing the following command:
   Note: You will specify a Privatkey Alias. This Alias will be used for CSR creation and eventually installation of the Java Code Signing  Certificate.

   keytool -genkey -alias create_Privatkey_Alias -keyalg RSA -keystore path_and_create_KeystoreFilename.jks -keysize 2048

2. Example:
3. Enter and re-enter a keystore password.
   Note: Remember your Alias Name and your password for your private key. You will require it for installation!
4. Fill out the applicable information:
   
   • First and Last Name? or Common Name (CN): With java code signing the common name of the certificate is  is your Organization Name .Example: XY & Z Corporation would be XYZ Corporation
   • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
   • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.  Example: XY & Z Corporation would be XYZ Corporation
   • Locality or City (L): The Locality field is the city or town name, for example: Boston
   • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: New York
   • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
     
     
     
5. Confirm or reject the details by typing “Yes” or “No” and press Enter.

Step 2: Creating your CSR from your keystore:
Now that your keystore has been created you can now generate your CSR from it.

1. Use the following command to create your CSR from your Keystore.

   keytool -certreq -keyalg RSA -alias your_privatekey_alias -file your_csr_file.csr -keystore your_keystore_filename.jks

2. Create a copy of the keystore file. Having a back-up file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.
3. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

Your CSR request for your Java Code Signing Certificate has been created and is ready for you to copy and paste its contents into the enrollment portal when enrolling for a Java Code Signing certificate.

Step 3: Picking up your Java Certificate:

1. After validation the Java Certificate will be sent to the Technical Contact via email. You will see your Java certificate in the body of that email.
2. Copy the Java Certificate and make sure to copy the —–BEGIN PKCS7 CERTIFICATE—– and —–END PKCS7 CERTIFICATE—– header and footer. Ensure there are no white spaces, extra line breaks or additional characters.
3. Use a plain text editor such as Notepad, paste the content of the certificate and save it with extension .p7b (When performing this on a Windows system the Icon of the file should change into a certificate icon)

Step 4: Installing your SSL certificate:
It is recommended that you have your Keystore, SSL certificate and Keytool.exe in the same folder or you will need to specify the full file path when running the following commands. you may want to make a copy of your Keystore in case their are issues with Installation.

1. Import the SSL certificate into the keystore used for CSR creation.
   Note: Use the same Privatekey alias name based on when you created the keystore for CSR creation.
   

   keytool -import -alias your_Privatekey_alias -trustcacerts -file your_SSL_Certificate.p7b  -keystore your_keystorename.jks

2. You will be prompted to enter the password to access the keystore.Note: If you do not know your password you will have to start from scratch by generating a new keystore, a new csr, and perform a reissue of the certificate.

If the installation is successful you will see “Certificate reply was installed in keystore”.

Your Java Certificate should now be installed and configured into its keystore. With this configured keystore you will Sign your Java Code.

For actual signing procedures and information on how to code view Oracles Tech notes using Jarsigner.

If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Oracle Java Support

For more information refer to Java.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Enrollment for Microsoft Authenticode/Office-VBA Code Signing is a fairly simple process unlike Java Code signing. But there are some steps that need to be explained and remembered in order to have a successful enrollment, and certificate pickup.

Microsoft Authenticode/Office-VBA Code Signing is used to Digitally sign 32-bit or 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi, .xpi, and .xap files) and windows kernel-mode software. As well as digitally sign Microsoft Office VBA objects, macros, and third-party applications using VBA.

Here is a list of things to be aware of when enrolling for Microsoft Authenticode/Office-VBA Code Signing:

1. Certificate creation for Microsoft Authenticode/Office-VBA Code Signing is conducted in your browser during enrollment. Depending  on the code signing product you will be advised on the enrollment requires, such as what browser to use.
   Note: When enrolling for a code signing certificate through Acmetek or SSL2048 it is required to use a Firefox or Internet Explorer Browser for enrollment and pickup of the code signing certificate.
2. The legal information added to the code signing certificate is pulled directly from the information you enter during enrollment.
3. If you would like your code signing certificate to look a certain way you must specify it as such in all the required fields pertaining to Corporate Legal Name or Company fields.
   Example:
   acmetek global solutions inc will not give me the more visually appealing Acmetek Global Solutions, Inc. The enroller must state Acmetek Global Solutions, Inc. in order to get it on the issued certificate.
4. If you have a subdivision that is responsible for this code signing certificate you will have the option to specify it under the Division or OU fields during enrollment.
5. Important: During enrollment you will have the option to list the Technical Contact on the order. The enroller is actually creating the private key pair within their browser. It is important to keep this in mind for the following reasons…
   • Once the certificate gets issued a email will be sent to the Technical Contact with instructions to click on a link in order to pick up their Microsoft code signing product. That link must be Clicked-on/Copy-Pasted into the same System/Browser that was used for the initial enrollment of the code signing certificate.
   • If the enroller – Admin Contact is different than the Technical Contact that email  must be forwarded to the enroller in order to Clicked-on/Copy-Paste the link  into the same System/Browser that was used for the initial enrollment of the code signing certificate.
6. The certificate pickup link must be Click-on/Copy-Paste the link  into the same System/Browser that was used for the initial enrollment of the code signing certificate.
7. Once you get confirmation in your browser that the code signing certificate has been installed you can begin your signing or export/backup the code signing certificate and distribute it to your developers.
8. For instructions on how to export/backup your code signing certificate click on one of the links below for the corresponding browser you used.
   How to export a certificate from Firefox
   How to export a certificate from Internet Explorer

With your new Microsoft Code Signing certificate you will sign your windows based applications. For actual signing procedures, support and more information on how to code contact Microsoft.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

The term SSL certificate has been used for the purposes of marketing since the creation of the digital certificates.  SSL just like TLS are actually protocols that utilize a digital certificates keypair.

A digital certificate keypair by itself  is  nothing more than a place holder of 2048 bits or greater and is needed in order to perform encryption and validation. A protocol is the actual function of encryption that initializes that keypair to start encryption, such as the TLS or SSL Protocols. These protocols are set up and chosen on the server side by a server admin. Since TLS  or SSL  are protocol functions on the server and not pertaining to the digital certificate’s keypair it is uncertain why the industry calls Digital Certificates as SSL Certificates because of this principle. All SSL protocols that were all available are now perceived as a vulnerable protocol leaving only TLS until something better eventually comes up.

Because of the SSL marketing gimmick around the industry, and lack of secure SSL protocols there is now a fountain of confusions flying around. Here are some examples:

“Since SSL Versions are vulnerable to Poodle attack. Is it possible to consider TLS 1.2 instead of SSL certificate?”

“We need to upgrade our SSL certificate to TLS 1.2”

“My certificate states its is a SSL certificate, but I asked for a TLS certificate did I do something wrong?”

A standard digital certificate can use both TLS and SSL because they are both protocols that are configured on the server. There is no such thing as an SSL certificate that will only work for the SSL protocol or a TLS certificate that will only work for the TLS protocol.

Remember, that a digital certificate keypair is essentially just a bit place holder for encryption. All mainstream digital certificates are essentially TLS/SSL  because of the protocols that can use it.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

End of Life Announcement for Symantec Digital ID for Secure Email

Symantec will be discontinuing the availability of its Digital ID for Secure Email offering. To ease this transition, Symantec is phasing out this offering as follows:

August 22, 2016 – End of Sale: Symantec will stop selling the Digital IDs offering. No new certificates will be issued.

August 23, 2017- End of Life & End of Support: All certificates will expire or are revoked. Symantec Digital IDs for Secure Email support and operations will cease.

Why? For a more secure world of course

The retail versions of the Symantec Digital IDs for Secure Email did not accurately authenticate clients. When the Digital ID certificate would get issued Symantec placed “Persona Not Validated” in the Common Name field of these certificates because Symantec does not verify that the individual registering the email is indeed legally recognized by that name.  Because this ID is not validated, to separate these certificates from those that are validated through a notary enrollment process, they are designated as not validated.

Example:

Authentication procedures cannot prove that the retail enrolled person for the digital ID is indeed JON DOE with an email of likescheese@mailcom. Thus why the certificates in the common name would state “Persona Not Validated“

Alternatively, customers can purchase an ENTERPRISE offering (NOT the RETAIL offering)  to protect digital communication. These User Authenticated notarized certificates accurately state a users name for which they are issued to because of validated checks that are performed within the enrolled organization.

Digital IDs for Secure Email (Class 1) Support can be found here and any concerns can be address by sending an email to id-queries@symantec.com

What do User Digital IDs Do in General?

Compromised email can mean loss of IP and damage to reputation. A digital ID is like an electronic driver’s license or passport that proves your identity. Digital IDs allow you to digitally sign and encrypt your digital communications using a certificate, bound to your validated email address. 

Use Digital IDs to:

• Digitally sign email: A red ribbon icon on the email indicates it came from a valid email address.
• Encrypt email: A blue envelope icon on the email indicates it remained private during transmission (only the recipient can securely open it).
• General signature and encryption: Microsoft Word allows for digital signing of Word documents.
• In Enterprise environments it Authenticates digitally the holder of the certificate to be used and gain access to applications or network environments.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Acmetek offers all 4 Brands of SSL Certificates: Symantec, Thawte, GeoTrust and RapidSSL. Offering Norton Shopping Guarantee that inspires trust and increases online sales with a 20x ROI Guarantee.

Contact an SSL Specialist to buy your SSL Certificates from Acmetek, a Symantec Strategic/Platinum Distributor.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Symantec will be discontinuing the availability of its External Certificate Authority ECA Certificates offering. Symantec is phasing out this offering as follows:

August 16, 2016 – End of Sale: Symantec will stop selling the ECA offering. No new ECA certificates will be issued.

August 16, 2016 – End of Renewal: Symantec will stop renewals for all the existing certificates.

August 17, 2017 – End of Life: All certificates will expire or are revoked. Symantec ECA operations will cease.

What is a ECA Certificate?

Symantec was certified by the United States Department of Defense (DoD) as a provider of External Certification Authority (ECA) digital certificates for government contractors, state and local governments and employees of foreign governments. ECA certificates enable secure on-line transactions with DoD agencies, digitally signing documents, and encrypting e-mail communications.

Who does this effect?

If you are not interacting with the Department of Defense then this will not effect you. This only effects those who do business or work for the DoD digitally in order to gain access to DoD systems. If you do work for the DoD ask the proper DoD IT security agent for more information. More than likely though you should have received some sort of information if this directly effects you from an DoD entity.

If you need more information and to stay up to date on the Symantec ECA and its End of Life visit

https://www.symantec.com/products/information-protection/eca-certificates

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Memorandum Requires Secure Connections across Federal Websites and Web Services.

Signed June 8th 2015 The Executive Office Of The President has enacted memorandum M-15-13. Also known as The HTTPS-Only Standard that requires that all public accessible Federal websites and web services only provide service through a secure connection.

This is very important as unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Any data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

“All browsing activity should be considered private and sensitive.”

Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection, and the Federal Government needs to set a presidence that in this day-and-age Web Security is as important as the air we breathe.

Although the challenges are few there are some considerations and implementations of HTTPS that may have effect on these Federal Government Services.

Challenges and Considerations:

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.

Server Name Indication: The Server Name Indication (SNI) extension to SSL/TLS allows for more efficient use of iP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. An example of SNI also known as Fully Qualified Domain Name (FQDN) would be www.energy.gov.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.

APis and Services: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. With that said Admin may have to be upgrade their system typologies in order to meet this standard. Federal websites and services should also deploy HTTPS in a manner that allows for rapid updates to certificates, proper cipher choices.

One standard that has effected legacy systems that will need to be taken into account is the SHA2 standard due to the SHA1 vulnerability that has taken effect in the commercial browser industry.  For Example, old Microsoft IIS6 (Server 2003) systems lack the ability to understand the SHA2 algorithm due to its 12 year outdated software. Federal web service admins should evaluate the feasibility of using technology to improve performance efficiency and may have to upgrade their infrastructure as soon as possible.

In order to secure and implement HTTPS a Digital Server Certificate will have to be issued to the SNI/FQDN for that implemented HTTPS Web Service. Issued by a Trusted Authority.

The Office of Management and Budget (OMB) affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Implementation of Server Certificates with HTTPS will help fight unofficial or malicious websites claiming to be Federal services, and block hacker eavesdropping on communications with official U.S. government sites.

Acmetek Global Solutions, Inc.  is very familiar with the standards of the industry and have the Managed PKI solutions & recommendations needed to assist Federal/State government agencies on matters of Web Network Security.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

As part of a long-term effort to simplify Symantec’s product range and ensure their offerings are relevant to the latest security needs, Symantec is discontinuing (End of Life) their Symantec Safe Site product as of March 2016.

Symantec Safe Site (formally the VeriSign Trust Seal) is the stand-alone seal product which allows a user to display the seal without having to purchase an SSL certificate.

Note: There will be no impact on the Norton Secured Seal included in SSL certificate products.

Symantec Safe Site End of Life FAQ:

What should I do?
In order to continue displaying the Norton Secured Seal on their website, you will need to purchase one of our Symantec SSL products. Any Symantec Safe Site customer who chooses not to upgrade will lose their existing Symantec Safe Site at the end of their current product’s current term.

Why is Symantec discontinuing Symantec Safe Site?
Symantec want’s to simplify their product range, so they plan to eliminate smaller products that essentially have become redundant. Symantec Safe Site has been marked as a product that is not essential in their range and can be discontinued. Symantec SSL offers the same Norton Secured Seal, plus additional features that more comprehensively protect websites and simultaneously project trust.

Does this affect the seal on any other products?
No, the seal for all other products will still be available. No changes will be made.

What will happen if I don’t want another product?
Customers will not be able to renew their Symantec Safe Site product once their term is complete, so at that time they will no longer have access to the Norton Secured Seal nor Malware Scanning.

We suggest you upgrade to Symantec SSL to continue reaping the benefits you clearly value from the Norton Secured Seal, in addition to the added website security that comes with an SSL certificate.

If you currently have an SSL certificate but are not displaying the Norton Secured Seal visit our SSLSupportDesk article: Norton Secured Seal Installation Instructions

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Just recently there has been a lot of news regarding a vulnerability with SSLv2 (SSL2.0) and what has been named the Drown Attack. You will see articles saying “Drown Attack effects over 1/3 of the worlds websites, ” “No one is secure on the internet anymore,”  More than a Million sites effected!” etc.. the list goes on and on.

Allow me to calm some fears you may have..

Unless your have NOT touched your server system since 2011 then don’t worry. SSLv2 which was created back in 1995 was considered an obsolete protocol back in 2011, and more than likely you are not using it. Because the following…

• Browsers such as Chrome have by default put a stop to the use of this protocol as default on their browsers since 2011.
• You would have seen errors within your browser regarding the use of this the SSLv2 protocol running on the website, and would have turned this protocol off already.
• Every couple of years a Digital Certificate gets updated on server systems that is part of encryption, and during this time you probably used a certificate checker to see if everything is ok. That SSL Checking tool more than likely told you that status of that server system and would have made you aware of SSLv2 being obsolete years ago.
• If you are PCI compliant then you are not using SSLv2, or any SSL protocol for that matter.

The DROWN stands for Decrypting Rsa with Obsolete and Weakened eNcryption and it allows attackers to break the encryption enabling that hacker  to read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.

On March 01, 2016, The United States Computer Emergency Readness Team (US-Cert) released this on their website. 

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability – referred to as DROWN in public reporting – may allow a remote attacker to obtain the private key of a server supporting SSLv2.

US-CERT encourages users and administrators to review Vulnerability Note VU#583776 and the US-CERT OpenSSL Current Activity for additional information and mitigation details.

So this really shouldn’t be news since SSLv2 was considered obsolete back in 2011. It was bound to happen sooner or later.

If you do happen to be effected by SSLv2 or would like to double check Qualys has an amazing SSL checking tool that goes deep into the health of a server system. SSLSupportDesk.com has a great article on how to use and read this checker featured here.  

More information can be found https://drownattack.com/

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

OpenSSL has fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured in HTTPS based on the ephemeral keys, DSA based Diffie Hellman (DH) key exchange.

The OpenSSL Diffie Hellman issue got assigned CVE-2016-0701 with a severity of High. This vulnerability could allow an attacker to force the peer to perform multiple handshakes using the same private Diffie Hellman key component. Meaning they could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection.

OpenSSL released on 28-Jan-2016 their Security Advisory regarding the fixes on their website OpenSSL.org.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.

OpenSSL 1.0.2 users should upgrade to 1.0.2f as stated in the security advisory. That download patch fix can be found here.

Fortunately Diffie Hellman key exchange is not met by the mainstream industry, and more than likely users are not using DSA Diffie Hellman ephemeral keys in order to perform their encryption. But the first line of defense to keep hackers at bay is to update their systems and not become stagnant in security.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

The FREAK Vulnerability, What is happening?

A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. This threat allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but only exploitable on poorly-configured web servers. Both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers by removing affected ciphers and restarting their servers. Note: That this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended. No certificate replacement is needed.

Why should a Acmetek Customer or Partner care?

Customer webservers may be vulnerable to this issue. Organizations should evaluate their web servers to determine if they are vulnerable. Symantec offers an easy-to-use check in its SSL Toolbox to allow customers to easily verify that their web sites are safe or vulnerable.

What Acmetek Customers Must Do?

It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSLdocumentation, for example, the names of these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

EXP-DES-CBC-SHA

EXP-RC2-CBC-MD5

EXP-RC4-MD5

EXP-EDH-RSA-DES-CBC-SHA

EXP-EDH-DSS-DES-CBC-SHA

EXP-ADH-DES-CBC-SHA

EXP-ADH-RC4-MD5

If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

NULL-SHA

NULL-MD5

In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from

http://support.microsoft.com/kb/245030:

SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

SSL_RSA_EXPORT_WITH_RC4_40_MD5

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

NULL

We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.

Frequently Asked Questions:

Q: How critical is this vulnerability?

A: This vulnerability appears to be as slightly less critical than POODLE. Although an attack is difficult to carry out it is important for people prioritize this patch.

Q: What should customers do?

A: Customers should remove the above listed affected ciphers (if they are supported by their web server) and restart their web server.

Q: Do SSL certificates have to be replaced?

A: No, this is not required.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Overview

The security environment is constantly changing as hackers become more sophis­ticated and your customers increasingly reach for mobile or tablet devices to carry out transactions online. Keeping up with the developments in malware and con­tinuing to provide a secure and trustworthy experience for your customers is vital.

As a leader in SSL security, Symantec is always working on new solutions that help your business to anticipate and meet increasing security demands, and provide a safe environment for your customers.

Harnessing the latest technology, Symantec SSL certification with ECC is an easy way for your business to address the impending move to 2048-bit encryption and benefit from the explosion in mobile device and tablet use. ECC is a U.S. government-approved and National Security Agency-endorsed encryption method that offers your business enhanced security and better performance than current encryption.

Better Performance, Stronger Security with the ECC Algorithm

Elliptic Curve Cryptography (ECC) creates encryption keys based on the idea of using points on a curve to define the public/private key pair. It is difficult to break using the brute force methods often employed by hackers and offers a faster solution with less computing power than RSA-based encryption.

Key Benefits

• Better security — ECC provides stronger protection against attacks than cur­rent encryption methods. The ECC algorithm relies on a mathematical problem that is more difficult for hackers to attack than the current encryption, making your websites and infrastructure more secure than with traditional methods.
• Better performance — ECC requires a shorter key length to provide a superior level of security, For instance, a 256-bit ECC key provides the same level of protection as a 3072-bit RSA key. The result? You get the security you need without sacrificing performance.
• Investment protection — ECC helps protect your infrastructure investment by providing increased security that can handle the explosion in mobile device connections. ECC key lengths increase at a slower rate than other encryption method keys, potentially extending the life of your existing hardware and giving you a greater return on your investment.
• Mobile advantage — ECC’s smaller key length means smaller certificates that consume less bandwidth. As more of your customers move to smaller devices for their online transactions, ECC offers a better customer experience.

Compatibility

We know that keeping up with security requirements, compliance and threats can be difficult, and that’s why Symantec creates solutions that will make protecting your business easier.

Symantec’s ECC roots have been available in the top three browsers since 2007, so Symantec’s ECC certificates will work in your existing infrastructure as long as modern browsers are used.

Why Acmetek?

Acmetek is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Our certificates include certificate management, vulnerability assessment, malware scanning, and life time support for the certificate. You also get the Norton Secured Seal and Symantec Seal-in-Search to assure customers that they are safe when they search, browse or buy on your websites.

Rest easy knowing your website is protected by the #1 choice for SSL security. Symantec SSL Certificates secure more than one million web servers worldwide— more than any other Certificate Authority. In fact, 97 of the world’s 100 largest SSL-using banks and 81% of the 500 biggest e-commerce sites in North America use SSL Certificates from Symantec.

How to get SSL Certificates with ECC from Acmetek?

Symantec Premium SSL Certificates, Secure Site Pro and Secure Site Pro with EV, now give you the option of using the high security ECC algorithm (included free) to deliver stronger security than standard encryption methods while improving performance.

Visit the Symantec Secure Site Pro pages to sign up for a certificate or renew your current subscription.
or
Become a Partner and create additional revenue stream while we do the heavy lifting for you.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Server Gated Cryptography (SCG) certificates are used for maintaining a 128 bit connection irrespective of browser age. They are designed to step up the encryption to 128 bit. With the new norm of SHA-256 for all SSL certificates.

The thawte product thawte SGC SuperCert  will no longer be compatible with SHA-256. This is the reason why  thawte announced they will discontinue their SGC SuperCert product in the 2nd Qtr of 2015.

Acmetek recommends the SSL Web Server with EV as a suitable replacement certificate. Added benefit with this certificate is it also offers Green Bar at a similar cost.

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.

Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, which is the main cryptographic security system that underlies all HTTPS secure connections. It is a extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure in regards to web security.

What Is Certificate Transparency (CT)?

As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another, to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details.

In a nutshell, Certificate Transparency is a 3rd party auditing log required by Google/Chrome to display certificate ownership information.  The information is publicly audible.  Once the CT logging is enabled, that information will be public and can not be deleted from the log.  The following information appears in the CT log:

• Common Name
• Subject alternative names
• Organization name
• CA (issuer) name
• Serial number
• Validity period
• Extensions
• Certificate chain

*Note: that much of this information is already publicly available for external sites.

The Security Triad:

If you haven’t noticed over the years all client web browsers have been implementing various security notifications regarding the safety of websites. Browser have become an Auditor of website security  and show notifications to clients when web-surfing.

These notifications will typically show green bars or  padlocks if everything is secure and safe.  Yellow exclamation marks to make client awareness that the website is not as secure as it can be. Lastly red strikes if the browser deems something that is considered unsafe for users. The notifications will vary from browser to browser, but in the end these are all just disclaimers to inform web visitors on the safety of the website. Anything can contribute to these browser notifications including outdated server software configurations, Mixed or Insecure Content, or the certificate running on the website.

Now with Certificate Transparency there is a Web Security Triad. Security is not just limited to the Certificate Authority (Monitor) and Client browser (Auditor) like it used to be. Here’s what’s going on now.

• CT is a middle logging system that holds a time-stamp of logs of the certificates that have been issued by the various CA’s.
• The CA informs the Log Server of all certificates that get issued.
• The CA Monitor and Browser Auditor work in conjunction with the CT Log Server to Monitor, and Audit logs for suspicious certs, and verify that all the certs issued are visible for the public community.
• The Client browser Auditor verifies that the logs are behaving properly and informs  clients of anything suspicious that has happened in regards to certificate security.

CT is something that happens behind the scenes and is pretty much unnoticeable to browser clients navigating the web, but with its implementation there is a faster response and a extra tier to client safety with navigating the web.

For more information on Certificate Transparency feel free to visit Https://www.certificate-transparency.org

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.