
SSL Certificate Checker

After installing the SSL certificate on the Nginx web server, you need to check whether it is installed correctly.

I installed the SSL certificate two months ago. It is a Sectigo ECC certificate.

Now I am changing the certificate files.

Previously, I put the site SSL certificate file content and the SSL bundle file together. The final SSL certificate file is 4.36KB and includes three certificates. The guide is from the Comodo official site; the Sectigo site has a similar guide here.

Now I remove the last one and keep only the site certificate and the intermediate one. The total size is 3.01KB.

The certificate I deleted from the old file is for USERTrust ECC Certification Authority. It is already included in the Trusted Root CA list.

Then I tested the new certificate file, which has only two certificates, with different online SSL checking tools.

[Image: Geocerts SSL checking result]

Fix the Warning of Event 64, CertificateServicesClient-AutoEnrollment

My Windows 10 is version 1809. Recently I saw this warning in the Event Viewer.

Event 64, CertificateServicesClient-AutoEnrollment

Certificate for local system with Thumbprint be f9 b4 cd 1xxxxxxxx f4 df 51 is about to expire or already expired.

I did a search and found the way to solve this problem.

Before doing the following, I would like to make an announcement: it is just a warning. It will not affect your Windows system.

  1. Right click Start > Run > type mmc > press ENTER
  2. On the File menu > click Add/Remove Snap-in > click Certificates > click Add
  3. Click Computer Account > click Next
  4. Click Finish > click OK
  5. In the console tree, expand Certificates > Personal > Certificates
  6. You should see the XBL Client IPsec Issuing CA
  7. Right click on it > All Tasks > Export
  8. Follow the Export Wizard > export it as X.509 (.cer) > give it a name (example: xbl-client-ipsec.cer)
  9. Right click on it > Delete > confirm Delete
  10. Close the mmc > say NO when asked if you want to save the console

Now the certificate is removed. This warning should no longer appear in the Event Viewer.

Add my Blog to HSTS preload list

Now my blog, David Yin Blog, is HTTPS encrypted. It is also HSTS enabled, and most recently it is on the HSTS preload list.

This has three layers of meaning.

  1. https support.
  2. HSTS enabled.
  3. HSTS preload enabled.

Let me explain them one by one.

First, add https support. I did this step in Feb. 2016, when I announced that SSL was added. I recorded how I got the SSL certificate and installed it on the Nginx web server.

After that, all content sent back and forth between my blog and its audience is encrypted. Even the ISP cannot read the content from the data traffic.

[Image: Comodo PositiveSSL certificate]

Second, I added HSTS to the Nginx configuration to make it more secure.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
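Before submitting a domain to hstspreload.org, it is worth checking that the header the server actually sends satisfies the preload requirements. The following shell function is an added example, not part of the original post: it parses a Strict-Transport-Security value and reports the first unmet header requirement (a max-age of at least 31536000 seconds, includeSubDomains, and preload). The sample values are constructed, not captured from any site; `hsts_header_of` is an assumed helper that fetches the live header with curl so a real site can be fed into the check.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks an HSTS header value
# against the header requirements of the hstspreload.org submission form:
# max-age of at least 31536000 seconds (one year), includeSubDomains, preload.
# The other requirements (valid certificate, HTTP-to-HTTPS redirect) are not
# checked here. Sample header values below are constructed, not captured.
set -e

# $1 = Strict-Transport-Security header value. Prints "ok" and returns 0 when
# it qualifies; otherwise prints the first unmet requirement and returns 1.
hsts_preload_check() {
  # Directive names are case-insensitive and whitespace is not significant.
  value=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
  max_age=""
  has_sub=no
  has_preload=no
  old_ifs=$IFS
  IFS=';'
  for directive in $value; do
    case "$directive" in
      max-age=*)         max_age=${directive#max-age=} ;;
      includesubdomains) has_sub=yes ;;
      preload)           has_preload=yes ;;
    esac
  done
  IFS=$old_ifs
  case "$max_age" in
    '' | *[!0-9]*) echo "missing or invalid max-age"; return 1 ;;
  esac
  if [ "$max_age" -lt 31536000 ]; then
    echo "max-age $max_age is below 31536000 (one year)"; return 1
  fi
  [ "$has_sub" = yes ] || { echo "missing includeSubDomains"; return 1; }
  [ "$has_preload" = yes ] || { echo "missing preload"; return 1; }
  echo ok
}

# Header value of a live site (needs network; prints nothing if HSTS is absent).
hsts_header_of() {
  curl -sI "$1" | tr -d '\r' |
    awk 'tolower($1) == "strict-transport-security:" { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# Constructed examples:
echo "$(hsts_preload_check 'max-age=63072000; includeSubDomains; preload')"  # ok
echo "$(hsts_preload_check 'max-age=31536000')"                              # missing includeSubDomains
echo "$(hsts_preload_check 'max-age=300; includeSubDomains; preload')"       # max-age 300 is below 31536000 (one year)
# Live check (uncomment):
# echo "$(hsts_preload_check "$(hsts_header_of https://www.yinfor.com/)")"
```

With Nginx the value under test is whatever you put in the add_header Strict-Transport-Security directive; the redirect from HTTP to HTTPS and a valid certificate are separate preload requirements that this function does not cover.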


SSL added

To provide higher security and better privacy protection, I added an SSL certificate to my blog, here.

When you enter the URL of my blog, http://www.yinfor.com/, it will redirect you to the SSL version, https://www.yinfor.com/

The certificate was purchased from gogetssl.com, a three-year Comodo PositiveSSL certificate.

The latest price is $13.15/3years.

[Image: Comodo Secure site seal]

Look at the Comodo Secure lock; it is a site seal.

City of Burnaby Web Site SSL issue was fixed

When I wrote my last post about the SSL issue of the Burnaby City website, I made a tweet and mentioned @cityofburnaby. They replied to me on the second day.

The official CityofBurnaby account said the information had been forwarded to their IT team for review.

[Image: Burnaby City site SSL issue]

I thought my job was done. As a resident of Burnaby, I just have a duty to help our city notice the issue.

Two days after that, @cityofburnaby sent me another notice saying their IT team had applied the needed fix. The error is now resolved for the Chrome browser on cell phones.

[Image: CityofBurnaby SSL issue fixed]

Web site of Burnaby City has SSL error

It is an error. When I entered the URL of Burnaby City Hall in the Chrome browser on my cellphone, it displayed an error.

A red line was struck through the https. It said: Your connection is not private. Attackers might be trying to steal your information from www.burnaby.ca.

NET::ERR_CERT_AUTHORITY_INVALID

[Screenshot: 2015-12-21 16.18.52]

It is OK when I browse the site on the desktop. It looks normal.

I used the SSL Labs server tool to check the certificate installation.

The report said it has a certificate chain issue: missing intermediate certificate.

LFTP Fatal error: Certificate verification: Not trusted

It is an error I got when I tried to connect to an FTP server with the LFTP tool.

Fatal error: Certificate verification: Not trusted

I did a search on Google and found the answer.

A self-signed certificate is used by TLS on the FTP connection. It is not trusted, and so the error comes.

Of course, the connection is closed on error, and no further put or get command can be used.

To bypass this message, or ignore this error, add the following content to the file ~/.lftp/rc:

set ssl:verify-certificate no

Tools to check your SSL Installation

I have tried some tools to diagnose my SSL certificate installation.

Some relate to the correct certificate, and more to certificate chain issues.

SSL certificates are trusted through their parent, that is, they are issued by a higher-level certificate. It looks like a chain: one connects to the next and goes up to the CA root.

Say I have an SSL certificate for the domain seo.g2soft.net.

  • The certificate of seo.g2soft.net is issued by COMODO RSA Domain Validation Secure Server CA
  • COMODO RSA Domain Validation Secure Server CA is issued by COMODO RSA Certification Authority
  • COMODO RSA Certification Authority is issued by AddTrust External CA Root.

The last one, AddTrust External CA Root, is one of the root CAs. It is issued by itself. Root certificates are already installed in every computer or browser. It is trusted and in the trust store.

[Image: certificate chain]

The above is a correct installation.

Tool One:

Geocerts SSL Checker

https://www.geocerts.com/ssl_checker

Tool Two:

DigiCert SSL Installation Diagnostics Tool

https://www.digicert.com/help/


Certificate Installation: NGINX with Comodo SSL

Here is the guide to show you how to install the Comodo SSL certificate in Nginx.

  1. Order the Comodo certificate and receive the certificate files.
    I don't discuss how or where to get it; that is another topic. You will receive the following files.
    The PositiveSSL certificate comes as a zip file emailed to you. Unzip it and you get four files.
    [Image: PositiveSSL-Shalom-Campus1]

    • Root CA Certificate – AddTrustExternalCARoot.crt
    • Intermediate CA Certificate – COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
    • Your PositiveSSL Certificate – www_example_com.crt (or the subdomain you gave them)
  2. Make the file for Nginx:
    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > your_domain_crt.pem

    I only need your certificate and the intermediate certificates. The root is already installed in every single computer or browser. The order of the certificates is important.

  3. Save this file in the place you want Nginx to use it:
    mv your_domain_crt.pem /etc/nginx/ssl/
  4. Save your private key in the same place:
    mv your_domain_key.pem /etc/nginx/ssl/
  5. Make sure your Nginx config file looks like below:
    server {
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/your_domain_crt.pem;
        ssl_certificate_key /etc/nginx/ssl/your_domain_key.pem;

        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # ...
    }
  6. Reload Nginx and check that it works by entering https://www.your_domain.com/

How to install SSL certificate in Webmin

It is a little bit tricky to install an SSL certificate in Webmin. Here is a how-to for the installation.

Now Webmin is version 1.710, on CentOS 6.5.

The SSL certificate is issued by Comodo.

The very important part is the key and the certificates themselves. I have all these files from gotssl.com. But I did not know how to combine them or which one is the correct file.

So, make two files first.

1) Combine server private key and certificate into one file.

new_miniserv.pem


    -----BEGIN PRIVATE KEY-----
    (Contents of private key)
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Contents of SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----

your_domain_name.sha256.ca-bundle

It is for the chained certificates.

    (contents of COMODORSADomainValidationSecureServerCA.crt)
    (contents of COMODORSAAddTrustCA.crt)

Save both files into /etc/webmin/
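The file layouts described on this page (the Nginx chain file from the Comodo install guide, the two Webmin files above, and the trimmed bundle from the SSL Certificate Checker post) can be checked locally rather than only with online tools. The following shell script is an added example, not code from the original posts or from Comodo, Sectigo or Webmin. It generates a throwaway root, intermediate and leaf with openssl (the names Demo Root CA, Demo Intermediate CA and www.example.test and all file names are constructed), assembles the files the way the posts describe, and then applies the two checks an online SSL checker performs: each certificate in the served bundle must be issued by the next one, and the chain must verify against a trust store holding only the root. It also reproduces the failure from the Burnaby post, a bundle with no intermediate.

```shell
#!/bin/sh
# Added example, not code from the original posts. Builds a throwaway
# root -> intermediate -> leaf chain with openssl, assembles the files the
# Nginx and Webmin posts describe, and checks them the way an online SSL
# checker does. Every name (Demo Root CA, Demo Intermediate CA,
# www.example.test, the file names) is constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Toy CA hierarchy. Real certificates come from your CA; this only produces
# material with the same structure so the checks below have something to run on.
# A private openssl config is written so the demo does not depend on the system one.
make_demo_chain() {
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
  key='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'   # split on purpose below
  openssl req -x509 -config demo.cnf $key -keyout root.key -out root.crt \
    -days 30 -subj "/CN=Demo Root CA"
  openssl req -new -config demo.cnf $key -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions ca_ext -out int.crt
  openssl req -new -config demo.cnf $key -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test"
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.crt
}

# Number of PEM certificates in a file (no openssl needed).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Nginx layout: site certificate first, then the intermediate(s). The root is
# left out because clients already hold it in their trust store.
make_nginx_chain() { cat leaf.crt int.crt > your_domain_crt.pem; }

# Webmin layout: private key plus site certificate in one file, intermediates
# by themselves in the ca-bundle file.
make_webmin_files() {
  cat leaf.key leaf.crt > new_miniserv.pem
  cat int.crt > your_domain_name.sha256.ca-bundle
}

# Split a bundle into <prefix>1.pem, <prefix>2.pem, ... in file order.
split_bundle() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                 n > 0 { print > (p n ".pem") }
                 /-----END CERTIFICATE-----/ { close(p n ".pem") }' "$1"
}

# Ordering check: certificate i must be issued by certificate i+1, which is the
# order Nginx expects (leaf, then the CA that signed it, and so on). Prints ok/fail.
check_order() {
  split_bundle "$1" chk-
  n=$(count_certs "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "chk-$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "chk-$((i + 1)).pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || { echo fail; return 0; }
    i=$((i + 1))
  done
  echo ok
}

# Trust check: $1 = served bundle, $2 = trusted root, $3 = site certificate.
# The root comes from the trust store (-CAfile); everything else must be in the
# bundle (-untrusted). A bundle without the intermediate fails just like the
# "missing intermediate certificate" report in the Burnaby post. Prints ok/fail.
verify_chain() {
  if openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_demo_chain 2>/dev/null
make_nginx_chain
make_webmin_files
cat int.crt leaf.crt > wrong_order.pem          # intermediate before the leaf

echo "certificates in Nginx chain file:    $(count_certs your_domain_crt.pem)"             # 2
echo "order of Nginx chain file:           $(check_order your_domain_crt.pem)"             # ok
echo "order of wrong_order.pem:            $(check_order wrong_order.pem)"                 # fail
echo "verify full bundle:                  $(verify_chain your_domain_crt.pem root.crt leaf.crt)"  # ok
echo "verify leaf only (no intermediate):  $(verify_chain leaf.crt root.crt leaf.crt)"    # fail
```

Run it with sh on a machine that has OpenSSL 1.1.1 or newer. To check a real installation, point `check_order` at your own chain file and `verify_chain` at that file together with the root from your system trust store and your site certificate. `openssl verify` builds the chain from the whole `-untrusted` pool regardless of order, so it will not catch a reversed file; that is why the separate order check exists, since Nginx does require the order.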

2) Sign in to Webmin over HTTP.

Go to Webmin > Webmin Configuration > SSL Encryption

Fill in the fields Private Key and Additional certificate files.

Also choose Yes for "Enable SSL if available?".

Click Save and it works right away.

[Image: Webmin SSL configuration]

Then, when you need to access Webmin, the URL is https://your_domain_name.com:10000

No more warning about a self-signed certificate.