Showing posts with label SSL. Show all posts

Monday, January 09, 2023

Manually install an SSL certificate on my IIS 10 server

Once you have your certificate approved and ready, do the following steps.

Convert your .crt file to a .cer file

  1. Locate your downloaded .crt file, and double-click to open it.
  2. Select the Details tab, and then the Copy to File button.
  3. Select Next in the Certificate Wizard.
  4. Select Base-64 encoded X.509 (.CER) and then select Next.
  5. Select Browse, locate where you want to save your .CER file, and type in a name for your certificate.
  6. Select Next and then Finish.

Copy your certificate files onto the server

  1. Find the directory on your server where certificate and key files are stored, then upload your intermediate certificate (gd_iis_intermediates.p7b or similar) and primary certificate (.cer file that you just converted) into that folder.

Add a Certificate Snap-in to the Microsoft Management Console (MMC)

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type mmc and click OK.
  3. Click File, then click Add/Remove Snap-in.
  4. On the new window, click the Add button.
  5. On the new window, select Certificates and click Add.
  6. Select Computer account for the snap-in and click Next.
  7. Click Local computer and click Finish.
  8. Click Close on the Add Standalone Snap-in window.
  9. Click OK on the Add/Remove Snap-in window.

Import the Intermediate SSL Certificate

  1. In the MMC console, click to expand Certificates (Local Computer).
  2. Right click on the Intermediate Certification Authorities folder, hover over All Tasks and click Import.
  3. On the new window, click Next.
  4. Click Browse, find your gd_iis_intermediates.p7b intermediate certificate file and click Open.
  5. Click Next, verify that the certificate information is proper and click Finish.
  6. Close the "The import was successful" notification.

Install your SSL certificate

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type inetmgr and click OK to launch the Internet Information Services (IIS) Manager.
  3. Under the Connections panel on the left, click on your Server Name.
  4. In the main panel under the IIS section, double click on Server Certificates.
  5. Under the Actions panel on the right, click Complete Certificate Request.
  6. On the new window, click ... to browse, find your previously uploaded primary certificate file and click Open.
  7. Add a Friendly name to easily identify this certificate in the future.
  8. In the certificate store option, select Web Hosting and click OK.

Bind the SSL certificate

  1. Under the Connections panel on the left, click to expand the Sites folder.
  2. Click the Site Name that you plan to install the SSL certificate onto.
  3. Under the Actions panel on the right, find the Edit Site section and click Bindings.
  4. On the new window, click Add and fill out the following information:
    • Type: select https.
    • IP Address: select All Unassigned.
    • Port: type in 443.
    • Host name: leave this empty.
    • SSL Certificate: select your recently installed SSL.
  5. Click OK to confirm, then Close for the Site Bindings window.

Restart IIS

  1. Under the Actions panel on the right, find the Manage Website section and click Restart.

Thursday, January 05, 2023

Manually install an SSL certificate on my IIS 7 server

Copy your certificate files onto the server

  1. Find the directory on your server where certificate and key files are stored, then upload your intermediate certificate (gd_iis_intermediates.p7b or similar) and primary certificate (.crt file with randomized name) into that folder.

Add a Certificate Snap-in to the Microsoft Management Console (MMC)

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type mmc and click OK.
  3. Click File, then click Add/Remove Snap-in.
  4. On the new window, click the Add button.
  5. On the new window, select Certificates and click Add.
  6. Select Computer account for the snap-in and click Next.
  7. Click Local computer and click Finish.
  8. Click Close on the Add Standalone Snap-in window.
  9. Click OK on the Add/Remove Snap-in window.

Import the Intermediate SSL Certificate

  1. In the MMC console, click to expand Certificates (Local Computer).
  2. Right click on the Intermediate Certification Authorities folder, hover over All Tasks and click Import.
  3. On the new window, click Next.
  4. Click Browse, find your previously uploaded intermediate certificate file and click Open.
  5. Click Next, verify that the certificate information is proper and click Finish.
  6. Close the "The import was successful" notification.

Install your SSL certificate

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type inetmgr and click OK to launch the Internet Information Services (IIS) Manager.
  3. Under the Connections panel on the left, click on your Server Name.
  4. In the main panel under the IIS section, double click on Server Certificates.
  5. Under the Actions panel on the right, click Complete Certificate Request.
  6. On the new window, click ... to browse, find your previously uploaded primary certificate file and click Open.
  7. Add a Friendly name to easily identify this certificate in the future.
  8. Click OK.

Bind the SSL certificate

  1. Under the Connections panel on the left, click to expand the Sites folder.
  2. Click the Site Name that you plan to install the SSL certificate onto.
  3. Under the Actions panel on the right, find the Edit Site section and click Bindings.
  4. On the new window, click Add and fill out the following information:
    • Type: select https.
    • IP Address: select All Unassigned.
    • Port: type in 443.
    • Host name: leave this empty.
    • SSL Certificate: select your recently installed SSL.
  5. Click OK to confirm, then Close for the Site Bindings window.

Restart IIS

  1. Under the Actions panel on the right, find the Manage Website section and click Restart.
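
The checks an administrator would run after the install and bind steps above (the IIS 10 and IIS 7 procedures alike), as an added PowerShell example that is not from the original posts. It assumes the WebAdministration module is available on the server; the site name, friendly name and store defaults are placeholders.

```powershell
# Added example: post-install checks for the certificate bound in IIS.
# All parameter defaults are placeholders, not values from the posts.
param(
    [string]$SiteName     = 'Default Web Site',
    [string]$FriendlyName = 'my-site-cert',
    [string]$StoreName    = 'WebHosting'  # use 'My' when no store was selected (assumed for IIS 7)
)
Import-Module WebAdministration

# Locate the certificate by the Friendly name given in "Complete Certificate Request".
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate named '$FriendlyName' in LocalMachine\$StoreName." }

# 1. The certificate must be paired with the private key of the pending request.
if (-not $cert.HasPrivateKey) {
    throw 'No private key: the request was not generated on this server or was never completed.'
}

# 2. The certificate must be inside its validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. The chain must build through the imported intermediate to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
    throw 'Certificate chain did not validate.'
}
$chain.ChainElements | ForEach-Object { Write-Output "chain: $($_.Certificate.Subject)" }

# 4. The https binding on All Unassigned:443 must reference this certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq '*:443:' }
if (-not $binding) { throw "Site '$SiteName' has no https binding on *:443." }
if ($binding.certificateHash -ne $cert.Thumbprint) {
    throw "Binding uses certificate $($binding.certificateHash), expected $($cert.Thumbprint)."
}
Write-Output "OK: '$SiteName' serves $($cert.Subject) from $StoreName, expires $($cert.NotAfter)."
```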

Friday, June 08, 2018

How to Configure Stunnel Windows

stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service. stunnel is used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively.

stunnel can be used as a TLS proxy; I have used it when we had issues with TLS 1.0 with one of the API endpoints.

Server administrators and home users alike feel the pressure to secure their Internet communications, but not every application supports using Transport Layer Security (TLS). Recently all OS and all major stopped TLS 1.0 support, so we used stunnel as a fallback approach to TLS 1.0.

Step 1
Install Stunnel. Download the Windows binary file from Stunnel.org. Double-click on the executable "stunnel-4.34-installer.exe" and accept the default values for installing Stunnel on your computer.

Step 2
Copy a valid SSL public certificate to the directory "C:\Program Files (x86)\stunnel." To make things more trouble-free, combine the public key and private key certificates into one .PEM file.

Step 3
Modify the Stunnel configuration file. Open the file "C:\Program Files (x86)\stunnel\stunnel.conf" using a text editor such as Notepad. Modify the file to include the line "cert = C:\Program Files (x86)\stunnel\," where is the name of your certificate file.

Here is an example of my config file:

; Global option: stunnel acts as the TLS client for every service below
client = yes

[myService1]
accept     = 4010
connect    = www.pld.ups.com:443
sslVersion = TLSv1.2

[myService2]
accept     = 4011
connect    = wwwcie.ups.com:443
sslVersion = TLSv1.2

Step 4
Configure Stunnel to start automatically. Navigate to the Start menu, "stunnel" folder and click on "Service Install." Stunnel will configure a Windows service called "stunnel" to start automatically when the computer boots.
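
In client mode stunnel does not verify the server certificate unless it is told to, and an accept line without a host listens on all local addresses, so the configuration in Step 3 encrypts the connection without authenticating the endpoint. A verified variant of one service, as an added example that is not the author's configuration; verifyChain and checkHost assume stunnel 5.x, and the CAfile name is a placeholder.

```ini
; Added example: verified variant of [myService1]; not the author's configuration.
client = yes

[myService1]
; Bind the plaintext listener to loopback so only local applications can use the tunnel.
accept      = 127.0.0.1:4010
connect     = www.pld.ups.com:443
sslVersion  = TLSv1.2
; Require the server's chain to validate against trusted roots (stunnel 5.x option).
verifyChain = yes
; Placeholder: PEM bundle of trusted root certificates in the stunnel directory.
CAfile      = ca-certs.pem
; Reject certificates that were not issued for the host being connected to.
checkHost   = www.pld.ups.com
```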

Tuesday, May 01, 2018

TLS 1.2 and .NET Support: How to Avoid Connection Errors

I recently ran into an interesting issue during development, where we are connecting to a third-party Carrier API. When trying to connect to the API endpoint, I received the following error message:

“An error occurred while making the HTTP request to https://<API endpoint>. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.” Inner exception was “Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.”

With data security in place, a lot of API providers are ending TLS 1.0 support. This can be overcome by adding a line of code in .NET that sets TLS 1.1 or above.
The default System.Net.ServicePointManager.SecurityProtocol in both .NET 4.0/4.5 is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3.

.NET 4.0 supports up to TLS 1.0, while .NET 4.5 supports up to TLS 1.2.

However, an application targeting .NET 4.0 can still support up to TLS 1.2 if .NET 4.5 is installed in the same environment. .NET 4.5 installs on top of .NET 4.0, replacing System.dll.

Adding the one line of code below will help you avoid the above error.

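// Requires "using System.Net;". The values are cast because .NET 4.0 has no Tls11/Tls12 names.
// 192 = Tls (TLS 1.0), 768 = Tls11, 3072 = Tls12
ServicePointManager.SecurityProtocol = (SecurityProtocolType)192 |
    (SecurityProtocolType)768 | (SecurityProtocolType)3072;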

Reference:

namespace System.Net
{
    [System.Flags]
    public enum SecurityProtocolType
    {
       Ssl3 = 48,
       Tls = 192,
       Tls11 = 768,
       Tls12 = 3072,
    }
}