檢查網站憑證 CA

Reference:

【茶包射手日記】網站憑證無效案例分析

網站憑證安裝之後，可使用以下的方法檢查是否安裝正確。

• Qualys SSL Labs 的 SSL Server Test
• What's My Chain Cert?
• SSLChecker
• openssl s_client -showcerts -connect www.hinet.net:443

CA 憑證轉檔 (.crt/.key to .pem)

Reference:

TLS / SSL 金鑰轉檔，「.crt / .key」如何轉成「.pem」？( OpenSSL 教學)

Nginx 使用的憑證格式是 .pem，所以需要把憑證轉檔。

 

使用 openssl 轉檔

 

openssl rsa -in private.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > certificate.pem
openssl x509 -inform PEM -in ca_bundle.crt > ca_bundle.pem 

2021/9/14 update:

ZeroSSL 憑證給 nginx 使用的方法

 

$ cat certificate.crt ca_bundle.crt >> certificate.crt

 

nginx.conf

    listen               443 ssl;
    ssl                  on;
    ssl_certificate      /etc/ssl/certificate.crt;
    ssl_certificate_key  /etc/ssl/private.key;

更改 Windows 憑證授權所發行的認證到期日期

Reference:
http://support.microsoft.com/kb/254632

1. 開啟「登錄編輯器」。
2. 請找到下面的登錄機碼： HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSrv\Configuration\<CAname>
3. 請按兩下 ValidityPeriod REG_SZ 登錄值並將有效期間更改為下列其中一個選項： 日，周，月或年。
4. 請按兩下ValidityPeriodUnits REG_DWORD 登錄值並更改您想要的日，周，月或年等數字 (例如 1,2,3, 等等)。
5. 停止然後重新啟動「憑證服務」。

Adding "Trusted Publishers" certificate with Group Policy

Reference:
http://www.bibble-it.com/2008/09/03/adding-trusted-publishers-certificate-with-group-policy

• export Certificate without private key. (ex. mykey.cer)
• Open “Group Policy Manager”
• Under Computer Configuration – Windows Settings – Security Settings – Software Restriction Policies
• Right click and create a new Software Restriction policy if you haven’t got one already

• Under Additional rules right click and create new “Certificate rule”
• Click browse and select the exported certificate that is being used to sign the updates (.cer file)
• Change the “Security Level” to Unrestricted otherwise you will stop the computers running any programs!

Certificate template for VBA Projects code signing

用預設的 Certificate template "User" 不能對 Office 巨集做 Digital Certificate for VBA Projects。

解法：
自己新增 Certificate template 並加上 Code Signing。

Windows 2008 SSTP VPN configuration and troubleshooting

Reference:
http://www.dotblogs.com.tw/ray716/archive/2011/08/19/33607.aspx
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx

My environment:
1. Server 1: DC with Active Directory Certificate Services
2. Server 2: For remote access. In DMZ. with one Network Interface Card only.
3. Client 1: Windows 7. For test SSTP connection.

RRAS (Server 2) Configuration Steps:
1. open "Server Manager".
2. Add roles: Web Server (IIS)

用網頁申請憑證發生錯誤 No certificate templates could be found.

Windows 2008 CA.
Error message on requesting Certificate from Web: No certificate templates could be found.

Solution:
1. Create an account (Ex: CA_admin) and to to group Cert Publishers. (Add to group Domain Admin if not work)
2. Open IIS manager. Create new Application Pool (Ex: cert). Change Identity of this Pool to domain\CA_admin.

3. Change Application Pool of CertSrv to this new Pool.

Reference:
http://technet.microsoft.com/en-us/library/cc731256(WS.10).aspx

Windows 2003 CA for IIS 6.0

設定步驟請參考 http://blog.blueshop.com.tw/topcat/archive/2007/04/03/50380.aspx

補充：
在 http://HOSTNAME/CertSrv 申請憑證時，Certificate Template 必須選 Web Server

Windows 2008 CA 申請憑證

CA server 為 cert.domain.com

方法一：透過網頁 https://cert.domain.com/certsrv/

 

Windows 2008 CA, RMS 安裝

CA 安裝步驟請參考這一篇
https://dotblogs.com.tw/justingong/2011/05/05/24256

RMS 安裝步驟請參考這一篇
https://dotblogs.com.tw/dotjason/2010/01/08/12923

補充：我用Enterprise CA，沒有事先做 IIS server憑證，安裝完成後無法使用，必須另外申請 IIS SSL 憑證才行，製作方法請參考這一篇 http://chandler-bin.blogspot.com/2011/08/iis-7-https.html

RMS client SP2 download
http://www.microsoft.com/download/en/details.aspx?id=4909

RMS client Office 版本需求
http://chandler-bin.blogspot.com/2011/08/microsoft-rms-client.html

用 GPO 建立信任網站
http://www.dotblogs.com.tw/angi/archive/2009/09/30/10833.aspx

IIS 7 https 無法開啟

錯誤訊息：
The following fatal alert was generated: 20. The internal error state is 960.

原因：
Server 憑證不正確。

解法：
重新申請 Server 憑證。
http://technet.microsoft.com/en-us/library/cc731014(WS.10).aspx