Stuff I'm Up To

Technical Ramblings

Ansible and Client Certificates — March 4, 2020

Ansible and Client Certificates

Now we know how to inject client certificates into Firefox and Chrome it’s time to automate that process with Ansible.

The goal is to take a client and CA certificate and deliver it to the .pki keystore on the client. The actual generation of the certificate happens using easyrsa and is not part of this process. Let’s assume you already have generated a series of certificates, and converted them to a .pfx (pkcs12) for each client and just need to deliver them – although I may write up that process later.

Further let’s assume you are naming the certificate files with the same inventory hostname you are going to use in Ansible. This is so we can easily identify which file goes to which host, eg.

myclient01.pfx for inventory item myclient01.

Continue reading
Firefox Certificates — February 5, 2020

Firefox Certificates

Now with added Chromium!

Fun and games with Nginx and client authentication certificates means we need to deploy certificates to the user for them to trust our CA and have a trusted personal certificate to validate with our server.

I can see why many just pop up a help page and navigate the user through importing the CA and their certificate in the browser. We need to make this a bit more automated though as the machines will be out with customers.

Continue reading
PaperCut Certificate — November 21, 2017

PaperCut Certificate

Time to replace the PaperCut web server certificate. So pleased I ran into Keystore Explorer previously as this made changing the web server certificate a breeze.

Put simply you create a new keystore file, in the Program Files\PaperCut MF\server\custom folder, and import your certificate that you obtain from your internal CA. We did this using MMC and the Certificate snap-in on the print server. Then export the certificate with private key to a .pfx file. Then just import the .pfx into the new keystore in Keystore Explorer.

Edit the file in Program Files\PaperCut MF\server and add the relevant keystore and password details.:

### SSL/HTTPS Configuration (Default: 9192) ###

# Custom SSL keystore example (recommend placing in the custom directory)

Restart the PaperCut services, give it a minute and the user and admin portal should now be using the new certificate.


Now every printer that has an embedded PaperCut app will need to be updated to accept the new certificate. This means you have to visit each PaperCut admin console on every device – yes, that’s the painful bit if you have a lot of printers. Then you login to the console and click apply, even though you’ve made no change. This will then ask you to accept and trust the new certificate.



OpenSSL and Subject Alternative Names — July 27, 2017

OpenSSL and Subject Alternative Names

Now that Google chrome has started bitching about certificates not having Subject Alternative Names because the practice of using Common Names in certificates has changed.

So in order to get the SAN into a CSR you need to edit the OpenSSL config file you’re using for the request. You can spend time scripting something, but for the few times I do it I’ll just copy the base openssl.cnf file to one specific to the CSR I need to create. After all you’ll already have customised the req_distinguished_name section so you don’t have to put in the country and company name all the time. eg.

$ cp /etc/ssl/openssl.cnf ~/myserver.cnf

Then I just use that new cnf file as part of the command line to create the CSR.

$ openssl req -out myserver.csr -new -newkey rsa:2048 -nodes -keyout myserver.key -config ~/myserver.cnf

Continue reading

Remmina/xfreerdp Certificate Name Mismatch — July 21, 2017

Remmina/xfreerdp Certificate Name Mismatch

When using Remmina to connect to some of our older Windows systems we’re seeing a certificate problem that prevents it from connecting. Remmina pretty much says you can’t connect, but you can see the error message if you run remmina from a terminal and try to connect.

connected to server:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@           WARNING: CERTIFICATE NAME MISMATCH!           @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (m3app) does not match any of the names given in the certificate:
Common Name (CN): no CN found in certificate
A valid certificate for the wrong name should NOT be trusted!
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure

Continue reading

Dell iDRAC and Certificates — March 10, 2017

Dell iDRAC and Certificates

A wider vulnerability scan picked up that we had self signed certificates on our Dell iDRAC’s (Dell Remote Access Controller). But also highlighted that the certificates keys were too small. So that meant in order to resolved the issue we must issue our own certificates and ensure they are the right key size.

This would normally be fairly straight forward. Use the Web UI to generate a CSR and then submit that to the CA. Then just upload the issued certificate to the Web UI and all is done. However, when we submitted the CSR the CA responded with an “Denied by Policy Module” error.

In the CA servers Application event log we see Event ID: 53

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module

Continue reading

HTTPS and SNI — March 9, 2017
SSL/TLS as a Server Admin — February 28, 2017

SSL/TLS as a Server Admin

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that SSL/TLS are the same thing. SSL was simply renamed TLS, but the underlying principles are the same, the mechanisms and ciphers change, but the concept is the same – and despite the change it’s still mostly referred to as SSL.

The basic process of SSL is that in order to engage in a secure conversation between systems both systems must share a level of trust with a common 3rd party.

I don’t trust you just because we can encrypt data together. I need to trust you based on a 3rd party we both trust telling me that you are who you say you are.

Continue reading

Updating ADFS Certificates — February 25, 2017

Updating ADFS Certificates

This wasn’t as easy as I thought it was going to be. I expected just to import the new certificate into the mmc certificate snap in and then set ADFS to use it in the ADFS Management console by choosing “Set Service Communication Certificate…”. Why would it need to be more difficult than that?

Turns out it is more difficult than that. I tried a few things to get it going with no success. The service starts up just fine, but the website at https://adfs.domain.tld remains down.

I check out event viewer and sure enough we have some pretty useless errors logged when I try to visit it.

Event ID: 15021, An error occurred while using SSL configuration for endpoint adfs.domain.tld:443.  The error status code is contained within the returned data.

Continue reading

Horizon Updating Certificates — February 24, 2017

Horizon Updating Certificates

Updating certificates on the Windows hosts for Connection and Security Servers.

Import the signed SSL server certificate into the Windows local computer certificate store on the Windows Server host.

In the Certificate snap-in, import the server certificate into the Certificates (Local Computer) > Personal > Certificates folder.

Select Mark this key as exportable.

Click Next and click Finish.

For View Connection Server or Security server, add the certificate Friendly name, ‘vdm’, to the new certificate that is replacing the previous certificate. You should only have one certificate with the friendly name vdm, so make sure it’s only the most current certificate.

Right-click the new certificate and click Properties

On the General tab, in the Friendly name field, type vdm.

Click Apply and click OK.

Continue reading

Teradici PCOIP Management Console — February 23, 2017

Teradici PCOIP Management Console

When it comes to upgrading the pcoip-mc it’s a case of deploying a new OVA file into the VMware estate. This means you have to grab all the settings from your previous console and restore them into the new one.

The backup and restore process isn’t painful at all. It’s all managed in the Web GUI. But if like me, you’ve used your own certificates for the server, you’re going to need to make sure you have the current ones handy and in a form you can redeploy to the new one.

Continue reading

Nessus Certificates — February 16, 2017

Nessus Certificates

In order to get your Nessus server to pass a vulnerability scan you’ll need to replace the original self-signed cert it uses for its web server. It’s easy enough to do.

Generate a CSR and a key for the server:

$ openssl req -out nessus.csr -new -newkey rsa:2048 -nodes -keyout nessus.key

Open the CSR and use that to get a certificate from your CA.

Whilst you’re there grab a copy of you CA servers public key.

Once you have the certificate (Base64 format) set about copying the key, CA certificate and your new server certificate to where they need to go.

Backup the following files first:

  • /opt/nessus/var/nessus/CA/serverkey.pem
  • /opt/nessus/com/nessus/CA/servercert.pem
  • /opt/nessus/com/nessus/CA/cacert.pem

Then replace them with your new key and pem files from your CA and restart the nessus service.

$ sudo cp ~/nessus.key /opt/nessus/var/nessus/CA/serverkey.pem
$ sudo cp ~/nessus.pem /opt/nessus/com/nessus/CA/servercert.pem
$ sudo cp ~/ca.pem /opt/nessus/com/nessus/CA/cacert.pem
$ sudo service nessusd restart