Stuff I'm Up To

Technical Ramblings

Dell iDRAC and Certificates — March 10, 2017

Dell iDRAC and Certificates

A wider vulnerability scan picked up that we had self-signed certificates on our Dell iDRACs (Dell Remote Access Controllers), but it also highlighted that the certificate keys were too small. So to resolve the issue we must issue our own certificates and ensure they use the right key size.

This would normally be fairly straightforward: use the Web UI to generate a CSR, submit that to the CA, then upload the issued certificate back through the Web UI and all is done. However, when we submitted the CSR the CA responded with a “Denied by Policy Module” error.

In the CA server’s Application event log we see Event ID 53:

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module

Continue reading

HTTPS and SNI — March 9, 2017
SSL/TLS as a Server Admin — February 28, 2017

SSL/TLS as a Server Admin

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that SSL and TLS are the same thing. SSL was simply renamed TLS; the underlying principles are the same, and although the mechanisms and ciphers change, the concept is the same. Despite the rename it’s still mostly referred to as SSL.

The basic process of SSL is that, in order to engage in a secure conversation, both systems must share a level of trust with a common third party.

I don’t trust you just because we can encrypt data together. I need to trust you because a third party we both trust tells me that you are who you say you are.

Continue reading

Updating ADFS Certificates — February 25, 2017

Updating ADFS Certificates

This wasn’t as easy as I thought it was going to be. I expected just to import the new certificate using the MMC Certificates snap-in and then set ADFS to use it in the ADFS Management console by choosing “Set Service Communication Certificate…”. Why would it need to be more difficult than that?

Turns out it is more difficult than that. I tried a few things to get it going with no success. The service starts up just fine, but the website at https://adfs.domain.tld remains down.

I checked Event Viewer and, sure enough, some pretty useless errors were logged when I tried to visit it.

Event ID: 15021, An error occurred while using SSL configuration for endpoint adfs.domain.tld:443.  The error status code is contained within the returned data.

Continue reading

Horizon Updating Certificates — February 24, 2017

Horizon Updating Certificates

Updating certificates on the Windows hosts for Connection and Security Servers.

Import the signed SSL server certificate into the Windows local computer certificate store on the Windows Server host.

In the Certificate snap-in, import the server certificate into the Certificates (Local Computer) > Personal > Certificates folder.

Select Mark this key as exportable.

Click Next and click Finish.

For View Connection Server or Security Server, give the new certificate that is replacing the previous one the friendly name ‘vdm’. You should only ever have one certificate with the friendly name vdm, so make sure it is only the most current certificate that carries it.

Right-click the new certificate and click Properties.

On the General tab, in the Friendly name field, type vdm.

Click Apply and click OK.

Continue reading

Teradici PCOIP Management Console — February 23, 2017

Teradici PCOIP Management Console

When it comes to upgrading the pcoip-mc it’s a case of deploying a new OVA file into the VMware estate. This means you have to grab all the settings from your previous console and restore them into the new one.

The backup and restore process isn’t painful at all; it’s all managed in the Web GUI. But if, like me, you’ve used your own certificates for the server, you’re going to need to make sure you have the current ones handy and in a form you can redeploy to the new one.

Continue reading

Nessus Certificates — February 16, 2017

Nessus Certificates

In order to get your Nessus server to pass a vulnerability scan you’ll need to replace the original self-signed cert it uses for its web server. It’s easy enough to do.

Generate a CSR and a key for the server:

$ openssl req -out nessus.csr -new -newkey rsa:2048 -nodes -keyout nessus.key

Open the CSR and use it to request a certificate from your CA.

Whilst you’re there, grab a copy of your CA server’s certificate (its public key) as well.

Once you have the certificate (Base64 format), set about copying the key, the CA certificate and your new server certificate to where they need to go.

Backup the following files first:

  • /opt/nessus/var/nessus/CA/serverkey.pem
  • /opt/nessus/com/nessus/CA/servercert.pem
  • /opt/nessus/com/nessus/CA/cacert.pem

Then replace them with your new key and the PEM files from your CA, and restart the Nessus service:

$ sudo cp ~/nessus.key /opt/nessus/var/nessus/CA/serverkey.pem
$ sudo cp ~/nessus.pem /opt/nessus/com/nessus/CA/servercert.pem
$ sudo cp ~/ca.pem /opt/nessus/com/nessus/CA/cacert.pem
$ sudo service nessusd restart


References: https://docs.tenable.com/nessus/6_5/Content/9_Additional_Resources/9_8_Custom_SSL_Certificates.htm

Tomcat and HTTPS — January 31, 2017

Tomcat and HTTPS

By default Tomcat gets installed with HTTP only and a number of default applications. Previously I linked documents on how to secure Tomcat, but put simply: just delete the folders under webapps that you don’t need for your application, so you are pretty much left with host-manager and manager in there.

My next step was to try to figure out how to get the connection changed from HTTP to HTTPS and apply a valid certificate to the connection.

Continue reading

Java Certificates — January 30, 2017

Java Certificates

Certificates are the bane of my existence! After applying some updated certificates to Windows servers, some of the systems are now failing to connect to database servers. This is because the underlying Java program knows nothing about the Windows certificate stores and uses its own.

Now, if life weren’t difficult enough, the default keystores used by Java reside in the %JAVA_HOME%\lib\security folder, but we’ve got applications that have many flavours of Java installed, i.e. java_jre_32bit, java_jre_64bit, java_jdk_32bit and java_jdk_64bit. I know, I didn’t install it like this; it’s a vendor install, they insist on it being this way and it must remain a very specific version of Java.

So now we have to add the CA certificate into the cacerts file, which is where Java keeps its CA certs. So I’ve had to do this for each flavour of Java by using:

c:\> %JAVA_HOME%\bin\keytool -v -import -alias MyCA -file MyCA.pem -keystore %JAVA_HOME%\lib\security\cacerts

Where MyCA is the alias the certificate is stored under and MyCA.pem is the .cer file you must export from your CA via the MMC computer Certificates snap-in (management console).

Keytool will ask you for a password. What could it be? Well, after a major trawl of the internet I found the default Java cacerts password is ‘changeit’.

I’m sure you can change it to whatever you’d like, but then you’re going to have to ensure that you update your Java configs to give them the new password, which for me could be problematic as the vendor’s configs could be anywhere!

References: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Renamed Machine & Wrong Certificate Name — January 27, 2017

Renamed Machine & Wrong Certificate Name

When we set up some virtual machines from a template, we gave them temporary names because the machines they were replacing were still running on the domain. After we decommissioned the old machines and renamed the new ones, it seems the rename didn’t fully do the job.

All the domain membership stuff went OK, but the certificate issued to the machine still had the temporary name. Even after deleting the wrongly named certificate we’d still get a certificate issued with the same name.

A quick trawl in the registry revealed that the following key needed to be changed to get the correctly issued certificate:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName

Once this was done the certificate was received with the correct name.

Using NMAP for SSL/TLS Testing — January 20, 2017
RDP Server Certificate — October 18, 2016

RDP Server Certificate

With Windows Server 2012 it seems they’ve decided to do away with the GUI for managing the RDP admin connection unless you install the full RDS product.

So when you get a new certificate for the server you need to update the RDP service somehow. By far the easiest way is to use the tsconfig.msc (Remote Desktop Session Host Configuration) GUI from an old 2008 server and connect to the new 2012 system to change the certificate.

But sometimes there’s no choice other than the command line. For this you’ll need to get the thumbprint of the certificate you want to use from the Local Computer certificate store (using MMC).

Continue reading