Posts tagged #xca

Expired SSL Certificates

When I'm doing my thing on customer projects, and there's some SSL stuff involved, I always keep reminding them to make sure that they renew their certificates in time. Why? Because they almost always forget to renew them in time, and after they expire, stuff stops working, and they call us.

Guess what? My certificates expired this evening, so I got numerous warnings and errors in several applications that use those SSL certificates. Thankfully I run my own CA (XCA), and I documented where I use them, and how to replace them, so I was back in business in 10 minutes.

Lesson(s) learned: make a notification in my calendar to replace them ahead of time.

Posted on January 5, 2014 and filed under Security, Tips'n Tricks.

Create a Juniper SRX ca-profile For Unified Access Control

When you have a registered Juniper UAC / IC appliance, you have the option to download a VMware version of the system. This is called a DTE appliance (Development and Test Environment). With this you have a full-blown UAC at your disposal for testing and development. The only downside is that it's limited to 5 connected users. Apart from that, it's just like the real deal.

Posted on July 30, 2013 and filed under Security, Tips'n Tricks, Junos.

Changing SSL Certificates in an ISPConfig v3 Configuration

When you install a Perfect Server based on CentOS and ISPConfig v3.x, the system / 'installer' creates self-signed certificates for the components. All these certificates will generate different warnings in your browser, mail clients etc. So time to eliminate those warnings.

First I needed to find out where all those certificates are located, and what their formats are. In my case, there are three services that use SSL/TLS in some form:

  1. Postfix SMTP service
  2. Courier IMAP service
  3. http / Apache2 webservice

Checking the configuration files will reveal their locations.

Posted on January 7, 2012 and filed under Linux, Operating Systems, Security, Software, Tips'n Tricks.

Configure SSL Certificate for Juniper J-Web Interface

By default, the J-Web interface (GUI for the Juniper SRX firewalls) has SSL enabled. Like most devices with SSL out-of-the-box, the protection is based on a self-signed certificate. Self-signed certificates are easy (they come basically out-of-the-box), but they tend to nag you every time you connect to the GUI. So, it's time to install a proper certificate.

In this case, I use the XCA (1) software to create a new certificate. This certificate is signed by my own root CA, which I installed on all of my devices and Operating Systems. Basically, I trust myself.....

According to the Juniper support pages on SSL certificate usage, I found out that the certificates are to be in the PEM format. No problem for XCA.

Posted on March 11, 2011 and filed under Hardware, Security, Tips'n Tricks.

OSX CardDAV Server

After the challenges with the iCalDAV server in OSX, I gave up on getting the Addressbook server up-and-running. Somehow, the clients couldn't/wouldn't connect, no matter what configuration parameters I tried.

This week I tried to get it up-and-running again. Mainly because I can't concentrate for longer than two hours for my Cisco exams next week. Sometimes you need to clear your head.

For some reason I found the solution within the hour. No idea what the original problem was exactly.

Posted on December 17, 2010 and filed under Apple, Personal, Tips'n Tricks.

The Problems with Apple OS X (10.6.4) Server

It has finally been done. I've switched off the old Windows 2003 server at home and officially replaced it with an Apple Mac mini server. For now... And with 'for now' I really mean for now. It turns out that Apple OS X Server doesn't resemble its client counterpart at all. Where the client is stable and intuitive, the server edition lacks both.

I'll try to explain why I think there's lots of room for improvement. Mainly stuff I ran into while configuring the server/services.

Since the Windows server fulfilled several functions, I needed these functions to be available on the OS X server as well. These were:

  • Networking services like DNS and DHCP
  • Webserver
  • Mailserver
  • MySQL Database
  • SSH Server
  • File sharing on the internal network
  • Public Key Infrastructure for issuing certificates
  • Download station

Evaluating these functions, one would think that this shouldn't be a problem. Well it actually is.... At least some of those features.

Posted on July 12, 2010 and filed under Annoying, Apple, Operating Systems, Switched2Mac.

Creating Certificate Signing Requests

OK, the title might sound a little weird, but trust me..... I work on a daily basis with digital certificates (end-user, and SSL certificates). These things get more and more common these days. More and more webservices are being 'secured' by SSL certificates. The only problem is that the technicians who run the services don't know shit (well, most of them do) about SSL and/or PKI. I don't blame them, because it tends to be a little complex.

SSL certificates can be generated as self-signed certificates, or you might wanna get a commercial SSL certificate from Certificate Authorities like VeriSign, Thawte, GeoTrust, etc. Anyway, in every case, you need to generate a certificate signing request (CSR), and submit it to the Certificate Authority. The problem is that there are some applications that stay in a pending mode if you generate a CSR, and wait for the resulting certificate to come back from the CA. This might take a couple of days. It would be a lot nicer if you could request the certificate on another platform, and import it in the application when you get the thing. There are several ways to generate a CSR on the different platforms:

  • OpenSSL - equivalent to rocket science for most people, since it's a command-line tool
  • Via webserver tooling (IIS, Java keytool, etc.)
  • XCA - Not very user friendly if you're requesting just one or two certificates a year.
  • And probably some other 'obscure' ways

But what if your application needs an SSL certificate, or your webserver is located on the other side of the world (and you have no way of accessing it directly)? How the hell do you generate a CSR? The Windows platform itself doesn't have any tools for creating certificates (only if you use IIS or have a CA running on the platform). I hope to solve this by creating an application (cross-platform, of course) which creates these CSRs, and creates pkcs12 (or .pfx) files when you import the resulting certificate in the tool. This pkcs12 file can be installed on the server as needed. Finally, a challenge for me to start programming again.

Posted on January 17, 2007 and filed under Personal, Security, Software.
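
The workflow the CSR post describes (create the key and CSR away from the server, have a CA sign the request, then bundle key and certificate into a PKCS#12 file) can be walked through with the OpenSSL command line. This is an added example, not code from the original post or the tool it announces; the host name, file names, passphrase and the throwaway CA standing in for the real one are all constructed.

```shell
#!/bin/sh
# Added example; host name, file names, passphrase and test CA are constructed.
set -eu

# 1. Workstation: new private key + CSR. Only the CSR is sent to the CA.
make_csr() {   # $1 = work dir, $2 = DNS name for the certificate
  ( umask 077   # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -addext "subjectAltName=DNS:$2" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# 2. Stand-in for the real CA (XCA or a commercial one): sign the CSR.
sign_with_test_ca() {   # $1 = work dir, $2 = DNS name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# 3. Workstation again: refuse to bundle a certificate that does not belong
#    to the given key, then write the PKCS#12 file that goes to the server.
make_p12() {   # $1 = work dir, $2 = private key file; passphrase in $P12_PASS
  cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate does not match key" >&2; return 1; }
  openssl pkcs12 -export -inkey "$2" -in "$1/server.crt" -certfile "$1/ca.crt" \
    -name server -passout env:P12_PASS -out "$1/server.p12"
}

# Run the three steps once in a scratch directory and print the result path.
demo() {
  dir=$(mktemp -d)
  P12_PASS='constructed-passphrase'; export P12_PASS
  make_csr "$dir" www.example.test
  sign_with_test_ca "$dir" www.example.test
  make_p12 "$dir" "$dir/server.key"
  echo "$dir/server.p12"
}
demo
```

The passphrase is passed through the environment rather than on the command line so it does not show up in the process list.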