Tag Archives: SSL

HTTPS + CT SCT TLS extension on my blog

Finally, I managed to enable HTTPS on my own blog!

I opted for a quick-and-dirty solution based on a self-compiled version of HAProxy in front of WordPress, statically linked to OpenSSL 1.0.2, in order to serve Certificate Transparency information during the TLS setup.

Certificate Transparency: manually verify SCT with openssl

The recent OpenSSL 1.0.2 release added support for Certificate Transparency (CT, RFC6962) by implementing one of the methods that let TLS clients receive and verify Signed Certificate Timestamps (SCTs) during the TLS handshake, namely the OCSP response extension. My goal here is to show how to use another method, the signed_certificate_timestamp TLS extension, to obtain the same result.

Certificate Transparency - SCT via TLS Extension

SHA-1 sunset: valid SHA-2 chains treated as insecure

While dealing with the SHA-1 sunsetting process I encountered a problem with some certificates from StartSSL/StartCom that may lead Chrome to raise warnings or even errors on websites with updated SHA-2-only chains (at least on Microsoft Windows clients).

Chrome yellow-triangle

Italian Government mail servers STARTTLS support

After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.

STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it’s implemented on the MX SMTP server, it allows a STARTTLS-aware user’s outbound mail server to encrypt the traffic toward the recipient’s server.

STARTTLS User to MX mail server

Apache2 SSL certificates signed by the Windows domain Certification Authority

This is mostly a reminder to myself…

When you submit an openssl-generated certificate signing request (CSR) file to a Windows Certification Authority and try to sign it, you receive the following error:

The request contains no certificate template information. The request does not contain a certificate template extension or the CertificateTemplate request attribute.

CA signing error – The request contains no certificate template information.

Every time (not really “every”!) I need to set up an Apache2 SSL certificate I get stuck in front of it!

Steps to have a domain-trusted SSL certificate installed on Apache2

1) Generate an SSL certificate signing request (CSR):

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

2) Move the CSR file to the Windows server where the Certification Authority is running.

3) Open a command prompt (cmd.exe) with administrative privileges and run the following command:

certreq -submit -attrib "certificatetemplate:WebServer"

4) When prompted, select the CSR file and then choose where to save the issued X.509 certificate file.

You got it!

The WebServer name used in the certreq command is the template name of the template you want to use, not its “display name”; you can find it in the “Certificate Templates Console” MMC snap-in (certtmpl.msc):

Template name from the Certificate Templates Console
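The whole procedure, wrapped into a script, as an added example that is not part of the original post. It goes a little beyond the steps above: the CSR is generated from a small request config that adds a subjectAltName (today's browsers refuse certificates that carry only a CN), the certreq command names the CA with -config and passes the request/output files so neither dialog is needed, and two checks run on the Linux side before the certificate goes into Apache. The host name, the "CAHOST\CA-Name" string, the file names and the request config are placeholders and assumptions of mine; WebServer is the template name from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: CSR with SAN, the certreq
# command for the CA host, and sanity checks on the certificate it returns.
# HOST and CA_CONFIG are placeholders; replace them with your own values.
set -eu

HOST="${HOST:-www.example.internal}"   # placeholder FQDN of the Apache vhost
CA_CONFIG='CAHOST\CA-Name'              # placeholder "host\CA name" for certreq -config

# Generate an RSA-2048 key ($2) and a CSR ($3) for host $1. The post's bare
# "openssl req" produces a CSR with only a CN; the request config below adds
# the subjectAltName that browsers require.
gen_csr() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
CN = $1
[ext]
subjectAltName = DNS:$1
EOF
    # -nodes leaves the key unencrypted so Apache can start unattended,
    # so create it readable by its owner only (umask in a subshell).
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
          -keyout "$2" -out "$3" 2>/dev/null )
    rm -f "$cfg"
}

# Return 0 when the CSR ($1) carries DNS:$2 (catches a silently ignored config).
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Return 0 when the certificate ($1) carries DNS:$2 (the CA kept the SAN).
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# The Windows side: template name (not display name), CA, request, output.
certreq_command() {
    printf 'certreq -submit -attrib "CertificateTemplate:%s" -config "%s" %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# The CA may hand back DER (.cer); mod_ssl wants PEM. Copies PEM input as-is.
to_pem() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
    fi
}

# Return 0 when the public key in certificate $2 is the one of private key $1
# (guards against installing a certificate issued for a different request).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    if [ "$k" = "$c" ]; then return 0; else return 1; fi
}

main() {
    gen_csr "$HOST" server.key server.csr
    csr_has_san server.csr "$HOST" || { echo "CSR lacks SAN" >&2; exit 1; }
    echo "On the CA host, in an administrative prompt, run:"
    certreq_command WebServer "$CA_CONFIG" server.csr server.cer
    # Once server.cer has been copied back next to the key:
    if [ -f server.cer ]; then
        to_pem server.cer server.pem
        key_matches_cert server.key server.pem && cert_has_san server.pem "$HOST" \
            && echo "OK: SSLCertificateFile server.pem / SSLCertificateKeyFile server.key"
    fi
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh issue-cert.sh run` on the Apache host, execute the printed certreq line on the CA, copy server.cer back and run the script again. The two checks matter because a Windows CA can silently drop request extensions when the template does not allow requester-supplied ones, and the "X.509 file" saved from the dialog is often DER, which mod_ssl will not load.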