Secure Sockets Layer (SSL) Frequently Asked Questions (FAQ)


A CSR is a certificate signing request, defined by the PKCS #10 specification.
A CSR is generated by the end user and submitted to a Certificate Authority (CA) to obtain a certificate.

A CSR can be generated with OpenSSL, IIS, Exchange, Java, etc.

A CSR starts with "-----BEGIN CERTIFICATE REQUEST-----" and ends with "-----END CERTIFICATE REQUEST-----".
For steps on how to generate a CSR, go to:
1. GlobalSign Support
2. GlobalSign CSR help

Typically, when creating a CSR, you will be required to enter some fields. The common fields for most companies are:

CN = www.fortiedge.com –> The domain name you want to protect

O = Fortiedge Pte. Ltd. –> The company name

OU = Marketing –> The company department (optional)

L = Singapore –> Locality

S = Singapore –> State

C = SG –> Country code

Subject Alternative Name: most CAs automatically include www.fortiedge.com and fortiedge.com for most certificates. Additional DNS names (what most CAs call FQDNs or SANs) cost extra.

To view a CSR, there are free CSR decoders on the web. One example is:
1. Certlogik

Different CSR decoders show different details.

A CSR with multiple SANs requires OpenSSL, which you can download from here.

Create the file below and save it as "req.conf":

[ req ]
default_bits        = 2048
default_keyfile     = privatekey.pem
distinguished_name  = req_distinguished_name
req_extensions      = req_ext # The extensions to add to the certificate request

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = SG
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Singapore
localityName          = Locality Name (eg, city)
localityName_default  = Singapore
organizationName          = Organization Name (eg, company)
organizationName_default  = Fortiedge Pte. Ltd.
commonName            = Common Name (eg, YOUR name)
commonName_max        = 128

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = server1.fortiedge.com
DNS.2   = server2.fortiedge.com
DNS.3   = www.otherdomain.com

Set the alt_names section to the FQDNs you wish to use. You do not need to repeat the CN here; list the other DNS names. If you need more, simply add "DNS.4 = domain3.com" and so on. Once that is done, save the file as "req.conf" in the OpenSSL bin directory and run the command below:

openssl req -new -nodes -out myreq.csr -config req.conf

Generating a 2048 bit RSA private key
......................................................++++++
..++++++
writing new private key to 'privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:SG
State or Province Name (full name) [Singapore]: Singapore
Locality Name (eg, city) [Singapore]:Singapore
Organization Name (eg, company) [Company]:Fortiedge Pte. Ltd
Common Name (eg, YOUR name) []:www.fortiedge.com

You now have "myreq.csr" and the "privatekey.pem" associated with it. You can now submit this CSR to a CA.
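The steps above run interactively. The script below, added here as an example and not taken from the FAQ or from GlobalSign, does the same job non-interactively (prompt = no in the config) and then acts as a local CSR decoder: it lists the SANs the request really carries, checks the request's self-signature and confirms the CSR's public key belongs to the private key that was just written. A CSR holds only public data, so decoding it on a website is harmless; the private key must never leave the server. It assumes the openssl CLI is on PATH; the fortiedge.com host names are the FAQ's own, while WORKDIR, the helper names and the choice to list the CN as DNS.1 (browsers match host names against the SAN, not the CN) are this example's.

```shell
#!/bin/sh
# Added example, not part of the original FAQ. Assumes `openssl` on PATH.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write req.conf for CN=$1 plus any extra DNS SANs given as further arguments.
# "prompt = no" makes openssl read the DN from the file instead of asking for it.
write_req_conf() {
    cn="$1"; shift
    {
        printf '[ req ]\ndefault_bits = 2048\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\nprompt = no\n\n'
        printf '[ req_distinguished_name ]\nC = SG\nST = Singapore\nL = Singapore\n'
        printf 'O = Fortiedge Pte. Ltd.\nCN = %s\n\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        printf 'DNS.%d = %s\n' "$i" "$cn"   # CN repeated as a SAN: browsers only look at SANs
        for name in "$@"; do
            i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$name"
        done
    } > "$WORKDIR/req.conf"
}

# Generate an unencrypted 2048-bit RSA key (the FAQ's -nodes) and the CSR, no prompts.
generate_csr() {
    openssl req -new -nodes -batch -newkey rsa:2048 \
        -keyout "$WORKDIR/privatekey.pem" -config "$WORKDIR/req.conf" \
        -out "$WORKDIR/myreq.csr" 2>/dev/null
}

# Local "CSR decoder": print the DNS SANs the request actually carries, one per line.
csr_sans() {
    openssl req -in "$WORKDIR/myreq.csr" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Checks a CA also makes: the self-signature verifies and the public key in the CSR
# belongs to our private key (the RSA moduli must be identical).
csr_is_consistent() {
    openssl req -in "$WORKDIR/myreq.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_mod=$(openssl req -in "$WORKDIR/myreq.csr" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORKDIR/privatekey.pem" -noout -modulus)
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Build the request for the FAQ's host names and print its SANs if everything checks out.
build_and_check() {
    write_req_conf www.fortiedge.com server1.fortiedge.com server2.fortiedge.com
    generate_csr && csr_is_consistent && csr_sans
}

build_and_check
```

Run it before uploading the request: an empty SAN list or a modulus mismatch means the CSR was built from a different key or config than the one on the server, and the certificate the CA returns would not match privatekey.pem.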

You can find the detailed syntax here.

Most CAs issue the certificate in base64 format, which looks like this:

-----BEGIN PKCS7-----
MIIDbQYJKoZIhvcNAQcCoIIDXjCCA1oCAQExADALBgkqhkiG9w0BBwGgggNCMIID
PjCCAiagAwIBAgIEVTCM2TANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJTRzEa
MBgGA1UECgwRd3d3LmZvcnRpZWRnZS5jb20xGjAYBgNVBAsMEXd3dy5mb3J0aWVk
Z2UuY29tMRowGAYDVQQDDBF3d3cuZm9ydGllZGdlLmNvbTAeFw0xNTA0MTcwNDMy
NTBaFw0xNjA0MTcwNDMyNTBaMGExCzAJBgNVBAYTAlNHMRowGAYDVQQKDBF3d3cu
Zm9ydGllZGdlLmNvbTEaMBgGA1UECwwRd3d3LmZvcnRpZWRnZS5jb20xGjAYBgNV
BAMMEXd3dy5mb3J0aWVkZ2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAu84O4HkbC4yD/X4aj0c/MZKRYwSsIrdwhwU94N7I3+V4ymznTgledktN
J9P6C8XFwVv+mGjt2ac9sMsZCaP7LapV9EOPco8qpBKaI9NZoXZOCV5ybmKAoLl0
pRE7zxfJiN6EFSBnS7IMBVrW8DjuAFHaV0OSRyQzp+O5s7QLNV+uGeC37h1eiGhE
se/uICSN3IM3RYNx0bWfptqvpPpnmPCFeK8Km3m/55wtd+/3UG6amNQUfeF9kIt/
9sZZe2Y8NU2OLSVLvD3KqK9h1YblNP7srx84a4y/m2N14OykUQxXPjkK6Yxxy3Iv
yGnzgYy2ccAb8s7LoesCaL65NTD0LQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAZ
thdUO/pOzOj7ofuFJfiqtSK4BYachkxbS3BvCIqje+R6Lwka44W5ieCkmyQI0XGk
PzyeCLZtlICTGr5sIIUBNDG5ZIgB3Pqsz8xChBm7yhnW1EMGkXzYH1XwxKLovCoI
rU5BMBG0SY6KaI8/DePEgXL1UwtiUxHfcjlHu2mdto1DboczkkgLxPC5qtHGDSBU
e39h2BhKpxfxHa/ZM6dqnwvoaYnjfgR0jFvc19Fd2VdS+oyIZIClF3bguxQVNfgJ
55VcvUyB7Sj5CcIVxZhwokMiEUYo9nnzC1bE6bBGKJM0jlLpxKL7md1/IoeAH86Y
vGFiMK0FO2ICB/SsmbMPMQA=
-----END PKCS7-----

To combine the certificates into a PFX for use in IIS, run the following OpenSSL command:

openssl pkcs12 -export -out myPfx.pfx -inkey privatekey.pem -in certificate.crt

You can find most steps to install SSL certificates at GlobalSign SSL Installation.

Not all servers support SHA-2 certificates. Click here to check whether your server supports SHA-2.

In most installations, every server using SSL also needs the chain (intermediate) certificate installed for SSL to work properly. Most web servers have a certificate store into which you import it. For IIS, the chain certificate is installed in the Intermediate Certification Authorities store of the Certificates MMC console.

To check whether the chain cert is installed properly, use this SSL Scanner to test.
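The two points above (the chain certificate must be installed, and the PFX for IIS should carry it) can be shown offline without an online scanner. The script below is an added example, not code from the FAQ or from GlobalSign: it builds a throwaway root, intermediate and leaf, verifies the leaf the way a browser that trusts only the root would, first without and then with the intermediate, and packs leaf plus intermediate into a PFX using the FAQ's pkcs12 command extended with -certfile. It assumes the openssl CLI on PATH; the fortiedge.com names are the FAQ's own, while the "Example Root/Intermediate CA" names, the 30-day lifetime and the pass phrase "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original FAQ. Assumes `openssl` on PATH.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR" || exit 1

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > mini.cnf
# Extensions: CA certs get CA:true; the leaf gets the SAN and serverAuth EKU a web server needs.
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.fortiedge.com,DNS:fortiedge.com\nextendedKeyUsage=serverAuth\n' > leaf.ext

# new_key_and_csr NAME "/subject": unencrypted RSA key NAME.key and request NAME.csr
new_key_and_csr() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" \
        -config mini.cnf -subj "$2" 2>/dev/null
}

# Throwaway chain: self-signed root -> intermediate -> leaf for www.fortiedge.com.
build_chain() {
    new_key_and_csr root  "/C=SG/O=Example Root CA/CN=Example Root" &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null &&
    new_key_and_csr inter "/C=SG/O=Example Intermediate CA/CN=Example Intermediate" &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.crt 2>/dev/null &&
    new_key_and_csr leaf  "/C=SG/O=Fortiedge Pte. Ltd./CN=www.fortiedge.com" &&
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out certificate.crt 2>/dev/null &&
    cp leaf.key privatekey.pem   # same file name the FAQ uses for the server key
}

# What a client that trusts only the root sees when the server sends the leaf alone.
verify_without_chain() {
    openssl verify -CAfile root.crt certificate.crt >/dev/null 2>&1
}
# ...and when the intermediate is supplied too (host name checked as a browser would).
verify_with_chain() {
    openssl verify -CAfile root.crt -untrusted inter.crt \
        -verify_hostname www.fortiedge.com certificate.crt >/dev/null 2>&1
}

# The FAQ's pkcs12 command plus -certfile so the intermediate travels inside the PFX.
build_pfx() {
    openssl pkcs12 -export -out myPfx.pfx -inkey privatekey.pem -in certificate.crt \
        -certfile inter.crt -passout pass:changeit 2>/dev/null
}
# Number of certificates inside the PFX (leaf + intermediate = 2).
pfx_cert_count() {
    openssl pkcs12 -in myPfx.pfx -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_chain || exit 1
if verify_without_chain; then echo "leaf alone: verifies"; else echo "leaf alone: FAILS (intermediate missing)"; fi
verify_with_chain && echo "leaf + intermediate: verifies"
build_pfx && echo "myPfx.pfx holds $(pfx_cert_count) certificate(s)"
```

The "leaf alone" failure is exactly what a visitor's browser reports as an untrusted certificate when the chain certificate was never imported; importing the PFX built with -certfile gives IIS the intermediate in the same step as the key and leaf.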

  • Install on as many servers as you need for no extra charge
  • Unlimited re-issuance during the validity period
  • Clickable secure site seal displaying organization details
  • Underwritten warranty & refund policy

For more details, please click here.

Basically, most Certificate Authorities offer three types of certificates: Domain Validated, Organization Validated and EV certificates.

1. Domain Validated certificates are issued after the CA has validated your domain. They verify domain ownership only, not the company that owns the domain.

2. Organization Validated certificates are issued after the CA has validated your domain and your company. This verification takes longer before the certificate can be issued.

3. The last type is the extended validation or EV certificate. It gives the highest assurance of website ownership, and re-vetting is required every 1-2 years.

EV certs show the green bar in Chrome browsers.

All certs carry an OID that differentiates the classes of certificates.

To find out more, you can visit this link

Heartbleed is an OpenSSL vulnerability that can leak a server's private key and so enable man-in-the-middle attacks against SSL-protected sites. It mainly affected OpenSSL-based systems such as Apache on Unix/Linux servers; vendors whose products use the OpenSSL stack were affected as well.

To find out more, please visit:
1. Heartbleed.com
2. Support.globalsign.com

Most clients I have encountered have the impression that SSL certificates have weak ciphers or need to support TLS. This is never about the certificate but a setting on the web server that the client needs to configure. To enable strong ciphers or TLS support on the most common web servers, refer to:
1. IIS Server
2. Apache Servers

There are no right/wrong settings; it depends on whether your clients can support strong ciphers. If you are using old browsers like IE6, you need to manually enable TLS 1.0, otherwise users visiting your website cannot load the pages.

As a baseline rule, SSLv2 and SSLv3 must be disabled and not used anymore.
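Because the protocol setting lives in the web server, not the certificate, it is worth auditing the server configuration rather than the certificate. The script below is an added example (not from the FAQ or the linked Apache guide): it reads Apache httpd configuration text and reports whether any SSLProtocol line still leaves SSLv2 or SSLv3 enabled, treating a bare "all" as weak because Apache's "all" includes SSLv3 unless it is explicitly subtracted. The two vhost snippets are constructed for the demo; the audit works on any httpd config passed on stdin.

```shell
#!/bin/sh
# Added example, not part of the original FAQ. Uses only POSIX sh and awk.

# Constructed samples: a legacy vhost that still allows SSLv3, and the corrected version.
WEAK_CONF='<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>'

FIXED_CONF='<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>'

# audit_ssl_protocol: config on stdin -> prints "weak" if an SSLProtocol line leaves SSLv2 or
# SSLv3 enabled, "ok" if every such line disables them, "missing" if there is no directive
# at all (Apache then applies its default "all").
audit_ssl_protocol() {
    awk '
        tolower($1) == "sslprotocol" {
            seen = 1; all = 0; minus3 = 0; legacy = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all") all = 1          # "all" still contains SSLv3
                if (t == "sslv2" || t == "+sslv2" || t == "sslv3" || t == "+sslv3") legacy = 1
                if (t == "-sslv3") minus3 = 1
            }
            if (legacy || (all && !minus3)) weak = 1            # one weak line taints the config
        }
        END { print (!seen ? "missing" : (weak ? "weak" : "ok")) }
    '
}

# Convenience wrapper for a real file, e.g. audit_file /etc/apache2/sites-enabled/default-ssl.conf
audit_file() { audit_ssl_protocol < "$1"; }

printf 'legacy vhost : %s\n' "$(printf '%s\n' "$WEAK_CONF" | audit_ssl_protocol)"
printf 'fixed vhost  : %s\n' "$(printf '%s\n' "$FIXED_CONF" | audit_ssl_protocol)"
```

A "missing" result is not safe by itself: the server falls back to its compiled-in default, so add an explicit SSLProtocol line rather than relying on it.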

You can display a seal on your website to assure your visitors that your site is secured with an SSL certificate. Visitors can verify the site’s authenticity and certificate status. We highly recommend using the site seal on your website.

It looks like the image below; when you click it, it shows the certificate information.
[Image: site seal, seal_125-50_dblue]

How to generate a CSR for LDAPS?

Generate CSR:

1. Open Notepad, paste the information below and replace the parameters with your own certificate information (CN).

Save the following file as request.inf on your server and edit the Subject:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
;Change to your country code, company name and common name of AD.
;CN of AD can be viewed using Attribute Editor of AD.
Subject = "C=SG, O=Fortiedge Pte. Ltd., CN=ad.fortiedge.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

2. Open command prompt and make sure you have the full admin rights on the server to perform the next step:

C:\> certreq -new request.inf request.csr

3. Open request.csr in Notepad and submit the CSR to your CA.

Installing Certificate:

When your certificate is issued you will receive a certificate file. Save it on the server and, from the same directory, run:

C:\> certreq -accept certificate.cer

This installs the certificate in the Windows certificate store, making it available to IIS, MMC, Exchange, LDAP/Active Directory, Terminal Services and other products that use the Windows certificate store.

More information here.