GoGreen PC Tune-Up™
Learn More

Insta-Install™
this is how ssl encrypt our websites
MTNCOMP | List View | Table View

myBlog

myBlog Home

Blog


ZeroSSL OpenSSL SSL.com and Cypher and Protocol security review and modifications for PFX

by Mountain Computers Inc., Publication Date: Saturday, May 21, 2022
View Count: 602, Keywords: SSL.com, OpenSSL, ZeroSSL, RC4, TLS, PFX, Hashtags: #SSL.com #OpenSSL #ZeroSSL #RC4 #TLS #PFX



I had the chance to go through an IIS server and Server 2012 R2 and update and fix the open security issues for TLS, RC4 and the like, and switch from paid SSL.com certificates to free ZeroSSL certificates.
 
REF:
 
https://ssl.com -- paid
https://www.sslforfree.com/ -- free
https://www.ssllabs.com/ssltest/index.html -- server test - don't include in dashboard
https://www.a10networks.com/glossary/key-differences-between-tls-1-2-and-tls-1-3/ - since 2018
https://www.whynopadlock.com/ -- why no padlock test domain
https://slproweb.com/products/Win32OpenSSL.html  -- openssl tool
 
example openssl command to get your certificate, private key and ca bundle and build your PFX file. MMC Certificate Machine/System Import into Personal and then IIS Certificate refresh and bind to 443 ports on IIS entry,
 
be sure to use DNS verification of ZeroSSL certificate renewals since other methods are faulty and painful to wait for... trust me. if you have DNS control of the domain, just do it. ZeroSSL has issues with email and other methods.
 
Her is the admin cmd prompt example - drop your 3 files in the bin directory with some simple naming to not conflict with existing files. for example: domain-name_{cert names}.extension
 
c:\OpenSSL-Win32\bin>openssl pkcs12 -export -out yourcertwithkey.pfx -inkey yourprivate.key -in certificate.crt -certfile ca_bundle.crt
 
note: so the trick after you download the certificate bundle...
 
1. rename each of the three files with the domain prefix so you don't collide with other certificate bundles (3 files).
 
These are the steps to create the pfx to upload to your IIS server and attach to your domain in 443 port for root domain name and then www. root domain name.
 
2. from the command above is to import the pfx in your local computers mmc certificate (computer account) console.
3. then update the certificate description to include your root domain name
4. then export the certificate using the defaults including extended properties and include the private key, and include a password at 2048 bit or higher and TripleDES
5. then transfer the new updated pfx to the hosting machine mmc certificates (computer account) into the personal certificates. and once import is successful and you reviewed it for accuracy and verified the description to help with SNI identification. Note: during the import mark certificate as exportable and provide password.
6. then go to IIS management and domain and bindings for the domain and select the updated pfx certificate.
 
note: if you like, you can either keep the old certificate in place or delete it depending on your procedure(s) and policies regarding ssl certificate replacements. Normally an IIS service will take about 30 seconds to 5 minutes to release the old certificate to existing sessions, and bind the new certificate to new sessions.
 
ps. keep your uploaded pfx certificate outside your upload directory and in a safe directory where the system is not open to the public and internet.
 
 

more to come...

if you found this article helpful, consider contributing $10, 20 an Andrew Jackson or so..to the author. more authors coming soon
FYI we use paypal or patreon, patreon has 3x the transaction fees, so we don't, not yet.

© 2024 myBlog™ v1.1 All rights reserved. We count views as reads, so let's not over think it.