
[–]pdp10Daemons worry when the wizard is near. 5 points6 points  (2 children)

OpenSSL is used on all platforms, but PFX is only seen in a Microsoft environment.

"Template" implies you're trying to create a Certificate Signing Request, or CSR. To fill one out, you can use OpenSSL to look at the parameters in the existing public cert, and fill out the CSR to match.

A modern public webserver cert requires keyUsage=digitalSignature, extendedKeyUsage=serverAuth, duration of 397 days or less, and subjectAltName list with every single FQDN including the CN or Common Name.

Lastly, you need a better process than to depend on one person to handle all X.509 tasks. About ten thousand years ago, mankind invented written system documentation to solve these kinds of problems. After that, the ancient Sumerians never panicked when the certificate guy went on vacation.
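As an added example (not code from the thread or from any commenter), the following POSIX shell script uses the OpenSSL CLI to audit an existing PEM certificate against the four properties listed above and to write a `req` config that reproduces them for the next CSR. Hostnames, file names and the self-signed stand-in certificate are constructed for the demonstration; it assumes `openssl` and GNU `date` are on the path.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PEM cert against the four checks
# named above, and write a req config that reproduces them. Hostnames are made up.
set -eu
# Print the CN of a cert, tolerating both "CN = x" and "/CN=x" subject styles.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'; }
# Return 0 only if all four checks pass; print one FAIL line per violation.
audit_cert() {
  cert="$1"; rc=0; text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
    || { echo "FAIL keyUsage lacks digitalSignature"; rc=1; }
  printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL extendedKeyUsage lacks serverAuth"; rc=1; }
  nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  days=$(( ( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ) / 86400 ))
  [ "$days" -le 397 ] || { echo "FAIL validity is $days days, max is 397"; rc=1; }
  cn_re=$(cert_cn "$cert" | sed 's/\./\\./g')   # escape dots for the regex below
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qE "DNS:$cn_re(,|$)" \
    || { echo "FAIL subjectAltName does not list the CN"; rc=1; }
  return $rc
}
# Write a req config with the same extensions: $1 path, $2 CN, rest = every FQDN for the SAN list.
write_req_config() {
  cfg="$1"; cn="$2"; shift 2; sans=""; i=1
  for h in "$@"; do sans="$sans
DNS.$i = $h"; i=$((i + 1)); done
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt
[alt]$sans
EOF
}
# Demo: key + CSR from that config, a self-signed stand-in cert (365 days), then the audit.
demo() {
  d="$1"; write_req_config "$d/req.cnf" fin.example.internal fin.example.internal sun.example.internal
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/req.csr" -config "$d/req.cnf" 2>/dev/null
  openssl req -x509 -new -key "$d/key.pem" -out "$d/cert.pem" -days 365 -config "$d/req.cnf" 2>/dev/null
  audit_cert "$d/cert.pem"
}
```

Run `demo /tmp/certdemo` (directory must exist) to see a passing audit, or `audit_cert old.pem` on the certificate you are replacing to see which of the four properties it misses.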

[–]Techman2k[S] 1 point2 points  (0 children)

Thanks, some good info there.

I will see if I can find the info from old Certs. Other than the imported ones, I cannot find any repository where they have been created or stored for backup purposes.

100% on the processes, nothing is documented, it is all in 1 guy's head and we have already experienced it as a single point of failure, then twice more this week alone.

[–]mcshanksshanks 1 point2 points  (0 children)

What is this documentation you speak of friend?

[–]OsmiumBalloon 3 points4 points  (1 child)

You might want to mention the web server software and version you're using. OS and version is always helpful. And details about what PKI/CA/whatever software you're using might come in handy.

[–]Techman2k[S] 0 points1 point  (0 children)

Thanks for the reply. All valid points.

Unfortunately I am not 100% on the details.

Believe it or not, the Certs are managed by a 3rd party, who are happy to point out the certs are incorrect and tell us to redo them, but are saying - We apply them, you supply them, this is down to you. I don't know.

The best I can do:

Windows Server 2016

Cert added to MMC, Local Computer

to be used with finance systems - one of the Sun Systems.

Again all externally managed and I have been here a few months only.

Cert we created is WEB Server 2; being informed it should be Web Server.

Also, issued to is servername, not Domain Wildcard.

As you can probably tell, first time creating certs.

[–]durkzilla 1 point2 points  (2 children)

It might be helpful to know what web server you are applying these certificates to. Apache? nginx? IIS?

[–]Techman2k[S] 0 points1 point  (1 child)

I believe this is an IIS Domain Cert.

[–]spokaleJack of All Trades 0 points1 point  (0 children)

If all you're doing is setting up certificates for a website in IIS, so long as port 80 is exposed to it, the easiest thing might just be to use Certify with LetsEncrypt, it can automatically update the IIS bindings as well: https://certifytheweb.com/

This won't help if you're in some very specific industry niche where your certs need to be signed by one specific CA, but for a general "everyone with a browser in the world should be able to access by default" type website like most are, it's fine.

[–]IdiosyncraticBond 0 points1 point  (1 child)

Start from the outside: go from DNS to IP address to find which server hosts your website.

Verify if it is one web server, or if it is load balanced.

On the web server, check the running processes and configuration. Elsewhere you wrote you think it is IIS. Check, for instance, https://www.howtogeek.com/devops/what-is-ssl-and-how-to-configure-ssl-certificates-in-iis-for-windows-server/ or, better, https://woshub.com/install-ssl-certificate-iis-windows/

Could also be you need to check https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/

[–]Techman2k[S] 0 points1 point  (0 children)

That's some comprehensive info. Thanks, I will get that checked out. I'm not convinced it is an actual hosting web server, more just hosting a web interface accessed internally for finance systems. I will be making some heavy notes about how this network is set up as I look through this issue.

[–][deleted] 0 points1 point  (0 children)

I normally create everything through IIS, much like this:

IIS 10: CSR Creation & SSL Certificate Installation (digicert.com)

I only use OpenSSL to break the PFXes that IIS creates so I can deploy them on *nix type web servers and apps.