Stunnel on Debian/Ubuntu with Squid

What’s Stunnel

The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program’s code.

In effect, Stunnel turns any plaintext TCP port into a TLS-encrypted one, using the OpenSSL package for the cryptography. It is somewhat like a small VPN that only covers specific ports.

Step 1: Create an Ubuntu Droplet

So far I have tested it on Ubuntu 12.04 x32/x64, Ubuntu 12.10 x32/x64, Ubuntu 13.04 x32/x64.

Step 2: Update and Upgrade Ubuntu

Using these commands update your Ubuntu’s package list and also upgrade the existing packages to the latest version:

apt-get update
apt-get upgrade


Convert .p12 bundle to server certificate and key files

Separate Private Key and Certificate file

#Generate certificates bundle file

openssl pkcs12 -nokeys -in server-cert-key-bundle.p12 -out server-ca-cert-bundle.pem

#Generate server key file.

openssl pkcs12 -nocerts -nodes -in server-cert-key-bundle.p12 -out server.key

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Src: https://www.sslshopper.com/article-most-common-openssl-commands.html


Convert .p12 and install in apache server

If you have a PKCS#12 file (from IIS, for example) and need to install the certificate on an OpenSSL-compatible product such as Apache, you will have to extract the contents of the PKCS#12 file into several files.

First of all, create a global file (package):

openssl pkcs12 -in yourpkcs12.pfx -out package.pem -nodes

Then duplicate that package file to get 3 different files:

cp package.pem mykey.key
cp package.pem mycert.cer
cp package.pem mychain.txt

Edit each of those files with a text editor. Warning: you need to use a text editor that can interpret OpenSSL-style line endings (under Windows, use an editor compatible with UNIX):

Posted in PKI.

BD now member of Asia PKI Consortium

Bangladesh has been accepted as a member of the Asia PKI Consortium in its General Assembly (GA) Meeting held in Bangkok recently. The GA Meeting was chaired by Philip Leung, Chairman of Asia PKI Consortium and attended by member countries. The GA unanimously approved the membership of Bangladesh in the Asia PKI Consortium and expressed its interest to engage with Bangladesh in this complex field of technology, says a press release.

An international conference styled "The Common Denominators Collaboration of Cross-Region on E-Government Application, Cloud Computing and Security" was organised on the occasion in Bangkok, Thailand, in which a large number of international experts and companies took part. Ms Karen Chang, Office of Science and Technology, Executive Yuan, Taiwan, and BAWG Chair, along with Mr Shin Adachi, Dr Tschai Huei Jane and Mr Th Schee, among others, made presentations.

The Ministry of ICT of Thailand and the Asia PKI Consortium (APKIC) were the hosts. The organisers of the event were the Electronic Transaction Development Agency (ETDA) of Thailand, the Business Case/Application Working Group (BAWG) of APKIC and the Thailand PKI Association. Ms Suranghana Wayuparb, Chairperson of the Thailand PKI Association, Vice Chair of APKIC and Executive Director and CEO of ETDA, along with Charamporn Jotikasthira, President of the Stock Exchange of Thailand, and APKIC Chairman Philip Leung inaugurated the event.

Creating a Certificate Signing Request Using Certreq.exe

Create a file named CSRParameters.inf on the C:\ drive using the contents below as a template (replace the single quotes with double quotes):

[NewRequest]
Subject="CN=mailgw.mango.com.bd,OU=IIG,O=Mango Teleservices Limited,S=Not Applicable,L=Dhaka,C=BD"
KeySpec=1
KeyLength=2048
Exportable=TRUE
MachineKeySet=TRUE
SMIME=False
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0
Silent=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

Open a command prompt and type in:

C:\>certreq -new CSRParameters.inf CSROutput.pem

Open Windows Explorer and browse to the C: drive to locate the CSROutput.pem file.

Using the CSROutput.pem file, go back to the certificate authority and use the file to request your certificate.
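As an added example (not from the original post), here is a small Python review script that parses a CSRParameters.inf like the one above, decodes the KeyUsage bits (0xa0 is digitalSignature plus keyEncipherment) and the EKU OID (1.3.6.1.5.5.7.3.1 is serverAuth), and flags settings worth a second look before the request goes to the CA. The embedded INF is a constructed sample with a placeholder subject.

```python
# Constructed sample: the post's CSRParameters.inf template with a placeholder subject.
SAMPLE_INF = """\
[NewRequest]
Subject="CN=www.example.test,O=Example Org,L=Dhaka,C=BD"
KeyLength=2048
Exportable=TRUE
KeyUsage=0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""
# KeyUsage bit values as certreq accepts them (the CERT_*_KEY_USAGE flags).
KEY_USAGE_BITS = [(0x80, "digitalSignature"), (0x40, "nonRepudiation"),
                  (0x20, "keyEncipherment"), (0x10, "dataEncipherment"),
                  (0x08, "keyAgreement"), (0x04, "keyCertSign"), (0x02, "cRLSign")]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.3": "codeSigning"}

def parse_inf(text):
    """Parse INF text into {section: [(key, value), ...]}; repeated keys (OID=) are kept."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections

def decode_key_usage(value):
    bits = int(value, 0)  # accepts hex (0xa0) or decimal
    return [name for bit, name in KEY_USAGE_BITS if bits & bit]

def review_request(text):
    """Decode the request and list settings to question before submitting the CSR."""
    inf = parse_inf(text)
    req = dict(inf.get("NewRequest", []))
    usage = decode_key_usage(req.get("KeyUsage", "0"))
    ekus = [EKU_NAMES.get(v, v) for k, v in inf.get("EnhancedKeyUsageExtension", []) if k == "OID"]
    findings = []
    if int(req.get("KeyLength", "0")) < 2048:
        findings.append("KeyLength below 2048 bits")
    if req.get("Exportable", "").upper() == "TRUE":
        findings.append("private key marked Exportable=TRUE")
    if "serverAuth" in ekus and "digitalSignature" not in usage:
        findings.append("serverAuth EKU without digitalSignature key usage")
    return {"subject": req.get("Subject", ""), "key_usage": usage, "eku": ekus, "findings": findings}
```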

Many-To-One Mappings IIS

Many-to-one client certificate mapping is used by Internet Information Services (IIS) to associate an end user with a Windows account when a client certificate is used for user authentication. IIS runs the user session under the context of this mapped Windows account. For this to work, the certificate-to-account mapping must be configured correctly in IIS.

In IIS 6.0, the user could configure Many-to-One client certificate mapping through the IIS Manager user interface. In IIS 7/7.5, there is no such interface for either One-to-One or Many-to-One mappings. This post covers the Configuration Editor extension for IIS 7/7.5, which can be used to configure either kind of mapping; here we focus on Many-to-One mapping.

IIS 7 or IIS 7.5 Schema

This is the schema for the IIS Client Certificate Mapping authentication feature in IIS 7 or IIS 7.5.
Prerequisites

These are the prerequisites needed for this walkthrough.
1. We have installed the IIS Client Certificate Mapping module on the server.
2. A web site is configured with an HTTPS binding which can accept SSL connections.
3. We have a client certificate installed on the client.
4. The IIS 7 Administration Pack is installed on the IIS 7.0 server. NOTE: Configuration Editor ships by default with IIS 7.5.

Walkthrough

Step 1:

1. Launch IIS Manager and select the web site that is being configured for client certificate authentication.
2. In the Features View, select Configuration Editor under the Management section.
3. Go to "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the drop-down box as shown below:

You will see a window to configure Many-to-One or One-to-One certificate mappings here. This is the UI provided through Configuration editor from where we can setup all the mapping configurations.

4. We can go ahead and modify the properties through this GUI.
• Set enabled to True
• Set manyToOneCertificateMappingsEnabled to True
• Select manyToOneMappings and click the Ellipsis button at the far right to launch the new window for configuring mappings.

5. Under this new window go ahead and Add a new item. You can modify the properties from within the window as shown below:

6. Click on the Ellipsis button for rules and this will give you an option to add multiple patterns for matching based on certificate properties.

Here we have two rule entries for mapping the certificate. In this case we match on two different certificate fields, Subject and Issuer, and based on the matchCriteria property map the certificate to the account mydomain\testuser.

Shown below is how the final mapping for a specific Windows account looks. As you can see, there are two rule entries for this account.
Similarly, we can have other mappings for various accounts based on the "Issuer" and "Subject" fields of the certificate.

Download the details with screenshot from here configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5

Relevant Sources:

http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings

http://blogs.iis.net/webtopics/archive/2010/04/27/configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5.aspx


Code Signing (Digital Signature) using Signtool

The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The /u option generates a unique name if necessary to prevent replacing an existing catalog file named MyCatalogFileName.cat.

signtool catdb /v /u MyCatalogFileName.cat

The following command signs a file automatically by using the best certificate.

signtool sign /a MyFile.exe

The following command digitally signs a file by using a certificate stored in a password-protected PFX file.

How to distribute root certificates as exe files

We start by creating a folder. We call it cer_as_exe and in it we put the root certificate that we want to distribute and a small installation script.

Our installation script is not that big. ;)

@echo off
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer > NUL
del /F %tmp%\root_ca.cer > NUL
del /F %tmp%\install.bat > NUL

This is a very small script that installs a root certificate from a file into the root certificate container of the certificate store for the computer and the user. It then does a quick cleanup by removing the original root certificate file and the installation script, which our installer unpacks into the %tmp% folder. Now we need to pack everything as an .exe file that will install our root certificate automatically. ;)

Using an Aladdin eToken with firefox

A very easy method for importing (or removing) keys on your eToken is to add the eToken as a Security Device in Firefox. The procedure for Thunderbird and Mozilla/Seamonkey is nearly identical. To add your eToken as a security device, follow these steps:

  • Start Firefox
  • (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
  • (Windows) Go to Tools->Options->Advanced->Tab "Encryption"
  • Click on 'Security Devices'

You should see a screen similar to this.

Setting up an Apache Web Server as a proxy in front of EJBCA

This section will show you how to use an Apache Web Server Proxy in front of EJBCA. The resulting server will

  • Display EJBCA public web at https://ca-server.company.local/
  • Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
  • Require a client SSL certificate when accessing https://ca-server.company.local/adminweb/
  • Be able to load-balance requests
  • Still answer to requests on https://ca-server.company.local/ejbca/*

This example was created on Ubuntu 64-bit Server 7.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.

Start by installing EJBCA as normal. If you intend to have the CA on the same machine as the proxy you should modify $EJBCA_HOME/conf/web.properties to only listen to localhost