Revoking a Let's Encrypt Certificate Properly

To revoke a Let's Encrypt SSL/TLS certificate, follow the steps below:

Step 1: Validate the certificate file

Before you revoke a certificate, validate that you are revoking the correct certificate and key file, because there is no reversal: once a certificate is revoked, it can never be used again.

When you revoke a certificate, the certificate authority publishes that revocation information through the Online Certificate Status Protocol (OCSP), and some browsers check OCSP to decide whether they should trust a certificate.


Installing a Comodo SSL on Zimbra using CLI

1. Get the bundle from Comodo in .crt format (sometimes it is delivered as a zip file).

2. Place the bundle on your Zimbra mailbox server. You should receive, or download, the following files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain_com.crt

or

Since Comodo has been acquired by Sectigo, the updated zip may instead contain the files listed below.


Zimbra Let's Encrypt SSL Renewal – Zimbra 8.6

Let's begin:
This guide applies if you already have an expired Let's Encrypt SSL certificate and have already deployed SSL on your Zimbra system. If you have landed here and would like to know how to set up Let's Encrypt on your system first, you can read my other article here:

https://tweenpath.net/installing-encrypt-zimbra-server/

Log in as the zimbra user, then stop the proxy and mailbox services for the renewal process:

su zimbra
zmproxyctl stop
zmmailboxdctl stop

Then return to the root user and renew the Let's Encrypt certificate:

exit

letsencrypt renew: change directory to the Zimbra Let's Encrypt SSL folder.


Set Up Nginx Load Balancing with SSL Termination

Nginx can be configured as a load balancer to distribute incoming traffic across several backend servers. SSL termination means the load balancer handles the SSL encryption and decryption, so that traffic between the load balancer and the backend servers is plain HTTP. Because that hop is unencrypted, the backends must be secured by restricting access to the load balancer's IP, which is explained later in this article.

Prerequisites
In this tutorial the commands must be run as the root user or as a user with sudo privileges. You can see how to set that up in the Users Tutorial.


The SSL/TLS Handshake: an Overview

Obligatory SSL/TLS Handshake Graphic
All SSL/TLS-related sites have their own version of a handshake diagram – here's ours.

Let's Clear Up Some Confusion, If We Can
Some of the confusion about how SSL/TLS handshakes work comes from the fact that the handshake is only the prelude to the actual secured session. Let's try to address some common points.


Let’s Encrypt service with Pound server

To install Certbot on your server, follow these steps (make sure you have git installed on your system):

$ sudo apt-get install git    # if not previously installed
$ cd /opt
$ sudo git clone https://github.com/certbot/certbot

Running the above commands clones the latest Certbot release from its git repository into the /opt folder. Next we need to stop any service that might be using port 80 on the server, because the installation type used in this tutorial is the "standalone" type described in the Certbot documentation, which binds port 80 itself during validation. There are other ways to obtain the certificates; it is up to your preference.
Since this tutorial is about Pound, we assume the daemon is already installed, so we need to stop it:

$ sudo service pound stop

Once the service is stopped, run:

$ cd /opt/certbot
$ sudo ./letsencrypt-auto --text --email YOUR@EMAIL -d YOUR_DOMAIN --agree-tos --standalone certonly

By default, the command above places the generated key and certificate files (*.pem) in the following folder:

/etc/letsencrypt/live/YOUR_DOMAIN/

Now we need to create a combined key and certificate file that Pound can understand. To do so, run the following (the output redirection is done through sudo tee, because a plain `>` redirect would be performed by your unprivileged shell and fail to write into /etc/ssl):

$ sudo cat /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem | sudo tee /etc/ssl/YOUR_DOMAIN.pem > /dev/null

This concatenates the privkey.pem and fullchain.pem files generated by Certbot into a single file stored in your SSL certificates folder. Because that file now contains the private key, it must be readable only by root and the Pound daemon; this is very important.


Stunnel on Debian/Ubuntu with Squid

What is Stunnel?

The Stunnel program is designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons such as POP2, POP3, and IMAP servers without any changes to the program's code.

What Stunnel basically does is turn any insecure TCP port into a secure, encrypted port, using the OpenSSL package for cryptography. It is somewhat like a small secure VPN that runs on specific ports.

Step 1: Create an Ubuntu Droplet

So far I have tested it on Ubuntu 12.04 x32/x64, Ubuntu 12.10 x32/x64, Ubuntu 13.04 x32/x64.

Step 2: Update and Upgrade Ubuntu

Use these commands to update your Ubuntu package list and upgrade the existing packages to their latest versions:

apt-get update
apt-get upgrade



Convert a .p12 bundle to server certificate and key files

Separate the private key and certificate file

# Generate the certificate bundle file (no private key)

openssl pkcs12 -nokeys -in server-cert-key-bundle.p12 -out server-ca-cert-bundle.pem

# Generate the server key file (unencrypted, because of -nodes)

openssl pkcs12 -nocerts -nodes -in server-cert-key-bundle.p12 -out server.key

Convert a PKCS#12 file (.pfx or .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Create a .pfx/.p12 certificate file using OpenSSL

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

Source: https://www.sslshopper.com/article-most-common-openssl-commands.html


Convert a .p12 file and install it in an Apache server

If you have a PKCS#12 file (from IIS, for example) and need to install the certificate on an OpenSSL-compatible product such as Apache, you will have to extract the contents of the PKCS#12 file into several files.

First of all, create a global file (package) containing the key and all certificates in PEM form:

openssl pkcs12 -in yourpkcs12.pfx -out package.pem -nodes

Then duplicate that package file to get three different files:

cp package.pem mykey.key
cp package.pem mycert.cer
cp package.pem mychain.txt

Edit each of those files in a text editor, keeping only the relevant PEM block in each. Warning: you need a text editor that can handle OpenSSL-style (UNIX) line endings; under Windows, use an editor that is compatible with UNIX line endings.


Bangladesh now a member of the Asia PKI Consortium

Bangladesh has been accepted as a member of the Asia PKI Consortium in its General Assembly (GA) Meeting held in Bangkok recently. The GA Meeting was chaired by Philip Leung, Chairman of Asia PKI Consortium and attended by member countries. The GA unanimously approved the membership of Bangladesh in the Asia PKI Consortium and expressed its interest to engage with Bangladesh in this complex field of technology, says a press release.

An international conference styled "The Common Denominators Collaboration of Cross-Region on E-Government Application, Cloud Computing and Security" was organised on the occasion, in which a large number of international experts and companies took part in Bangkok, Thailand, recently. Ms Karen Chang, Office of Science and Technology, Executive Yuan, Taiwan, and BAWG Chair, along with Mr Shin Adachi, Dr Tschai Huei Jane and Mr Th Schee, among others, made presentations.

The Ministry of ICT of Thailand and the Asia PKI Consortium (APKIC) were the hosts. The organisers of the event were the Electronic Transaction Development Agency (ETDA) of Thailand, the Business Case/Application Working Group (BAWG) of APKIC and the Thailand PKI Association. Ms Suranghana Wayuparb, Chairperson of the Thailand PKI Association & Vice Chair of APKIC, Executive Director and CEO, ETDA, along with Charamporn Jotikasthira, President of the Stock Exchange of Thailand, and APKIC Chairman Philip Leung inaugurated the event.
