Why Can Only Certain Browsers Generate Automatic Keypairs?

In the world of PKI and SSL, some certificate authorities use browsers such as Internet Explorer or Firefox to automatically generate keypairs to be used with Email (S/MIME), Code Signing, or Client Authentication Certificates. Not all browsers have the capability to generate these keypairs, due to licensing restrictions of the <keygen> and ActiveX controls that perform keypair creation in conjunction with operating system restrictions. <keygen>: The HTML <keygen> is a licensed element used to facilitate generation of key material, and submission of the public key as part of an HTML form. This mechanism is designed for use with Web-based certificate management systems. Firefox is able to utilize the <keygen> and generate automatic keypairs because Firefox uses its own Keystores that do […]


SHA-1 or SHA-256 for Windows kernel-mode Code Signing

Problem: Windows Vista and Server 2008 trigger a security warning for code running in kernel mode if the code was signed with a SHA-256 Authenticode certificate. The current workaround is to use a SHA-1 certificate. However, SHA-1 is being deprecated. Patched versions of Windows 7 and newer versions of Windows operating systems will trigger a security warning for code signed with a SHA-1 certificate after December 31, 2015. Certificate Authorities such as Symantec/Digicert state that they will still issue SHA-1 Code Signing certificates, but “SHA-1 Code Signing certificates have a max expiration date of December 30, 2019” and will be discontinued thereafter. Patched Windows 7 and newer versions should be unaffected. Kernel-mode code that is signed with a SHA-256 […]


Web Browsers Now Marking HTTP sites “Not Secure”

Web browsers have started marking HTTP sites as ‘Not Secure’ with the release of Chrome 68+. For the past several years, Google has been strongly advising webmasters (sites) to adopt HTTPS encryption. Google said that within the last year, they helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Lately at SSL Support Desk – Acmetek we have been getting a lot of clients coming across a “Not secure” message on their website even after installing an SSL Certificate. Causes: Now that Chrome demands that everything be served over HTTPS, admins must forward all traffic on their websites to HTTPS. Non-HTTPS sessions will show the “Not Secure” message within a Chrome […]


Troubleshooting: Apache – AH02238: Unable to configure RSA server private key

When restarting Apache, the following error message may appear: Error: AH02238: Unable to configure RSA server private key. Cause: This error occurs when the incorrect private key (.key) and/or public key (.crt/.pem – SSL Certificate) files are selected in the configuration file (httpd.conf or ssl.conf). Solution: You must use the same private key that was used for CSR generation when you enrolled for your SSL Certificate. Your SSL Certificate is derived from that same private key and will only work with that single private key. To resolve this issue, specify the correct private key for the certificate. To verify that the certificate and private key match, open the httpd.conf or ssl.conf file in a plain text editor. […]


Troubleshooting: Apache – SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

When restarting Apache, the following error message may appear: [error] mod_ssl: Init: (www.symantec.com:443) Unable to configure RSA server private key (OpenSSL library error follows) SSL Library Error: 185073780 error:0B080074:x509 certificate routines: X509_check_private_key: key values mismatch OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch Cause: This error occurs when the incorrect private key (.key) and/or public key (.crt/.pem – SSL Certificate) files are selected in the configuration file (httpd.conf or ssl.conf). Solution: You must use the same private key that was used for CSR generation when you enrolled for your SSL Certificate. Your SSL Certificate is derived from that same private key and will only work with that single private key. To resolve this issue, specify the correct private key for […]


ASK SSL Support Desk – How Many Wildcard SSL Certificates Do I Need If I have Multiple IP’s?

What is Ask SSL Support Desk? It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared for the SSL Support Desk’s SSL Library, which is designed to teach and educate the community. Question: One of my customers is looking to get some Wildcard SSL Certificates. They have one main domain and 30 to 40 subdomains across 3 different Internet Service Providers, and all the domains are tagged with all the ISPs for redundancy. They have Internet service provisioned from BSNL, TATA and National Knowledge Network, with respective individual IP addresses. Please help me with what they should get. Can my customer buy one single Wildcard […]


Troubleshooting: Exchange – Unable to open OWA, ECP, or EMS after a self-signed certificate is removed from the Exchange Back End Website

Consider the following scenario when you are using Microsoft Exchange Server 2013 or Microsoft Exchange Server 2016: You remove the Microsoft Exchange Self-Signed certificate from the Exchange Back End Website by using Certificates MMC, Remove-Exchangecertificate, IIS Manager or another method. You clear the IIS cache by restart or IISReset. You are installing a new SSL Certificate to your Exchange system. In this scenario, several client protocols such as ECP, OWA, ActiveSync and Exchange Management Shell cannot connect. The following issues may occur: OWA and ECP display a blank page. ActiveSync users cannot receive emails. Exchange Management Shell cannot connect and displays the following error: New-PSSession : [dc.local.mcrlegal.com] Processing data from remote server dc.local.mcrlegal.com failed with the following error message: […]


ASK SSL Support Desk – Where can I get a Base64 encoded .cer format certificate?

What is Ask SSL Support Desk? It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared for the SSL Support Desk’s SSL Library, which is designed to teach and educate the community. Question: I need a Base64 encoded .cer format certificate to import into my Websense proxy server. Where can I get that? Short Answer: That is just a regular x509 certificate with a .cer extension. In the world of Public Key Infrastructure (PKI) there are many different file formats. The following are the major ones: pkcs#7/P7B, x509/PEM, and pkcs#12/PFX/P12. x509/PEM Format: The PEM format is the most common format that Certificate Authorities (CA) issue certificates in. PEM […]


ASK SSL Support Desk – Why Can I not Create a PFX From a Citrix Netscaler?

What is Ask SSL Support Desk? It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared for the SSL Support Desk’s SSL Library, which is designed to teach and educate the community. Question: I’m trying to create a pfx file for wildcard cert *.example.com in Citrix Netscaler but I am failing to do so. I’ve cross-checked with the following directions. What am I doing wrong? https://www.digicert.com/csr-creation-ssl-installation-citrix-netscaler.htm#netscaler_vpx_create_csr Short Answer: That is because Citrix Netscaler cannot create pfx format files. It creates PEM (Apache) format files. Netscaler systems do, on the other hand, have the ability to import a pfx file, but that pfx […]


Website Malware: How to Find Unidentified Malicious Code?

There are a lot of malware scanning services out there that will report any malicious code associated with your website. Some malware services will only report the problematic malicious code, while other services, such as Sitelock provided by Acmetek Global Solutions, take malware scanning to the next step and will actually remove the malware from your website automatically. If you do not have Sitelock, you will have to manually remove the code yourself. Hopefully this article can help enlighten admins on the general idea of what to search for when manually removing the code to secure your website. Here is the scenario… You received a notification from a malware scanning service such as the Norton Malware Scan that comes with […]
