How To Move An SSL Certificate From Windows Server To Apache.

Depending on your network, you may have to move your SSL/TLS server certificate and its private key from one system to another. This article covers how to move your server certificate and its private key from IIS, which uses a single pfx/p12/pkcs#12 file, to Apache, which uses separate .pem, .crt, and .key files. This will require a conversion using OpenSSL on the Apache system. You need both the public and private keys for an SSL certificate to work properly on any system. Windows uses the pfx/p12 file to contain these two keys; therefore, if you need to transfer your SSL certificate from one server to another or store it someplace for safekeeping, you need to create a .pfx backup. Apache […]


How to Convert an SSL Server Certificate from Apache to PKCS12/PFX

Depending on your network, you may have to move your SSL/TLS server certificate and its private key from one system to another. This article covers how to move your SSL certificate, its private key, and its intermediate CA from Apache to a pfx file, also known as a pkcs#12 file. This will require a conversion using OpenSSL on the Apache system. Apache systems are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions. We will start by assuming that you have already successfully installed the SSL certificate on the Apache web server. To move your certificate keypair from Apache to PFX, perform the following: Step 1: Finding your […]


OpenSSL patch released that fixes High-severity Diffie Hellman bug

OpenSSL has fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts HTTPS communications secured with ephemeral-key, DSA-based Diffie Hellman (DH) key exchange. The OpenSSL Diffie Hellman issue was assigned CVE-2016-0701 with a severity of High. This vulnerability could allow an attacker to force the peer to perform multiple handshakes using the same private Diffie Hellman key component, meaning they could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection. On 28-Jan-2016, OpenSSL released its Security Advisory regarding the fixes on its website, OpenSSL.org. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses […]


OpenSSL Commands

OpenSSL is used for many things other than running encryption on a website. It is also used for the generation of CSR keypairs and, more importantly within this article, for converting. The italic parts in the conversions below are examples of your own files or your own unique naming conventions; adapt these italic name examples to your own file names for openssl commands. Note: .pem, .cer, and .crt are all the same type of x509/pem certificate, only with different extensions. Obtain OpenSSL: Note: For OpenSSL software to be successfully installed on a computer system, you must have local system administrator privilege on the computer. Download and install OpenSSL to perform a certificate conversion. Windows Linux Use the following OpenSSL commands to convert SSL […]


How to move SSL certificate from Apache to Apache

Apache uses x509 pem/crt certificate files for its configurations. You will follow these steps to copy, move and import your files from one Apache system to another. Apache systems are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions. You will have to apply these examples to your own environment. We will start by assuming that you have already successfully installed the SSL certificate on one Apache web server. Step 1: Finding/converting your SSL certificate and key file on Apache: Referencing the httpd.conf or ssl.conf file on the Apache system, look for the location and directories of the three files necessary on the Apache system that has the installed SSL certificate. […]


Apache HTTP (OpenSSL / Nginx / ModSSL) – SSL Installation

Apache SSL is a very custom environment and your system may differ. Below are generalized instructions. If you have a custom installation, you will need to adjust these instructions appropriately. Like the majority of server systems, you will install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. Your private key will always be left on the server system where the CSR was originally created. Your SSL certificate will not work without this private key file. We will assume that this is the original system. To install your SSL certificate on Apache SSL, perform the following. Step 1: Downloading your SSL Certificate & its Intermediate CA certificate: If you had the option of server […]


How to fix Alternative chains certificate forgery (CVE-2015-1793)

How to fix Alternative chains certificate forgery (CVE-2015-1793): Critical OpenSSL vulnerability could allow attackers to intercept secure communications. What is it: An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Reported by Adam Langley and David Benjamin (Google/BoringSSL). Fixed in OpenSSL 1.0.2d (Affected 1.0.2c, 1.0.2b). Fixed in OpenSSL 1.0.1p (Affected 1.0.1o, 1.0.1n). How to Fix it: Alternative chains certificate forgery (CVE-2015-1793). Severity: High. During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if […]


OpenSSL: Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793)

Critical OpenSSL vulnerability could allow attackers to intercept secure communications with the new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793). A critical new vulnerability in OpenSSL could allow attackers to intercept secure communications by tricking a targeted computer into accepting a bogus digital certificate as valid. This could facilitate man-in-the-middle (MITM) attacks, where attackers could listen in on connections with secure services such as banks or email services. OpenSSL is one of the most widely used implementations of the SSL and TLS cryptographic protocols. Open-source software, it is used widely on internet-facing devices, including two thirds of all web servers. The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project (https://www.openssl.org/news/secadv_20150709.txt) […]
