SHA-1 or SHA-256 for Windows kernel-mode Code Signing

Problem: Windows Vista and Server 2008 trigger a security warning for code running in kernel mode if the code was signed with a SHA-256 Authenticode certificate. The current workaround is to use a SHA-1 certificate. However, SHA-1 is being deprecated. Patched versions of Windows 7 and newer versions of Windows operating systems will trigger a security warning for code signed with a SHA-1 certificate after December 31, 2015. Certificate Authorities such as Symantec/Digicert state that they will still issue SHA-1 Code Signing certificates, but “SHA-1 Code Signing certificates have a max expiration date of December 30, 2019” and will be discontinued thereafter. Patched Windows 7 and newer versions should be unaffected. Kernel-mode code that is signed with a SHA-256 […]


Troubleshooting: Unsupported Protocol – ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Not all browser-related errors are associated with SSL Certificates. Many are due to server configurations that set up communication between the website/server and the client's browser. Different browsers will showcase errors differently, but ultimately the troubleshooting process for these errors is the same. What is a Protocol or a Cipher? Protocols and Cipher Suites are the actual communication language that performs encryption. When the browser and the server/website communicate, they are required to speak the same language. If a server is not configured to use the languages that the browser wants to use, then the browser and the server will not be able to communicate. This results in a communication failure. Errors typically seen pertaining to protocols & […]


How To Make A Master pkcs7 Format Certificate?

Unlike an x509 (.pem, .cer, .crt) format certificate, a pkcs7 format certificate will include an SSL Certificate and its Intermediate CA within its coding. Microsoft type systems utilize pkcs7 format. x509 format is usually used for Apache type systems. The majority of CAs will only include the SSL Certificate and its Intermediate CA within a pkcs7 format certificate. Typically roots are not required during installation, but some rare systems such as SAP, versions of Java, IBM, or some other application may need it by design. A Master pkcs7 format certificate will contain the following: SSL Certificate (comes standard), Intermediate CA (comes standard), *Root Certificate*. In order to make a full master pkcs7 format certificate for whatever reason, one that contains […]


Troubleshooting: SAP Incomplete FCPath, need certificate of CA, Certificate chain error

During installation of an SSL Certificate on a SAP system you may get the following error: “Incomplete FCPath, need certificate of CA” (CN=VeriSign Class 3 Public Primary Certification Authority – G5, OU=”(c) 2006 VeriSign, Inc. – For authorized use only”, OU=VeriSign Trust Network, O=”VeriSign, Inc.”, C=US) “import_own_cert: Installation of certificate failed” Causes: This error can happen for the following reasons: SAP systems want to see the entire SSL Certificate Chain during installation of your SSL Certificate. You are not installing a PKCS7 (.p7b) format certificate. Resolutions: If you receive this error when you are installing an SSL Certificate from any CA, you must have a complete Master pkcs#7 format certificate that includes the following: SSL Certificate, Intermediate CA, *Root […]


Troubleshooting: Error: “The certificate is invalid for Exchange Server usage”

In Windows Exchange systems you may receive the following error message after the installation of a digital certificate: “The certificate is invalid for exchange server usage”. This warning message occurs due to the following: The SSL certificate cannot be verified to a trusted certificate authority. The SSL certificate that was installed is missing its intermediate CA certificate that helps chain the trust to the root certificate on that system. Resolution: You will have to manually install the correct intermediate CA certificate that goes with your SSL certificate product. Contact your Certificate Authority (CA) for this supplementary certificate. Note: If you purchased your Standard SSL Certificate product from one of the following CAs, Symantec, GeoTrust, Thawte or RapidSSL, you can find the links directly to […]


Troubleshooting: At least one other site is using Https binding and the binding is configured with a different certificate.

In Windows Internet Information Services (IIS) you may receive the following error when assigning a certificate to a site binding: “At least one other site is using the same HTTPS binding and the binding is configured with a different certificate. are you sure that you want to reuse this HTTPS binding and reassign the other site or sites to use the new certificate?” This warning message occurs due to the following: Only one certificate can be used for a given IP address and port combination. Multiple websites on the server are using the same IP and port regardless of using multiple certificates. Resolution: In this situation the resolutions can be the following: Assign each site a different public IP address in the […]


Troubleshooting: Checking SSL installation with a browser

After you have installed your SSL certificate you may want to check the installation. There are two ways to go about checking it. By using a browser: this article will showcase Google Chrome. By SSL Checker: see our article Troubleshooting: SSL with Qualys SSL Labs – SSL Checker to learn more. Let's get started. Using Chrome: Type in https://yourdomain.com (use the actual domain you want to check). You should see a padlock to the left of the “Https.” Note: If you do not see a padlock, or see a yellow exclamation point where the padlock would be, this may be due to Mixed or Insecure content. To troubleshoot this, review the troubleshooting article Troubleshooting: Unsecured or Mixed Content. If you do see […]


OpenSSL Commands

OpenSSL is used for many things other than running encryption on a website. It is also used for the generation of CSR keypairs and, more importantly for this article, for conversions. The italic parts in the conversions below are examples of your own files or your own unique naming conventions; adapt these italic example names to your own file names in the openssl commands. Note: .pem, .cer and .crt are all the same type of x509/pem certificate, only with different extensions. Obtain OpenSSL: Note: In order for OpenSSL software to be successfully installed on a computer system, you must have local system administrator privileges on the computer. Download and install OpenSSL to perform a certificate conversion. Windows Linux Use the following OpenSSL commands to convert SSL […]


Troubleshooting: Ciphers, Protocols, or SSL with Qualys SSL Labs – SSL Checker

There are many SSL checkers out there which are used to check the validity and installation of a website's SSL Certificate. The majority of these checkers vary in the information that they display or have limitations, as they only perform their function as programmed. Aside from using an SSL Checker tool, there is always the manual way of using your browser to check proper installation. If you would like to learn how to check using a browser, SSLSupportDesk features such an article: Troubleshooting: Checking SSL installation with a browser. Some SSL Checkers are extremely advanced and will not only check the validity of an SSL certificate, but can also point out flaws in a server’s configuration or software. Qualys […]


Troubleshooting: Unsecured or Mixed Content – “Your connection to this site is not fully secure”

Mixed Content warnings happen with all certificates now, regardless of certificate type. The most drastic loss in functionality, though, is with EV certificates. Even though an Extended Validation (EV) SSL certificate may have been installed in https (the channel of the website that performs encryption) on a website, some browsers may require that the entire site, including all resources, images, and links, be secured within https as well. Failure to do this may turn off the EV green URL bar, which is a desired feature when purchasing an EV SSL certificate. If the certificate is not an EV SSL certificate, just a Domain Validated (DV) or Organization Validated (OV) SSL certificate, then typically there may be a padlock missing near the URL bar even though […]
