Tag Archive : SSL

/ SSL

SANnav SSL Certificate

SANnav Management Portal utilizes by default a self-signed certificate, which in most cases is considered as vulnerability. Therefore, it is highly recommended to replace it by a CA signed certificate. The SSL/TLS certificate ensures that the connection between clients and the server is secure.

The replacement is done in 2 steps. First, we will create a Certificate Signing Request, which will be signed by our Certificate Authority. Then the signed certificate will be imported to the SANnav. In addition, you will also need the root and the intermediate certificates to be imported.

Make sure to read the SANNav Management Portal guide for detailed information.

Creating SANnav Certificate Signing Request

  1. Log in to your SANnav server (RedHat/CentOS)
  2. Additionally, create a new directory under /root/, you can call it /root/certificates/
    cd /root
    mkdir certificates
    cd /root/certificates
  3. To start, we will create the certificate signing request (.csr)
    openssl req -newkey rsa:2048 -nodes -keyout sannav.key -out sannav.csr
  4. Enter the certificate information regarding to your host and the company information
  5. Let your SANnav (sannav.csr) be signed by your Certificate Authority

At this point you would have received the signed certificate, together with the accompanying root and intermediate certificate.

Replacing the self-signed certificate

  1. Copy your signed certificate, together with the company’s root and the intermediate certificate to /root/certificates/
  2. First, we will need to merge the root and the intermediate certificate into one file. Use the following command:
    cat intermediate_certificate.crt root_certificate.crt > bundleCertificate.pem
  3. Launch the script replace-server-cert.sh found under /<sannav-installation-directory>/bin/
  4. Complete the certificate file paths as requested by the wizard:
    – Enter the path for the ssl certificate including file name: /root/certificates/sannav.cer
    – Enter the path for the ssl key including file name: /root/certificates/sannav.key
    – If you have root and intermediate CA certificates, please chain them into a single certificate file and provide the path to the file. Press enter to skip this step. /root/certificates/bundleCertificate.pem
  5. Run the script restart-server.sh found under /<sannav-installation-directory>/bin/ to restart SANnav
  6. Restart your browser and you’re SANnav Management Portal will show a valid certificate.

Read here related articles about SANnav Management Portal
Preparing RHEL / CentOS Server for SANnav
Installing SANnav Management Portal 2.0

Any suggestion or question? Leave a reply below, or feel free to contact us.
Make sure to subscribe to our mailinglist to get the latest. No spam. Promised!

This article will focus on implementing CA-signed certificates and enabling the HTTPS protocol on Brocade switches. I assume you already have a Certificate Authority implemented and you can sign certificates requests.

Required/used freeware

Putty: Used to connect to the switch.
Alex’s FTP Server: Used to upload and download files from or onto the switch.
OpenSSL: Used to convert and test certificate files.
Dos2Unix: Used to convert Windows-created filed to Unix/Linux files.

Deprecated commands:
secCertUtil
secCertUtil CLI will be deprecated. Use secCertMgmt for Certificate related operations.

The command seccertUtil is replaced by secCertMgmt.

It is highly recommended to back up your switch configuration before performing any changes. For tracing purposes, I have configured my Putty terminal to log every session. It will also flush the log file frequently.

Generating Certificate Signing Request (.csr) file

To list available certificates on the switch use the command:

secCertmgmt show -all

To create the .csr file in interactive mode type

seccertmgmt generate -csr https
Generate the Certificate Signing Request
Generate certificate signing request file on Brocade switch

Generate the file and export it locally. Accordingly, request your CA to have it signed.

The following command exports the .csr file in an interactive mode:

seccertmgmt export -csr https -protocol ftp
Export Certificate Signing Request
Export Certificate Signing Request (.csr) file using FTP

Preparing certificates for import

I signed the client’s certificate and got it in a .cer file. I also have the Root and Intermediate certificates in my possession.

Brocade switches require to have root and intermediate certificates merged into one file. The merge order is also important, first the Root certificate then the Intermediate. Work your way up the chain to the root certificate.

Before merging the certificates we will convert them to .pem files. To convert them from .cer to .pem file format use the following command

openssl x509 -in <certificate path & file name> -out <certificate path & file name>
Convert certificate .cer to .pem file
Converting certificate .cer files to .pem file format
Convert certificate files from .cer to .pem format
Converting certificate .cer files to .pem file format

Combining Root and Intermediate certificate

To merge the certificates use the Windows copy command. The /B parameter prevents Windows to append ASCII characters (CTRZ – Z) to the file.

copy /B <file name path 1> <file name path 2> <destination file name path>
Merge certificate files
Merging root and intermediate certificate files

Converting Windows files to Unix

Files created in Windows are sometimes incorrectly read in Unix/Linux. It’s because of Windows handling i.g. newlines and carriage returns in a different way.

In order to “clean” the certificates, we will use the tool dos2unix to convert them into Unix files.

dos2unix.exe <file name>

The file is rewritten and the output is saved under the same location.

Convert windows to unix files
Use dos2unix to convert Windows files to Unix-readable files

Testing certificates

Additionally, we can test the certificate chain and our client certificate using the following command.

openssl verify -verbose -purpose sslserver -CAfile <root certificate.pem> <switch certificate.pem>
Test certificate
Testing client certificate compatibility with the certificate authority chain

Importing certificates

First, we will import the root certificate using the command below.

seccertmgmt import -ca -server https
Importing CA root certificate
Importing CA chain certificate onto the switch

Finally, we can import the switch certificate file.

seccertmgmt import -cert https
Importing client certificate
Importing the client’s certificate onto the switch

We have enabled the switch to communicate over HTTPS protocol and HTTP requests are redirected to HTTPS.

I’ve noticed my Brocade Network Advisor claims that the switch is unreachable after installing the certificate. Finally, I got this resolved by performing a hareboot. The hareboot restarts the web linker daemon which is responsible for web communication.

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.

Having a web-based app running over unsecured protocols like HTTP, might not only be unsafe but also unprofessional. Therefore, most of the enterprises opt for secure traffic over HTTPS. In this article, we will implement Service Processor SSL Certificates signed by CA. 3PAR StoreServ Service Processors run by default over unsecured HTTP protocol. Installing an SSL Certificate is something every administrator should consider.

A technical whitepaper of Best Practices for Implementing HPE 3PAR Service Processor can be found here.

How to?

Creating a Certificate File Request

  1. Navigate to your Service Processor webpage https://<sp_name>
  2. Log in with you customer credentials
  3. On the left pane, click on Support > SP Certificate
  4. On this page, click on Generate CSR
  5. Enter your information, including certificate’s Common Name and SAN (Subject Alternate Names)

    Adding a SAN record is very important as recent web browsers still give errors when a certificate does not contain this information.
  6. Click on Generate CSR and return to the previous window.
  7. On the next step click on Export CSR
  8. After exporting the file, click on Download File and save it locally

    Signing and importing the Service Processor SSL Certificates

    At this point, we have created a request file which will be signed by our Certificate Authority. In large enterprises, certificate handling is done by a separate department. You could also give a try by yourself. Here is a good article about signing certificates with Microsoft CA.
    Once you have signed your certificate, you will get a file with .cer as an extension.

  1. Navigate to your service processor’s webpage and select Import Certificate
  2. On the first step we’re going to load the Service Processor SSL certificates we have just signed in the previous step.
    (Bear in mind the sequence)
  3. Browse the certificate’s location and click on Load Certificate
  4. On the following screen, we are going to load the intermediate certificate of the CA or the Issuing Certificate.
  5. Finally, we will upload the Root Certificate. Browse the file and click on Import Certificate.
  6. Once the 3rd certificate (the certificate from the previous step) the Web Service of the Service Processor will restart.
  7. Make sure to close any active browser before navigating again to the service processor
  8. Next time you navigate to the array’s SP the SSL certificate should be valid.

 

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.

Free SSL certificate for your website

05/03/2019 | WebDev | No Comments

 

Nothing more annoying that browsing a website that indicates insecure content with an red sign on the address bar.

Imagine running a website that deals with sensitive data, being it personal records coming from a web form or anything else where the connection is insecure. Your visitors wouldn’t be happy with that.

Today, most of the professional websites utilize SSL certificates. Even Google pushes towards secure URL in its indexing mechanism. Some sources even claim that HTTPS-links are better crawled by search engines.

In the article, we will go through some possibilities on how to get rid of the “red sign address bar”. Furthermore, implementing an SSL certificate on your website doesn’t need to be costly – if not free of charge 😉

What is SSL or an SSL Certificate?

SSL stands for Secure Socket Layer and it is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link ensures that visitors (=customers) data remains private and encrypted during transmission.
An SSL Certificate is a digital certificate that proves the host (website’s visitors) that the corresponding web service has the ownership of the domain. The issuance is done by the Certificate Authority (CA).

There are different Certificate Authority entities worldwide, with Comodo, Symantec, GlobalSign, DigiCert being the well known. A W3Techs survey from May 2018 shows that IdenTrust, a cross-signer of Let’s Encrypt intermediates, has risen to be the most popular SSL certificate authority.

Let’s Encrypt and CloudFlare

Let’s Encrypt and CloudFlare are 2 SSL CA providers where I would like to pay attention at.

Let’s Encrypt is a non-profit certificate authority that provides X.509 certificates at no charge. The certificates issued by Let’s Encrypt remain valid for 90 days, and during the time they can also be renewed. The project’s goals are to make the World Wide Web servers standard encrypted.

On the other hand, CloudFlare is a company that provides content delivery network services, DDoS attack protection, internet security and Domain Name Server services. I personally recommend using CloudFlare’s services for your website.

CloudFlare

CloudFlare is my favourite free method to encrypt the traffic to my website. It is also easier and simple to configure.

All you need to do is create an account, verify domain ownership and replace your domain name servers with CloudFlare’s own nameservers.

Let’s Encrypt

Enabling and installing an SSL certificate on your web depends on the type of web hosting you own. If your web runs on a dedicated server and you have root permissions you can easily request and install an SSL certificate from Let’s Encrypt – just read the manual.

In my case, I use Linux (shared) hosting from GoDaddy and my host runs on a Linux Cloud OS with limited root access rights.

Basically, if your hosting provider does not support Let’s Encrypt by default, you’ll have to use alternative ways to create the certificate request and approve it by Let’s Encrypt.

Hosting providers that support Let’s Encrypt can be found here.

In order to create the Certificate Signing Request (CSR) we will use an online freeware called ZeroSSL.

  1. Navigate to ZeroSSL.com
  2. Click on Online Tools
  3. Click Start to start the FREE SSL Certificate Wizard
  4. Enter your domain name (include a record with and without www-prefix)
  5. Make sure to check the following boxes:
    – HTTP verification
    – Accept ZeroSSL TOS
    – Accept Let’s Encrypt SA (pdf)
  6. In my case, I only entered storcom.com without the www-prefix but the wizard asked if I wanted to add the prefix
  7. Hit Next to proceed
  8. At this point, we have received the CSR (Certificate Signing Request)
  9. Click Download or Save it manually in a text file
  10. Click Next to continue
  11. Once the Key Account is created, download it or save it manually
  12. At this point, we should have 2 separate files
    – The CSR file and
    – The Key Account file
  13. Next we will need to verify the domain ownership. Download 2 files below
  14. Navigate to your web hosting’s CPANEL and open the file manager
  15. On the root directory (i.g. public_html) create a folder .well-known and a subfolder acme-challenge. The directory structure should look like this:
  16. If the folder is not visible, go to Settings (top right corner) and check Show Hidden Files (dotfiles)
  17. Under the .well-known/acme-challenge upload the 2 files we downloaded from step 13
  18. Navigate back to the ZeroSSL web and click on the links

    If the links are resolved into text files you have uploaded, you should be OK to continue.
  19. Proceed by clicking Next and your certificate should be created and valid for 90 days.
  20. Below the page, download the Certificate file (CRT) and the Domain (Key) file
  21. Navigate to your hosting’s CPANEL and open TLS/SSL
  22. Click on Manage SSL sites
  23. Select your domain
  24. Copy the text from the Certificate (CRT) file and paste it into the Certificate: (CRT) text box

    Notice that the CRT file includes both: the certificate itself and the certificate bundle. Cut or remove the certificate bundle, and paste it below on the 3rd box Certificate Bundle.
  25. Copy and paste the Domain Key into the Private Key (KEY) text box
  26. Make sure the Certificate Authority Bundle (CABUNDLE) has been filled in and click Install Certificate
  27. Congrats! You have installed a free certificate on your website.

  28. Your website should indicate a valid SSL certificate.

Redirect HTTP to HTTPS

Finally, in order to use the installed certificate correctly, you will need to tell your webserver to always use HTTPS for incoming requests. 

WordPress

  1. Go to your WP admin panel
  2. Navigate to Settings > General
  3. Modify the WordPress (URL) and Site Address (URL) to point to https

Non-CMS

Another way to accomplish it is to tell your webserver to redirect all HTTP requests to https. This can be easily done by adding a code to the .htaccess file.

Redirect on Apache webserver

  1. Go to your hosting’s file manager
  2. On the root directory /public_html edit or create a file called .htaccess
  3. Append the following code at the end:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect on Nginx webserver

  1. Go to your hosting’s file manager
  2. Look for nginx config-file
  3. Append the following code:
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://domain.com$request_uri;
}

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.