Am trying to distribute the Private Key(.p12) certificate from Server to Client using GPO. It's been reflected in my client after invoking the gpupdate /force command in the Client Machine.
Here i tried winhttpcertcfg.cer to give the Access for the certificate to everyone.
but i got an error, that states the user who installed the certificate can only access.
My question here is;
1. Can we install the Private key (.p12) certificate from Server to Client ?
Is there anyway to install the certificate without manpower in windows machine?
Related
I have created certificate request from IIS for my application server and prepared .cer file with the help of CA authority. While i am using complete certificate steps from IIS ,its not giving any error, but when i am trying to bind the https:// certificate disappears from IIS -> Server certificates. i am installing webhosting certificate into windows based server.
I am trying to access a Filezilla Server using FtpWebRequest in Powershell, like this:
$ftprequest = [System.Net.FtpWebRequest]::Create($sourceuri)
$ftprequest.Method = ([System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails + " -a")
$ftprequest.Credentials = New-Object System.Net.NetworkCredential($username,$password)
$ftprequest.EnableSsl = $true
In Filezilla Server there is a "Generate New Certificate" which is what I used to create the certificate. This created a .crt file that Filezilla is pointing to for both the private key and certificate file.
The server is also configured with the options "Enable FTPS" and "Allow explicit FTP over TLS".
I am able to happily access the server using the Filezilla Client (although it warns that the server's certificate is unknown).
To access the server from a Powershell client, without getting complaints about the certificate, my understanding is the best thing to do is import the certificate on the client machine. I managed to do this by downloading the .crt file, manually stripping out the private key portion using Notepad, and then running:
Import-Certificate -FilePath .\filezillaCertificate.crt -CertStoreLocation cert:\CurrentUser\My
However, trying to connect using FtpWebRequest I still receive the error "The remote certificate is invalid according to the validation procedure."
Can anyone point me in the right direction?
This is not a PoSH issue. It is a pure PKI 101 (cert implementation) issue.
Self-signed certificates will always be considered untrusted in most cases, because there is no way to validate it, no public registered body for it and no public CRL (Certificate Revocation List / Authority) associated with it.
You cannot create a PKI cert for a remote location on your local machine. You must create the cert on the remote location, or buy a public cert and install it on the remote location certificate store. The public and private key must reside on the remote server / site. For any server / site, the certificate must be registered / issued to that server then manually assigned to a site (FTP/s, HTTP/s).
Then, you download the public cert from the destination and install that on your local machine. Normally installed to the local machine store. If you cannot download that public certificate and certificate chain using a browser, by clicking on the lock, after visiting the site, then you must request that the destination server/site owner send you the public cert for you to install locally. Again, normally installed to the local machine store.
I know your post is about a Filezilla server (Full Disclosure: I've never seen on used one), but the approach as shown in the articles below on setting up FTP over SSL on IIS should be similar.
FTP over SSL
The element specifies the FTP over Secure Sockets Layer (SSL)
settings for the FTP service; FTP over SSL was first introduced for
IIS 7 in FTP 7.0.
Unlike using HTTP over SSL, which requires a separate port and
connection for secure (HTTPS) communication, secure FTP communication
occurs on the same port as non-secure communication. FTP 7 supports
two different forms of FTP over SSL:
https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/security/ssl
https://learn.microsoft.com/en-us/iis/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7
Update to find the FileZilla SSL guidance
Install a SSL certificate on FileZilla FTP Server
https://www.tbs-certificates.co.uk/FAQ/en/FileZilla_FTP_Server.html
Installing a certificate on an OpenSSL-based server is really similar
than doing so on Apache: Install an Apache certificate, except that
the instructions indicating the path to th files are not the same!
for FTP FileZilla server, via the interface: FileZilla Server
Option -> SSL/TLS settings:
•import the private key (.key file generated along with the CSR) in
"Private key file".
•import the certificate and the certification chain in the same file:
1) on your certificate status page, download the "file.cer" file and
the certification chain "chain-xxx.txt" 2) concatenate those two
files into one 3) import the file in "Certificate file"
How to connect FTP over SSL/TLS in FileZilla?
Create Site
Go to File >> Site Manager >> New Site.
Following are the required details to fill up.
• Host: Enter Hostname(i.e. ftp.yourdomain.com) or IP address which we
have sent in Welcome e-mail. • Port: 21 (Default FTP port is 21, you
can also keep it blank). • Protocol: FTP - File Transfer Protocol. •
Encryption: Select Required explicit FTP over TLS from dropdown list.
• Logon Type: Select Normal from the dropdown list. • User: Your FTP
username. • Password: Your FTP Password.
https://manage.accuwebhosting.com/knowledgebase/761/How-to-connect-FTP-over-SSLorTLS-in-FileZilla.html
The FileZilla wiki also talks to how to do the SSL implementation.
I have read through this post on signing a PowerShell script with a certificate. This is more on using external certificate from VeriSign (or similar) to encode and protect the code I have developed within a PowerShell script.
I am just trying to find out if this will actually work. I would expect the process to go as:
Purchase code-signing certificate from VeriSign
Install certificate on my computer
Sign the PowerShell script
Execute the script on desired device
Since this script would be signed with a external CA wouldn't Windows be able to authenticate the certificate since Windows trust VeriSign root CA? My guess would be since Windows has the root CA for VeriSign already and trust it, if I happen on a system that does not allow Internet access that the certificate will still be verified and allow me to run it?
That should work. I've never tried it, though, but your logic makes sense.
I looked at the cert store on my Win7 machine and it has an Oracle code signing cert issued by "Verisign Class 3 Code Signing 2010 CA". That CA is an intermediate CA. The root CA is "Verisign Class 3 Public Primary Certification AUthority - G5". That root CA is in Windows trusted root CA store. So what I gather from this is:
That yes you can do it - Oracle does it
Verisign does issue code signing certs, but they are signed with an intermediate CA.
This means Windows has to obtain this cert somehow. The Verisign
intermediate cert does have the "Authority Info Access" field which
is one way Windows can retrieve an intermediate cert. But the
machine would have to be able to access the internet.
An alternative (if internet access isn't available) is to install the intermediate cert on your users' machines. Could be part of an installer. I think that must be what Oracle did on my machine
For an Authenticode EXE, another alternative (if machine can't access
internet) is to make sure intermediate cert was embedded in the
authenticode signature in the EXE. However I don't know if
Powershell would support that.
As another confirmation you could call/email Verisign to verify their support.
Executing the script on desired device still requires you to set the execution policy to at least AllSigned on that device. And you will still get a question if you want to trust this publisher, unless you add the certificate to the device or the domain. See here.
I have this weirdest problem. First off: I'm VERY new to this certificate thingy. I've done a fair amount of searches and reading up though.
The CA Cert that I install into the Trusted Root Certificate
Authorities store in my server automatically get removed/disappeared
as soon as a client web-browser try to connect to a web-site using an
SSL cert created with that CA cert.
DETAILS:
Windows Server 2008 R2 (development server).
I've created my own Certificate Authority Cert; which I use it to generate an SSL server cert (to install on my IIS 7 Server) and a client cert (for use at my local PC to connect to the WCF Webservice on the development server which is set to Require SSL and Require Client Cert).
I installed the CA Cert into the Trusted Root on both Server and local PC.
Installed the SSL server cert into the IIS7 for that particular site and did the https binding to port 443.
As soon as I launch my browser to access that site with HTTPS, the CA
cert in automatically removed on the server (from the Trusted Root
Certificate Authorities store). and my local PC browser will report
an error 403.
This is driving me nuts... anyone knows what is happening?
Apparently, after a lot of running around, it is due to too many of the same certs in many stores.
I open the MMC.exe > Add/Remove SnapIns > Certificates
Notice there are 3 types there (My User Account, Service Account & Computer Account).
Open up My User and Computer Account, go through all the stores for each one and DELETE all of the CA cert with the same name. Then add the CA cert in either My User Account or Computer Account, depending on how you access the certs (in the event of the cert being used programatically, install it in the Computer Account, [Trusted Root Certificate Authorities].
Just 1 place, then the problem will dissappear.
Just got my Lync server deployed on Windows Server 2008 R2 and am trying to connect via Lync client on a different machine. When attempting to sign in, the client throws an error saying "Cannot sign in to Lync: There was a problem verifying the certificate from the server.".
Looking deeper, into the client box's event viewer, I see the following error "The certificate received from the remote serer was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate. ....
My organization has an internal CA, which is in charge of issuing all required certificates to the Lync server. My client box has installed the internal CA (root) as a trusted CA provider. To me, this should cause any certificates that issues, including the Lync certificates, to be trusted.
I installed Lync client on the same box that Lync server is hoted, and am able to log in fine. My error only occurs when connecting from a different box.
Can anyone shed some light? Thanks!
I had same issue. To resolve: from client, hit url of CA Authority, some thing like http://CAservername/certsrv this provided option to download a CA Certificate Chain.
Put this into local computer trusted root certs and I was good to go.
As mentioned in the error message ("Cannot sign in to Lync: There was a problem verifying the certificate from the server"), this is clearly a certification error. If you work in a big company (where they have they own internal CA - (Certification Authority)) in most cases they would have used their internal certificate to establish trust relationship. If you just install/export the Root certificate of the CA under "Trusted Root Certificate Authorities” of “Local Computer” account, this error should be resolved.
If your company doesn't have own CA, then find our who issued the certificate for Lynch and install/export the root certificate of that CA to the same location as above, this issue should be resolved.