Can you install an SSL certificate on a server other than where the CSR was generated? - powershell

I have recently been tasked with automating our certificate issuance/renewal process via PowerShell. Having never worked in this space prior, I'm doing a lot of on-the-fly learning.
The idea is to make the execution stateless, meaning we can have one server running a script that requests certificates and simply store them to be installed on the appropriate machines later. That will likely be automated as well. My question is this: when I generate a CSR on the server, and the certificate is ultimately issued by DigiCert, can that certificate only be installed on that server? My research says yes, and yet I tested this by installing an already issued certificate on my local machine and it worked. I had not generated the CSR for that certificate on my machine, yet I was able to install it without error. Would the problems only come in when binding the certificate to a site?
Any insight would be greatly appreciated.
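An added example, not from the question or any answer on this page, of the request-then-deploy flow in PowerShell, with a check that reports whether a certificate in the store can actually back a binding; the host name www.example.test, the file names and the function name Test-CertificateBindable are assumptions, and submitting the CSR to DigiCert is left out.

```powershell
# Added example, not from the question or any answer here. Assumes Windows
# PowerShell 5.1 run elevated on the requesting server and the hypothetical
# host www.example.test; submitting the CSR to DigiCert is left out.
# 1. Generate key pair + CSR with certreq. The private key is created in this
#    machine's LocalMachine key store; Exportable = TRUE is what later allows
#    it to be packaged into a PFX for a different server.
$inf = @"
[NewRequest]
Subject = "CN=www.example.test"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.test&"
"@
Set-Content -Path .\www.example.test.inf -Value $inf
certreq -new .\www.example.test.inf .\www.example.test.csr

# 2. When DigiCert returns the signed certificate, accept it on the SAME
#    machine so certreq pairs it with the pending private key:
#    certreq -accept .\www.example.test.cer

# 3. Report whether a store entry can actually back a TLS binding. A .cer
#    imported on a machine that never generated the CSR installs without error
#    but has HasPrivateKey = False: the import "works", the binding will not.
function Test-CertificateBindable {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Found         = [bool]$cert
        Subject       = $cert.Subject
        HasPrivateKey = [bool]$cert.HasPrivateKey
        Bindable      = [bool]$cert -and $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
    }
}

# 4. To serve the site from another machine, move key + certificate together as
#    a password-protected PFX (handle the file as a secret) and import it there:
#    $pw = Read-Host -AsSecureString 'PFX password'
#    Export-PfxCertificate -Cert Cert:\LocalMachine\My\<THUMBPRINT> -FilePath .\site.pfx -Password $pw
#    Import-PfxCertificate -FilePath .\site.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw
```

Run Test-CertificateBindable against the thumbprint of the certificate you installed by hand on your local machine: it will show HasPrivateKey = False, which is why the install succeeded but a site binding would not.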

Related

Reusing SSL Certificate

My team is building a web application for our capstone project. We deployed it to DigitalOcean using Dokku, everything was fine, but one of us (aka me) accidentally deleted the database. Since my team and I don't know anything about deployment, we ended up hitting our rate limit on Let's Encrypt for the certificates while trying to redeploy. Reading through their documentation, it says we have to wait a week before being able to get another certificate. I was wondering if it was possible to find the certificates that were issued and apply them to the domain? Or if there is another solution? Thank you.

How to share a self-signed clickonce certificate with different clients for development

I am developing a ClickOnce C# project in Visual Studio.
On my main computer, I have generated a self-signed certificate for the ClickOnce manifest.
This works fine, I can compile, deploy and run.
I also sync this solution to my GitHub account, and regularly pull updates down to a backup computer.
The backup computer is not able to simply compile this solution, as it gives errors regarding self-signed keys.
I could generate a new one on the backup computer, but then when I deploy to the same testbed, it causes issues because the certificate is from a different location.
I want to quickly be able to deploy from the backup computer in the event that there is an issue with the main.
How can I share the main computer's generated certificate with my backup environment without issue?
My apologies if this is straightforward or I am missing something obvious.
Run certmgr.msc (user) or certlm.msc (computer) and look in My Certificates for the certificate. Right-click it and check if you can export it with the private key, resulting in a PFX file (PKCS#12).
If this is not possible, generate a new one with the -ExportPolicy Exportable option.
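The export-with-private-key step of the answer above, as added example code rather than the answer author's own; it assumes Windows 10 / Server 2016 or later PowerShell and the hypothetical publisher name CN=MyClickOnceDev.

```powershell
# Added example, not the answer author's code. Assumes Windows 10 / Server 2016
# or later (New-SelfSignedCertificate -Type and -ExportPolicy) and the
# hypothetical publisher name CN=MyClickOnceDev.

# On the MAIN computer: create a code-signing certificate whose private key is
# marked exportable so it can leave the machine as a PFX.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=MyClickOnceDev' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -ExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Export certificate AND private key as a password-protected PKCS#12 file. The
# PFX is now the signing secret: hand it to the backup computer out of band,
# never by committing it to the GitHub repo the solution is synced through.
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\clickonce-dev.pfx -Password $pw | Out-Null

# On the BACKUP computer: import the same PFX so both machines sign with the
# identical certificate (same thumbprint), which is what the shared testbed
# sees as "the same publisher".
Import-PfxCertificate -FilePath .\clickonce-dev.pfx `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pw | Out-Null

# Confirm the imported copy carries the private key; without it Visual Studio
# can use the certificate to verify but not to sign the manifest.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```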

Regarding code signing certificate in Installshield

I came across very little literature on using code signing certificates without a private key being exported. Hence, I am requesting some basic info regarding including the code signing certificate in InstallShield 2013 to sign our setup.exe file.
So it goes like this...
We had a certificate from Symantec and/or Verisign that expired a few days ago. So we got a new certificate from them, which is a SHA-256 cert. However, they won't release the private key. Hence we cannot generate a .pfx file, which we used to include in our InstallShield. They say that, from here on, whoever wants to do the code signing using InstallShield needs the dongle attached to the computer to get the private key verification done. I don't quite understand what they mean. However, it is clear that they want us to connect with the dongle for private key verification. So if I do not have the .pfx file, how can I achieve code signing using InstallShield 2013? I also read on the Web that support for SHA-256 certs was not available in 2013 and that one would have to migrate to 2015 or above to do something of that sort. So we have hit a roadblock with this thing and our automated build process is failing.
Hence, I request you to provide me any pointers as to how we can get this done.
Thanks and Regards,
Bhushan.
InstallShield 2015 or so added support for signing using certificates from certificate stores. Before that, some people have intercepted the call to signtool, implementing their own calls to either the real signtool or the APIs it calls. This should give you the freedom to use your dongle-based private key, or anything else you need.
(On the downside, InstallShield 2015's and later implementation doesn't let you do this interception trick.)
Ok... So it goes like this... We have a rights issue. As per Symantec, only the person who is the owner of the certificate can generate a private key on his machine with his admin privileges, and that too using the IE 11 browser. Now the issue is, the certificate request goes to a helpdesk portal, pending an approval, and is then forwarded to Symantec after the necessary approval. Looks like the approver has to act as the owner, even though the requesting team has paid for the certificate. That is weird but true. So the person who receives all the certificates first hand has to download the certificate, export the certificate along with the private key into the .pfx file and then send us the .pfx! Meanwhile, is there any possibility that I run the export certificate wizard from the browser and the export .pfx option is disabled just because the user launched the browser with insufficient privileges? How may I confirm that this is a rights issue? Thanks.
Further to these, I simply have a very general question about signing. The thing is, even though I know what code signing is and some of the applications might absolutely need it, I do not see a substantial need for Windows-based desktop applications. I may be wrong on this. However, all the literature I see points to the fact that the authority that is publishing should be trusted. Now we as a team are responsible for a suite of desktop applications that are being packaged using InstallShield and code signed by Symantec SHA-256 class certificates. We only sign the setup.exe file and as a result it shows a typical trust prompt to the user who installs our software. Our users are a rather closely knit group of clients and are easily approachable. Also, I do not see a risk of our network being intercepted and hacked to tamper with the content of setup. In such a situation, is having a certificate justified?
I have a few questions with respect to SignTool as well. I understand that the signing for our certificate is currently failing because we have not yet procured the private key for it. However, the timestamp verification is also failing for a self-signed certificate that I have generated for testing purposes. So I need to understand what exactly a timestamp is doing in InstallShield when SignTool is invoked? InstallShield is a good product; however, the supporting documentation provided by Flexera is rather pathetic. Thanks.
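An added example, not from any post in this thread, of signing from the certificate store with SignTool, which is what a dongle-backed private key requires, and of what the timestamp options do; signtool.exe from the Windows SDK on PATH, the certificate in CurrentUser\My, and the timestamp URL are assumptions, the URL being a placeholder for your CA's RFC 3161 server.

```powershell
# Added example, not from any post in this thread. Assumes signtool.exe from the
# Windows SDK is on PATH, the code-signing certificate (with its dongle/HSM-backed
# private key) is installed in CurrentUser\My, and that $TimestampUrl is replaced
# by your CA's RFC 3161 timestamp server.
$TimestampUrl = 'http://timestamp.example.test'   # placeholder, not a real server
$Setup = '.\setup.exe'

# Pick the signing certificate from the store by thumbprint instead of from a
# .pfx. signtool then asks the key's CSP/KSP for the signature, which is how a
# hardware-token key is used without ever being exported.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key in CurrentUser\My' }

# /fd sha256: file digest; /tr + /td: RFC 3161 timestamp, which proves the file
# was signed while the certificate was valid so the signature outlives the
# certificate's expiry. If the timestamp server cannot be reached, signing fails
# even when the certificate and key are fine, so check this first when a
# self-signed test certificate fails at the timestamp step.
& signtool sign /sha1 $cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $Setup
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy; /v prints the signer and the
# timestamp chain so you can confirm the timestamp was actually applied.
& signtool verify /pa /v $Setup
```

A self-signed test certificate will sign successfully but fail `signtool verify /pa` because nothing trusts it; that is separate from the timestamp step.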

How to make publisher trusted

I have:
server domain, where the application is developed and deployed
my own machine, not part of the server domain, on which I test the application
When I install the app on my machine, it asks me if I trust the publisher (and whether to continue with the installation or not). What I want to achieve is to make the publisher trusted before I run the installation, and to proceed with the installation smoothly without any questions about trusting publishers whatsoever.
For this purpose I have created a self-signed certificate from the server domain (I tried with both .p7b and .pfx types of certificates), got the certificate file onto my testing machine and deployed it (imported the certificate into Trusted Publishers, and eventually tried to import it into other directories also).
Despite these actions, when I run the installation, it still asks me whether I trust the publisher.

Windows Cert Management - How To

I am supposed to fulfill a common-for-most-developers request to build/consume secure services using SSL/TLS... via various communication protocols, not necessarily WCF (web) services.
My problem is that I don't know much about certificates and I have been trying to get my background knowledge up to speed on the entire process.
The organization I am coordinating with issued 3 files for me to use:
AppName.cert.pem
AppName.csr
AppName.Key.pem
and also gave me a password for these.
The organization also gave me another certificate:
Organization.cert.pem
which is supposed to be used with their test tools.
The scenario is that the organization provided a test suite that runs on one vm, and the software I am building on another. I am supposed to import both of the certs into the vm with my software, and I think the organization's cert into the vm with the test software.
The problem is I don't know how, and the help links they provided point to OpenSSL and some Java2SE tracing the secure requests/responses from either side....
Well, my code is written in C#, and both VMs use Windows Server 2008 R2 x64 Standard/Enterprise. I am not sure how to import the certs, and configure them a) on a per-application basis for a specific PORT and b) on a per-domain basis?
Thanks,
Any help and guidance would be greatly appreciated!
Well, I downloaded the OpenSSL Windows client and converted the AppName.cert.pem, AppName.csr and AppName.Key.pem into a single consolidated AppName.PKCS12.
I later imported the result using the Cert Manager (MMC snap-in) in each WS2008R2 VM environment and it worked just fine.
It turns out that the Cert Manager also does understand what a *.cert.pem file is, so I was able to import the Organization.cert.pem as well on both VMs.
Thanks
PS: Never read instructions about Windows config written by a Linux/Unix nut-job. This whole exercise of certificate management would've been easier if the person that wrote the test software manual (which I ported from Linux by the way...) didn't send me on a wild goose chase due to his lack of understanding of the capabilities of the Windows Server Environment... No need for OpenSSL.
<bleepzter/>
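The PEM-to-PKCS#12 conversion and store import described above, plus the per-port binding the question asked about, as added example code (not the poster's commands); openssl.exe on PATH, port 8443, the application GUID and the assumption that Organization.cert.pem is an issuer certificate are mine, not the page's.

```powershell
# Added example, not the poster's commands. Assumes openssl.exe is on PATH, the
# three files are in the current folder, and that port 8443 and the application
# GUID below are placeholders for your service.

# 1. Bundle the server certificate and its private key into one PKCS#12 file.
#    The .csr is NOT part of a PKCS#12: it was only the request that produced
#    AppName.cert.pem, so it is not needed here. openssl prompts for the key's
#    passphrase (the password the organization supplied) and for an export password.
& openssl pkcs12 -export -in AppName.cert.pem -inkey AppName.Key.pem -out AppName.pfx

# 2. Import into the computer store so a service running under a service
#    account can use the key, not only the interactive user who imported it.
$pw = Read-Host -AsSecureString 'PFX export password'
$cert = Import-PfxCertificate -FilePath .\AppName.pfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pw

# 3. Import-Certificate, like the MMC import the poster used, accepts base64 PEM.
#    Assumption: Organization.cert.pem is the issuer of the test tools'
#    certificates, so it belongs in Trusted Root rather than My.
Import-Certificate -FilePath .\Organization.cert.pem `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Per-port binding outside IIS: HTTP.sys services (WCF self-host, HttpListener)
#    take their TLS certificate from this table, keyed by IP:port. appid is any
#    GUID identifying the owning application.
$appId = '{00000000-0000-0000-0000-000000000001}'   # placeholder GUID
& netsh http add sslcert ipport=0.0.0.0:8443 certhash=$($cert.Thumbprint) appid=$appId
& netsh http show sslcert ipport=0.0.0.0:8443
```

Run elevated; `netsh http add sslcert` fails with an access error otherwise, and `netsh http show sslcert` is the quickest way to confirm which thumbprint a port is actually serving.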