Swisscom Cloud SSL certificate - swisscomdev

We're rolling out some simple static web sites onto the Swisscom CloudFoundry cloud, and want to enable SSL for the sites.
Our product manager is not happy with the scapp.io or applicationweb.io names, and we want to be able to add SSL certificates for our domain, e.g "www.swisscom.io".
How do achieve this, given the fact that we're users and not administrators and don't have access to the "Operations Manager" tool? This question is specifically about the Certificate: The setting up of the domain and DNS is clear.

SSL certificates from Let’s Encrypt are now available on the Swisscom Application Cloud: SSL Secure Routes

The cloud guys can probably help you out more here, but one option would be to use: https://www.cloudflare.com/
I was able to use the cloudflare SSL certificate to secure the traffic to and from my application without having to upload a certificate or use the "Operations Manager" tool.
Cheers,
Allan.

I'm currently using an existing VM on https://www.digitalocean.com to serve as a reverse proxy (see https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension#enabling-ssl-reverse-proxy-support, e.g.). It works, but it's not very elegant.

Related

SSL application load balancer on AWS WITHOUT a custom domain

Is it possible to give a application load balancer on AWS a SSL certificate, allowing allowing only HTTPS connections, if I don't want to use a custom domain?
Currently developing some internal dashboard applications, so have no need/want for a domain name attached to them.
I can only dig up info and tutorials of creating to a certificate in Cloudformation, when wanting to add a domain forwarding to the LB.
The SSL certificate has to have a valid DNS name associated with it in order to work. You need to request a certificate via ACM and then attach that to the ELB. You can configure the ELB to only have an HTTPS listener to force secure communication.
Probably not.
It's not generally kosher to issue an SSL certificate to an IP address, and since all *.compute.amazonaws.com style DNS names are floating and could be reassigned at any moment, they damn well won't issue one for them either. (Same stands for Let's Encrypt, by the way: you have to have a DNS name not issued by a provider.)
Just give your internal service a DNS name, be it something like mydashboard.internal.mycompany.com or whatever; it'll be easier to access, too.

Automatic generation and renewal of Let's Encrypt certificates on Google HTTPS Load Balancer

I am using Google Kubernetes Engine and have the Google HTTPS Load Balancer as my ingress.
Right now the load balancer uses Let's Encrypt certificates. However, is there a simple way to ensure that the certificates are automatically renewed prior to their 90 day expiry?
You can now use "Google-managed SSL certificates" which is currently in beta: https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs
You have not specified how you configured Let's Encrypt for your load balancer. Right now Google does not offer this for you, so I assume you mean you set the Let's Encrypt certificate yourself. In this case, Google can't renew your certificate.
Until there's an official support you can install a third-party add-on like cert-manager to automate certificate configuration and renewal. There's a GKE tutorial for doing this at https://github.com/ahmetb/gke-letsencrypt.

SSL certificate for WebAPI

We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.

Installing Wildcard SSL Certificate on Azure VM

I'm developing an application on Azure VM and would like to secure it by using the wildcard SSL certificate that I'm already using with my main domain. The SSL cert works with any *.mydomain.com and the application on Azure VM is accessible through myapplication.cloudapp.net
Based on the research that I've done, CNAME should be the best option to do that (I can't use A record since we need to shutdown the VMs every week and turn them back on the next week and will lose the ip addresses).
My two questions are:
How can I have myapplication.cloudapp.net be shown as subdomain.mydomain.com?
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?
How can I have myapplication.cloudapp.net be shown as
subdomain.mydomain.com?
Yes - this is just the CNAME forwarding and ensuring that the appropriate SSL certificate is installed on the server.
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?
Well as you're already exposing the Application through the VM - this should happen seemlessly.
Just a word of caution, you mention that you're using the certificate on the main domain, but haven't mentioned where you're using this. Be aware that, out-of-the-box, you can only assign one SSL per HTTPS endpoint. You can enable multiple SSL certificates on an Endpoint for Azure / IIS using Server Name Identification and can be enabled directly or automatically. If you do take this route, remember to configure your SNI bindings first, then apply the default binding - it kinda screws up otherwise.

SSL Cert on Seperate Email Server and Web Hosting Server?

I am working with a client who needs SSL on their Email and Web Site.
We have their site hosted on a Rackspace Cloud Site (Wordpress so Apache and all that jazz).
From what I can tell their Email is on an ISS server of their own.
They want to apply this SSL Cert they bought through GoDaddy and apply it to this email server and to the site on our hosting server. Now I am only a Web Developer with enough server knowledge to get sites launched and running, But I don't think you can apply the same SSL Cert on two different types of servers.
What would the solution be for this?
Would you purchase a second ssl? Is that even possible?
Sorry if this is a all completely wrong I am trying to use my limited knowledge of SSL to describe the situation.
I'm pretty sure you can use the same certificate if it's going on two servers as long as they are both using the same domain. You don't need to purchase a second ssl. The tricky part might be if the two servers require different certificate file formats.
Also, just do the CSR part on ONE of the servers (use the one you trust the most). On the other server just install the certificate bypassing the CSR part.