Batch script importing certificate for all users - import

The below command adds a certificate to trusted root:
certutil.exe -addstore -f "root" "wienticket.cer"
But this seems to add the certificate only for the current user. What changes do I need to make to install it for all users?

Related

Self sign certificate bigbluebutton

I have a local server without any domain or public IP. I'm going to set up a self-signed SSL certificate for BigBlueButton. How can I do it on my local server?
Without host and domain names, self-signed certificates will be the only option, which means they will not be valid SSL certificates. I don't know BigBlueButton, but its documentation doesn't recommend this setup for production environments. Not every browser will accept it either.
However, if you want to give it a try, you can generate self-signed SSL certs on Linux using this command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt
These options will create both a key file and a certificate. You will be asked a few questions about the server in order to embed the information correctly in the certificate.
And then you can try to adapt the instructions here.
I was setting up a BBB environment recently.
A self-signed certificate is no good. To get it working I had to:
Use a real server setup (with Let's Encrypt) and a real domain to get real certificates
copy the certificates to my local development setup (and update nginx config of course)
set up /etc/hosts locally
Use a real SSL certificate. I had to:
Install BBB. Use the IP instead of the hostname. See
https://docs.bigbluebutton.org/2.2/install.html#configure-nginx-to-use-https
Example:
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v bionic-230 -s 10.211.55.9 -e me@example.com -a -w
Configure nginx to use HTTPS for your real domain (the order of certificates is very important). See
https://docs.bigbluebutton.org/2.2/install.html#configure-nginx-to-use-https
Add the IP and your domain to the hosts file. Example:
10.211.55.9 example.com
Use this command to change the domain:
bbb-conf --setip example.com

Add PFX to strong name CSP on VSTS

I have created a VSTO add-in project, which is signed using a password-protected PFX certificate, and added the project to VSTS.
Now while building I get an error that it failed to import the certificate. To fix that I need to import the PFX certificate, so as suggested in different SO posts and by Microsoft support, I am trying to import the certificate using the sn tool as follows.
I created a .cmd (bat) file which has the following commands:
C:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\
sn -i "%1\Sixmod5PFX\Sixmod5Certificate.pfx" VS_KEY_BD774ABB8BB29878
and added a Run batch script task to the build definition before the MSBuild step.
But as we know, when we run this command on a local machine, it prompts for a password which the user can enter.
The same thing happens on VSTS and it fails, as it doesn't get the password.
Is there any way to solve this?
You need to set up a private build agent (e.g. Deploy an agent on Windows), then install the PFX certificate manually on that agent machine (as when you run the command on a local machine and specify the password in the prompt window).

psql Client Certificate Chain

I'm trying to set up a PostgreSQL db server with ssl. Or more specifically, I've successfully set up the server and ssl is working... as long as there are no intermediate certificates. It's not working if there is an intermediate cert.
Background / Setup:
I have a root CA.cert.
I used the CA to sign an intermediate.csr and create an intermediate.cert.
I used the intermediate.cert to sign a postgres.csr and create a postgres.cert.
The CA.cert, postgres.key and postgres.cert have been installed on the server.
The CA.cert has been set as a trusted certificate.
postgresql.conf has been modified to point to the above files.
I used the intermediate.cert to sign a client_0.csr and create a client_0.cert.
I used the CA.cert to sign a client_1.csr and create a client_1.cert.
I create a client chain.cert: cat client_0.cert intermediate.cert > chain.cert
Proper extensions have been used, both client certs have their common name set to the (username) of the db being connected to.
Fun, aka The Problem.
psql "sslmode=require hostname=(host) db=(db) sslcert=client_1.cert sslkey=client_1.key" -U (username): Great success!
psql "sslmode=require hostname=(host) db=(db) sslcert=client_0.cert sslkey=client_0.key" -U (username): alert unknown ca. This is expected, client_0.cert is not signed by CA.cert.
psql "sslmode=require hostname=(host) db=(db) sslcert=chain.cert sslkey=client_0.key" -U (username): alert unknown ca. Uh oh.
Confusion
Documentation for connecting to a postgresql instance with ssl enabled and intermediate certificates present:
In some cases, the client certificate might be signed by an
"intermediate" certificate authority, rather than one that is directly
trusted by the server. To use such a certificate, append the
certificate of the signing authority to the postgresql.crt file, then
its parent authority's certificate, and so on up to a certificate
authority, "root" or "intermediate", that is trusted by the server,
i.e. signed by a certificate in the server's root.crt file.
https://www.postgresql.org/docs/9.6/static/libpq-ssl.html
I have also tried cat-ing the full chain, client inter ca > chain, nothing doing.
Question
What have I done wrong here?
Thank you,
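
The chain layout from the question, rebuilt with throwaway certificates and checked offline with openssl verify, as an added example that is not part of the original post. The CNs, file names and the build_demo_pki / verify_client_chain helpers are assumptions made for illustration; the check shows whether a leaf-first chain file reaches the root before psql is involved.

```shell
# Added example; the CNs and file names are constructed for illustration.
# Build a throwaway root -> intermediate -> client_0 PKI in directory $1.
build_demo_pki() (
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
    -extensions v3_ca -subj "/CN=Constructed Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  # Intermediate CSR, signed by the root with CA:TRUE so it may issue certs.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null || exit 1
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 2 -extfile pki.cnf -extensions v3_ca \
    -out intermediate.crt 2>/dev/null || exit 1
  # client_0 is issued by the intermediate, as in the question.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=dbuser" -keyout client_0.key -out client_0.csr 2>/dev/null || exit 1
  openssl x509 -req -in client_0.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -days 2 -extfile pki.cnf \
    -extensions v3_client -out client_0.crt 2>/dev/null || exit 1
  # Leaf first, then its issuer: the order the quoted documentation gives.
  cat client_0.crt intermediate.crt > chain.crt
)

# $1 = trusted root, $2 = client PEM (leaf first). openssl verify checks only
# the first certificate in $2; -untrusted offers the rest as chain links.
verify_client_chain() {
  openssl verify -purpose sslclient -CAfile "$1" -untrusted "$2" "$2" \
    >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir" || exit 1
for f in client_0.crt chain.crt; do
  if verify_client_chain "$demo_dir/ca.crt" "$demo_dir/$f"
  then echo "$f: verifies against ca.crt"
  else echo "$f: no path to ca.crt"
  fi
done
```

Run against real files, the same openssl verify call without the output redirection names the certificate at which the path breaks.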

Why do I need to run `ssh-add` in my Powershell profile?

In my Microsoft.PowerShell_profile.ps1 document, I've had to add ssh-add ~/.ssh/github_rsa following the poshgit examples in order for it to connect to my GitHub repos.
# Load posh-git example profile
. 'C:\tools\poshgit\dahlbyk-posh-git-8aecd99\profile.example.ps1'
ssh-add ~/.ssh/github_rsa
If I don't have that in my profile, GitHub gives me permissions errors when I try to connect.
If I do it manually, it will work for the entire duration of my desktop session, but as soon as I reboot my computer, I need to re-run the command.
Why don't poshgit and ssh-add remember the rsa that I've added? It seems wrong to have to re-add it every time.
It's because your rsa key is not the default name ( id_rsa ), so you either need to use ssh-add (which adds it to a running service that remembers the key decrypted with your passphrase) or just add an entry into your ~\.ssh\config.
~\.ssh\config (create or edit):
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_rsa
Or, if GitHub is the only thing you use ssh keys for, just rename the key to id_rsa and then git (well, ssh.exe) will find it for you automatically AND poshgit will ssh-add it for you (to handle passphrases).

Silently import a Certificate into a specific Certificate Store

I am attempting to import a Certificate into the Current User -> Personal store using the command line: "importpfx -f [certificate name.p12] -p [password] -t USER -s Personal".
It works, but for reasons I don't understand there are now two Personal stores under the Current User, and the imported certificate is in the new Personal store.
When I try to connect to the website of [a well-known money transfer service], it fails. However, if I manually import the certificate using MMC into the original Personal store, it works.
My question is: How can I force IMPORTPFX to import the certificate into the original Personal store, and how can I delete the new Personal store?
Context:
I need to do a silent import of certificates on 3000+ remote point-of-sale Windows XP devices, so it needs to be a silent install via PSEXEC (SysInternals).
Thank you. Pieter.
“Personal” is just a friendly name of the certificate store, which is internally identified as My. You need to use
importpfx -f [certificate name.p12] -p [password] -t USER -s My