I have a Windows Server 2012 machine that is being used as a certificate authority (using SCEP).
What is the default message digest algorithm?
Is it possible to configure it to use a different one?
I've been looking in the documentation, but failed to find any way to do so.
Thanks
I was able to find how to do this.
You need to edit the registry and change the entry under:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\\CSP\HashAlgorithm
to the algorithms you wish to use.
I am trying to connect via SSL to a PostgreSQL using FireDac in Delphi. I have followed the instructions at the following site:
https://www.howtoforge.com/postgresql-ssl-certificates
I have created all the certificates. Configured the postgresql.conf as specified so it points to the required files. Copied the specified files to the client machine and installed the root.crt certificate.
Via FireDAC's connection params I have specified the following:
Params.values['SSL_ca']:=sslCertsPath+'root.crt';
Params.values['SSL_cert']:=sslCertsPath+'postgresql.crt.';
Params.values['SSL_key']:=sslCertsPath+'postgresql.key';
I am getting a connection error re invalid client certificate. I am not sure which certificate it is referring to and why it is invalid. Am I specifying the correct client certificates by way of the connection's params? If so, any suggestions as to why I may be getting the error please?
OpenSSL verify against the root.crt and postgresql.crt confirms the certificate is ok.
After over 3 weeks of frustration trying to set up PostgreSQL with SSL using FireDAC, I have finally figured out what the problem is and what the solution is.
For anyone wishing to connect using FireDAC, the howtoforge guide (see link in original post) works fine.
However, do not use the FireDAC parameters in my original post. PostgreSQL does not use them. You need to use the PGAdvanced parameter.
But even after figuring this out, I still could not get it to work for weeks until, after testing, I got an error message which finally made it clear what I was doing wrong. On Windows, PostgreSQL strips out path delimiters unless you escape them (this is not mentioned in the PostgreSQL or FireDAC help files as far as I can see).
Below is an example of the correct way to connect using FireDAC parameters for SSL:
Params.values['PGAdvanced']:='sslmode=verify-ca sslrootcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\root.crt sslcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.crt sslkey=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.key';
If you don't wish to use a root certificate set sslmode to require.
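Why the single backslashes disappear, as an added example that is not part of the original answer: a minimal Python re-implementation of libpq's keyword=value connection-string rules, in which a backslash escapes the next character. The function names are hypothetical and the input strings are constructed from the paths in the answer.

```python
def parse_conninfo(conninfo):
    """Parse 'key=value key2=value2' using libpq's documented quoting rules."""
    params, i, n = {}, 0, len(conninfo)
    while i < n:
        if conninfo[i].isspace():
            i += 1
            continue
        eq = conninfo.index("=", i)  # raises ValueError when '=' is missing
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        quoted = i < n and conninfo[i] == "'"
        if quoted:
            i += 1
        value = []
        while i < n:
            ch = conninfo[i]
            if ch == "\\":  # backslash is consumed, next char is kept as-is
                if i + 1 < n:
                    value.append(conninfo[i + 1])
                i += 2
            elif quoted and ch == "'":  # closing quote ends the value
                i += 1
                break
            elif not quoted and ch.isspace():  # unquoted value ends at space
                break
            else:
                value.append(ch)
                i += 1
        params[key] = "".join(value)
    return params


def conninfo_value(value):
    """Quote a value so it survives parsing: escape backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_conninfo(**params):
    """Build a connection string whose values round-trip through the parser."""
    return " ".join(f"{k}={conninfo_value(v)}" for k, v in params.items())
```

Quoting the value as well as doubling the backslashes also covers paths that contain spaces, such as a directory under C:\Program Files.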
I've been trying to figure out how to do this much of this afternoon, so it's very possible I'm missing something simple.
I need to create a self-signed certificate on Windows Server 2012 R2 that is SHA256, 2048 bit, and doesn't expire for four years.
From my searching I see that PowerShell (PS) is the way to go, and see a reasonable number of examples - none of which have everything I need.
For example I tried searching for the PS command New-SelfSignedCertificate and adding the "-NotAfter" option, but I get the error message "A parameter cannot be found that matches parameter name 'NotAfter'."
Even though I see "[-NotAfter]" here: https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate (and that article has a March 2017 update)
I've tried a couple PS scripts people wrote, those seem to work with a 1+ year date, but they all don't work with one of the above criteria and, in any event, don't show up in IIS 8.5 for me to bind them to a site (I'm creating on the server).
$psversiontable on the server gives "PSVersion" = 5.0.10586.117
Thanks in advance for the help!
New-SelfSignedCertificate (PKIClient module) cmdlet with advanced parameters is available starting from Windows Server 2016. The article you've mentioned applies to Server 2016 only.
In Windows 2012/2012 R2 you only have this thing: New-SelfSignedCertificate (PKI module). It is useless.
You can try to use CertReq utility instead, but it is not automation-friendly.
I tried to find scripts for creating Queues and Topics but could not find any PowerShell ones. We had to skip WAP to handle it through the portal because WAP returns an SSL/TLS error when creating a namespace; it does not like the certificate we have for this customer.
Anyone have any made or know where to find scripts for this?
Thank you in advance,
Jacob
We have decided to use the custom certificates and solve it in another way.
We will use Windows Azure Pack Portals to handle the Queues and Topics, so this matter is resolved.
I'm using lighty on an embedded device where power-users are allowed to manipulate the system configuration using a web interface. The users can upload a PEM file containing valid private key and certificate information.
Now I wonder how to avoid lighty failing to start if the file is corrupt. One idea is to check the file before installing it, but it seems that there is no easy solution.
My other idea is to configure lighty in a way that it will recognize the file is invalid (it does in fact) but it should not terminate. Instead it should run without SSL features, so HTTP only.
Is there a way to configure lighty for that? Or is there a better solution?
This should provide just enough check options for your need:
openssl verify --help
You could use a Perl script to comment out any SSL-related config block if the cert check fails, but that is beyond this question.
Of course you need to edit the init/service script which starts lighttpd/lighttpd.service
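One way to do the "check the file before installing it" step from the question, as an added example that is not part of the original posts: the upload is loaded with Python's ssl module and only swapped into place when the certificate and key parse and match. It assumes Python is available to the web interface's backend, that the key is unencrypted, and that lighttpd reads a single combined PEM; the function names and paths are hypothetical.

```python
import os
import shutil
import ssl
import tempfile


def check_pem(path):
    """Return (ok, reason). ok is True only if OpenSSL can load a certificate
    and the private key matching it from the single PEM file at `path`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Parses the certificate and the key and checks that they belong
        # together. Assumes an unencrypted key.
        ctx.load_cert_chain(certfile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)
    return True, ""


def install_pem(upload_path, live_path):
    """Replace live_path with the upload only if the upload passes check_pem.
    A rejected upload leaves the file lighttpd reads untouched."""
    ok, reason = check_pem(upload_path)
    if not ok:
        return False, reason
    live_dir = os.path.dirname(os.path.abspath(live_path))
    fd, tmp = tempfile.mkstemp(dir=live_dir)  # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as dst, open(upload_path, "rb") as src:
            shutil.copyfileobj(src, dst)
        os.replace(tmp, live_path)  # atomic swap on the same filesystem
    except OSError as exc:
        if os.path.exists(tmp):
            os.unlink(tmp)
        return False, str(exc)
    return True, ""
```

This check does not look at expiry dates or the trust chain; openssl verify covers the chain.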
Is it possible to read a certificate out from the registry without booting Windows, if you know the login credentials and computer name?
I have written a little tool which automates copying of data from standard Windows user folders like My Documents.
This tool is then part of a live Linux distro which we use to copy users' data when we are making the transition from the previous IT to ours. The only problem is that we can't get certificates this way and I'd like to solve this, if it's possible.
This program can read from the Windows registry Hives under Linux: http://pogostick.net/~pnh/ntpasswd/ .
I don't know where the certificates are stored or in what format, but they're in the registry somewhere. Check MSDN for information or do a registry diff before and after storing a cert.
Betcha they're DER-encoded binary keys.