Renew Expiring SB & WF Certs

My service bus & workflow certificates (AppServerGeneratedSBCA) are expiring in Feb.

I have created 2 self signed certs and followed steps from: Changing my Workflow Manager Farm Certificates to replace the expiring certs.

Now, when I run Get-WFOutboundCertificate, it outputs with:

The underlying connection was closed, could not establish trust relationship for the SSL/TLS secure channel.

Is this the correct method to renew these certs? Or, how can I renew AppServerGeneratedSBCA instead?

DOD PKI CA access outside of those specific certs?

I work for the government and mostly everyone installs the DOD PKI Certs on their private computers to be able to check email, admin stuff, etc.

I’m getting into networking, security, white hat hacking more and more and from my research, if I’m not mistaken, it sounds like if you install someone’s certs they have access to all data that passes through HTTPS.

I was always under the assumption that they could only access that data if you were accessing an application that they controlled (e.g. government email).

If the case is that they can still MITM attack everything once you’ve installed the certs then this makes me fairly uneasy. Can someone explain how this is possible? Thanks!

percentage of X.509 certs using rsaEncryption as signature algorithm

Quoting 2017_TLS_Telemetry_Report.pdf:

Not surprisingly, 2048-bit keys now protect 90% of the world’s TLS hosts. The use of 4096-bit keys have quadrupled, as a share of hosts, but we expect it to start shrinking again as Elliptic Curve Digital Signature Algorithm (ECDSA) gains favor.

That report was issued in 2017 however and I can find no newer report.

My question is… is there a more recent report that has more up-to-date stats?

Can I sign with two Code Signing certs to build reputation on the newer one?

I recently acquired a Microsoft Authenticode Code-signing certificate as a renewal of another one which will expire soon.

Obviously, the new certificate has no reputation attached to it, and will take some time and installs in order to be fully trusted.

My question is: If I sign an executable with both certificates, will the new one start building reputation?

I have already verified that the installer is trusted when it has both signatures.

Are self-signed certs safe for a developer to use in local debugging?

The computer I use for work at home is the same one I use for personal things (gaming, social media) and, of course, internet banking.

I’m a back-end developer and recently I started to work with Fiddler to intercept requests coming from mobile apps to debug an API… Exploring the tool, I saw that Fiddler has a configuration that uses some of these certs to decrypt the headers and body of a request and response.

I’d like to know if it’s safe to have these self-signed certs installed on the computer for use by some applications, like Fiddler or Postman for instance. Don’t they open security breaches?

openssl: Allow usage of insecure client certs

I have an application which has been distributed looooong ago. That application offers an HTTPS interface to clients with client certificate authentication. By the time the application was released, providing 1024-bit key length certificates was probably OK. Although we always advised customers to update the default cert with their own PKI, most of them are just using the default one, so I have thousands of instances running like this. Now I need to write a client (in Python) to query that application. This client will run on more modern Linux distros where libs and client apps are compiled against OpenSSL 1.1.1a. As a result I always get the error below when trying to access the HTTPS interface using the weak default client cert: OpenSSL error:

140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small 

Running the same code on older distros (with older OpenSSL) or using an application compiled against GnuTLS works OK.

A few questions:

  • Am I right in thinking this is a limitation introduced for security reasons in OpenSSL?
  • If so, when was it introduced?
  • Is there a way to disable this check? (preferably without recompiling client libs)

IIS10 de-evolved for SSL CA Certs all appear as Issued to: localhost

I recently added a fourth SSL “COMODO RSA” cert to my IIS10 Server 2016.

This is a dev server so we have one IP address and use host headers for a variety of domains in IIS.

If I inspect the bindings, they are tied to the correct certificate and the checkbox for “Require Server Name Indication” is on.

When the site is accessed, the browser shows an SSL warning, and if I inspect the cert it says “Issued to: localhost”.

I used mmc to look at the server's Local Computer \ Personal \ Certificates and they are there. I have restarted IIS, restarted the server, reissued the cert, and the issue persists.

What else can I check?

How to run multiple Node.js sites (apps/servers) with separate SSL certs, on a single IP address?

The desired scenario is as the title suggests: Multiple Node.js servers/apps/websites, on separate domains, each with own SSL certificate, on a single server with a single IP address. So far I have tried:

A proxy catching all incoming requests and forwarding them to respective apps/servers, on separate, non-443 ports: Does not work, since the proxy server can only run on a single SSL certificate, which will throw an error for all but one of the domains.

Apps running on different ports and DNS pointing at these ports: Does not work, since an HTTPS connection, will always go to port 443. The SRV DNS record can’t change this, for ports 443 and 80.

Using a single SSL cert issued for an IP address: Is somehow possible, but after doing some research on this, it is not such a good idea.

Servers responding to specific hostnames: httpsServer.listen(443,'') throws Error: listen EADDRNOTAVAIL 123.456.789.000:443. This is where I expected the server to ignore all requests but those where hostname is the But still, you can’t run multiple servers on a single port.

So back to square one: what I need is a proxy, which establishes a connection with an SSL certificate for the specific requested hostname, and forwards the request to an app/server running on a unique port. How?
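
One way to build the kind of proxy this question describes, as an added example that is not part of the original post: Node's `SNICallback` option picks a certificate per requested hostname during the TLS handshake, so a single listener can serve several domains. The hostnames, file paths, backend ports and the helper names `siteFor`, `sniCallback`, `forward` and `startProxy` are assumptions.

```javascript
const fs = require('fs');
const tls = require('tls');
const http = require('http');
const https = require('https');

// Constructed sample table: hostnames, file paths and ports are placeholders.
const SITES = {
  'app-one.example': { key: '/etc/tls/app-one.key', cert: '/etc/tls/app-one.crt', port: 3001 },
  'app-two.example': { key: '/etc/tls/app-two.key', cert: '/etc/tls/app-two.crt', port: 3002 },
};

// Map an SNI name or Host header to a site; unknown names get null, never a default.
function siteFor(name) {
  if (typeof name !== 'string') return null;
  const host = name.toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
  return Object.prototype.hasOwnProperty.call(SITES, host) ? SITES[host] : null;
}

// Called during the TLS handshake with the hostname from the ClientHello.
const contexts = new Map();
function sniCallback(servername, cb) {
  const site = siteFor(servername);
  if (!site) return cb(new Error('no certificate for ' + servername));
  try {
    if (!contexts.has(site)) {
      contexts.set(site, tls.createSecureContext({
        key: fs.readFileSync(site.key), cert: fs.readFileSync(site.cert) }));
    }
    cb(null, contexts.get(site));
  } catch (err) { cb(err); }
}

// Forward the decrypted request to the app that owns the hostname.
function forward(req, res) {
  const site = siteFor(req.headers.host);
  // Host must match the name the certificate was selected for (421 Misdirected Request).
  if (!site || site !== siteFor(req.socket.servername)) { res.writeHead(421); return res.end(); }
  const upstream = http.request({ host: '127.0.0.1', port: site.port, method: req.method,
    path: req.url, headers: req.headers }, (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); });
  upstream.on('error', () => { res.writeHead(502); res.end(); });
  req.pipe(upstream);
}

// One listener on 443 for every domain; call startProxy() to run it.
function startProxy(port = 443) {
  return https.createServer({ SNICallback: sniCallback }, forward).listen(port);
}
```

Binding the backends to 127.0.0.1 keeps the plain-HTTP hop off the network, and rejecting unknown SNI names means no certificate is ever served as a fallback for a domain it was not issued for.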