Creating a PFX File for Wildcard SSL Certificate

I am trying to install a Wildcard SSL Certificate in IIS on Windows Server. It only accepts the .pfx file format for importing & installing an SSL certificate for hosted applications. I got the .csr file from CA as it was a wildcard cert.

I downloaded and installed OpenSSL for Windows (Latest version).

I placed the .crt file & .key file into C:\Program Files\OpenSSL-Win64\bin.

Then I ran this command to generate a random file:

set RANDFILE=C:\Program Files\OpenSSL-Win64\bin\<RANDOMFILENAME>.rnd 

Then I ran this command to give a path of config file:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg 

Finally, I ran this command

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt 

The result of this was:

unable to load private key 140406554043456:error:0909006C:PEM routines: get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY 

I want to know if I’m making any mistake in the steps that I followed. I also want to know the reason of this error. I have the copy of private key & .crt file

Following are some more inputs which will make my question more specific.

  1. I have the copy of generated-private-key.key file & .crt file. I changed the file names before executing the OpenSSL command. I even created the random file & config file.

  2. The SSL certificate that I got from CA is a wildcard certificate, which I used to install on multiple subdomains of a customer. It was successful. Now while creating the .pfx file once again, I’m facing this problem.

  3. A .pfx file should be created only on the server which was used to create .csr file. In our case, we got the .csr file from CA as it was a wildcard certificate.

(Thanks in advance. Any help is appreciated)

Creating a PFX File for Wildcard SSL Certificate

I am trying to install a Wildcard SSL Certificate in IIS on Windows Server. It only accepts the .pfx file format for importing & installing an SSL certificate for hosted applications. I got the .csr file from CA as it was a wildcard cert.

I downloaded and installed OpenSSL for Windows (Latest version).

I placed the .crt file & .key file into C:\Program Files\OpenSSL-Win64\bin.

Then I ran this command to generate a random file:

set RANDFILE=C:\Program Files\OpenSSL-Win64\bin\<RANDOMFILENAME>.rnd 

Then I ran this command to give a path of config file:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg 

Finally, I ran this command

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt 

The result of this was:

unable to load private key 140406554043456:error:0909006C:PEM routines: get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY 

I want to know if I’m making any mistake in the steps that I followed. I also want to know the reason of this error. I have the copy of private key & .crt file

Following are some more inputs which will make my question more specific.

  1. I have the copy of generated-private-key.key file & .crt file. I changed the file names before executing the OpenSSL command. I even created the random file & config file.

  2. The SSL certificate that I got from CA is a wildcard certificate, which I used to install on multiple subdomains of a customer. It was successful. Now while creating the .pfx file once again, I’m facing this problem.

  3. A .pfx file should be created only on the server which was used to create .csr file. In our case, we got the .csr file from CA as it was a wildcard certificate.

(Thanks in advance. Any help is appreciated)

Wildcard Query for SharePoint Rest API

I tried using this example as search parameter “Share*” but the result return nothing.

            KeywordQuery keywordQuery = new KeywordQuery(clientContext);              keywordQuery.QueryText = SearchParameter;              keywordQuery.EnablePhonetic = true;                keywordQuery.EnableOrderingHitHighlightedProperty = true;             //keywordQuery.SummaryLength = 500;               SearchExecutor searchExecutor = new SearchExecutor(clientContext);              ClientResult<ResultTableCollection> results = searchExecutor.ExecuteQuery(keywordQuery);              clientContext.ExecuteQuery(); 

Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization

I’m looking at the following setup. A web application uses a REST API to communicate with the server. All API responses include Origin: *. For authorization Authorization: Bearer <token> is used. Access-Control-Allow-Headers: Authorization is also included for appropriate preflight requests.

As Origin: * is configured, modern browsers will not send authorization data, such as the bearer token.

This makes it impossible to use API requests across domains, which require authorization (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials).

I’m struggling to justify, why this should be considered a vulnerability. It is bad practice to allow any origin. It could lead to data leakage, but not in this scenario.

Could this be exploited in another way, I’m not seeing right now, or is this in fact just bad practice and does not pose an actual threat?

wildcard dns not working properly

I initially added a wildcard subdomain as below on my cpanel account and it works fine (all level of subdomain works):

  1. *.example.com

but when I add following second wildcard subdomain to explicitly install ssl for that:

  1. *.co.uk.example.com

any domain ending with .uk.example.com no longer work (e.g. uk.example.com or test.net.uk.example.com … etc)

is there anything wrong with dns server bind or is this by design?

Haproxy Wildcard regex in ACL

Is it possible to have custom acl like *.test.com where it will work for :

test.com test.test.com test.test.test.com? 

I read the documentation and a serverfault thread but none helped. Any help will be appreciated.

P.S there was also another thread in serverfault but for me it wasn’t working. tested it. I am pretty sure now that i need regex to validate the request.

Any drawbacks to AWS certificate manager wildcard certificates?

Let’s say I’m using AWS Certificate Manager to get a certificate for example.com for use with AWS CloudFront. I can specify an alternate domain of www.example.com and point it to another CloudFront distribution in my DNS.

But AWS Certificate Manager also allows me to specify a wildcard *.example.com as an alternate domain, which would allow me in the future to set my DNS to route blog.example.com to yet another CloudFront distribution if I decided I needed that.

Is there any downside to adding a wildcard domain such as *.example.com to the AWS Certificate Manager? Does it cost more? Does it make my configuration inflexible in some way? Why wouldn’t I want to always specify a wildcard *.example.com as an alternate domain, as this gives me flexibility to add a subdomain in the future whenever I want to?

Is there a way to signify a wildcard placeholder when recording a workflow with Automator?

I have a task that is very repetitive, with only a few minor caveats. Usually, the caveat is as simple as a name change, but the task jumps between Finder, Xcode, and uploading files via a storage service.

I can record and automate the creation of the task, but only with a particular name. It would be great if I could simply input what the wildcards would be while recording, and then receiving an input dialog at the start of the workflow asking me to fill in the names for this particular run. Is there any way to do this?

Event ID 15021 HttpEvent on a wildcard SSL certificate but only get the error on a couple sites

I have IIS running on Windows Server 2012 R2. I have a wildcard SSL certificate on 14 subdomains. I’m seeing a lot of errors in the Event Viewer.

Event ID: 15021 Source: HttpEvent

An error occurred while using SSL configuration for endpoint my.domain.com:443. The error status code is contained within the returned data.

However, I’m only getting this error on 2 of the sites, the other 12 are not logging this error. The 2 sites creating this error load up fine in a web browser. I’ve checked the binding in IIS and they both have the wildcard SSL selected.

If there is a certificate problem, I would expect this error coming from all 14 sites, not just 2 of them.

Though those 2 sites load fine in a browser, I’m not comfortable seeing thousands of these errors on our two biggest sites.

Installing a commercial wildcard SSL cert on Nginx

I’m trying to install a Godaddy wildcard SSL certificate on AWS Lightsail (Ubuntu/Nginx). The nginx.conf is mainly the default one that gets installed with nginx…

user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf;  events {      worker_connections 768; }  http {      server {              listen              80;              listen              443 ssl;              ssl                 on;              server_name         sub.domain.com;              ssl_certificate     /etc/ssl/ssl-bundle.crt;              ssl_certificate_key /etc/ssl/privatekey.key;              root                /var/www/html;               ##              # SSL Settings              ##              ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE              ssl_prefer_server_ciphers on;      }       ##      # Basic Settings      ##      sendfile on;      tcp_nopush on;      tcp_nodelay on;      keepalive_timeout 65;      types_hash_max_size 2048;      # server_tokens off;       # server_names_hash_bucket_size 64;      # server_name_in_redirect off;        include /etc/nginx/mime.types;       default_type application/octet-stream;        ##       # Logging Settings       ##       access_log /var/log/nginx/access.log;       error_log /var/log/nginx/error.log debug;        ##       # Gzip Settings       ##       gzip on;       # gzip_vary on;       # gzip_proxied any;       # gzip_comp_level 6;       # gzip_buffers 16 8k;       # gzip_http_version 1.1;       # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;        ##       # Virtual Host Configs       ##       include /etc/nginx/conf.d/*.conf;       include /etc/nginx/sites-enabled/*; } 

I did a sudo nginx -t and everything looked good so I restarted nginx. In a browser I get “This site can’t be reached”. When I do a curl it hangs. I’ve turned debug on for the error.log, so now I get an error like this…

2019/03/30 22:08:13 [debug] 11579#11579: accept on 0.0.0.0:80, ready: 0 2019/03/30 22:08:13 [debug] 11579#11579: posix_memalign: 0000557BF61CDE90:512 @16 2019/03/30 22:08:13 [debug] 11579#11579: *2 accept: 212.105.165.121:55888 fd:3 2019/03/30 22:08:13 [debug] 11579#11579: *2 event timer add: 3: 60000:1079834032 2019/03/30 22:08:13 [debug] 11579#11579: *2 reusable connection: 1 2019/03/30 22:08:13 [debug] 11579#11579: *2 epoll add event: fd:3 op:1 ev:80002001 2019/03/30 22:08:26 [debug] 11579#11579: *2 http wait request handler 2019/03/30 22:08:26 [debug] 11579#11579: *2 malloc: 0000557BF61CE8A0:1024 2019/03/30 22:08:26 [debug] 11579#11579: *2 recv: eof:1, avail:1 2019/03/30 22:08:26 [debug] 11579#11579: *2 recv: fd:3 0 of 1024 2019/03/30 22:08:26 [info] 11579#11579: *2 client closed connection while waiting for request, client: 212.105.165.121, server: 0.0.0.0:80 2019/03/30 22:08:26 [debug] 11579#11579: *2 close http connection: 3 2019/03/30 22:08:26 [debug] 11579#11579: *2 event timer del: 3: 1079834032 2019/03/30 22:08:26 [debug] 11579#11579: *2 reusable connection: 0 2019/03/30 22:08:26 [debug] 11579#11579: *2 free: 0000557BF61CE8A0 2019/03/30 22:08:26 [debug] 11579#11579: *2 free: 0000557BF61CDE90, unused: 120 

Any ideas why this isn’t working?