
HTTPS & SSL THIRD PARTY CERTIFICATES TUTORIAL

TERMINAL SERVICE PLUS HTTPS & SSL FEATURES

The Web Server included with Terminal Service Plus supports the HTTPS protocol and SSL encryption with either a self-signed certificate or a certificate delivered by a Certificate Authority (CA). The HTTPS protocol encrypts the communication between the client and the server.

The certificate, generated from a 2048-bit RSA key, includes the encryption key and certifies the Server or the Domain Name to which the user connects.

The user is informed that the communication is encrypted and that the Server or Domain name is certified by a Certification Authority. This information appears in the address bar of the browser as a green padlock.

In this tutorial, we will learn how to install a certificate in the Terminal Service Plus Web Server, providing users the security of HTTPS, 2048-bit SSL encryption and Domain name certification.

In order to receive an SSL Certificate, we recommend you purchase it from a trusted vendor such as GoDaddy or DigiCert. Please follow this procedure to order and install your SSL certificate on the TSplus Gateway / Server.

TUTORIAL CONTENT

  1. Certificates and Certification process
     1. Certification Process
     2. The Certificates
     3. Certificates Properties
     4. Important notice about the Key Pair (Private Key)
  2. How to do a CA Request and Get a Certificate
     1. Reminder – Certification process
     2. How to generate a CSR (Certificate Signing Request)
     3. How to get a SSL Cert
     4. How do I generate what I need for TSplus?
  3. Troubleshooting
     1. I received only one file (.crt or .cer) which contains the MyDomainName.com Certificate
     2. My private key is .pem. I cannot import my private key in Portecle
     3. HTTPS errors
     4. Notice concerning Terminal Service Plus and Microsoft IIS web server

CERTIFICATES AND CERTIFICATION PROCESS

1. CERTIFICATION PROCESS

The certificates are delivered by Certificate Authorities (CA). The process has 3 steps.

  • a) The generation of a Key Pair or Private Key in standard RSA 2048 bits. This key will be used to generate a CA Request based on it.
  • b) The generated CA Request is transmitted to the CA. It contains all the information the provider needs to deliver a certificate (Country Name as a 2-letter code, State or Province Full Name, Locality Name, Organization Name e.g. Company, Organization Unit Name e.g. Section, valid email address and Common Name (CN) e.g. MyDomainName.com).
  • c) The Certificate Authority verifies the information you transmitted and returns the certificate. It contains your certificate certifying your Domain name, and possibly also intermediate certificates that are required to validate your certificate. The certificate also contains the CA Reply (the validated Private Key). Once you have the certificate, the CA reply, its key pair (private key), and the intermediate certificates, they must be imported into the keystore handled by Terminal Service Plus.

2. THE CERTIFICATES

The delivery usually contains several files. Each file is a certificate. As said previously, the authority delivers the certificate of your Domain name and the intermediate certificates that are mandatory to validate your certificate.

The common file formats are .cer and .crt. These extensions are recognized by the OS, which associates the certificate icon with them.

In our example, we received 4 files (.crt). The first, second and third are intermediate certificates (CARoot, TrustCA, DomainValidationCA). The fourth is our Certificate, MyDomainName.crt, which certifies our domain name. They all have to be installed together.

For a better understanding of how to proceed, let’s examine the certificates.

3. CERTIFICATES PROPERTIES

The properties of the CA Root certificate show its path. Each certificate has a path from the root down to the certificate of your domain name.

The properties of our certificate show all the general information about it: purposes, addresses, issued to (CN), issued by, and validity.

What is important to notice is the certification path. It includes the entire path needed to validate our certificate, and displays all the intermediate certificates included in ours.

This is a simple process: we must import this entire certification path, plus the Key Pair, into the Terminal Service Plus keystore file.

Use the Windows certificate manager to import the key pair and all certificates into the Windows keystore, as described in Certificates and Certification process (mark the key pair as exportable when importing!). Then export that key back from the Windows keystore, checking the option “Include all certificates in the certification path if possible”, and choose for example *.p12 as the format. Now create a new keystore in JKS format in Portecle, go to Tools > Import Key Pair, and import that *.p12 file:

4. IMPORTANT NOTICE ABOUT THE KEY PAIR (PRIVATE KEY)

The Key Pair is the RSA 2048-bit key generated for the CA Request of the certificate. It was generated either with the Portecle add-on we provide, or with another generator such as openssl, IIS, online sites, or the CA provider’s applications.

You must have and keep this Private Key. It is either an unsecured flat text file (.pem) or a secured file (.p12 or .pfx). The generated Private Key is mandatory to be able to install the certificates correctly.

HOW TO DO A CA REQUEST AND GET A CERTIFICATE

As a reminder, here is the certification process explained. This process can be done either with the Portecle add-on we provide, or with another generator such as openssl, IIS, online sites, or the CA provider’s applications.

1. REMINDER – CERTIFICATION PROCESS

The certificates are delivered by Certificate Authorities (CA). The process has 3 steps.

  • a) The generation of a Key Pair or Private Key in standard RSA 2048 bits. This key will be used to generate a CA Request based on it.
  • b) The generated CA Request is transmitted to the CA. It contains all the information the provider needs to deliver a certificate (Country Name as a 2-letter code, State or Province Full Name, Locality Name, Organization Name e.g. Company, Organization Unit Name e.g. Section, valid email address and Common Name (CN) e.g. MyDomainName.com).

The main task is to create the Request by correctly filling in a form that asks for all the information listed above.

  • c) The Certificate Authority verifies the information you transmitted and returns the certificate. It contains your certificate certifying your Domain name, and possibly also intermediate certificates that are required to validate your certificate. The certificate also contains the CA Reply (the validated Private Key). Once you have the certificate, the CA reply, its key pair (private key), and the intermediate certificates, they must be imported into the keystore handled by Terminal Service Plus.

2. HOW TO GENERATE A CSR (CERTIFICATE SIGNING REQUEST)

You will need Microsoft IIS installed on a server, or even on your desktop.

Simply turn the Internet Information Services features on, except FTP (it can be removed later).

1) Open Internet Information Services (IIS) Manager

1. From Start, select Administrative Tools, and then select Internet Information Services (IIS) Manager.

2. In the Connections panel on the left, click the server name for which you want to generate the CSR.

3. In the middle panel, double-click Server Certificates.

4. In the Actions panel on the right, click Create Certificate Request.

5. Enter the following Distinguished Name Properties, and then click Next. The following characters are not accepted when entering information: < > ~ ! @ # $ % ^ * / \ ( ) ? &

  • Common Name — The fully-qualified domain name (FQDN), or URL, for which you plan to use your certificate (the area of your site you want customers to connect to using SSL). An SSL certificate issued for www.coolexample.com is not valid for secure.coolexample.com. If you want your SSL to cover secure.coolexample.com, make sure the common name submitted in the CSR is secure.coolexample.com. If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the Common Name (e.g., *.coolexample.com or *.secure.coolexample.com).

  • Organization — The name under which your business is legally registered. The organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requester’s name in the Organization field, and the Doing Business As (DBA) name in the Organizational Unit field.

  • Organizational Unit — Use this field to differentiate between divisions within an organization (such as “Engineering” or “Human Resources”).

  • City/Locality — The full name of the city in which your organization is registered/located. Do not abbreviate.

  • State/Province — The full name of the state or province where your organization is located. Do not abbreviate.

  • Country — The two-letter International Organization for Standardization (ISO) country code for the country in which your organization is legally registered.

6. For Cryptographic service provider, select Microsoft RSA SChannel Cryptographic Provider.

7. For Bit length, select 2048 or higher, and then click Next.

8. Click …, enter the location and file name for your CSR, and then click Finish.
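The same key pair and request generated with openssl (which the tutorial lists as an alternative to IIS), as an added example that is not part of the original page; the subject values are constructed placeholders, and make_csr, csr_cn and csr_ok are helper names chosen here:

```shell
# Added example (not from the TSplus docs): generate the RSA 2048-bit key pair and the CSR
# with openssl instead of the IIS wizard. All DN values below are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_csr KEYFILE CSRFILE FQDN -> unencrypted PEM private key (the "Key Pair" to keep) plus the CSR
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    # Subject fields in the order the CA form asks for them: C, ST, L, O, OU, emailAddress, CN
    subj="/C=US/ST=California/L=San Diego/O=Cool Example Inc/OU=IT/emailAddress=admin@coolexample.com/CN=$cn"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$key" -out "$csr" -subj "$subj" 2>/dev/null
}

# csr_cn CSRFILE -> prints the Common Name in the request; check it before pasting the CSR to the
# vendor, since a request for www.coolexample.com will not cover secure.coolexample.com
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_ok CSRFILE -> succeeds when the request's self-signature verifies (the CA performs the same check)
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

make_csr "$WORK/coolexample.key" "$WORK/coolexample.csr" "*.coolexample.com"
csr_cn "$WORK/coolexample.csr"     # wildcard request: *.coolexample.com
```

Keep the .key file: it is the Private Key the later sections require, while the CSR carries only the public half and the subject fields.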

3. HOW TO GET A SSL CERT

1) Open the CSR you have just saved with Notepad. Copy all of the text, including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

2) Log into your preferred SSL Cert vendor and create or re-key an SSL Cert. Paste all of the text, including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

Complete your vendor’s instructions and wait until it is ready. When you download it, please use the IIS option. When the new cert is ready, download it. It will be in a .zip; after the download, unzip it.

NOW THAT YOU HAVE THE CERT WHAT DO YOU DO?

1. Click Start, mouse over Administrative Tools, and then click Internet Services Manager.

2. In the Internet Information Services (IIS) Manager window, select your server.

3. Scroll to the bottom, and then double-click Server Certificates.

4. From the Actions panel on the right, click Complete Certificate Request….

5. To locate your certificate file, click ….

6. In the Open window, select *.* as your file name extension, select your certificate (it might be saved as a .txt, .cer, or .crt), and then click Open.

7. In the Complete Certificate Request window, enter a Friendly name for the certificate file, and then click OK.

For Wildcard SSL certificates, make sure your Friendly Name matches your Common Name (i.e. *.coolexample.com).

4. HOW DO I GENERATE WHAT I NEED FOR TSPLUS?

1) Download and install (for example) the DigiCert Certificate Utility (https://www.digicert.com/util/)

a) click on SSL.

b) click on Refresh.

You will now see the cert that you have installed. Highlight your cert:

Click on the bottom button “Export Certificate”:

Ensure that “Yes, export the private key and pfx file” and “Include all certificates in the certification path if possible” are checked.

Next, Save the file in the folder with the certs that you have unzipped.

To import your SSL certificate, see this documentation.


TROUBLESHOOTING

1. I RECEIVED ONLY ONE FILE (.CRT OR CER) WHICH CONTAINS MYDOMAINNAME.COM CERTIFICATE

Look at the path in the certificate properties. If your certificate is at the root, then you don’t have any intermediate certificate: you only have to import the .cer or .crt you received.

If the path contains other intermediate certificates, then they will be needed. You can export these certificates, which are included in yours, and create one file per certificate.

You can export each certificate listed in the path and get one file per certificate. Double click on the certificate you want to export. Then go to Details / Copy to file.

Click next. Default values are ok. Click next until you have to give a name. Confirm your exportation.

The result is a file .cer containing only the certificate exported. Repeat this exportation for each level of the path.

2. MY PRIVATE KEY IS .PEM. I CANNOT IMPORT MY PRIVATE KEY IN PORTECLE

You can convert your .pem into .pfx format with tools or online sites. For example, on this site: https://www.sslshopper.com/ssl-converter.html

You must have your Private Key and your certificate (e.g. MyDomainName.com).

Browse to select the certificate to convert and the Private Key that goes with it. The current certificate type is PEM. The type to convert to is PFX (PKCS#12).

As .pfx is a secured format, you must enter a password. You can choose whatever you want, but in the end you will have to set it to ‘secret’, so you should enter the password ‘secret’.

The result is a .pfx file that you will be able to import in Portecle. As we saw in the installation section, this Private Key imported in Portecle must receive a CA Reply. See section Installation / CA reply for further information.
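An added example, not from the TSplus documentation, covering troubleshooting items 1 and 2 (and the certification-path check from the Certificates Properties section) on the command line: it constructs a throwaway root plus a leaf for MyDomainName.com, splits the bundle into one .cer per level, checks that each issuer matches the next subject, and exports key plus full path as a password-protected .pfx. make_chain, split_bundle, chain_ok, export_pfx and pfx_certs are helper names chosen here.

```shell
# Added example, not from the TSplus docs: a constructed two-level chain (throwaway root CA
# plus a leaf for MyDomainName.com) used to show with openssl what the tutorial does by hand:
# split a bundle into one file per certificate, check issuer/subject order, export key + path to .pfx.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# make_chain DIR -> root.crt, leaf.key, leaf.crt and bundle.crt (leaf followed by root) in DIR
make_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=Constructed Test Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=MyDomainName.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/root.crt" > "$d/bundle.crt"
}
# split_bundle BUNDLE DIR -> writes DIR/cert-1.cer, DIR/cert-2.cer, ... and prints the count
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.cer", dir, n) }
                     n > 0 { print > f }
                     /-----END CERTIFICATE-----/ { close(f) }
                     END { print n + 0 }' "$1"
}
# chain_ok CERT... -> succeeds when each certificate's issuer equals the next one's subject
chain_ok() {
    prev=""
    for c in "$@"; do
        if [ -n "$prev" ]; then
            issuer=$(openssl x509 -in "$prev" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
            subject=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
            [ "$issuer" = "$subject" ] || return 1
        fi
        prev="$c"
    done
}
# export_pfx KEY LEAF CHAIN OUT PASSWORD -> PKCS#12 holding the private key, the leaf and its path
export_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}
# pfx_certs PFX PASSWORD -> number of certificates stored in the .pfx
pfx_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

make_chain "$WORK"
split_bundle "$WORK/bundle.crt" "$WORK"
chain_ok "$WORK/cert-1.cer" "$WORK/cert-2.cer" && echo "chain order ok"
export_pfx "$WORK/leaf.key" "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/cert.pfx" secret  # password the tutorial asks for
```

To land the .pfx in cert.jks with keytool instead of Portecle: keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore cert.jks -deststoretype JKS. With OpenSSL 3, add -legacy to the pkcs12 -export call if an older keystore tool cannot read the resulting file.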

3. HTTPS ERRORS

SSL error no cypher overlaps.

The Private Key or the Key Pair has not been imported into cert.jks, or is invalid. Other error types show the same screen with a different error code. Look at this error code: it concerns the certificate and something wrong with it, usually because one of the certificate’s fields is invalid or blank. Have a look at your certificate Properties and Request.

Verify that all the fields are correct. Refer to the section on how to do a Request for more information.

4. NOTICE CONCERNING TERMINAL SERVICE PLUS AND MICROSOFT IIS WEB SERVER

Please refer to our documentation about using IIS with Terminal Service Plus.

However, here is some important information about IIS and certificates:

When using IIS, the certificates have to be installed in the keystore cert.jks. This must be done in the same way as if we were using the Terminal Service Plus Web Server, and as described in the previous chapter.

Don’t bind the 443 HTTPS port in IIS: it is the Terminal Service Plus Web server that handles the HTTPS protocol, the certificate and its encryption. No binding must be created on port 443, so IIS must only have port 81 bound.

We are free to use the IIS Request Tool to create the Private Key and the CA Request. It is simple to export the Private Key from IIS (IIS / Default site / Certificates) in the .pfx format and import it into cert.jks as described in the previous chapter.
