Friday 26 August 2011

C is not German

One of the perks of working for a big IT organization is that every so often we get requests, normally urgent, to help a project.

I love helping people, I really do, particularly at work, because it normally gives me the opportunity to look at how other people work, and sometimes gives me an opportunity to learn new things.

The only problem is that the person or people making these requests for help are normally moderately high up the management chain and rarely do they know what they are talking about. The average request goes something like this:

We need somebody with experience/skills in X. Have you got anybody in your team with experience/skills in X and a bit of spare time to help?
or
We've looked at your skill set and you have experience/skills in X. Could you spare some time to help this project?

The problem is that X tends to be a programming or scripting language rather than an actual problem (say configuring client certificate authentication in IIS).

A programming language is not like a language.  I might have been working with C# for the past four years but I've not really done any serious multi threading so I would probably be a hindrance to any project rather than be any help, not to mention that even if I could help, it is going to take me more than two hours on a friday afternoon to get up to speed with a project that has been running for more than several months.

I sometimes despair at the ignorance of IT middle management about technical issues. What makes this worse is that, some of them have risen through the ranks from technical positions, yet they seem to have forgotten about how much an actual programming language can encompass.




Tuesday 16 August 2011

Trust me, I'm a CA - Part 3. The joy of certificates - Part 5

This is a follow on post from this post.

So thus far, we have a CA and a secure web site, so the missing piece in the puzzle is the client certificate, thus let's dive right in, except that: It turns out that in order to create a client certificates the CA website must be running securely.

You can use the procedure described in my previous post to generate a new server certificate and then you can install it as follows: Start|Run|inetmgr


Although the GUI has changed, the procedure is the pretty much the same as described in my previous post, for both the request and then the completion of the request. Once completed, you'll have a new server certificate installed:

Now go the default website on IIS Manager and add a new Binding:


Note that I have selected the same certificate that I created before. We can now navigate to the CA website using ssl.

Note, that if you use https://localhost/certsrv you'll see a warning unless you specifically created the certificate for localhost, but if you don't you'll need to change you trusted sites settings so that activex controls can run.
We can now request a client certificate.


You'll get the following prompt, just press yes to continue:


Fill in the identity information, not shown, and then make sure that you tick mark keys as exportable and press submit.


You'll get the usual message about the request being pending, see my previous post for details on how to deal with this.


Once you have issued the certificate you'll need to install it, from the main CA webpage, go to View the Status of Pending Certificate Request:



Once the certificate has been installed, you'll need to export it, see this post for instructions. The one thing left to do is to export the public key, which I suggest you do on the web server. All you need to do is select (this will probably be your only option from the web server) to set up client certificate mapping, which you can do by following the steps in this post. One problem I found is that: it doesn't work, I get the following error:


In my case, it's failing to determine the revocation status, which means that I probably messed up somewhere. Irritation. See this post for a solution to this issue

Friday 12 August 2011

Trust me, I'm a CA - Part 2. The joy of certificates - Part 4

This is a follow on post from this post.

Run IIS Manager (Start|Run|inetmgr) and right click on the properties of the website you want to secure.



We now have a certificate request, which we can you to generate a certificate, so now back in the CA server:


Copy and paste the contents of certreq.txt as shown below:


Now, from the console (start|run|mmc), you can the CA snap-in:


Now, back on the web server. Go back to:


We know have a secure website (yay!):

See the next post for next instalment of the series.

Wednesday 10 August 2011

Trust me, I'm a Certification Authority.The joy of certificates - Part 3

I thought it would be instructive to install a Certification Authority (CA henceforth) using Windows 2008, I might do a windows 2003 CA if I'm bored one of these days, and show how to run a secure website with client authentication via certificates.

I have a brand new VM with Windows 2008 R8 datacentre edition installed that has been joined to my dev.com domain. Start the Server Manager:


When you select CA web enrollment, you'll get the following popup:


From here on, simply accept the defaults until you get to the last screen:



You can see that the CA certificate has been installed to the Local Computer Trusted CAs:


You can now create certificates by visiting http://localhost/certsrv


That's really it for a CA. In order to make this useful, your other servers will need to trust this CA, which you can do by hitting the Download a CA certificate, certificate chain, or CRL link:

You'll be prompted to save the certificate to a file, I accepted the default certnew.cer. You can now install this certificate in another server so this CA is trusted.

So, logged in to the remote server, double click on certnew.cer


 You can now drag and drop the certificate to the Local Computer Trusted Root Authority Store

Now we can install a certificate from this CA on our web server. See the next post for details on how to do this.