Certificate on Janik von Rotz

E-ID

Thu, 22 Dec 2022 17:16:38 +0100

Die E-ID ist ein staatlich anerkannter Identifikationsnachweis. Alle Informationen zur E-ID werden unter http://eid.ch publiziert. Ich verfolge das Projekt nur am Rande, bin am Thema aber sehr interessiert. Kryptographie, Politik und Wirtschaft treffen hier aufeinander.

Bei AdNovum war ich als Identity und Access Management (IAM) Integrator angestellt. Dabei habe ich viel über Zertifikate, Infrastruktur, Kryptographie und Systemtechnik im Allgemeinen gelernt. Mit diesem Wissen habe versucht eine E-ID zu skizzieren. Die folgende Grafik zeigt wie eine E-ID konzeptionell funktionieren könnte:

Ich bin gespannt wie sich das Projekt entwickelt wird und mal schauen ob es Überschneidungen mit meiner Vorstellung gibt.

Generate PEM key- and truststores With Puppet

Thu, 07 Mar 2019 10:23:04 +0100

This post is a follow-up of Generate pkcs12 key- and truststores with Puppet.
In this post we are going to create PEM key- and truststores with Puppet.

PEM files are base64 encoded X.509 certificates. Enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- multiple PEM files can be concatinated into key- and truststores. And that is exactly what we are going to do using a Puppet manifest.

For the example use case multiple certificate files are required. Using the commands from the Create a certificate authority and sign server certificates without prompting using openssl post the following files must be provided:

localhost_cert.pem
localhost_key.pem
example.com_cert.pem
ca_cert.pem

The certificates will be concatinated into the following stores:

webservice-keystore.pem
- localhost - private key entry
webservice-truststore.pem
- ca - trusted cert entry
custom-truststore.pem
- example.com - trusted cert entry
- ca - trusted cert entry

All the files are processed in /var/tmp/certificates.

The manifest file is defined as followed:

modules/certbox/manifests/init.pp

class certbox (

    String $host = 'localhost',
    String $cert_dir = '/var/tmp/certificates',

    String $server_ca_cert = "${cert_dir}/ca_cert.pem",
    String $server_cn = $host,
    String $server_cert = "${cert_dir}/${host}_cert.pem",
    String $server_key = "${cert_dir}/${host}_key.pem",
    String $server_key_pass = 'password',
    String $server_keystore = "${cert_dir}/webservice-keystore.pem",
    String $server_truststore = "${cert_dir}/webservice-truststore.pem",

    Array $custom_trust_entries = [
      {
        cn => 'example.com',
        cert => 'example.com_cert.pem'
      },
      {
        cn => 'ca',
        cert => 'ca_cert.pem'
      },
    ],
    String $custom_truststore = "${cert_dir}/custom-truststore.pem",

    String $owner = 'root',
    String $group = 'root',
    String $file_read_mode = 'a=,ug+r',

) {

  # component-wide defaulting of the exec path attribute
  Exec {
    path => ['/usr/bin', '/bin']
  }

  # create copy of sever cert, if file state changes notify keystore assemble task
  file { "${server_cert}.tmp":
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => $file_read_mode,
    source => $server_cert,
    notify => Exec["certbox - create server keystore"],
  }

  # check if keystore file does not exist and notify creation task
  exec { "certbox - check if server keystore exists":
    onlyif => "test ! -f $server_keystore",
    command => 'echo "File does not exist."',
    notify => Exec["certbox - create server keystore"],
  }

  # create server keystore if temporary file state changed
  exec { "certbox - create server keystore":
    refreshonly => true,
    command     => "cat ${server_cert} > ${server_keystore}; cat ${server_key} >> ${server_keystore}",
  }

  # ensure server keystore file permissions
  file { $server_keystore:
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => $file_read_mode,
  }

  file { "${server_ca_cert}.tmp":
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => $file_read_mode,
    source => $server_ca_cert,
    notify => Exec["certbox - create server truststore"],
  }

  exec { "certbox - check if server truststore exists":
    onlyif => "test ! -f $server_truststore",
    command => 'echo "File does not exist."',
    notify => Exec["certbox - create server truststore"],
  }

  exec { "certbox - create server truststore":
    refreshonly => true,
    command     => "cat ${server_ca_cert} > ${server_truststore}",
  }

  file { $server_truststore:
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => $file_read_mode,
    notify => Exec["certbox - create server truststore"],
  }

  # create copy for each ca truststore entry
  $custom_trust_entries.each | Integer $index, Hash $entry | {

    file { "${cert_dir}/${entry['cert']}.ca_trust.icam.tmp":
      ensure => file,
      owner  => $owner,
      group  => $group,
      mode   => $file_read_mode,
      source => "${cert_dir}/${entry['cert']}",
      notify => [
        Exec["certbox - cleanup ca truststore"],
        Exec["certbox - add pem ${entry['cn']} to ca truststore"]],
    }

    exec { "certbox - check if ca truststore for ${entry['cn']} exists":
      onlyif => "test ! -f $custom_truststore",
      command => 'echo "File does not exist."',
      notify => Exec["certbox - add pem ${entry['cn']} to ca truststore"],
    }
  }

  # reset ca truststore if temporary entry file state changed
  exec { "certbox - cleanup ca truststore":
    refreshonly => true,
    command     => "echo > ${custom_truststore}",
  }

  # add ca truststore entry if temporary entry file state changed
  $custom_trust_entries.each | Integer $index, Hash $entry | {

    exec { "certbox - add pem ${entry['cn']} to ca truststore":
      refreshonly => true,
      command     => "echo >> ${custom_truststore};cat ${cert_dir}/${entry['cert']} >> ${custom_truststore}",
    }
  }

  file { $custom_truststore:
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => $file_read_mode,
  }
}

This manifest checks if the source PEM files have changed or the target stores does not exist. If one of these cases apply the manifests creates the key- or truststore. Finally, it sets the file mode and ownership.

To apply the manifest with Puppet run the following command:

sudo puppet apply --modulepath=modules/ -e "include certbox"

To verify if the files have been assembled correctly use this keytool commands:

sudo keytool -printcert -file /var/tmp/certificates/custom-truststore.pem

Let me know if this post helped you to resolve a particular use case.

Generate pkcs12 key- and truststores with Puppet

Wed, 30 Jan 2019 11:16:52 +0100

In my last post I have showed how to generate pkcs12 key- and truststores using openssl and keytool.

For this post we assume that we want to automate the store assembling with Puppet. Puppet is a configuration management tool that shares many ideas with Ansible. In the world of Puppet you define a manifest file that describes a state of how a file, service or any type of resource should look like. Puppet applies these manifests and makes sure that the targeted system reaches the defined state.

Using Puppets exec resource we are going to define key- and truststores using openssl and keytool.

Our manifest assure that the stores are assembled as defined. Puppet will be able to detect deltas and act accordingly.

For our use-case we assume we have generate multiple certificates under /var/tmp/certificates:

localhost_cert.pem
localhost_key.pem
example.com_cert.pem
example.com_key.pem
ca_cert.pem

Our fictive webservice requires a key- and truststore containing the provided certificates and keys:

webservice-keystore.pkcs12
- ca - trusted cert entry
- localhost - private key entry
- example.com - private key entry
webservice-truststore.pkcs12
- ca - trusted cert entry

Puppet is installed on our system and we are ready to declare and apply our manifest file.

Our Puppet module will be called certbox. Modules must follow a strict naming and folder structure.

Below is a copy-and-paste definition for our Puppet module. Create the manifest file and folders as showed.

modules/certbox/manifests/init.pp

class certbox (

  String $certDir = "/var/tmp/certificates",

  String $caCert = "$certDir/ca_cert.pem",

  String $cn1 = "localhost",
  String $cert1 = "$certDir/${cn1}_cert.pem",
  String $key1 = "$certDir/${cn1}_key.pem",
  String $keyPassword1 = "password",

  String $cn2 = "example.com",
  String $tmpKeystore2 = "$certDir/$cn2.pkcs12",
  String $cert2 = "$certDir/${cn2}_cert.pem",
  String $key2 = "$certDir/${cn2}_key.pem",
  String $keyPassword2 = "password",

  String $keystore = "$certDir/webservice-keystore.pkcs12",
  String $truststore = "$certDir/webservice-truststore.pkcs12",
  String $keystorePassword = "password",
  String $truststorePassword = "password",

  String $owner = "root",
  String $group = "root",
  String $fileReadMode = "a=,ug+r",

) {

  exec { "remove keystore for $cn1 if password changed or is empty":
    onlyif => "/bin/keytool -list -storetype PKCS12 -keystore $keystore -storepass $keystorePass | grep 'password was incorrect\\|file exists, but is empty'",
    command => "/bin/rm $keystore1",
  }

  exec { "create pkcs12 keystore for $cn1":
    onlyif => "/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert1 | cut -f2 -d \"=\");test $? -eq 1",
    command => "/bin/openssl pkcs12  -export -in $cert1 -inkey $key1 -passin pass:$keyPassword1 -certfile $caCert -out $keystore -passout pass:$keystorePassword -name $cn1",
  }

  exec { "remove keystore for $cn2 if password changed or is empty":
    onlyif => "/bin/keytool -list -storetype PKCS12 -keystore $tmpKeystore2 -storepass $keystorePass | grep 'password was incorrect\\|file exists, but is empty'",
    command => "/bin/rm $tmpKeystore2",
  }

  exec { "create pkcs12 keystore for $cn2":
    onlyif => "/bin/keytool -list -keystore $tmpKeystore2 -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d \"=\");test $? -eq 1",
    command => "/bin/openssl pkcs12 -in $cert2 -inkey $key2 -passin pass:$keyPassword2 -export -out $tmpKeystore2 -passout pass:$keystorePassword -name $cn2",
  }

  exec { "merge $cn2 into $cn1 keystore":
    onlyif => "/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d \"=\");test $? -eq 1",
    command => "/bin/keytool -importkeystore -storetype PKCS12 -destkeystore $keystore -deststorepass $keystorePassword -destkeypass $keystorePassword \
      -srckeystore $tmpKeystore2 -srcstoretype PKCS12 -srcstorepass $keystorePassword -alias $cn2 -noprompt",
  }

  file { $keystore:
    ensure => file,
    owner => $owner,
    group => $group,
    mode => $fileReadMode,
  }

  exec { "remove truststore for $cn1 if password changed":
    onlyif => "/bin/keytool -list -storetype PKCS12 -keystore $truststore -storepass $truststorePass | grep 'password was incorrect'",
    command => "/bin/rm $truststore",
  }

  exec { "create pkcs12 truststore":
    onlyif => "/bin/keytool -list -keystore $truststore -storepass $truststorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $caCert | cut -f2 -d \"=\");test $? -eq 1",
    command => "/bin/keytool -importcert -storetype PKCS12 -keystore $truststore -storepass $truststorePassword -alias ca -file $caCert -noprompt",
  }

  file { $truststore:
    ensure => file,
    owner => $owner,
    group => $group,
    mode => $fileReadMode,
  }
}

Edit 1: Compare sha1 of cert to assert if import should be executed.
Edit 2: On create keystore check not if store file already exist, but check if cert in keystore matches the sha1. The check should also act as expected if file does not exist.
Edit 3: Remove the create empty truststore task. If the truststore file does not exist, the keytool import command will create the file.
Edit 4: Added exec task that remove the store file if the password has changed.

The manifest is kept fairly simple. However, you might ask why we have to merge our second certificate from a pkcs12 store. The answer is a bit more complicated. The openssl and keytool utilities help generating and managing key material. They provide similar tasks, but differ heavy in specific features. Here are the most important differences:

Openssl cannot manipulate existing pkcs12 stores.
Openssl cannot create pkcs12 with multiple certificates and keys.
Keytool cannot import certificates and keys into an existing pkcs12 store, however, it can import a pkcs12 store into an existing one.
Keytool cannot create pkcs12 stores from a certificate and key.

Hope this helps to understand the design decisions made here much better.

To apply the manifest with Puppet run the following command:

sudo puppet apply --modulepath=modules/ -e "include certbox"

At this point Puppet should create the key- and truststores.

If you ended up with an error or faced some other issues let me know!

Create pkcs12 key- and truststore with keytool and openssl

Tue, 22 Jan 2019 14:05:15 +0100

In my last post I’ve showed you how to create a custom certificate authority and sign a server cert using openssl without user interaction.

For this post I assume that we want to set up a webservice that requires a pkcs12 keystore. Using openssl and the java keytool we are going to create a pkcs12 store and add our ca cert, server cert and server key. Further, we assume that the application also requires a truststore containing the ca cert only.

Make sure to walk through the last post before getting started.

Configure new environment variables.

APPLICATION_NAME=webservice
KEYSTORE_PASSWORD=password
TRUSTSTORE_PASSWORD=password
SERVER_CERT_PASSWORD=password
SERVER_CERT_CN=localhost

Create the pkcs12 store containing the server cert and the ca trust.

openssl pkcs12 -in ${SERVER_CERT_CN}_cert.pem -inkey ${SERVER_CERT_CN}_key.pem -passin pass:$SERVER_CERT_PASSWORD -certfile ca_cert.pem \
  -export -out ${APPLICATION_NAME}_${SERVER_CERT_CN}-keystore.pkcs12 -passout pass:$KEYSTORE_PASSWORD -name $SERVER_CERT_CN

Show the content of keystore.

keytool -list -storetype PKCS12 -keystore $APPLICATION_NAME-keystore.pkcs12 \
  -storepass $KEYSTORE_PASSWORD

Openssl cannot create a pkcs12 store from cert without key. This is why we create the truststore with the keytool.

Create a pkcs12 truststore containing the ca cert.

keytool -importcert -storetype PKCS12 -keystore $APPLICATION_NAME-truststore.pkcs12 \
  -storepass $TRUSTSTORE_PASSWORD -alias ca -file ca_cert.pem -noprompt

Show the content of the truststore.

keytool -list -storetype PKCS12 -keystore $APPLICATION_NAME-truststore.pkcs12 \
  -storepass $TRUSTSTORE_PASSWORD

Edit 1: Removed keystore ca import step. The openssl certfile parameter accepts a bundled .pem containing trusted certs.
Edit 2: Removed the create empty truststore step. Keytool will create the truststore file if it does not exist.

Not sure if it is a bug that openssl cannot create pkcs12 stores from certs without keys. Nonetheless, the two step workflow is a convenient solution. Openssl creates the initial pkcs12 store and the keytool manipulates the store as required.

Note: It seems you cannot import a certificate and its key with keytool. So you need to create the store with openssl in order to import the key.

Source: Stackoverflow - How to import an existing x509 certificate and private key in Java keystore to use in SSL?

Create a certificate authority and sign server certificates without prompting using openssl

Mon, 21 Jan 2019 16:20:35 +0100

Most of the times people want to get a certificate for the hostname localhost, let’s encrypt wrote a nice post about this, but sometimes people want a certificate for any hostname. And further, signed by a custom CA and if possible should the key material be generated without user interaction. In this post I have covered the less likely case.

Below you’ll find a list of bash commands. You can copy and paste all of them into a bash script or run each command at a time in the shell.

Set environment variables for key material configuration.

CA_CERT_PASSWORD=password
SERVER_CERT_PASSWORD=password
SERVER_CERT_CN=localhost
SERVER_ALT_NAME=localhost

Create the CA key.

openssl genrsa -des3 -passout pass:$CA_CERT_PASSWORD -out ca_key.pem 4096

Create the CA certificate.

openssl req -x509 -new -nodes -key ca_key.pem -passin pass:$CA_CERT_PASSWORD -sha256 -days 1825 -out ca_cert.pem \
  -subj "/C=CH/ST=Bern/L=Bern/O=AdNovum AG/CN=ca"

Create the server key.

openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}_key.pem 2048

Create the server certificate signing request.

openssl req -new -key ${SERVER_CERT_CN}_key.pem -passin pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}.csr \
  -subj "/CN=$SERVER_CERT_CN"

Create server certificate extension configuration.

cat > ./${SERVER_CERT_CN}.cnf <<EOT
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $SERVER_ALT_NAME
EOT

Sign the server certificate signing request.

openssl x509 -req -in ${SERVER_CERT_CN}.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial \
  -out ${SERVER_CERT_CN}_cert.pem -days 1825 -sha256 -extfile ${SERVER_CERT_CN}.cnf

To create additional server certificates use the snippet below.

CA_CERT_PASSWORD=password
SERVER_CERT_PASSWORD=password
SERVER_CERT_CN=hostname
SERVER_ALT_NAME=hostname

openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}_key.pem 2048
  
openssl req -new -key ${SERVER_CERT_CN}_key.pem -passin pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}.csr \
  -subj "/CN=$SERVER_CERT_CN"
  
cat > ./${SERVER_CERT_CN}.cnf <<EOT
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $SERVER_ALT_NAME
EOT
 
openssl x509 -req -in ${SERVER_CERT_CN}.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial \
  -out ${SERVER_CERT_CN}_cert.pem -days 1825 -sha256 -extfile ${SERVER_CERT_CN}.cnf

Configure Let’s Encrypt auto renewal for certificates

Sun, 14 Feb 2016 22:28:26 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/ddce334cd8ab21a40941.

Introduction

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. So far it works well and makes it easy to obtain a free certificate. Now the created certificates will expire withing 90 days. This post will show you how you can auto renew these certificates before they expire.

Requirements

Installation

Create a new bash script and it to the monthly cron folder for sheduling.

cd /etc/cron.monthly/
sudo vi letsencrypt-renew
sudo chmod +x letsencrypt-renew

Add the following code to the letsencrypt-renewscript.

cd /usr/local/src/letsencrypt
sudo service nginx stop
sudo -H ./letsencrypt-auto renew
sudo service nginx start

Now run the script and check if it succeeds.

sudo ./letsencrypt-renew

Source

Official Let’s Encrypt client documentation - Renewal

Install Let’s Encrypt and create a free SSL certificate

Fri, 04 Dec 2015 11:23:57 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/2e0ee4cf7e04bb75742d.

Introduction

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). This guide shows you how you can obtain a free SSL certificate.

Requirements

Installation

Download the client code from the Github repository.

cd /usr/local/src/
sudo git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Run the letsencrypt wrapper script.

sudo -h ./letsencrypt-auto

If you experience an error like this:

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: 
          InsecurePlatformWarning: A true SSLContext object is not available. 
          This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. 
          For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

You have to update some pyhton libraries by running this command.

pip install pyopenssl ndg-httpsclient pyasn1

Now you can request a new ssl certificate. I assume you’re running Nignx as your web server. To request a certificate we have to stop the web service temporarily.

sudo service nginx stop
sudo -H ./letsencrypt-auto certonly --email hostmaster@domain.com -d domain.com
sudo service nginx start

The new certificates are stored here: /etc/letsencrypt/live/domain.com

Update the Nginx configuration file for your domain.

sudo vi /etc/nginx/conf.d/domain.com.conf

Add the new certificates:

ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

Test your Nginx configuration file.

sudo nginx -t

And restart the service

sudo service nginx reload

Finally check your Nginx SSL configuration here: https://globalsign.ssllabs.com/

Source

Official Let’s Encrypt client documentation

free SSL for everybody

Mon, 23 Mar 2015 09:09:11 +0000

Let’s Encrypt is the latest initiative by the Internet Security Research Group (ISRG). Their goal is simple, every site on the internet has to be SSL secured.

They want to achieve that by serving an open certificate authority (CA) and also provide a tool to set up a secured site the easiest way possible.

And now the big deal about this, their service is free of charge!

If this is really a thing, it will be a disaster for the SSL economy. As you might know SSL certificates are everything else than cheap. So good luck to every company that relays on selling SSL certificates as their core competence.

Configure hybrid search results from SharePoint Online in SharePoint on-premise

Wed, 14 May 2014 07:03:29 +0000

This post of is part of my Install SharePoint 2013 Three-tier Farm project. Get the latest version of this article here: https://gist.github.com/10871110

Introduction

In this post I’ll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.

Requirements

User synchronisation ActiveDirectory to Office 365 with DirSync
DirSync password sync or ADFS SSO
SharePoint Online
SharePoint 2013 on-premise
- Enterprise Search service
- SharePoint Online Management Shell

Instructions

All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.

Set up Sever to Server Trust

Export certificates

To create a server to server trust we need two certificates.

[certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.

[certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.

First launch the Internet Information Services (IIS) Manager
Select your SharePoint web server and double-click Server Certificates
In the Actions pane, click Create Self-Signed Certificate
Enter a name for the certificate and save it with OK
To export the new certificate in the Pfx format select it and click Export in the Actions pane
Fill the fields and click OK Export to: C:\[certificate name].pfx Password: [password]
Also we need to export the certificate in the CER Base64 format. For that purpose make a right-click on the certificate and click on View…
Click the Details tab and then click Copy to File
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, click Next
On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
As file name enter C:\[certificate name].cer and then click Next
Finish the export

Import the new STS (SharePoint Token Service) certificate

Let’s update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# import it
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert

Type Yes when prompted with the following message.

You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?

Restart IIS so STS picks up the new certificate.

& iisreset
& net stop SPTimerV4
& net start SPTimerV4

Now validate the certificate replacement by running several PowerShell commands and compare their outputs.

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"

# get the encrypted pfx certificate object
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# compare the output above with this output
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

Establish the server to server trust

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
Import-Module MSOnline 
Import-Module MSOnlineExtended

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# set the onpremise domain that you added to Office 365
$SPCN = "sharepoint.domain.com" 

# your onpremise SharePoint site url
$SPSite="http://sharepoint"

# don't change this value
$SPOAppID="00000003-0000-0ff1-ce00-000000000000"

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# get the raw data
$PfxCertBin = $PfxCert.GetRawCertData()

# create a new certificate object
$X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

# import the base 64 encoded certificate
$X64Cert.Import($X64CertPath)

# get the raw data
$X64CertBin = $X64Cert.GetRawCertData()

# save base 64 string in variable
$CredValue = [System.Convert]::ToBase64String($X64CertBin)

# connect to office 3656
Connect-MsolService

# register the on-premise STS as service principal in Office 365

# add a new service principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
$MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
$SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames

# get the online name identifier
$MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
$MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
$MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"

# establish the trust from on-premise with ACS (Azure Control Service)

# add a new authenticatio realm
$SPSite = Get-SPSite $SPSite
$SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $MsolServicePrincipalID

# register the ACS application proxy and token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"

Add a new result source

To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don’t forget to update the settings region

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# region settings 
$RemoteSharePointUrl = "http://[example].sharepoint.com"
$ResultSourceName = "SharePoint Online"
$QueryTransform = "{searchTerms}"
$Provier = "SharePoint-Remoteanbieter"
# region settings end

$SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
$FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
$SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa  

$ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
if(!$ResultSource){
    Write-Host "Result source does not exist. Creating..."
    $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
}

$ResultSource.Name = $ResultSourceName
$ResultSource.ProviderId = $FederationManager.ListProviders()[$Provier].Id
$ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
$ResultSource.CreateQueryTransform($QueryTransform)
$ResultSource.Commit()

Add a new query rule

In the Search Administration click on Query Rules
Select Local SharePoint as Result Source
Click New Query Rule
Enter a Rule name f.g. Search results from SharePoint Online
Expand the Context section
Under Query is performed on these sources click on Add Source
Select your SharePoint Online result source
In the Query Conditions section click on Remove Condition
In the Actions section click on Add Result Block
As title enter Results for “{subjectTerms}” from SharePoint Online
In the Search this Source dropdown select your SharePoint Online result source
Select 3 in the Items dropdown
Expand the Settings section and select “More” link goes to the following URL
In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
Select This block is always shown above core results and click the OK button
Save the new query rule

Source

Display hybrid search results in SharePoint Server 2013
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync –Part2

Nginx SSL website

Thu, 03 Apr 2014 07:54:04 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9408793.

Introduction

This best practice shows you the most advanced SSL configurations for your Nginx website. For productive usage it’s recommended to use only public-signed certificates.

Requirements

Installation

Create a ssl folder to store key and cert files

sudo mkdir /etc/nginx/ssl

Upload your key and cert files into this folder.

Now we need to generate stronger DHE parameter:

cd /etc/ssl/certs
sudo openssl dhparam -out dhparam.pem 4096

Add this Nginx configuration to your website config.

server{

        # set ssl port
        listen 443;
        
        ...
        
        # basic ssl configuration
        ssl on;
        ssl_certificate /etc/nginx/ssl/[certificate.crt.ca.bundle];
        ssl_certificate_key /etc/nginx/ssl/[host].key;

        # Force to use stronger DHE parameters 
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        
        # limitation of ssl protocols and algortyhtms
        
        # we don't want to support SSL v2 and SSL v3, it's known to be insecure
        # FIPS 140-2 compliance, TLS1+ only
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        
        # don't let the client decide what ciphers to use, we've told the server which to allow
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        
        # reduce ssl cpu load
        
        # we want to enable ssl session resumption to avoid
        # having to start the handshake from scratch each page load
        # so first we enable a shared cache, named SSL (creative!) that is 10mb large
        ssl_session_cache shared:SSL:10m;
        
        # save things in the cache for10 minutes
        # if you're not making a request at least every 10 minutes, this isn't going
        # to accomplish anything anyway
        ssl_session_timeout 10m;
        
        ...
}

If you wish to redirect all http traffic to https you can add this additional Nginx server configuration.

server{

      listen 80;
      
      server_name [host];

      return 301 https://[host]$request_uri;
}

Test config and reload Nginx service.

sudo nginx -t && sudo service nginx reload

Source

Nginx converting rewrite rules Configuring HTTPS servers Strong SSL Security on nginx by Raymii

Convert SSL certificates

Thu, 27 Mar 2014 14:01:50 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9413205.

Requirements

Get a free verified SSL certificate from StartSSL (optional)

Instructions

When buying a certificate from you CA (Certification Authority) e.g. a wildcard certificate for *.example.org, you have to convert this file to different formats in order to use them with your webserver installation.

To convert these files use OpenSSL.

First file you’ll need is the public certificate.

sudo openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Now you can chose between the encrypted and decrypted key file.

If chosing the encrypted key file your webserver will prompt every time starting the web service for the certificate pass-phrase.

sudo openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

Otherwise your webserver won’t prompt for an pass-pharase, but be aware, if you’re losing this decrypted key file you certificate will be worthless.

sudo openssl pkcs12 -in [yourfile.pfx] -nodes -out [keyfile-decrypted.key]

Certificate chain

During the SSL negotiation, a server provides its certificate along with the “intermediate” certificates that exist between it and the root. This allows clients to validate the server’s certificate without going through a discovery processes that not all browsers support, and for those that do, without an additional performance penalty.

Download the CA server certificate on their website

sudo sh -c "cat [certificate.crt] > [certificate.crt.ca.bundle]"
sudo sh -c "cat [certificate.ca.crt] >> [certificate.crt.ca.bundle]"

Get a free verified SSL certificate from StartSSL

Wed, 26 Mar 2014 10:29:07 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9430791.

SSL certificates aren’t cheap. You can create them on your own for private use. However for internet use you have to get a verified certificate.

Luckily there’s https://www.startssl.com/

They offer you a class 1 SSL certificate for free. Their site might not look trustworthy, but I’m quite shure they do a great job.

Apache vHost with SSL Certicate converted from .pfx Export file

Mon, 27 Jan 2014 14:03:40 +0000

This is an simple example for an Apache vHost SSL vHost configuration:

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/keyfile.key
</VirtualHost>

When buying a certificate from you CA (Certification Authority) e.g. a wildcard certificate for *.domain.com, you have to convert this file to different formats in order to use them with you Apache installation.

To convert these files use OpenSSL.

First file you’ll need is the public certificate.

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Now you can chose between the encrypted and decrypted key file.

If chosing the encrypted key file, Apache will prompt every time starting or starting the web service for the certificate pass-phrase.

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

Otherwise Apache won’t prompt for an pass-pharase, but be aware, if you’re losing this decrypted key file you certificate will be worthless.

openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]