
July 20th, 2007

How to implement SSL or TLS secure communications

Posted by George Ou @ 2:40 am

Categories: Infrastructure, Microsoft, Mobile/Wireless, Networking, Security, Servers, Vista

Tags: Procedure, Digital Certificate, TLS, Server, Microsoft Windows, SSL, George Ou

This information is also available as a TechRepublic download.

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are two technologies that enable secure communications on a massive global scale. To facilitate SSL or TLS encryption between any two computers, an X.509 Digital Certificate is required on at least one end of the connection. The Digital Certificate is usually installed at the Server end because it makes it simple for any end user to make a secure SSL or TLS connection to the server without a Digital Certificate on the client end. A trusted third party called a CA (Certificate Authority) like VeriSign, Entrust, GeoTrust, or GoDaddy asserts the authenticity of the Digital Certificate with a Digital Signature so that the client knows that the Server isn’t fake. This trust comes from the fact that these Certificate Authorities have their Root Certificates with Public Keys pre-installed in nearly every Operating System and Application on the market.

Therefore, to enable SSL or TLS secure communications on a Server with the general public, Server administrators need to acquire a Digital Certificate from any trusted third party CA, and this is usually done through an offline web-based request. Since I’ve gotten requests from Administrators who read my blog entry “A secure Wireless LAN hotspot for anonymous users” asking how to go about doing this, I’ve created the following procedure for buying a Digital Certificate. This procedure works on VPN Concentrators, Web Servers, RADIUS Servers, or anything that uses standard X.509 Digital Certificates.

The Certificate generated using this Windows-based procedure will work for any device or Operating System that uses standard X.509 Digital Certificates. No additional tools are needed if you’re running this procedure on a Windows Vista computer. On any other version of Windows Client or Server OS, you will need to make sure that the Windows Server 2003 Admin Pack is installed so that the needed command line tools are available to you. You can download a copy here from Microsoft, but it is also available on any Windows Server 2003 installation CD. There is an alternative procedure for doing this if Microsoft IIS is installed, but this procedure will focus on the command line technique.

The first step is to prepare a text file that contains the desired parameters in the following format. You will need to put in your own server name with your DNS qualifier at the end of it. The “CN” field is the Common Name field and it is the key identifier for our Digital Certificate. If we were going to set up a secure server called secure.zdnet.com, for example, the CN field will need to be secure.zdnet.com. If we were setting up a secure RADIUS server for Wireless LAN authentication, we can call it something like RADIUS.zdnet.com. We can create a file called CSRParameters.txt and put in the following text.

[NewRequest]
; CN must be the exact host name clients will connect to; C is the two-letter country code
; (use straight double quotes around the Subject value, not typographic quotes)
Subject="CN=MyServerName.MyDomainName.com,C=GB"
KeyLength=2048
MachineKeySet=TRUE
Silent=TRUE
Exportable=TRUE

Assuming you’re running Windows Vista or you’ve installed the Windows Server 2003 Admin Pack on Windows Server 2003 or Windows XP, you will need to start a command prompt. Windows Vista requires the following special procedure to start a command prompt in Administrator mode.

Start a Vista command prompt as Administrator:

Hit the “Start” button on the keyboard (CTRL-ESC) and type “cmd”. You’ll find cmd.exe returned on the top of the start menu where you will then right click on cmd.exe. Click “Run as administrator” and Windows Vista UAC will ask you for permission to escalate permissions. Click “Continue” and you’ll get a command prompt that’s running under the context of Administrator. If you’re running older versions of Windows, you just log in as any Administrator and hit the “Start” and “Run” command and launch cmd.exe.

Once you’re at the command prompt, type the following command to generate a CSR (Certificate Signing Request):

certreq -new CSRParameters.txt CSROutput.txt

Note that this is assuming CSRParameters.txt is in the directory that you’re running the command in. If it isn’t in the same directory, you’ll either need to move it there or type out the entire path of the file for the input parameters. After a few seconds, the output file called CSROutput.txt will be generated and you’ll be able to open it up like any text file.
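As a check before the request file is sent to a CA, here is an added Python example (standard library only, not from the original article) that reads the PEM request in CSROutput.txt and reports the Common Name and RSA key size it actually contains, so a wrong CN or a key shorter than the 2048 bits set in CSRParameters.txt is caught before paying for a certificate. The sample_csr helper builds a constructed, unsigned request purely so the parser can be run offline; it is not a real key or signature.

```python
import base64, re
def _enc(tag, body):                      # DER-encode one TLV (only used to build the sample CSR)
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:                                 # long-form length
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body

def _seq(*parts): return _enc(0x30, b"".join(parts))
def _int(n): return _enc(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_csr(cn, country="GB", bits=2048):
    """Constructed, UNSIGNED PKCS#10 request shaped like certreq's CSROutput.txt; the key is a dummy."""
    cn_atv = _enc(0x31, _seq(_enc(0x06, b"\x55\x04\x03"), _enc(0x0C, cn.encode())))     # CN (2.5.4.3)
    c_atv = _enc(0x31, _seq(_enc(0x06, b"\x55\x04\x06"), _enc(0x13, country.encode())))  # C (2.5.4.6)
    rsa = _seq(_int((1 << (bits - 1)) | 1), _int(65537))        # RSAPublicKey {n, e}; n is a placeholder
    rsa_alg = _seq(_enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), _enc(0x05, b""))  # rsaEncryption
    spki = _seq(rsa_alg, _enc(0x03, b"\x00" + rsa))              # SubjectPublicKeyInfo
    info = _seq(_int(0), _seq(cn_atv, c_atv), spki, _enc(0xA0, b""))
    sig_alg = _seq(_enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _enc(0x05, b""))  # sha256WithRSA
    b64 = base64.b64encode(_seq(info, sig_alg, _enc(0x03, b"\x00" * 33))).decode()      # dummy signature
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"

def _children(buf):
    """Split concatenated DER TLVs into (tag, value) pairs (one level only)."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                     # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out
def _inner(buf): return _children(_children(buf)[0][1])  # children of the single outer TLV in buf

def inspect_csr(pem):
    """Return (common_name, rsa_bits) from a PEM CSR such as certreq's CSROutput.txt."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    (_, info), _, _ = _inner(der)                           # CertificationRequestInfo, sigAlg, signature
    _, (_, subject), (_, spki), *_ = _children(info)        # version, subject Name, SubjectPublicKeyInfo
    cn = next((v.decode() for _, rdn in _children(subject)  # each RDN is a SET of {OID, value} pairs
               for _, atv in _children(rdn) for (_, oid), (_, v) in [_children(atv)]
               if oid == b"\x55\x04\x03"), None)
    _, (_, pubkey) = _children(spki)                        # AlgorithmIdentifier, BIT STRING
    (_, modulus), _ = _inner(pubkey[1:])                    # skip unused-bits byte; RSAPublicKey {n, e}
    return cn, int.from_bytes(modulus, "big").bit_length()
```

To check a real request, pass the contents of CSROutput.txt to inspect_csr and compare the returned CN against the host name you intend to secure and the key size against the KeyLength you requested.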


George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

