Digital Certificates Explained

Digital Certificates Explained KB ID 0001846

Problem

From setting up PKI environments, to migrating them, and a myriad of errors and problems in between, we have a lot of content on PNL referring to digital certificates and PKI. I’ve dealt with these technologies a lot over the past 20+ years and I’m always surprised how frightened of digital certificates people are. So in the space of a few minutes I’ll try and give you a basic understanding of what PKI is, how that relates to Digital certificates, then finish off with a few certificate ‘Golden rules‘.

Solution : Digital Certificates Explained

You will see I use the terms PKI environment, and Certificate Services  and interchange those two things a lot, Certificate Services is the name of the Microsoft ‘Role” that provides Certificate Services. If you simply want to setup certificate services, then use the following link.

Microsoft PKI Planning and Deploying Certificate Services

Before you understand certificates, you need to have a basic understanding of Public Keys, and Private Keys, how this key pair is used, and what Asymmetric Cryptography is (bear with me the maths might be mind boggling, but the concept is simple).

Public Key

The public key is shared openly and is used to encrypt messages or data. It is associated with a user (or entity) and can be freely distributed to anyone. Its primary function is to ensure confidentiality by allowing others to encrypt messages that only the owner of the corresponding private key can decrypt.

Private Key

The private key is kept secret and is known only to the owner. It is used for decrypting messages or data that have been encrypted with the corresponding public key. The private key is crucial for ensuring the authenticity and integrity of the data because only the person with the private key can decrypt and access the information.

Digital Certificates Explained: How These Keys are Used for Encryption

Encryption

1. Sender obtains the recipient’s public key and uses the recipient’s public key to encrypt the message.
2. Encrypted message is sent to the recipient.

Decryption

3. The recipient, (who possesses the corresponding private key), can then decrypt the message.

The strength of the security lies in the complexity of the key pair. Asymmetric cryptography is based on mathematical principles, making it computationally infeasible for someone to calculate the private key even if they have the corresponding public key. This makes it a secure method for tasks such as secure communication, digital signatures, and online transactions.

Digital Certificates Explained: Use of Keys and Certificates

Public Key Infrastructure (PKI) is a framework that manages digital keys and certificates. it requires the following:

Key Pair Generation: The process begins with the generation of a key pair (the public and private keys) for a user or entity. As shown above the public key is shared openly, and the private key is kept secret.

Certificate Authority (CA):A Certificate Authority is a trusted third party (public) or you own (private) system for authenticating digital certificates. in a PKI system.
The user’s public key is combined with other information (such as identity details and time stamps,) and then signed by the CA to create a digital certificate.

Digital Certificates: A digital certificate is a data structure that binds a public key to an individual, device, or service. It includes the public key, and information about the entity, the digital signature of the CA, and other metadata. So the digital certificate serves as a way for others to verify the authenticity of the associated public key and ultimately the identity of the entity.

Certificate Lifecycle: Certificates have a defined lifecycle, including issuance, and expiration. Note: They can also be revoked before expiration for example if compromised, or if the associated private key is lost.

Usage in Secure Communication

When parties want to communicate securely, they exchange their digital certificates. So just like the example above, the sender encrypts data with the recipient’s public key, which they get from the certificate that the receiver has published publicly, ensuring only the recipient, with the corresponding private key, can decrypt it.
Note: Digital signatures, created using the sender’s private key, can also be attached to messages to ensure authenticity and integrity. The recipient can verify the signature using the sender’s public key.

Digital Certificates Explained: Golden Rules Of Certificates

You must trust the CA that issued (authorised) the Certificate.

Every certificate has a CA that issued/approved it you NEED TO TRUST that CA, there are several trusted Certification Authorities that are built into your computer, and these are updated regularly with normal updates. this is why if you self-sign a certificate or build your own CA – then you may need to manually get people to trust your CA before they will be trusted. Also Certificate Authorities are hierarchical (they can have parent CAs) these form a CHAIN, and you need to be able to see that chain and trust ALL the CAs in that chain, (all the way back to the Root CA).

 

Above on my (current) site certificate you can see it was issued by a CA called RapidSSL, and that CA was authorised by a Root CA called Digicert Global Root G2. This means my certificate was signed by an intermediate CA (sometimes called and Sub CA).

The Certificate needs to be In Date

Certificates a have a date they were issued and a date when they will expire, If you are not at a point in time between these two dates, then you will not trust the certificate. (Note: this can happen if the internal clock/date on YOUR machine is incorrect).

 

 

Note: A Certificate that is in date can also be revoked. This is done by the CA, which publishes a list of certificates that have been revoked, (that your computer can check.)

The Common Name (CN) and/or Subject Alternative Name (SAN)  needs to be correct.

In times gone by, the certificate CN had to be correct, but more modern browsers will require BOTH Common Name and Subject Alternative Name to be correct. these are fields in the certificate that hold the name of the entity for example mine is www.petenetlive.com (that is the Common Name) This is the address (or FQDN) that is typed into the browser window to get to the site that presents this certificate.

 

Note: That means if you are putting a certificate on ‘something‘ be that a website, or a device, the NAME needs to be both correct, and resolvable by the person (or entity) that you want to trust it, e.g. if the common name was www.petes-site.com and you needed to type in https://www.petenetlive.com to get there, it would not be trusted (even if both names resolved to the correct IP address!)

You need to trust the ‘Algorithm‘ that signed the certificate.

This is a more recent development, I mentioned above that there’s some very complicated maths going on, as time moves on the mathematics needs to get more complicated, as computers get more powerful to maintain security. So older methods of signing have been depreciated, if a certificate is using technology that’s been depreciated it will also not be trusted.

 

Here’s an example of what happens when the signature algorithm is not trusted.

ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Here’s an example of what happens if the CN or SAN values are wrong.

ERR_CERT_COMMON_NAME_INVALID

Related Articles, References, Credits, or External Links

NA

Using the VI Editor (For Windows Types)

KB ID 0001304 

Problem

I dont have a ginger ponytail, nor do I wear sandals, couple these two things together and you will understand why I find VI so confusing! Many times I’ve had to alter a config file on an appliance, or a Linux box, and sat frowning at VI wondering why I can’t change a one to a zero.

Note: Nano is easier, if possible try nano {filename} to save hassle. But on hardened appliances for example, it wont be there. 🙁

So, this article gives you enough information to open, edit, and save a file. If you want a massive tutorial on VI you are in the wrong place.

Solution

Not really part of VI but you need to know where the file is you want to edit, and the path to it;

[box]

For Example:

vi {filename}
vi {path}/{filename}

[/box]

You can ‘move around’ the file being edited with your arrow keys.

Deleting Text: Press the X key to delete the character that’s ‘under’ the cursor.

Selecting Text: Press (and hold) the V Key while using the arrow keys to select multiple text characters.

Note: From here you can CUT (press X), or COPY (press Y). To PASTE put the cursor where you want the text and press P.

Inserting Text: To actually type anything, you need to be in ‘insert‘ mode press I then type in your text.

Note: Some flavours of Linux give no indication you are in ‘insert‘ mode, (unlike the example below).

Saving and Exiting: you need to be in ‘command‘ mode to save and exit, to enter ‘command‘ mode press ESC. As above there may be no visual clue what mode you are in. To SAVE AND EXIT type :wq {Enter}. TO EXIT Type :q {Enter}. Basically q means quit and w means ‘write’ the changes.

Job done, now keep your Linux skills quiet or you may get your dinner money stolen, and not get a girlfriend.

Related Articles, References, Credits, or External Links

NA

Backing up a Remote Linux Machine With Windows (Using Rsync and Cygwin)

KB ID 0000892 

Problem

The goal here was for me to get a backup of my VPS server (Running CentOS 6). My background is primarily Windows based, so I wanted a solution where I can just run the backup from a Windows machine, (i.e. my my laptop) and let it connect, login and perform the backup.

What is Rsync? If you are familiar with Robocopy it’s similar, it can perform a backup/sync of data and encrypt that data while it’s passing over the network. In addition, once the initial sync has been done, the next time you run it, it only replicates the changes. This makes it ideal for backups.

What is Cygwin? Basically it’s a Linux ‘Shell’ that will run on a Windows machine.

Solution

 

Step 1: Install Cygwin on My Windows Client

1. Download Cygwin (URL is on the image below), and install on the machine that will be performing the backups. When prompted accept all the defaults to download form the internet > Accept the install directory C:cgywin64 > Install for All users > Set the local Package Directory to the Desktop > Internet = Direct Connection > Choose a Download site > Next.

2. When asked to select packages > Expand Net.

3. Select openssh and rsync to be installed.

4. Expand shells > Select bash to be installed. > Complete the installation.

Step 2: Generate SSH Keys in Cygwin

5. Launch Cygwin and generate some SSH Keys.

[box]

ssh-keygen -t rsa -b 2048

KEEP PRESSING ENTER TO ACCEPT THE DEFAULTS, AND HAVE A BLANK PASSPHRASE

[/box]

Step:3 Create a User (On the Remote Linux Host) to Perform Backups

6. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.

[box]

useradd {username} -s /bin/bash
passwd {username}
ENTER AND CONFIRM THE PASSWORD 

[/box]

7. To ensure your user has the correct folders in their home folder the easiest way is generate a pair of keys on the remote Linux machine (the same as you did before).

[box]

ssh-keygen -t rsa -b 2048

[/box]

Step 4: Copy the Public SSH Key from the Windows Machine to the Linux Machine

8. Above, Cygwin told us the keys are in /home/{username}/.ssh > Go to that directory and make sure they are there > Make a copy of the id_rsa.pub key > Call the copy authorized_keys > Copy that key to the correct folder on the remote Linux machine (via SCP).

[box]

cd /home/{username}/.ssh <<Note This is the username on the Cygwin machine)
ls
CHECK id_rsa.pub IS LISTED
cp id_rsa.pub authorized_keys
ls
CHECK authorized_keys IS LISTED
scp
authorized_keys {username}@{Linux Machine's name/IP}:/home/{username}/.ssh

Note The username (above) is the username on the Linux Machine

[/box]

9. Now check we can login to the remote Linux machine, from the Windows machine (without having to provide a password for the user we created). Note: Sometimes you need to do this twice before it will work.

[box]

ssh {username}@{Linux Machine's name/IP}

[/box]

If successful, your prompt should change to that of the remote Linux machine.

10. To return to Cygwin, simply type exit.

Step 5: On the Windows Machine Create a Backup Job

11. On the Windows machine create a folder that will hold the backup files (create it in the C:cygwin64 folder).

12. Lets test our backup to that folder. (Note: This does not back any data up it just performs a ‘dry run’).

[box]

rsync -avzun {username}@{Linux Machine's name/IP}:/ /VPS-Backup

[/box]

Note: Above I’ve chosen the root ‘/’ directory, you may just want to select specific folders to backup e.g.

  • /var/www/ The Default location for Apache’s Website Files.
  • /var/lib/mysql The Default location for MySQL Databases.

Warning: Folder locations may differ depending on the server and how it was setup.

13. Tailor the following, and save it on the Windows machine, in the C:cyqwinbin directory as Remote-Server-Backup.sh

[box]

# Remote-Server-Backup.sh
#
#
# rsync tool to download server data
# from [Remote Linux Server name] to [Windows Backup Machine]
#
#
# download only those files on [Remote Linux Server name] in
#
[server directory]
# Only files that are newer than what is already on the
#
[Windows Backup Machine Directory]
#
# Syntax
#
# rsync -avzu [user name]@[Remote Linux Server name]:
#[server directory] [Windows Backup Machine Directory]
# Windows Shortcut Target Should be
#C:cygwin64binbash.exe --login -i '/bin/Remote-Server-Backup.sh'

rsync -avzu {username}@{Linux Machine's name/IP}:/ /VPS-Backup

[/box]

14. On the Windows machine create a new shortcut.

15. Browse to, and select c:cygwinbinbash.exe

16. Give it a sensible name > Finish

17. Open the properties of the shortcut and change the Target: to;

[box]

C:cygwin64binbash.exe --login -i '/bin/Remote-Server-Backup.sh'

[/box]

Note: You may also want to change the icon to the Cygwin one at C:cygwin64Cygwin.ico

18. Run the shortcut to perform the backup.

You could (if you wanted), use the Window scheduler to schedule this for you, but I prefer to do it myself.

Related Articles, References, Credits, or External Links

NA

Cisco VPN Client Install Error 28000

KB ID 0000945 

Problem

Seen when attempting to install or remove the Cisco VPN client software.

Error 28000: Before installing the Cisco Systems VPN Clients {version}, you must uninstall the previous version of Cisco Systems VPN Client {version}, using the Add/Remove Program Files option in the Control Panel. Then restart your system.

Solution

1. Firstly Windows Key +R > appwiz.cpl {Enter} > Locate and remove the VPN Client. Though sometimes you will not find it.

2. Locate ‘VPN Client’ Folder in program files > Locate the vpnclient.ini file and open it with Notepad, add the following two lines;

[box]

Remove Previous = 1
DelayRebot = 1

[/box]

Save the file.

3. Run the VPN Client software setup file with a ‘/quiet’ switch on it (as below). it will look like nothing is happening, go and have a coffee, then reboot and try to reinstall.

Manually Remove Cisco VPN Client

This is a little extreme, but if you have no other choice!

4. Windows Key +R > regedit {Enter} > Navigate to;

[box]

HKEY_LOCAL_MACHINE > SOFTWARE > Cisco Systems

[/box]

Delete the VPN Client Key.

5. Navigate to;

[box]

HKEY_LOCAL_MACHINE > SOFTWARE > DeterministicNetworks

[/box]

Delete the ALL the sub-keys (in the example below, there are two).

6. Navigate to;

[box]

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Uninstall

[/box]

Delete the ANY keys that match;

  • {1CE60928-8325-49A8-8B06-633E48DD2B67}
  • {51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}
  • {5624C000-B109-11D4-9DB4-00E0290fCAC5}

7. Navigate to;

[box]

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services

[/box]

Delete ANY keys that match;

  • CVirtA
  • CVPND
  • CVPNDRVA

8. Drill all the way back to the top of the registry (i.e. select Computer) > F3 (to launch ‘Find’) > Locate and delete all instances of the following;

  • Vpngui
  • Vpnapi
  • CVPND
  • CVPNDRA
  • Ipsecdialer

9. Windows Key +R > services.msc {Enter} > Locate and stop the Cisco systems, Inc VPN Service.

10. Delete the ‘C:Program FilesCisco SystemsVPN Client’ folder.

11. Delete the ‘C:Program FilesCommon FilesDeterministic Networks’ folder.

12. Delete the following files;

  • From %SystemRoot%system32drivers delete dne2000.sys (if it exists).
  • From %SystemRoot%inf delete dne2000m.inf and dne2000m.pnf (if they exist).
  • From %SystemRoot%system32 delete dneinobj.dl (if it exists).
  • From %SystemRoot%system32drivers delete cvpndrv.sys (if it exists).

 

Related Articles, References, Credits, or External Links

NA