Sometimes you need an SSL cert, but you don’t have a request generator. This works very well:
Category: Certificates
Certificate Signing Request (CSR) Generator
article #1580, updated 467 days ago
Let's Encrypt Certificates for IIS
article #1257, updated 1001 days ago
Just grab the latest code here:
https://github.com/PKISharp/win-acme/releases/latest
unpack it into a folder you will keep (I used “E:\Let’s Encrypt”), and run letsencrypt.exe in the folder. The multi-site (SAN) mode works only if IIS is set up in certain ways; but the manual mode for a single site is simple and easy, and it sets up a scheduled task in Windows for the needed automatic updates.
Also recently discovered this, have not tested yet but it can come by Chocolatey, which means automatic updates are easy:
To manually enable TLS 1.2
article #1487, updated 1021 days ago
From the excellent Brigg Bush. Do all of these in Powershell:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' –PropertyType 'DWORD' New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD' New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' –PropertyType 'DWORD' New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'
When Software or Drivers Won't Install in Windows - Replace All Internal OS Certificates
article #1382, updated 1795 days ago
Sometimes, when software won’t install, especially something like ShadowProtect SPX which includes a driver, it is because of corruption of one or more internal Windows certificates. A method recommended to some extent in a few Microsoft resources:
certutil.exe -generateSSTFromWU roots.sst Import-Certificate -FilePath .\roots.sst -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose
This does not always work. The only thorough method currently known to this writer, is to download this:
http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip
which contains a binary called “rootsupd.exe”. It will unpack itself if one runs it in administrative CMD, with syntax like this:
rootsupd.exe /c /t:C:\rootsupd
It will create the folder C:\rootsupd. Then go into C:\rootsupd, and do these (administrative CMD, not Powershell for some reason!):
updroots.exe authroots.sst updroots.exe -d delroots.sst updroots.exe roots.sst updroots.exe updroots.sst
rootsupd.exe was, according to Google, available by download from Microsoft, but is not at this writing.
One does not have to reboot the system after doing the above, so far it just works.
RWW failure due to certificate issue
article #1167, updated 2638 days ago
Remote Web Workplace. Certificates are verified AOK, and yet at the point of RDP, you receive a popup reading “Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server. Contact your network administrator for assistance.”
To fix this, you’ll need the Remote Desktop Gateway Manager. If you have it, it’s in Start, Administrative Tools, Remote Desktop Services. If you don’t have it, install it:
dism /online /Enable-Feature:Gateway-UI
Then:
- Open the RDGM.
- Right-click the server object, open properties.
- Open the SSL Certificate tab.
- Click Import Certificate.
- Choose the correct certificate — it’s the Exchange list, if this is SBS — and click OK.
A tool to retrieve, examine, and test SSL certs in servers
article #1085, updated 2831 days ago
From the excellent Matt Quick:
http://www.netscantools.com/ssl-certificate-scanner-standalone.html
Replace self-signed Exchange certificate
article #740, updated 3890 days ago
Here’s how to replace a self-signed Exchange certificate in the Exchange Shell.
First get the list with details:
Get-ExchangeCertificate | fl
You’ll see all of the certs, with expiration dates (“NotAfter”) and thumbprints. For each one that you need to replace, do this:
Get-ExchangeCertificate -thumbprint <thumbprintcontents> | New-ExchangeCertificate
Then say Yes.
Self-signed certificate wizard in SBS 2008
article #596, updated 4277 days ago
Rather helpful:
http://titlerequired.com/2011/12/07/quick-fix-sbs-2008-sites-self-signed-certificate-expired/
Import Certificate for SBS 2011 Remote Access
article #495, updated 4536 days ago
First copy the cert from the server to a file. Log into the server as administrator, and in CMD:
certutil -ca.cert ca_name.cer
Then copy ca_name.cer onto the desktop of the client PC, double-click on it, click “Install Certificate…” on the General tab, click “Place all certificates in the following store”, click “Browse…”, click “Trusted Root Certification Authorities, and click OK. Click Next and Finish.
Outlook and SBS Certificate Issues
article #323, updated 5072 days ago
Several certificate issues involving Outlook 2007/2010 and SBS 2008/2011 are covered here: