How to start your own certificate authority in seconds!

Do you fall into any of the following groups? You’re a:

  • Webmaster with a few internal websites that you’d like to protect with SSL but don’t want to pay anything?
  • Sysadmin with a few internal servers, you’re sick of certificate warnings and want a quick fix?
  • [Web] developer needing to test application compatibility with HTTPS and sick of self-signed certificate warnings?
  • Security penetration tester wanting to audit a platform in a test environment over HTTPS, but no one wants to pay money because “it’s only test”.
  • Quality assurance tester needing to test an application with HTTPS but your script breaks because of self-signed certificate warnings?

The best solution is to implement your own PKI or “public key infrastructure” which good ol’ Wikipedia tells us is a “set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.” The problem with that is it’s outrageously over the top.

Solution

Take a deep breath, count to 10… then go to this website (https://www.tinycert.org/).

In literally seconds you can implement your own certificate authority (CA). For the novices: the certificate authority (CA) is much like that best friend you have who knows everyone. If they trust someone, it’s very reasonable you can trust them too. It allows websites to say “I’m trusted by your friend, so it’s safe for you to trust me” – this is when the little green lock appears. With your own CA, you decide what is trusted and who new certificates are created for.

Life members out there will respond with “you’ve always been able to do that with OpenSSL on the command line” – and they would be correct.

But here are 11 advantages of using TinyCert over traditional options:

  1. It literally takes seconds to implement (minutes if you’re a slow typer)
  2. No technical background is required to create the CA and start issuing your own certificates
  3. You don’t need to write a script or use the command line
  4. TinyCert.org is nice and easy to remember
  5. Share the logins among colleagues for self-service certificate creation
  6. You’ll get automatic renewal emails
  7. It’s not associated with Active Directory or any of the complexity surrounding it
  8. It’s perfect for non-production platform testing
  9. No domain name, company or staff verification, no paper-work, no IT department necessary
  10. Issue certificates by a name you choose (Acme Pty. Ltd.) and for common names you need (test.acme.net)
  11. The elegance is in the simplicity.

What’s the Catch?

No catch. And it’s 100% free.

Obviously you need to do a small amount of work to add your newly created CA into the “trusted certificate authority store” on computers you’re testing on.

Detailed help on the TinyCert website describes how to add your new certificates to Apache, nginx and IIS web servers, as well as how to add your CA to your computer’s certificate store. If you need any more help for your operating system or browser, Google is your friend as always.
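What importing the CA into a trust store changes, as an added example that is not from the original post or from TinyCert: it builds a throwaway CA with the OpenSSL command line mentioned earlier, issues a certificate for test.acme.net, and verifies it once as a client that trusts the CA and once as a client that does not. The CA name, file names, key sizes and lifetimes are assumptions; it needs the `openssl` CLI, 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Added example: private CA -> leaf certificate -> client-side verification.
# All names are constructed; key sizes and lifetimes are illustrative.
set -eu

make_ca() {   # $1 = work dir; writes ca.key (keep private) and ca.crt (distribute)
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Acme Pty. Ltd.
CN = Acme Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {   # $1 = work dir, $2 = DNS name; writes leaf.key and leaf.crt
  # Browsers match the subjectAltName, not the CN, so the name must be in the SAN.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/leaf.ext" \
    -out "$1/leaf.crt" 2>/dev/null
}

verify_leaf() {  # $1 = work dir, $2 = hostname, $3 = trusted | untrusted
  if [ "$3" = trusted ]; then   # client that has imported ca.crt
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
  else                          # client that has not imported ca.crt
    openssl verify -no-CAfile -no-CApath -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
make_ca "$work"
issue_leaf "$work" test.acme.net
for mode in trusted untrusted; do
  if verify_leaf "$work" test.acme.net "$mode"; then r=accepted; else r=rejected; fi
  echo "client ($mode CA store): $r"
done
```

Only `ca.crt` goes onto test machines; anyone holding `ca.key` can mint certificates those machines will accept for any name.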

Why are you mentioning this?

Because all users of technology have wrongly become accustomed to sending sensitive information across networks in plain text for too long and for no good reason. The public internet has long been a dangerous place, but one we still send our kids out to play in.

Any project that assists in improving application compatibility with secure protocols like HTTPS, aids in making applications over SSL the norm, and makes security easier to utilise and access deserves a massive thumbs up from me!

Credit where credit is due

If you’re as pleased with their amazingly simple service as I am, buy them a cup of coffee as I did to show how much their hard work is appreciated. Maybe even two coffees… just a suggestion…. (Go on, you’d lose the $4.80 to the lounge cushion gods anyway, waste not want not).


Import/Export SQL Azure Database in Australia

It is common knowledge now that Microsoft has released Azure services in Australia to both Sydney and Melbourne. Microsoft’s documentation however is still coming up to speed even months after the announcement.

One such case is the Export Database and Import Database REST API guides, which list API endpoints by region. If you need to import/export SQL Azure databases in Australia East or Australia Southeast to/from blob storage, though, this document will leave you hanging.

I have however been able to confirm that the baseUri values for Australia East and Australia Southeast are as follows.

  • Australia East – https://aueprod-dacsvc.azure.com/dacwebservice.svc
  • Australia Southeast – https://auseprod-dacsvc.azure.com/dacwebservice.svc

I hope this helps a few people out. This info can greatly help improve automation in Azure.


Restoring broken Windows 2012 R2 Hyper-V directory permissions

A few weeks ago I made the terrible mistake of losing track of where I was up to in my notes and skipping ahead a little before getting back on track. The timestamp on the email prompt I left myself to blog about this was 10:17 PM; I recall I was still in the office and tired.

You know how when you add a new disk or partition to Windows, Windows will automatically give excessively high permissions to read and write new content to a fresh disk? One of the first tasks I usually do is wipe these via Advanced Permissions leaving only:

  • Administrators with Full Control
  • SYSTEM with Full Control
  • That’s it!

On an empty disk, I force inheritance on child objects which affects a few system locations only. This goes a long way in hardening the disk from attack in the future after sensitive data has been added.

Recently, I made the stupid mistake of doing the above on a Windows Server 2012 R2 Hyper-V host with VMs running on it. The permission structure of the “vms” directory is quite vast and unique to the virtual machines. Without spending hours (that I didn’t have) on research trying to understand how the giant jigsaw puzzle of explicit permissions was applied, I was in a spot of trouble.

The purpose of this post is to shout out to Mike J McGuire and an elegantly explained blog post he has written on recovering lost Hyper-V permissions. Not only was it well explained, he provided scripts to dynamically generate the permissions required for my problem server. Credit where credit is due Mike, well done on a fantastic post and thank you for your help!

A link to Mike’s post can be found below:

Restoring All Lost Hyper-V Permissions. Wipe Them Out… All Of Them.
