Month: December 2017

Troubleshooting: SSL with Qualys SSL Labs – SSL Checker

There are many SSL checkers available for checking the validity and installation of a website's SSL certificate. They vary in the information they display and each has limitations, since a checker only tests what it was programmed to test. Aside from using an SSL checker tool there is always the manual way of using your browser to check for a proper installation.

If you would like to learn how to check using a browser, SSLSupportDesk has such an article: Troubleshooting: Checking SSL installation with a browser.

Some SSL checkers are extremely advanced and will not only check the validity of an SSL certificate, but can also point out flaws in a server's configuration or software.

Qualys SSL Labs has an SSL Server Test (SSL Checker) tool that is well executed and implemented.

Please follow these steps to test your installation:

  1. Access the Qualys SSL Labs Server Test checker, click here
  2. Enter the URL/Domain name of the server that you wish to check & click Submit


Troubleshooting Unresolved https address:

SSL checkers only work if your website is reachable from the public internet. If your website is internal, you will most likely get no results at all.

Example: we submitted a domain name that does not exist on the public internet; instead of a report, the test stops with an error that it cannot resolve the name.


How to read Qualys SSL Server Test Checker:

Using sslsupportdesk.com, which is accessible from the open internet, let's see how the Qualys SSL Server Test works.

With a successful installation the report shows a graded summary of the server's configuration, broken down as follows:

Summary:

  1. Overall Rating: A letter grade for the server running the submitted domain name, combining the four categories below: Certificate, Protocol Support, Key Exchange and Cipher Strength.
  2. Certificate: Problems that lower this score include…
    1. Domain name mismatch (the certificate does not cover the host name being visited).
    2. Certificate not yet valid.
    3. Certificate expired.
    4. Use of a self-signed certificate.
    5. Use of a certificate that is not trusted (issued by a CA the client does not have in its trust store, often because an intermediate certificate is missing from the chain).
    6. Use of a revoked certificate.
  3. Protocol Support: The SSL/TLS protocol versions the server will negotiate with visiting clients.
  4. Key Exchange: How the client and server agree on the session key (for example RSA or ephemeral Diffie-Hellman) and the strength of the keys used for it. The server's private key never leaves the server; only public values are exchanged.
  5. Cipher Strength: The symmetric ciphers that encrypt the session data once the key exchange is done, scored on algorithm and key length. Some are considered weak, others strong.

Troubleshooting:

Any warnings or concerns the Qualys SSL Server Test finds are listed below the Summary and colour-coded:

Red = Very bad
Yellow = Advisories or industry changes that may turn into red over time.

More information on each of the checker's findings can usually be found by clicking MORE INFO.

Note: You may need to contact your server hosting provider or server vendor in order to perform updates, how to turn off certain protocols, or set the proper configurations needed for a good rating.


Authentication:

Server Key and Certificate #1: Details of the SSL certificate the server presents for HTTPS: subject, issuer, validity dates, key size and signature algorithm.
Additional Certificates (If Supplied): Any other certificates the server sends along with its own. Usually these are intermediate CA certificates.
Certification Paths: Shows the entire chain of trust, usually SSL certificate > Intermediate > Root.

Note: The last certificate in a path is the root. At times a yellow "Sent by server" may appear on the root. This only means that the server includes the root certificate in the chain it sends during the handshake. The client must already hold that root in its own trust store for the chain to be trusted, so sending it is unnecessary and adds to the size of every handshake, but it does not cause a failure. Some server software does this by default, so don't be alarmed, although proper practice is to send only the server certificate and its intermediates.


Configuration:

Protocols: The SSL/TLS protocol versions the server will negotiate with visiting clients.
Cipher Suites: The combinations of key exchange, authentication, bulk encryption and integrity algorithms the server offers, in the server's order of preference, for protecting the session.
Handshake Simulation: Simulates a handshake from each of a list of browsers and other clients and shows which protocol and cipher suite each would end up with, or whether it would fail to connect at all.
Off Note: A modern browser offers the strongest protocols and cipher suites it supports, but the connection actually negotiated is limited to what the server allows. A server that enables only weak options forces even the newest browser to use them, or to fail, so the server configuration decides the outcome.
Protocol Details: More information on how the server handles protocol features such as renegotiation, compression and session resumption.
Miscellaneous: The server software, when the test was run, and similar details.
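As an added illustration, not part of the original article and not Qualys' code, the Python script below reproduces the two kinds of check described above using only the standard library: a browser-style verification of the certificate, with failures sorted into the same six Certificate categories the report uses, and a per-version probe of which protocols the server will negotiate, graded red/yellow in the report's style. The mapping from OpenSSL error wording to categories, the grading rules and the host names in the usage section are assumptions made here.

```python
import socket
import ssl

# SSL Labs "Certificate" findings, keyed by substrings of the verification error
# text that Python's ssl module passes through from OpenSSL. The substrings are
# assumptions based on OpenSSL 1.1.x/3.x wording.
_VERIFY_REASONS = [
    ("hostname mismatch", "Domain name mismatch"),
    ("doesn't match", "Domain name mismatch"),
    ("not yet valid", "Certificate not yet valid"),
    ("has expired", "Certificate expired"),
    ("self signed certificate", "Use of a self-signed certificate"),
    ("self-signed certificate", "Use of a self-signed certificate"),
    ("unable to get local issuer", "Use of a certificate that is not trusted"),
    ("unable to get issuer", "Use of a certificate that is not trusted"),
    ("certificate revoked", "Use of a revoked certificate"),
]

_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def classify_verify_error(message):
    """Map a certificate verification failure to the SSL Labs category it falls under."""
    lowered = message.lower()
    for needle, category in _VERIFY_REASONS:
        if needle in lowered:
            return category
    return "Other verification failure: " + message


def check_certificate(host, port=443, timeout=5.0):
    """Verify chain and hostname the way a browser does, against the local trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "not_after": cert["notAfter"],
                    "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "problem": classify_verify_error(str(exc))}
    except OSError as exc:  # unresolvable name, refused connection, timeout
        return {"ok": False, "problem": "could not connect: " + str(exc)}


def probe_protocols(host, port=443, timeout=5.0):
    """Pin the client to exactly one TLS version at a time and see if the server negotiates it.

    Verification is switched off on purpose: the question here is only which
    protocols the server offers, not whether its certificate is valid.
    """
    supported = {}
    for name, version in _VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    supported[name] = True
        except (ssl.SSLError, OSError, ValueError):
            # Either the server refused the version, or the local OpenSSL build
            # will not speak it (common for TLS 1.0/1.1 on recent systems).
            supported[name] = False
    return supported


def protocol_advisories(supported):
    """Turn a protocol map into red/yellow findings in the style of the SSL Labs report."""
    if not (supported.get("TLS 1.2") or supported.get("TLS 1.3")):
        return [("red", "neither TLS 1.2 nor TLS 1.3 could be negotiated")]
    findings = []
    for old in ("TLS 1.0", "TLS 1.1"):
        if supported.get(old):
            findings.append(("yellow", old + " negotiated: deprecated by RFC 8996, disable it"))
    if not supported.get("TLS 1.3"):
        findings.append(("yellow", "TLS 1.3 not offered"))
    return findings


if __name__ == "__main__":
    for host in ("sslsupportdesk.com", "expired.badssl.com", "wrong.host.badssl.com"):
        print(host, check_certificate(host))
    protocols = probe_protocols("sslsupportdesk.com")
    print(protocols, protocol_advisories(protocols))
```

Two things to keep in mind when comparing this with the Qualys report: the probe runs from your own machine, so a False for TLS 1.0 or 1.1 can also mean your local OpenSSL refuses those versions, whereas SSL Labs tests from its own servers with its own TLS stack; and an unresolvable host name, the "Unresolved https address" case above, comes back as a connection problem rather than a report, just as it does in the checker.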


The Qualys SSL Labs Server Test is operated and managed by Qualys. It is one of many SSL checkers publicly available on the internet that can help you diagnose problems with your SSL certificate installation or other errors associated with your server.



About SSLSupportDesk:

SSLSupportDesk is part of Acmetek, a Symantec Website Security Solutions Authorized Distributor and Platinum Partner. Acmetek offers all four brands of SSL certificates: Symantec, Thawte, GeoTrust and RapidSSL. It also offers the Norton Shopping Guarantee, which inspires trust and increases online sales with a 20x ROI guarantee.

Contact an SSL Specialist to buy your SSL Certificates from Acmetek, a Symantec Strategic/Platinum Distributor.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

Encryption Standards Require Replacing SHA1 With SHA2 Certificates

What is SHA1 and why is it being deprecated?

Security always needs to be a proactive campaign. Not keeping up with the progress of technology leaves gaps that leave businesses open to attack.

SHA-1 is a cryptographic hash algorithm. In an SSL certificate it is the digest the Certificate Authority signs when it issues the certificate, and what a browser recomputes to check that the certificate has not been altered. It does not create the key pair itself: the server's public and private keys are generated separately and are unaffected by the hash chosen. SHA-1 replaced MD5, and SHA-2 (in practice SHA-256) now replaces SHA-1.

The CA/Browser Forum is the body in which the leading web browsers and certificate authorities (CAs) work together to stay proactive on security, publishing the Baseline Requirements for SSL that set the security standards for the web industry. These Requirements direct all CAs to transition away from SHA-1 as soon as possible and to stop issuing public-facing SHA-1 certificates. The reason is that advances in computing power have moved collision attacks against SHA-1 from theoretical to practical, which undermines the guarantee that a signed certificate cannot be forged.

Browsers like Internet Explorer, Firefox and Chrome enforce these standards by showing errors for sites that do not meet them. According to Google's "Gradually Sunsetting SHA-1", Chrome version 39 and later displays visual security indicators on sites with SHA-1 SSL certificates whose validity extends beyond January 1, 2016.
In short:
Most browsers will not trust certificates that use SHA-1 after 12/31/2016.

If you do not want to get an error on your website you will have to replace that old SHA1 certificate with a newer SHA2.

 

How to Replace your old SHA1 certificate with SHA2?

To do list:

  1. Identify certificates that have a SHA-1 signature algorithm. Since the standard is already in effect you will usually know from the Chrome errors on a public website, but check every certificate you manage, including those on internal systems and the intermediate certificates in your chain, which are signed too.
  2. Contact your Certificate Authority for procedures in replacing any SHA-1 certificates with the SHA-2 certificates.
    Note: If your SSL certificate was issued through Acmetek Click HERE.
  3. Install your new SHA2 SSL Certificate to your server.
  4. Test your SSL installation by using an SSL Checker.
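For step 1, here is an added Python example, not from the original post or any vendor, that reads the signature algorithm straight out of a certificate's DER encoding, so SHA-1 signatures can be found on internal systems as well as on public sites. The two sample DER blobs are constructed test inputs, not real certificates, and fetch_leaf_der is a helper name chosen here; it needs network access.

```python
import ssl

# Signature-algorithm OIDs seen on public TLS certificates.
_SIG_ALG = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
_DEPRECATED = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

# Constructed test inputs, not real certificates: an empty tbsCertificate, an
# AlgorithmIdentifier for sha256WithRSA / sha1WithRSA, and a one-byte signature.
SAMPLE_SHA256_DER = bytes.fromhex("30153000300d06092a864886f70d01010b0500030200ff")
SAMPLE_SHA1_DER = bytes.fromhex("30153000300d06092a864886f70d0101050500030200ff")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OID contents to dotted notation (base-128 arcs; first byte packs two)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) of the algorithm the CA used to sign a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
    so the algorithm is the second element of the outer SEQUENCE.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    return oid, _SIG_ALG.get(oid, "unknown (" + oid + ")")


def needs_sha2_replacement(der):
    """True when the certificate is signed with SHA-1 (or the even older MD5)."""
    return signature_algorithm(der)[1] in _DEPRECATED


def fetch_leaf_der(host, port=443):
    """Fetch the leaf certificate a live server presents, as DER bytes (network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    for label, der in (("sample sha256", SAMPLE_SHA256_DER), ("sample sha1", SAMPLE_SHA1_DER)):
        print(label, signature_algorithm(der), "replace:", needs_sha2_replacement(der))
    live = fetch_leaf_der("sslsupportdesk.com")
    print("sslsupportdesk.com", signature_algorithm(live), "replace:", needs_sha2_replacement(live))
```

Note that fetch_leaf_der returns only the server's own certificate. Intermediates in the chain carry their own signatures and must be checked too (the Certification Paths section of the SSL Labs report lists them), while the root's self-signature can stay SHA-1: a root is trusted because it sits in the client's trust store, not because of its signature.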

These standards are always changing, especially with how fast new technologies arrive. SSL certificates are one of the ways industry standards are enforced to make a more secure internet for everyone.


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek, a trusted advisor on security solutions and services. Acmetek provides comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDoS protection, WAF and Malware Removal. If you are looking for security, look no further: Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

Acmetek’s Platinum Partnerships With Symantec & Thawte Brings You A Free SAN With Purchase of Your SSL

Acmetek's Platinum Partnership with the world's leading Certificate Authorities (CAs), Symantec and Thawte, brings Acmetek clients a free domain SAN with the enrollment of an SSL/TLS Certificate.

 

This means your website will work whether your visitors type the www form or the bare domain. No more forwarding of website traffic or paying extra for an additional Subject Alternative Name (SAN), something that should come by default. Many CAs the world over do not provide this, which is a technical headache for web developers and network administrators. Acmetek can provide you with a simpler solution.

Here is how it works:

  1. When enrolling for a standard Symantec or Thawte SSL product with a Certificate Signing Request (CSR) Common Name of www.domain.com (example) Symantec/Thawte will automatically add the base domain of domain.com as a free SAN to the certificate.
  2. If the Common Name of the CSR has only domain.com then Symantec/Thawte will automatically add www to the Certificate.
  3. For Wildcard Certificates products, when your CSR has the Required Common Name of *.domain.com, Symantec/Thawte will add the base domain of domain.com as a free SAN.
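To show concretely why the base-domain SAN matters, here is an added Python example, not Acmetek's or the CAs' code, implementing the host-name matching rule browsers apply to a certificate's Subject Alternative Names, including the wildcard rule that makes *.domain.com fail to cover domain.com. The domain names are placeholders and the SAN lists are constructed to mirror the three enrollment cases above.

```python
def san_matches(pattern, hostname):
    """Does one dNSName SAN entry cover hostname?

    Wildcard handling follows the rule browsers apply: '*' must be the entire
    leftmost label, at least two labels must follow it, and it matches exactly
    one label, so '*.domain.com' covers 'www.domain.com' but not 'domain.com'
    or 'a.b.domain.com'. Partial wildcards such as 'w*.domain.com' are refused
    here (a conservative choice; browsers differ).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    h_labels = hostname.split(".")
    return bool(h_labels[0]) and len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_names(sans, base_domain):
    """Report whether a SAN list covers both the bare domain and its www form."""
    return {name: any(san_matches(san, name) for san in sans)
            for name in (base_domain, "www." + base_domain)}


def dns_sans_from_peercert(cert):
    """Extract dNSName entries from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # The three enrollment cases from the list above, as the SAN lists the CA would produce.
    for sans in (["www.domain.com", "domain.com"],
                 ["domain.com", "www.domain.com"],
                 ["*.domain.com", "domain.com"]):
        print(sans, covered_names(sans, "domain.com"))
    # What a wildcard certificate covers without the free base-domain SAN:
    print(["*.domain.com"], covered_names(["*.domain.com"], "domain.com"))
```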

Products benefiting from free SAN from this change:

Symantec                   Thawte
Secure Site Pro with EV    SSL Web Server with EV
Secure Site with EV        SGC SuperCerts
Secure Site Pro            SSL Web Server Wildcard
Secure Site Wildcard       SSL Web Server
Secure Site                SSL123

SSL/TLS certificates are the first step in maintaining a secure website or network for your business. Symantec products in particular come with the right tools to give you an overall security solution. Read more about Symantec and Thawte website security solutions on our site!

Symantec

Thawte

Acmetek always brings the best security solutions to fit our clients' needs. Our partnerships and tools are dedicated to providing easy solutions in website security.


Lead Engineer: Dominic Rafael
dsrafael@acmetek.com

Symantec Says Enough is Enough!

First, the key point is that certificates today require no action: there is no security issue and no issue with issuance! Google's unilateral changes to the Chrome browser do not require any immediate action. Enough is enough.

On behalf of Symantec, we want you to note that Symantec is proud to be one of the world’s leading certificate authorities. Symantec strongly objects to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was certainly unexpected, and Symantec believes the blog post was irresponsible! Symantec hopes that this was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

Google's statements about Symantec's issuance practices and the scope of Symantec's past mis-issuances are exaggerated and misleading. For example:

  • Google's claim that Symantec has mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates, not 30,000, were identified as mis-issued, and they resulted in no consumer harm as they were for test purposes.
  • While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has recently singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google's blog post involved several CAs.

Symantec has taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.

Symantec operates our CA in accordance with industry standards and maintains extensive controls over our SSL/TLS certificate issuance processes and Symantec works to continually strengthen their CA practices. Symantec has substantially invested in, and remain committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Symantec’s most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

Note that Symantec wants to reassure their customers and all consumers that they can continue to trust Symantec SSL/TLS certificates.

Symantec will continue to vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post. Symantec is currently open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.

“We suggest and strongly recommend that you continue as normal with your procurement of Symantec SSL Certificates as we are working to clarify Google’s statement. You can expect an update soon once we assess if changes are necessary.”

– Lead Engineer – Encryption , Acmetek Global Solutions, Kevin S Naidoo

CA/Browser Forum Passes Ballot 193 – 825 day Certificate Lifetimes

The Certificate Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of Certificate Authorities such as Symantec, DigiCert and Comodo, and browser and operating system makers such as Apple, Mozilla and Microsoft, that together set the rules for publicly trusted certificates on the internet. The CA/Browser Forum's purpose is to be proactive and keep the internet secure for users and businesses all over the world.

The CA/Browser Forum recently passed Ballot 193, which affects all Certificate Authorities and everyone who manages SSL/TLS certificates. It took effect almost immediately (April 22, 2017).

  • Effective April 22, 2017
    Reduces the length of time that authentication information can be reused to validate subsequent certificates from 39 months (3 years 2 months) to 825 days (about 27 months). New, renewal and replacement certificates are all subject to this change. This seems abrupt and might be adjusted to give CAs time to prepare for the new standard, but it should not affect the majority of clients while the transition takes place.
  • Effective March 1, 2018
    Decreases the maximum validity period of an SSL/TLS certificate to 825 days (about 27 months). There will be no more three-year option: no certificate issued after this date can have a validity longer than 825 days.

Things to know:

Authentication:

  • Existing certificates:
    • Are not affected. The authentication work is already complete and no action is necessary.
  • Reissue (replacement) of your SSL Certificate:
    • DV (Domain Validated certificates) –
      DV certificate reissues for products such as QuickSSL or RapidSSL already undergo domain validation, so there is no impact on DV reissues. For 3 year certificates reissued after March 1, 2018, see the Technical note below.
    • OV (Organization Validation) –
      Some OV reissues for products like True ID or Secure Site may not issue instantly if the authenticated data used to approve the original certificate is older than 825 days or is otherwise no longer valid. In some cases reissues will undergo authentication again, though many will continue to be issued instantly. Typically it is 3 year certificates that may be affected by this revalidation and not be reissued automatically.
    • EV (Extended Validation) –
      EV reissues are not impacted, since EV certificates are already limited to 825 days (about 2 years) of validity.
  • Renewal certificates:
    • Certificate renewal will continue to leverage existing authentication and automation whenever possible, and in many cases will be quickly approved.
    • With the shorter validity of authentication data (825 days), renewals will require more frequent authentication.
    • With the shorter validity period, network admins will have to visit their servers and networks more frequently for CSR generation and SSL installation.

Technical:

  • Reissues/Replacements:
    • Since a certificate issued after March 1, 2018 can only have an 825 day (27 month) lifespan, a reissue needed for whatever reason after that date may have time removed from the certificate.
      Example: If an admin gets a new or renewed 3 year certificate on February 28th, 2018 and then needs to perform a reissue because of a technical matter, the reissued certificate could be cut to 27 months instead of 37 months.
      Note: Because of this technicality, Acmetek will be proactive and stop 3 year certificate enrollments as the deadline approaches, to prevent this scenario as far as we can.

To keep up with the progress of technology the CA/Browser Forum is always producing new industry standards. These standards guide the internet towards a safer and more secure environment for its users. Information on the CA/B Forum is always made publicly available at cabforum.org


Lead Tech Engineer, Acmetek
Dominic Rafael

Symantec/Digicert- Google Reissue

You May Have to Reissue your Certificate!!

Since announcing the acquisition, DigiCert has actively engaged with the security community to explore paths that address browser concerns about Symantec/Geotrust/Thawte/Rapidssl-issued certificates while balancing the SSL/TLS implementations currently deployed. 

Symantec-issued certificates impacted by the browser timelines will need to be replaced to bring them under the new DigiCert platform. Replacement is free for all certificates issued prior to December 1st 2017, and DigiCert will work to ensure a smooth process. Many customers have already received information on certificate replacement, and more information will be forthcoming for affected parties.

Acmetek is working on a smooth transition for its clients, who will be notified within the next couple of months if they have a certificate affected by this transition.

Things to know:

  • This reissue pertains to SSL certificates on websites/applications that clients access with Chrome.
  • If none of your clients use Chrome you do NOT need to perform the reissue. Bear in mind, though, that Mozilla has announced a matching distrust plan for Firefox, so any site with a general public audience should plan to reissue regardless.
  • Symantec/GeoTrust/Thawte/RapidSSL certificates issued prior to December 1st 2017 will have to be reissued into the new chain hierarchy under the DigiCert umbrella.
  • All certificates issued after December 1st 2017 are automatically placed in the new DigiCert chain hierarchy.
  • All certificates renewed after December 1st 2017 are automatically put under this new chain hierarchy.
  • These reissues will allow your certificates to be trusted by all versions of Chrome.
  • Symantec roots are NOT being removed.
  • This does not affect code signing or other non-SSL products.
  • 3 year certificates issued during 2017, before December 1st, must be reissued or renewed before February 1st 2018.
  • The final deadline to have all certificates reissued or renewed is August 1st 2018. Some reissues may need to be re-authenticated depending on when the certificate was last issued.

Authentication Things to Know:

  • DigiCert has a more robust, modern and quick authentication platform. Please review DigiCert's Certificate Validation Process to learn more.
  • Initially, the biggest hold-ups that customers can control are:
    • DCV (Domain Control Validation): for security, the verification goes to the domain's administrative contact, not the certificate admin.
    • The verification call (making sure someone at the organization's main number is aware that a verification call will come within the next 24 hours).
    • Providing the correct legally registered name of the organization, to avoid DigiCert having to ask for it later.
    • After the initial authentication has been processed, as long as the contact and organization info are exactly the same, DigiCert will streamline the processing of future orders and reissues.
If you already know your Symantec/GeoTrust/Thawte/RapidSSL SSL certificate is affected, you simply need to perform a free reissue of your current certificate order. Acmetek clients will see a notification and will receive a communication on how to perform the reissue in their SSL Partner Center.

DigiCert Completes Acquisition of Symantec’s Website Security and Related PKI Solutions

Digicert Acquired Symantec

Under the terms of the agreement, DigiCert acquired Symantec's Website Security and related PKI solutions (its SSL/TLS certificate business) for $950 million in upfront cash proceeds plus an approximately 30% stake in DigiCert's common stock equity.

DigiCert completed the acquisition of Symantec's certificate authority business on October 31st, 2017. The deal to acquire Symantec's Website Security and Related PKI Solutions was first announced on August 3rd. DigiCert is a leading provider of scalable identity and encryption solutions.

Speaking on this occasion DigiCert CEO John Merrill said, “Today starts an exciting era for the current customers and partners of both Symantec and DigiCert, For Symantec customers, they can feel assured that they will have continuity in their website security and that we will provide a smooth transition. Our customers and partners will benefit from our accelerated investment in products and solutions for SSL, PKI, and IoT. DigiCert will also lead to shape PKI security standards through our participation in industry standards bodies to ensure our customers stay at the forefront of security practices. DigiCert is prepared for this opportunity.”

“The addition of Symantec Web PKI solutions to DigiCert will provide a customer experience that is second to none. We are excited for Symantec customers to benefit from solutions that help advance and strengthen website security,” said Greg Clark, Symantec CEO. “We expect Symantec and DigiCert customers to benefit from focused investment in the next generation of security solutions for our respective customers, and today’s action helps advance this important objective”

This acquisition will bring together the best minds in the industry and provide customers a reinforced technology platform, unparalleled customer support, and cutting-edge innovations. DigiCert will continue its operations from its headquarters at Lehi, Utah with a combined strength of around 1,000 professionals.

What Symantec Customers Can Expect

DigiCert has a strong reputation in the industry for being fast and reliable, and for excellent customer support. Symantec customers can now experience DigiCert's service, along with industry-leading OCSP response times and award-winning PKI and IoT management platforms.

DigiCert's platform is highly scalable, designed for high-volume SSL and IoT deployments and stress tested for billions of certificates. DigiCert will be able to continue providing industry-leading issuance times even with the added Symantec Website Security business.

What DigiCert Customers Can Expect

The addition of Symantec's Website Security to DigiCert brings together the best talent in the industry, which will further the effort to reinforce DigiCert's SSL, PKI and IoT solutions.

Since announcing the acquisition of Symantec Website Security in August 2017, DigiCert has focused on meeting the browser requirements for Symantec-issued certificates, and plans to replace affected certificates for free and without disruption to customers' ongoing business, in order to ensure continued trust.

“DigiCert is well positioned for this opportunity,” said Jody Cloutier, former senior program manager, Microsoft Cryptographic Ecosystem. “During my time at Microsoft managing the root store program, I always found DigiCert to be committed to advancing online trust. I expect that this acquisition will lead to increasing investments in new platforms and products that will benefit customers.”

DigiCert looks forward to building a great security company and supporting all of Symantec's Website Security and PKI solutions and their customers well into the future.

What Can Acmetek Offer Its Customers & Partners?

Acmetek will be able to offer an even wider range of solutions from both Symantec and DigiCert. Current Symantec customers can continue to order and purchase certificates the same way they always have, and can still use the existing Symantec management tools. Account management contacts, existing contracts, brands and validity periods for certificates remain the same, as does pricing as of now.

We are excited about bringing together the best of what Symantec has to offer with DigiCert. Acmetek partners and customers will have great opportunities in terms of advanced security solutions. This acquisition is the best outcome for all parties: DigiCert, Symantec clients, partners and resellers. The SSL and PKI solutions platform has a bright future with a new, responsible leader in the website security industry.

We will keep our customers and partners informed with regular updates and answers to further questions. Acmetek's dedicated support team is standing by around the clock, ready to assist you with any questions or concerns you may have. Want to buy SSL certificates at low cost? Simply use the request-a-quote form to submit your requirements.

For the latest Acmetek news and updates, visit www.acmetek.com/announcements/ or follow us on Facebook @Acmetek and Twitter @Acmetek