It is currently Tue Aug 11, 2020 3:36 pm

All times are UTC - 7 hours [ DST ]

Recent News:



Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Sun Jan 20, 2013 10:37 am 
Offline
Newbie
Newbie

Joined: Sun May 23, 2010 2:32 pm
Posts: 4
Thanks: 0
Thanked: 3 times in 3 posts
If you want to enable anywhere access on the windows server 2012 Microsoft gives you several options to do so. Microsoft even provides the creation of a domain in ...remoteacces.com with a valid certificate.

In my case I wanted to reuse my existing dyndns domain and I don't want to buy a certificate. The only persons that access the website is me and my family, what means that it is ok to install a self signed domain certificate or a CA certificate on all ouf our machines / browsers.

OpenSSL

The first answer one can find on the internet, if you want to create your own certificates is "use openssl". There are a lot of howtos, with completely different targets what to achive and it is quite difficult to find out, what applies to my case and what not. E.g. it is possible with openssl to create a certificate without having a valid root authority (CA) (e.g. http://www.faqforge.com/windows/use-openssl-on-windows/). The anywhereaccess wizard will not accept these kind of certificates. From what I understand you will need to setup, publish and maintain a CA certificate (e.g. see http://www.werthmoeller.de/doc/microhowtos/openssl/) and the create a domain certificate that is valid against the CA. To support the CA certificate you will need to setup a lot of complicated infrastructure, for example to revoke invalid certificates. On this point I gave up with OpenSSL.

Domain Certificate

Fortunately Microsoft already did that CA task with their own toolset! Your Windows Server already has a CA-infrastructure (certserv). You can administrate the certificate infrastructure with the certserv mmc. If you type "certserv" in the start menus search box the tool will open. Around this core tool there are other programs that utilize this infrastructure, like the IIS.

To create the self signed domain certificate you will need the IIS-Manager:
1. Open the Internetinformationservices (IIS)-Manager.
2. Select your server
3. From the start page select "Servercertificates"
4. In actions select "Create domaincertificate"
5. In the first field (CN) enter your (dyndns) domain.
6. Save the certificate with a reasonable name

Now we have a self signed domain certificate which is trusted by our server. Our server trusts this certificate, but no one else in the world.

7. Now export the certificate to make it available to the anywhereaccess wizard. Select it in the "servercertificates" list and click "Export..." in the action bar. Don't use an empty password, when exporting it. The wizard will not accept that.

If you have a valid (dyndns) domain, you now have everything you need for anywhereaccess wizard.

Anywhereaccess Wizard

8. Click through the wizard, enter the domainname that you entered when creating the certificate. The wizard tests if the domainname can be resolved via dns.
9. Select manual domain setup. Select an empty domain prefix and "use an exisiting ssl-certificate".
10. Now select the exported certificate an enter the password that you used when exporting it.

Serverside done. Now the clients.

Internet Explorer

For the Internet Explorer this is easy, for all clients that are already connected to the server. The CA is already known. To prove that:

1. Start the Internet Explorer
2. Select "Internet Options", "Content", "Certificates", "Intermediate CA"
3. You should find your server as a certification authority here.

This means that the certificate that is used by our domain, can be validated against this certification authority.

To make it available in other browsers like Firefox you have the option to export it from the Internet Explorer or use the CertEnroll Share on your server.

Variant a) Export from IE
i) Select the certificate of your server in the Internet Explorer dialog we have just opened and push the "Export" button.
ii) Click through the wizard and save the cer-certificate (e.g. on a network share).

Variant b) Use CertEnroll-Share

Firefox

6. Open the Options-Dialog
7. Select "Advanced", "Encyption", "View Certificates", "Servers"
8. Select "Import" and import the certificate from the CertEnroll-Share or that we have exported from the Internet Explorer. Note that imported certificates are not trusted by default. So we have to decide, if we trust the certificate, which we obviously can here.
9. Select the imported certificate and press "Edit Trust..."
10. Select "Trust the authenticity of this certificate"
11. "Edit CA Trust" > Check at least "This certificate can identify websites".

Firefox will now validate certificates against our windows server CA. To prove that this works enter the webaddress of your dyndns domain in Firefox. Firefox shall now validate our domain certificate agaist the certificate of our server. The must not be a warning.

Notes

Note that you can now revoke or create certificates with the certsrv tool, without touching the clients / browsers anymore, because the clients / browsers trust the CA of our server.

You should be able to use https outside via https://<myfullyquallifieddnsname> or in the intranet via https://<myservername> at the same time.

Backup
It is important to have a good image based server backup. In the case the server disk dies, all keys and certificates are lost and cannot be recreated. The certsrv mmc plugin on the server has a function to export the private keys used for encryption. If you cannot rebuild your server, e.g. because you cannot get the appropriate hardware anymore it is good to have that information backed up.

I am by no means a security expert. This is just what I found out by googeling around. I wanted to put these lines down, because I did not find any similar howtos. All kinds of comments are appreciated. Especially if you think that I understand something wrong, please let me know.


Top
 Profile  
Thanks  
The following user would like to thank myberg for this post
T-Bone

Attention Guest: Remove this ad by Registering with the MediaSmartServer.net Forums. It's Free!
PostPosted: Sun Mar 24, 2013 6:58 pm 
Offline
3.0TB storage
3.0TB storage

Joined: Thu Aug 06, 2009 8:38 pm
Posts: 411
Location: Central California
Thanks: 2
Thanked: 24 times in 22 posts
You can get a real root certificate for free from cacert.org
Just register to verify your the owner of your domain then issue the cert.

_________________
Current DIY server DL380 G6 2xquad core 2.8ghz 32GB rdimm ram 512mb 2xHP 410 raid with 2x sas expanders (2 X norco RPC-4220) 48 slots stacked with room to grow.
30TB (Movie/File/Music)Win 2012 essentials 64bit Storage spaces
Ex490 E6400 4gb ram


Top
 Profile  
Thanks  
PostPosted: Thu Jun 06, 2013 2:41 pm 
Offline
Max Contributor
Max Contributor

Joined: Fri Jan 25, 2008 4:17 pm
Posts: 1110
Location: Roseville, California
Thanks: 10
Thanked: 22 times in 21 posts
any new info here? Im using TZO...


Top
 Profile  
Thanks  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC - 7 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group