X509 certificate error for HTTPS on BizTalk - biztalk

I want to send a request to HTTPS adapter through BizTalk server 2009. My BizTalk adapter is dynamic and it's takes configuration details from database instead of directly mentioning it on server.
I have installed X509 certificate in my browser and imported it in MMC.
I am getting following error in my BizTalk
A message sent to adapter "HTTP" on send port "sndHL7" with URI "https://xxxxxxxxx/imm/test (https://xxxxxxxxxxxxx/imm/test)" is suspended.
Error details: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
I searched for this error, but every where I got following response only :
Error: – Details: “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Solution: The error message normally occurs if the client certificate is not configured correctly. You should check that you have configured your client certificate in certificate store under BizTalk service account that hosts the HTTP adapter.
I am not getting how to configure that certificate in proper certificate store. I have 3 files wih extension .cer, .cer and .pfx. The file with extension .pfx requires password to install it in any store.
Also, how to configure certificate under BizTalk service Account? Should I select "Service Account" while adding snap in in MMC and then select BizTalk service from the list of services.

I don't know about biztalk but if you are presenting a cert you need the associated private key. A cert is like a photo ID. It is hard to forge, but it still doesn't prove your identity unless you can present your face for someone to compare with the ID. Assuming the file extensions match the actual format of the files, the cer files are either DER, BER or PEM encoded certificates without the private key. So you need the pfx file. So if the proposed solution from the error message is correct, you need to find that password and install the certificate and private key from the PFX file into the store.

The two .cer files must be the root authority and server certificates and you must trust them.so you need to place them in your LOCAL MACHINE- Trusted Root Certification store. (use MMC)
Now the .pfx file will have the client authentication certificate that you will be passing into get authenticated. Import this certificate to LOCAL MACHINE,Personal (or MY certificate store if using command line) check private key as exportable.
Now allow BizTalk service account access to the private key of this certificate.
MMC use add snap in and add local machine.
select the client certificate in Personal right click- AllTasks- Manage private keys. Now add your BizTalk service account as a user and give access.
Or else use winhttpcertcfg tool in command line

Related

SSL Self-Signed certificate not trusted by ASP.Net app

I have an ASP.Net app that requires SSL certification in order to connect to a Dynamics NAV instance via SOAP.
I've created a self signed SSL certificate using the New-SelfSignedCertificateEx.ps1 script. The exact command used was:
New-SelfSignedCertificateEx -Subject "CN=<computerHostname>" -IsCA $true -Exportable -StoreLocation LocalMachine -NotAfter $([datetime]::now.AddYears(5))
Afterwards I copied the certificate to Trusted Root Certificates and added the thumbprint in the NAV instance settings, yet every time I try to connect my app to said NAV instance I receive an error stating:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '<computerHostname>:<NavInstanceSOAPPort>'
A self signed certificate is not a trusted certificate, you need to provide one from a trusted authority
Try Let's Encrypt, ZeroSSL, FreeSSL or any party you like, they will offer you free 90-day certificate good enough for your tests

Does BizTalk WCF-BasicHttp adapter actually verify the service certificate?

I have a WCF-BasicHTTP send port configuredas follows:
Security tab Security mode:Transport;
Transport client credential type: Certificate;
Client certificate: (thumbprint of our client cert);
Service certificate: (thumbprint of the service's public key cert).
General tab, Endpoint Identity: everything is left blank.
There is a send pipeline component that substitutes alternative endpoint addresses depending on the interaction type (all endpoints share the same base URL).
Recently, our trading partner has renewed their server certificate, and failed to notify us in advance. The send port continues working (good). However, the behaviour leads me to believe that even though BizTalk forced me to specify some service certificate thumbprint, the adapter then does not actually verify the service certificate thumbprint against what's set in the binding. I can't figure out if this is a bug or by design?

Installing SSL wildcard certificate on IBM HTTP Server

I'm running 2 IBM HTTP Servers (7.0) on different machines, and I'm updating the SSL certificates for both. The certificate is a wildcard certificate.
I have successfully updated the certificate for the server that I generated the update request from, and all seems well there.
My problem occurs when trying to re-use the certificate on my second server. I have read several sites that state that I need to export the certificate from the first server (using iKeyMan), then copy it to the second server. Then create a new KDB file, and import the certificate. I've done this, and when looking at the contents of the new KDB file it seems complete (it has all the certificates required - root, intermediate, etc).
However when I try to use the files (the KDB and the corresponding STH file) in my server configuration, it fails - the server starts but my certificate is not installed.
Anyone know what I'm doing incorrectly?
The error message "SSL Handshake Failed, Specified label could not be found in the key file" reported in the error log file the IBM HTTP Server was not able to find a personal certificate stored in the KDB key database file and is because of the SSL configuration:
For example:
Listen 0.0.0.0:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost 0.0.0.0:443>
ServerName fullyqualifyname or site name.
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
This is the most commonly used SSL VirtualHost Stanza configuration.
The IBM HTTP Server is design to search for a personal certificate stored in the KDB key database file from personal certificate section marked as default.
Open the KDB key database file using ikeyman utility, inside the personal certificate section, double click on the certificate label name or click on View/Edit button to display the Key information certificate context and look at the bottom left corner there is a box to place a check mark to “Set the certificate as default”. Once place a check mark and click OK the certificate label name will change:
From:
*.ibm.com
To:
* *.ibm.com
Stop and start the IBM HTTP Server to recognize the changes made in the KDB key database file. Retry to send an https request to the IBM HTTP Server. Now, the web server search finds and presents the personal certificate marked as default to the client browser during an SSL handshake.
If there is only one personal certificate stored in the IBM HTTP Server KDB key file recommend to use this method. Using the SSLServerCert directive with the certificate label name, it a valid option. However, it is useful and required when you have multiple certificates stored in the key database file along with multiple SSL Virtualhosts stanza configuration. Review the following IBM Technote click here for guidance on how to configure SSL within the IBM HTTP Server.
As discussed in the comments, the SSLServerCert directive value must match the label of the certificate to be used in the .kdb file. Using the Key Management Utility (IKEYMAN) utility labels can be inspected in the Personal Certificates section.

IIS 7.5 Client certificate authentication

I have asp.net site on my local machine.
IIS configuration:
binding: https binding with self-signed certificate,
ssl settings: Require SSL and Require client certificates
I have installed next certificates on my machine:
CA certificate (call it 'CA Center') in Trusted Root Certification Authorities store.
Client certificate issued by 'CA Center' in Personal store
I go to site and accept server certificate. But next i get error:
HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
That means browser (IE) doesn't send applicable client certificates to server.
What's wrong? Should I configure something else?
I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:
certutil -addstore -v -enterprise root CertificateAuthority.cer
It sounds like the browser never prompted you to select a client certificate to send which means something is incorrect with the SSL Handshake. Try testing this with OpenSSL.
Additionally, a very common problem is having too many certificates in the Trusted Root CA folder. When the server sends the list of CAs, there is a limit to how large the list can be so if it exceeds the limit, it will truncate the remaining CA certificates. Make sure the Trusted Root CA folder doesn't have too many certificates. One way to check this is temporarily modifying the SCHANNEL in the registry editor to not send the CA List, and then re-try.
Start > Run > 'regedit' > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL >
right-click > New > DWORD > 'SendTrustedIssuerList' > Value:0
Re-install the certificates and check their effective dates. From Microsoft Support:
Download the root server certificate in a browser on the server
computer. Run the Iisca.exe command line utility that is located in
the Inetsrv directory.
Check the effective date on the client certificate and make sure that
the date and time has arrived.
Check the expiration date and make sure that the certificate has not
expired. Contact your certificate authority to see if your
certificate has expired.

Sql Server can't see my certificate

I need to install a certificate for encryption (replication) between an external vendor and my company.
I cannot get a third party certificate for the FQDN of my server because the net part of that does not match a domain that we own (ie my FQDN is sqlservername.company.root.net but we don't own a domain called company.root.net.). We do own mycompany.com, so I got sqlserver.mycompany.com on the cert and have a DNS entry to alias sqlserver.mycompany.com to sqlservername.company.root.net.
I cannot use a self generated cert since the vendor needs to trust the cert authority.
I have a cert that I have purchased and installed, but SQL Server won't see it since the FQDN doesn't match.
I tried installing it by putting the thumbprint of the cert into the registry directly, but then SQL server won't start with the following errors:
The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030e. Check certificates to make sure they are valid.
Unable to load user-specified certificate [Cert Hash(sha1) "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
(where the x's above match the thumbprint of the cert without spaces)
TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
What do I need to do differently to get this working?
You need to use MMC to install your certificate in the certificate store and then use the SQL Server Configuration Manager to link the certificate to your SQL Server service. See https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi
Then, make sure that the service-account running you SQL Server service has full permission on the certificate. In MMC, right-click on the certificate, select Manage private key, and then grant full access to the service-account running you SQL Server.
You should restart your SQL Server for the changes to take effect.
Before anything else, you must install the certificate in the Windows certificate truststore.
Did you do that?
The error
You should verify that the certificate
is correctly installed
seems to indicate you did not do this.
I was expecting that the hostname verification would be configurable but from here SSL in MS-SQL2008 r2 it seems as an absolute requirement.
To be honest I am not sure if the trick you did with the DNS entry will work.
It seems that some tweeking works for cluster installations ssl for cluster installations
In your case, may be you should have bought the certificate using the IP as subject name and use DNS to resolve to the FQDN you say.
But of course this implies use of a static IP and most likely it would not be feasible as well anyway.....

Resources