Confused over SSL implementation

[sathenzar]

Hey guys, I have a development environment I just setup via virtual machines (all with bridged connections). I understand in theory how SSL works, but the implementation is weird. Why do I have to export all of my root CA keys, along with my site SSL to each client machine to get it to work? That seems like it defeats the purpose. When I use RSA encryption in C#, the service never gives its private key to the client, only the public key.

 

If I just export the public key, chrome complains that that data is scrambled, and that it can not recognize the data being sent.

 

That was a bit of history on my previous problems. Now, I have configured SSL again (using AD CS), and I can not get a single client to connect to the server over SSL. The servers themselves can load the page (which makes sense). I can see the requests hitting IIS logs with the port for SSL, so I know it's (IIS) at least getting the requests from the clients, so it's not a firewall / port forwarding issue). The clients just complain that the server timed out. The error logs show a 500 error code on each request.

 

Anyone have any ideas?

My current VM setup:

VM 1: Windows Server 2012 R2

Active Directory Controller

AD CS (Root with Enterprise role installed)

 

VM2: Windows Server 2012 R2

SQL Server (no other role is installed on this server)

 

VM3: Windows Server 2012 R2

IIS / sharepoint server 2013

Requested IIS domain cert & signed via the Root server (VM1)

Thanks

[sc302 Veteran]

first, self hosted ssl is not trusted by default.  If you want your computer to trust the certificate provided you must install or find a way to allow the root to be trusted by the computers on the network.  If you are using a ad ca, you can set the computers to trust that ca by using group policies. 

 

https://technet.microsoft.com/en-us/library/cc754841.aspx

This way you will not have to import them into computers that are joined to the domain.

[Brandon Live Veteran]

Hey guys, I have a development environment I just setup via virtual machines (all with bridged connections). I understand in theory how SSL works, but the implementation is weird. Why do I have to export all of my root CA keys, along with my site SSL to each client machine to get it to work? That seems like it defeats the purpose. When I use RSA encryption in C#, the service never gives its private key to the client, only the public key.

 

If I just export the public key, chrome complains that that data is scrambled, and that it can not recognize the data being sent.

 

Err, what?

 

If you're using a self-signed cert for testing, then you'll need to install that certificate as a trusted signing authority for testing purposes only. In general, though, you're going to do local testing without SSL. Then have your production (and maybe your live test/staging deployments) use a real cert from a trusted authority.

 

BTW, if you're using Azure, AWS, or Heroku, they provide a test domain (i.e. x.azurewebsites.net) with a wildcard cert (*.azurewebsites.net) so you can test your HTTPS configuration there without a custom cert.

[binaryzero]

What you want to do is create a Root CA (non domain joined\stand alone CA\powered off VM), then a subordinate CA (Domain joined\Enterprise CA\powered on).

 

I imagine this would be for internal network traffic only (encryption and authentication). 

 

There's a couple of CBT Nugget videos that explain how to do this.

 

Edit: https://mizitechinfo.wordpress.com/2013/08/29/step-by-step-deploying-a-sthandalone-root-ca-in-server-2012-r2-part-1/

 

I haven't followed myself, but looks to include the info you need.

[sathenzar]

Thanks for the link, I will check it out. Hopefully I will be able to get it working with it To the other posts, I did import the CA as a trusted root authority, I already understood that concept. I just don't get how it's safe to have to export all of your private keys to each client machine that will connect to the site. Clearly there is something I'm missing, b/c that defeats the purpose of asymmetric encryption.

 

If everyone has your private key, anyone can decrypt your messages, intended party or trojan on your computer. Then that trojan in theory could upload the private key and just decrypt everyone's messages for traffic going to that server until the CA renews the key. There is a hole in my knowledge of the implementation, I'm missing something and I don't know what it is.

[+BudMan MVC]

You do not need to export your private key - where you go that idea from I have no idea.

[MorganX]

PKI gets many. Remember to focus on it's two main components, separately; Trust and Encryption. Understand them separately, and when you put them together, PKI based encryption will be much easier to understand and deploy.

[sc302 Veteran]

Thanks for the link, I will check it out. Hopefully I will be able to get it working with it To the other posts, I did import the CA as a trusted root authority, I already understood that concept. I just don't get how it's safe to have to export all of your private keys to each client machine that will connect to the site. Clearly there is something I'm missing, b/c that defeats the purpose of asymmetric encryption.

 

If everyone has your private key, anyone can decrypt your messages, intended party or trojan on your computer. Then that trojan in theory could upload the private key and just decrypt everyone's messages for traffic going to that server until the CA renews the key. There is a hole in my knowledge of the implementation, I'm missing something and I don't know what it is.

You don't export your private keys.  If you are, you are doing something very wrong or have not explained the situation properly to us. 

 

I think that you have some sort of radius setup which requires each user to have a registered cert to be able to connect with....this would be the private key that would need to be loaded on each user profile specific to that user.

 

See if what I posted above helps.  If not we will need to dig a little deeper as to what exactly is happening with authentication.

[sathenzar]

So I followed that article, everything works on the servers when I access my web site, when I access the websites from my physical computer, I get access denied, even after installing the root ca and sub-ca public key signatures...allI want to do is have a temporary SSL installed on my server so I can connect over ssl when I'm on my laptop in public places so I'm not sending credentials in clear text, that's it. I really don't see why it should be this hard

 

EDIT: specific error code from chrome: Error code: ERR_NETWORK_ACCESS_DENIED

 

EDIT2: I restarted the server and now it's working o.O not sure what happened.

[sc302 Veteran]

What does eventviewer state on both the computer and the server you are connecting to and on the ca server.

 

probably want to be looking through the security event logs.  Also make sure your time and date are correct and in the correct time zone.