# Friday, 15 May 2009

First you need to enable the CA to accept SAN attributes in requests by changing the registry. Note that this is a CA-wide setting: once set, the CA honours SAN values supplied as request attributes for every template it issues, so review who is allowed to submit requests before enabling it:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

A nice description of how to enable SANs on a Microsoft CA can be found here:

http://support.microsoft.com/kb/931351/en-us

I used that as a base to request WebServer certificates with certreq, but I had to remove the EncipherOnly line and I changed the Exportable flag to TRUE in the INF file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com"   ; must be the FQDN of domain controller
; EncipherOnly = FALSE                 ; removed, see below
Exportable = TRUE                      ; TRUE = private key is exportable
KeyLength = 1024                       ; common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                            ; key exchange
KeyUsage = 0xA0                        ; digital signature, key encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer        ; omit this line if CA is a stand-alone CA
SAN="dns=.fabrikam.com&dns=ldap.fabrikam.com&dns=localhost"


The complete INF file syntax used by certreq can be found here: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx

EncipherOnly does not seem to work in my 2008 environment, or some other flag made it invalid.


In addition, when creating the request I specified the CA on the certreq command line:

certreq -new request.inf certnew.req
certreq -config mycaserver\myca -submit certnew.req certnew.cer

The last line outputs the request ID needed for the next certreq command. Then, on the CA, issue the certificate if it is not issued automatically (this depends on the template used).
After that you can retrieve and accept the certificate:

certreq -config mycaserver\myca -retrieve myidreturnedfromsubmitcommand certnew.cer
certreq -accept certnew.cer

After that, you have a certificate with multiple SANs in your computer's machine store (we specified MachineKeySet), which can be used in IIS.
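Before submitting a request like the one above, it is worth linting the INF for the things a PKI admin will ask about. The following is an added example (not code from the post): it parses the INF's [NewRequest] and [RequestAttributes] sections and the "dns=a&dns=b" SAN syntax, and flags a key shorter than 2048 bits, an exportable private key, SAN entries that are not proper host names, and a Subject CN that is missing from the SAN list (clients validate the SAN, not the CN); the sample INF is the post's own, reduced to the lines the linter reads.

```python
import configparser
import re

# Constructed sample: the request INF from the post, trimmed to the lines the linter reads.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=corpdc1.fabrikam.com"
Exportable = TRUE                      ; TRUE = private key is exportable
KeyLength = 1024
[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=.fabrikam.com&dns=ldap.fabrikam.com&dns=localhost"
"""

def parse_inf(text):
    """INF text -> {section: {key (lowercase): value}}; strips quotes and ';' comments."""
    cp = configparser.ConfigParser(delimiters=("=",), inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def parse_san(value):
    """Split the request-attribute SAN syntax 'dns=a&dns=b' into (type, name) pairs."""
    pairs = []
    for part in [p for p in value.strip('"').split("&") if p.strip()]:
        kind, sep, name = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed SAN entry: {part!r}")
        pairs.append((kind.strip().lower(), name.strip()))
    return pairs

def lint_inf(text):
    """Return review findings for the request; an empty list means nothing to flag."""
    inf = parse_inf(text)
    req, attrs = inf.get("NewRequest", {}), inf.get("RequestAttributes", {})
    findings = []
    key_len = int(req.get("keylength", "0"))
    if key_len < 2048:
        findings.append(f"KeyLength {key_len}: RSA keys shorter than 2048 bits are no longer acceptable")
    if req.get("exportable", "").upper() == "TRUE":
        findings.append("Exportable = TRUE: the private key can be copied out of the machine store")
    dns_names = [n for k, n in parse_san(attrs.get("san", "")) if k == "dns"]
    for name in dns_names:  # entries must be FQDNs: '.fabrikam.com' and bare 'localhost' are not
        if name.startswith(".") or "*" in name or "." not in name:
            findings.append(f"SAN dns={name}: not a fully qualified host name")
    cn = re.search(r"CN=([^,]+)", req.get("subject", ""), re.I)
    if cn and cn.group(1).strip() not in dns_names:  # clients validate the SAN, not the subject CN
        findings.append(f"Subject CN {cn.group(1).strip()} is not listed as a SAN dns entry")
    return findings
```

Run `lint_inf(SAMPLE_INF)` to see the five findings the post's INF produces; an empty list means the request is ready to submit.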


Just to mention:

It's easy to add multiple websites to IIS using host headers, but if you want to use SSL on those sites you have to add the SSL binding. The easiest way I found was using the command line; the commands depend on the version of your IIS.

IIS6:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/mysiteid/SecureBindings ":443:myhostheader"

The host header is pretty obvious, and mysiteid can be found when you click on the Web Sites node in IIS Manager (it's the Identifier column).

IIS7:

appcmd set site /site.name:"mysite" /+bindings.[protocol='https',bindingInformation='*:443:myhostheader']

Friday, 15 May 2009 10:00:26 (Central European Summer Time, UTC+02:00)
Authentication | Certificates | IIS
# Saturday, 09 May 2009
Ever wanted to test your Anti-Virus program?
 
Use the Anti-Virus Test File from the European Institute for Computer Antivirus Research (Eicar).
 
Saturday, 09 May 2009 19:35:52 (Central European Summer Time, UTC+02:00)
anything else
# Thursday, 07 May 2009
If you need to zip a file or files, you can use the Java zip utilities supplied with VS.
All you have to do is add the vjslib.dll and vjslibcws.dll .NET assemblies as project references.
They are present when you install Visual J#. It can easily handle multiple files.
 
// ZIP Test: compresses a single file into a ZIP archive using the J# class library
using System.IO;

string inputFileName = @"C:\test.txt";
string zipFileName = Path.ChangeExtension(inputFileName, "ZIP");
string zipEntryName = Path.GetFileName(inputFileName);

java.io.FileOutputStream fileStream = new java.io.FileOutputStream(zipFileName);
java.util.zip.ZipOutputStream outputStream = new java.util.zip.ZipOutputStream(fileStream);
java.io.FileInputStream inputStream = new java.io.FileInputStream(inputFileName);

// one entry per file; the entry name is the file name without its directory
java.util.zip.ZipEntry zipEntry = new java.util.zip.ZipEntry(zipEntryName);
outputStream.putNextEntry(zipEntry);

// J# streams work on sbyte[]; read() returns -1 at end of file
sbyte[] buffer = new sbyte[2048];
int bytes = 0;
while ((bytes = inputStream.read(buffer, 0, buffer.Length)) > 0)
{
    outputStream.write(buffer, 0, bytes);
}
outputStream.closeEntry();
inputStream.close();
outputStream.close();

 
This was a nice try, but J# has been removed from VS2008.
To add ZIP support to your application use DotNetZip: http://dotnetzip.codeplex.com/
... or you may want to look at the OPC packaging API at http://msdn.microsoft.com/en-us/library/system.io.packaging.package.aspx
Thursday, 07 May 2009 19:29:30 (Central European Summer Time, UTC+02:00)
C# | OPC
# Wednesday, 06 May 2009

dasBlog is great, but it uses an older version of the nice freeTextbox to edit the posts.

This little editor provides great enhancements for editing and formatting, and IE8 is supported from version 3.2.0, but that's not the version we are using in dasBlog.
Luckily IE8 has a 'Compatibility View' setting, which defines a list of websites that will receive the old (IE7) user-agent string.

Image: Tools -> Compatibility View Settings

If you own the website, you can set the compat mode using a meta-tag:

<meta http-equiv="X-UA-Compatible" content="IE=7" />

Wednesday, 06 May 2009 12:38:58 (Central European Summer Time, UTC+02:00)
anything else
# Sunday, 03 May 2009
So, this weekend I completed the move from simpleBlog to dasBlog, changing technology from PHP (which was good) to ASP.NET which is more suitable.
The content has to be migrated too, which will follow on one of the next weekends.

Sunday, 03 May 2009 10:07:55 (Central European Summer Time, UTC+02:00)
anything else
# Saturday, 02 May 2009
Coding conventions are for wimps :-)

I like that:
It's written for Java :-), but it matches other languages like C# too.

Brad Abrams writes on how to make it better: http://blogs.msdn.com/brada/pages/361363.aspx
 
Saturday, 02 May 2009 19:26:56 (Central European Summer Time, UTC+02:00)
anything else
# Thursday, 30 April 2009
Thursday, 30 April 2009 18:40:13 (Central European Summer Time, UTC+02:00)
anything else
# Wednesday, 29 April 2009
You can increase the logging level of the Certificate service in the event log for troubleshooting.
This causes Certificate services to log more frequent and verbose Application Event log entries.
To increase the logging level of the Certificate service, run the command:

certutil -setreg ca\loglevel logginglevel

where logginglevel is the level you want to use, and then restart the service.

The following levels are available:

0 CERTLOG_MINIMAL
1 CERTLOG_TERSE
2 CERTLOG_ERROR
3 CERTLOG_WARNING (Default)
4 CERTLOG_VERBOSE

taken from http://support.microsoft.com/kb/305018

and don't forget to restart the certificate services :-)

If you use CLM you may also want to set the loglevel for the Policy and Exit modules:

Policy module
Add a string value named Microsoft.Clm.PolicyModule to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\PolicyModules\Clm.Policy
 
Exit module
Add a string value named Microsoft.Clm.ExitModule in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ExitModules\Clm.Exit

Set the string value to the desired logging level (Info, Warning, Error or Verbose), and then restart the CLM service to apply the trace logging settings.

Policy module plug-ins
If you need logging for the CLM policy module plug-ins, you must create a config file.
Enabling trace logging for the policy module plug-ins causes CLM 2007 to write the error output to the system debug stream, viewable using DebugView.

To enable trace logging, you must create a config file for certsrv.exe in the C:\WINDOWS\system32 folder.
Create a new text document and name it certsrv.exe.config;
open the new file and paste in the following configuration (it's standard .NET tracing):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="2" />
    <switches>
      <add name="Microsoft.Clm.PolicyModulePlugins" value="4" />
    </switches>
  </system.diagnostics>
</configuration>

Wednesday, 29 April 2009 18:48:59 (Central European Summer Time, UTC+02:00)
CLM | Tracing
# Saturday, 25 April 2009
Saturday, 25 April 2009 19:32:22 (Central European Summer Time, UTC+02:00)
anything else | C#
# Wednesday, 22 April 2009
XPath is always fun when it comes to selecting nodes, but it gets even more fun when you have to select a node by attribute.

Assume this XML:
<test>
    <add key="one" value="two"/>
</test>


We can easily select the whole add node whose key attribute is 'one' by using this path:

  /test/add[@key='one'] 

That's perfectly fine, but now I want the value attribute of that node.
As we have an xpath to the node itself we can use this:

  /test/add[@key='one']/@value  

I always have to look such things up ;-)

A nice compilation of XPath expressions can be found here.
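The two paths above in Python's standard-library ElementTree, as an added example that is not part of the post: its XPath subset accepts the [@key='one'] predicate relative to the root element but neither the absolute /test prefix nor the trailing /@value attribute step, so the value is read with .get(); the lookup function also avoids assembling the predicate from a string, because ElementTree predicate values cannot contain quotes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the XML from the post plus two more entries (one key contains a quote).
SAMPLE_XML = """\
<test>
    <add key="one" value="two"/>
    <add key="three" value="four"/>
    <add key="it's" value="five"/>
</test>"""

def select_add_node(root, key):
    """Equivalent of /test/add[@key='...'] on the <test> root element; returns None if absent.

    The predicate is not built from the key string (ElementTree predicate values cannot
    contain quotes), so the attribute comparison is done in Python instead.
    """
    for add in root.iterfind("add"):
        if add.get("key") == key:
            return add
    return None

def get_value(xml_text, key):
    """Equivalent of /test/add[@key='...']/@value; ElementTree has no attribute step, so use .get()."""
    node = select_add_node(ET.fromstring(xml_text), key)
    return None if node is None else node.get("value")

def get_value_literal_path(xml_text):
    """The post's first path as ElementTree accepts it: relative to the root, with a quoted literal."""
    return ET.fromstring(xml_text).find("add[@key='one']").get("value")
```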

Wednesday, 22 April 2009 18:53:44 (Central European Summer Time, UTC+02:00)

© Copyright 2017
Hannes Köhler