Tuesday, June 18, 2013

Using OpenSSL for Basic Certificate Management

A few years ago, I collected quite a bit of OpenSSL info into a series of notes. Here it is, finally, for all to see. I wrote most of this in 2006, so it may need a slight refreshing. YMMV.

The problem is, nobody out there is consistently doing things the exact same way. I had to google for quite a while to collect all this information, all of which I regard as pretty damn basic stuff that really SHOULD be collected in one place.

A note on all the file formats:
  • PEM is the default style on OpenSSL for *NIX.
  • DER is the default style on older Macs and Java.
  • NET is an outdated style on Netscape and IIS <= 4.0.
  • PKCS#12 is a Microsoft-specific style.
If you google around, you will find lots of people using instructions that name the file extension on all of their certs *.PEM. This is perfectly fine, but I find it confusing. Personally I only apply the PEM extension to concatenated certs. The cert should have CRT, Key should have KEY, signing request should have CSR, and revocation should have CRL.

Sunday, April 14, 2013

Another Irish Drinking Song

Gather 'round ye lads and lasses, set ye for a while,
and harken to me mournful tale about the Emerald Isle.
Let's all raise our glasses high to friends and family gone,
and lift our voices in another Irish drinkin' song.

Consumption took me mother and me father got the pox,
me brother drank the whiskey 'till he wound up in a box.
Me other brother in the troubles met with his demise,
me sister has forever closed her smilin' Irish eyes.

Monday, March 11, 2013

Understanding Bandwidth vs. Throughput

A while back, I had a lengthy set of email exchanges where I needed to get it through someone's skull what the difference between Bandwidth and Throughput was. It seems they could not comprehend why upgrading from an underutilized 4.5Mb circuit to a 20Mb line didn't produce a noticeable speed boost when transferring large files.

Friday, March 8, 2013

Exchange 2007/2010 Autodiscover Configuration Without Bludgeoning Yourself Stupid

I'm going through some of my old collections of notes from blogs gone by. I'm going to start posting them here for anyone who should find such things useful.

First Up:

Configuring Exchange 2007/2010 Autodiscover Without Bludgeoning Yourself Stupid.

  1. Start the Exchange Management Shell.

  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

  5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:

    Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

  6. Add to DNS the SRV record '_autodiscover', protocol _tcp, port 443, for mail.contoso.com.

  7. [Only needed if you screwed up your SAN cert and need to redirect over port 80] Add a new virtual directory in IIS. Give it the host header name 'autodiscover.contoso.com'. Create a subdirectory 'autodiscover' and inside of that create a blank text file called 'autodiscover.xml'. Set this file as an IIS redirect to 'https://mail.contoso.com/autodiscover/autodiscover.xml'.

  8. Add a CNAME to DNS for 'autodiscover.contoso.com' to 'mail.contoso.com'.

  9. Go get a cert with 'mail.contoso.com' as the CN and 'autodiscover.contoso.com' as the SAN.
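
A quick way to check the result of the steps above, added here as an example and not part of the original notes: it reads back each internal URL and confirms the certificate bound to IIS lists both host names. It assumes the same placeholder names used above, that it is run in the Exchange Management Shell on the CAS itself, and a hypothetical test mailbox 'user@contoso.com'.

```powershell
# Added example: read back what the steps above configured and flag mismatches.
# Assumptions: placeholder server and host names from the steps above.
$cas      = 'CAS_Server_Name'
$expected = 'mail.contoso.com'
$names    = @('mail.contoso.com', 'autodiscover.contoso.com')

# 1. Collect each internal URL using the same identities as the Set- commands.
$urls = @{}
$urls['Autodiscover SCP'] = (Get-ClientAccessServer -Identity $cas).AutodiscoverServiceInternalUri
$urls['EWS'] = (Get-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)").InternalUrl
$urls['OAB'] = (Get-OabVirtualDirectory -Identity "$cas\oab (Default Web Site)").InternalUrl
$urls['UM']  = (Get-UMVirtualDirectory -Identity "$cas\unifiedmessaging (Default Web Site)").InternalUrl

foreach ($k in $urls.Keys) {
    $u = $urls[$k]
    if (-not $u) { Write-Warning "$k : no internal URL set"; continue }
    $uri = [System.Uri]($u.ToString())
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne $expected) {
        Write-Warning "$k : $uri does not use https://$expected"
    } else {
        Write-Host "$k : OK ($uri)"
    }
}

# 2. The certificate serving IIS must list every host name clients will use,
#    otherwise Outlook shows a name-mismatch warning. Wildcard entries are not expanded here.
$certs = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
foreach ($c in $certs) {
    $domains = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($n in $names) {
        if ($domains -contains $n) { Write-Host "$($c.Thumbprint) covers $n" }
        else { Write-Warning "$($c.Thumbprint) does not list $n" }
    }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($c.Thumbprint) expires $($c.NotAfter)"
    }
}

# 3. End-to-end check against a mailbox (hypothetical address; substitute a real one).
Test-OutlookWebServices -Identity 'user@contoso.com' | Format-List
```

Any warning from the first two sections points back at the step whose URL or certificate name needs correcting.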

Sunday, March 3, 2013

The Parable of Hank

Written by someone else. Not by me.

This morning I heard a knock at my door. When I answered the door, I found a well groomed, nicely dressed couple. The man spoke first.

John: "Hi! I'm John, and this is Mary."

Mary: "Hi! We're here to invite you to come kiss Hank's ass with us."

Me: "Pardon me? What are you talking about? Who's Hank, and why would I want to kiss his ass?"

John: "If you kiss Hank's ass, he'll give you a million dollars; and if you don't, he'll kick the shit out of you."

Me: "What?! Is this some sort of bizarre mob shake-down?"

Sunday, February 1, 2009

And now, a Dead Milkmen moment.


You know what Stuart? I like you. You're not like the other people here in the trailer park. Oh no, don't get me wrong, they're fine people, good Americans. But they're content to sit back, maybe watch a little Mork and Mindy on channel 57. Maybe kick back a cool Coors 16-ouncer. They're good fine people, Stuart. But they don't know what the queers are doing to the soil.