ict.ken.be

 

Posts in Category: IIS

SAN certificate request checklist 

Categories: IIS

1. Validate your identity

  • Validations Wizard - Email Address Validation - Confirmation mail - Valid for 30 days
  • Validations Wizard - Domain Name Validation - Confirmation mail
  • Validations Wizard - Personal Identity Validation
  • Upload scan of both sides of identity card.
  • Upload scan of first page of international passport.
  • Confirmation call
  • Upload additional documents requested
  • Wait for email confirmation
  • Validations Wizard - Organization Validation
  • Upload scan of trademark
  • Upload scan of company registration
  • Upload scan of authorization letter
  • Wait for email confirmation

2. Create certificate signing request

  • MMC - Certificates (Local Computer) - Personal - Right-click - All Tasks - Advanced Operations - Create custom request
  • Proceed without enrollment policy - CNG Key - PKCS#10
  • Certificate Information - Click Details - Properties
  • General - Friendly name : start with an asterisk, eg. *SAN for my domains (the description is not needed, but handy)
  • Subject - Name - Add Email, Common Name (eg. *.ken.be), Organisation, Location, State, Country
  • Subject - Alternative Name - Add a DNS entry for each domain plus a wildcard for its sub-domains (eg. ken.be and *.ken.be). A wildcard only covers one label, so a.b.ken.be would need its own entry.
  • Extensions - Key Usage - Add Digital signature, Key encipherment, Key agreement (a8)
  • Extensions - Extended Key Usage - Add Server Authentication, Client Authentication
  • Private Key - Key Options - Key Size >= 4096
  • Private Key - Make private key exportable
  • Private Key - Select Hash Algorithm - sha256 or higher
  • Save as base64 .csr file
  • MMC - Certificates (Local Computer) - Certificate Enrollment Request - Export the request with private key

3. Web Server SSL/TLS certificate

  • Certificates Wizard - Skip - Paste your csr - Continue
  • Add each domain and then the subdomains
  • Wait for confirmation mail
  • Toolbox - Retrieve Certificate
  • Save as .cer file
  • MMC - Certificates (Local Computer) - Certificate Enrollment Request - Import the cer file.
  • It will merge with your request and you can then export it to a .pfx that contains both public and private key.

4. Install Intermediate Certification Authorities

  • MMC - Certificates (Local Computer) - Intermediate Certification Authorities
  • Make sure all the intermediate certificates are signed with at least SHA-256, or Chrome will show 'The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.'
  • Also make sure no old SHA-1 intermediates are left behind in either the Local Computer or the Current User store (right-click - Find Certificates); IIS builds the chain it sends from these stores.
  • I had to reboot the server to get rid of the old intermediates.

5. Install your certificate on your server

  • IIS Root - Server Certificates - Import
  • You can now use it in your bindings (remember: only one certificate per IP:port, unless the binding uses SNI)
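Steps 2 to 5 done from an elevated PowerShell prompt instead of the MMC, as an added example that is not part of the original checklist. It uses certreq.exe with an INF file that mirrors the custom request dialog field by field, then the PKI and WebAdministration modules for the export and the binding. The domain ken.be, the subject fields, the site name 'Default Web Site', the host header www.ken.be and the working folder C:\certs are assumptions; the SslFlags switch needs IIS 8 or later.

```powershell
# Added example (not from the original post): MMC steps 2-5 from PowerShell.
# Assumed: domain ken.be, site 'Default Web Site', output folder C:\certs.
$ErrorActionPreference = 'Stop'
$work = 'C:\certs'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 2: the custom request. One-to-one with the MMC dialog: CNG provider,
# PKCS#10, 4096-bit exportable key, SHA-256, key usage 0xa8 (digitalSignature |
# keyEncipherment | keyAgreement), server+client auth EKU, and the SAN
# extension (OID 2.5.29.17) listing the bare domain and the wildcard.
@"
[NewRequest]
Subject = "CN=*.ken.be, O=Example Org, L=Brussels, S=Brussels, C=BE, E=admin@ken.be"
FriendlyName = "*SAN for my domains"
KeyAlgorithm = RSA
KeyLength = 4096
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0xa8
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ken.be&"
_continue_ = "dns=*.ken.be"
"@ | Set-Content -Path "$work\san.inf" -Encoding Ascii

# Creates the key pair as a pending request in the Local Computer store and
# writes the base64 CSR that is pasted into the CA's certificate wizard (step 3).
certreq.exe -new "$work\san.inf" "$work\san.csr"

# Step 3, after the CA has returned san.cer: -accept merges it with the pending
# request in Certificates (Local Computer) > Personal, like the MMC import does.
certreq.exe -accept "$work\san.cer"

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq '*SAN for my domains' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Step 4 check: a leftover SHA-1 intermediate in either store ends up on the wire.
$sha1 = Get-ChildItem Cert:\LocalMachine\CA, Cert:\CurrentUser\CA |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' }
if ($sha1) { $sha1 | Format-Table Subject, Issuer, NotAfter, PSParentPath -AutoSize }

# Make sure the chain builds from what is installed before touching IIS.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build; install the intermediate certificates first.'
}

# Backup with the private key (the .pfx from the end of step 3).
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$work\san.pfx" -Password $pfxPassword | Out-Null

# Step 5: the https binding. With SslFlags 0 only one certificate fits on an
# IP:port; with SslFlags 1 (SNI) the host header selects the certificate.
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*' -HostHeader 'www.ken.be' -SslFlags 1
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -HostHeader 'www.ken.be'
$binding.AddSslCertificate($cert.Thumbprint, 'My')
```

The chain check is the cheap version of step 4: if X509Chain cannot build the chain on the server, browsers that do not fetch missing intermediates themselves will not be able to either.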

6. Remove ciphers and protocols that have been broken

  • Prevent BEAST, POODLE, ...
  • You can do this all manually in the SCHANNEL registry keys or use a simple tool like IISCrypto
  • Do not disable protocols or ciphers that you still need for Remote Desktop to the server, or you lock yourself out!
  • Test with SSL Labs
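The manual route from step 6, as an added example that is not part of the original post: it writes the same SCHANNEL registry keys IIS Crypto edits, takes a registry backup first so the change can be reverted, and leaves TLS 1.0 alone because of the Remote Desktop warning above. The list of ciphers to disable and the backup path under $env:TEMP are assumptions; Windows Server 2008 R2 or later is assumed, and a reboot is needed before SCHANNEL picks the settings up.

```powershell
# Added example (not from the original post): disable SSL 2.0/3.0 (POODLE), RC4,
# DES and NULL ciphers via the SCHANNEL registry, the way IIS Crypto does.
# Assumed: Server 2008 R2 or later. Reboot afterwards; re-test with SSL Labs.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Each protocol has a Server and a Client subkey; IIS only needs Server,
    # but outbound calls from the box (web services, updates) use Client.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names contain a '/', which the registry provider would read as a
    # path separator, so the key is created through the .NET API instead.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Snapshot first so the change is reversible (IIS Crypto's backup button).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y | Out-Null

Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false   # POODLE
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
# TLS 1.0 is deliberately not touched here: older servers still negotiate it for
# Remote Desktop, and BEAST (a TLS 1.0 CBC issue) is mitigated by the browsers.
foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL') {
    Disable-SchannelCipher -Name $cipher
}

# Show what is now configured; anything not listed keeps the Windows default.
Get-ChildItem "$schannel\Protocols" -Recurse | Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault | Format-Table -AutoSize
```

Restore with `reg.exe import` of the backup file if Remote Desktop or an application stops connecting after the reboot.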

More
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
https://www.nartac.com/Products/IISCrypto/
https://www.ssllabs.com/ssltest/analyze.html

To SSL or not to SSL 

Categories: IIS mojoPortal Security

To SSL or not to SSL, that is the question.
We are not running a bank, so my business doesn't need that. Does it?

Anno 2013, millions of sites on the internet are still running insecurely over http on port 80, and who can blame them. Switching your site to https puts more load on your web server, makes your ranking in the SERP drop and, on top of that, it is a pain to get a good certificate working. Or so they say...

[Graph: website hits after switching to SSL]

So, let's check this out.

  1. yes, you will lose some money while the SERP ranking transfers; on average it takes around one and a half months. A bigger issue is that AdSense doesn't support https... yes, dumb, very dumb... you can change the protocol in the ad code, but then you do not comply with the agreement... yes, can't understand this one either. 
  2. the difference in speed is only a few milliseconds, so no problem there
  3. yes, it is not easy to set up correctly when it is your first time

And last but not least: yes, you should put your whole site on SSL (well, actually TLS). And this means everything, not just the login or checkout pages, or your users will get SSL-stripped on the http parts... so educate your users.

And then my checklist, the reason I am posting it here.

Testing with a self-signed certificate

Types:

  • Basic : one IP, one domain
  • Wildcard : one IP, one domain + one level of subdomains
  • SAN aka UCC : one IP, multiple domains
  • SNI : multiple certificates on one IP, selected by host name (eg. not supported by IE on Windows XP)

Requesting a certificate

  • Lot of personal details + calls
  • DNS records should match your personal details 

Import certificate and trust intermediate certificates

  • Firefox in particular does not go and fetch a missing intermediate itself, so if you forget to install (trust) the intermediates on the server, Firefox users get a certificate error

IIS Settings

  • Bindings
  • Use an asterisk * in front of the friendly name, so you can use the GUI to set the hostnames 
  • OR use appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
  • Redirect http to https with a 301 (permanent), do not use a 302
  • Add the HSTS header (Strict-Transport-Security: max-age=16070400; includeSubDomains) on https responses, and use chrome://net-internals to check that Chrome has picked it up
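A pre-flight check for the redirect and HSTS items above, as an added example that is not part of the original post. It asks the http side for a page without following redirects, so the 301 and its Location header are visible, then reads the Strict-Transport-Security header from the https side, including from a 404 page, because that is the one people forget. The host name www.ken.be and the max-age threshold (the value the post recommends) are assumptions.

```powershell
# Added example (not from the original post): verify the http -> https 301 and
# the HSTS header for a host. Assumed host: www.ken.be.
function Test-HttpsSwitch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Path = '/',
        [int]$MinMaxAge = 16070400
    )
    $result = [ordered]@{ HostName = $HostName; Path = $Path }

    # 1. Plain http must answer with one permanent redirect to the https URL.
    #    AllowAutoRedirect is off so the 301 itself is returned (3xx does not throw).
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName$Path")
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    $result.HttpStatus = [int]$resp.StatusCode
    $result.Location   = $resp.Headers['Location']
    $resp.Close()
    $result.RedirectOk = ($result.HttpStatus -eq 301) -and
                         ($result.Location -like "https://$HostName*")

    # 2. The https response must carry Strict-Transport-Security with a long
    #    enough max-age and includeSubDomains. A 4xx/5xx still has headers, so
    #    take the response object out of the WebException instead of failing.
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName$Path")
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $result.HttpsStatus = [int]$resp.StatusCode
    $hsts = $resp.Headers['Strict-Transport-Security']
    $resp.Close()
    $result.Hsts   = $hsts
    $maxAge        = if ($hsts -match 'max-age=(\d+)') { [int]$Matches[1] } else { 0 }
    $result.HstsOk = ($maxAge -ge $MinMaxAge) -and ($hsts -match 'includeSubDomains')

    [pscustomobject]$result
}

# A real page and a page that does not exist: both must redirect and carry HSTS.
Test-HttpsSwitch -HostName 'www.ken.be'
Test-HttpsSwitch -HostName 'www.ken.be' -Path '/does-not-exist'
```

Run it from outside the server as well: a redirect that only works for localhost (a rewrite rule bound to the wrong site) looks fine from the box itself.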

Additional settings for mojoPortal

  • SSLAvailable set to true
  • SSLIsRequiredByWebserver (web.config) & Require SSL on All Pages (admin UI -> this also updates the canonical link)
  • SSLCookies in two places + use a different cookie name
  • robots.txt is fetched over https too; you probably want the same one as for http
  • Test also with a page that doesn't exist (the 404 page must redirect as well)
  • If using PayPal, make sure you update the protocol of the URLs you pass to PayPal

Update your content

  • <link rel='canonical' href='https...
  • use protocol-relative // URLs for images and JavaScript (or, better, plain https URLs; a mixed-content warning kills the padlock)
  • update your own links to https where possible
  • hopefully you don't use a third party that doesn't support https
  • recommend and social links: point the og:url meta tag of both URLs to the https one

Update your webmaster tools

  • http and https are seen as different sites

more on https:

update (aug 2014)

Today google announced to take https into account for their search ranking. I hope they also do something about the adsense, but at least it is a step in the right direction. Read more at http://googlewebmastercentral.blogspot.be/2014/08/https-as-ranking-signal.html.

Removing X-Powered-By ASP.Net and other version headers 

Categories: .Net IIS

Most likely you do not want these headers to be displayed in your responses:

  • Server: Microsoft-IIS/7.5
  • X-AspNetMvc-Version: 3.0
  • X-AspNet-Version: 4.0.303319
  • X-Powered-By: ASP.NET

Removing X-AspNet-Version

In web.config add this:

  <system.web>
    <httpRuntime enableVersionHeader="false"/>
  </system.web>

Removing X-AspNetMvc-Version

In Global.asax.cs add this line:

  using System.Web.Mvc;

  protected void Application_Start()
  {
      // Stops MvcHandler from adding X-AspNetMvc-Version to every response.
      MvcHandler.DisableMvcResponseHeader = true;
  }

Removing or changing Server

In Global.asax.cs add this:

  // Runs just before the headers go out. Needs the IIS integrated pipeline:
  // Response.Headers throws PlatformNotSupportedException in classic mode.
  protected void Application_PreSendRequestHeaders()
  {
      // Either drop the Server header or replace it with a decoy value.
      //Response.Headers.Remove("Server");
      Response.Headers.Set("Server", "FooServer");
      Response.Headers.Remove("X-AspNet-Version");    // alternative to the web.config setting above
      Response.Headers.Remove("X-AspNetMvc-Version"); // alternative to the Application_Start setting above
  }

Removing or changing X-Powered-By

IIS 7 - You can also remove the X-Powered-By header by including these lines to the <system.webServer> element:

  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>

or manually go to IIS7 Management Console and open HTTP Response Headers
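The same cleanup scripted with the WebAdministration module, plus a check that the headers are really gone, as an added example that is not part of the original post. X-AspNetMvc-Version has no configuration switch and still needs the Application_Start line above. The site name 'Default Web Site' and the test URLs are assumptions; the removeServerHeader attribute only exists on newer IIS 10 builds, so that step is guarded and simply reports if the attribute is unknown.

```powershell
# Added example (not from the original post): strip the version headers from
# PowerShell and verify. Assumed: site 'Default Web Site', IIS 7.5 or later.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'

# X-AspNet-Version: same as <httpRuntime enableVersionHeader="false"/> in web.config
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' -Name 'enableVersionHeader' -Value 'False'

# X-Powered-By: the <add name="X-Powered-By"> lives in applicationHost.config, so
# remove it server-wide (equivalent to <remove name="X-Powered-By"/> per site).
$filter = 'system.webServer/httpProtocol/customHeaders'
$poweredBy = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$filter/add[@name='X-Powered-By']" -Name 'value'
if ($poweredBy) {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Filter $filter -Name '.' -AtElement @{ name = 'X-Powered-By' }
}

# Server: newer IIS 10 builds can drop it in requestFiltering; older versions
# reject the unknown attribute, in which case the Global.asax code above applies.
try {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value 'True'
} catch {
    Write-Warning "removeServerHeader not supported on this IIS; use Application_PreSendRequestHeaders instead."
}

function Get-LeakyHeaders {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response   # error pages carry headers too
    }
    $leaky = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'
    $found = foreach ($h in $leaky) { if ($resp.Headers[$h]) { "$h`: $($resp.Headers[$h])" } }
    $resp.Close()
    $found   # empty output means nothing leaked
}

Get-LeakyHeaders -Url 'http://localhost/'
Get-LeakyHeaders -Url 'http://localhost/no-such-page'   # 404 responses leak too
```

Check the 404 and a static file as well as a normal page: the static file handler and the error pages do not go through Global.asax in every configuration, so they are where a header usually survives.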

Binding IIS wcf services to multiple msmq on the same machine 

Categories: IIS

The most common site binding used is net.msmq (and msmq.formatname) bound to plain localhost.

This, however, makes IIS search through all the queues installed under Server/Features/Message Queuing/Private Queues.

The best way to bind is to name the private queue exactly like the .svc WCF service URL and then bind to localhost/exactname. Wildcards are allowed, eg. net.msmq binds to localhost/logservice/logservice_int.*

For msmq activation read this article: msdn on MSMQ activation

If you need more of an introduction read this: Getting msmq, wcf and iis to work together

Other things to remember

  • appcmd set site "Default Web Site" /+bindings.[protocol='net.msmq',bindingInformation='localhost']
  • appcmd set app "Default Web Site/MsmqService" /enabledProtocols:http,net.msmq (list http too, or the service is no longer reachable over http)
  • aspnet_regiis.exe -iru (re-register ASP.NET with IIS if the .svc handler mapping is missing)
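The queue and the bindings set up the way the post recommends, as an added example that is not part of the original post. The application name MsmqService under 'Default Web Site', the service file LogService.svc, and the application pool identity used for the queue permissions are assumptions; the Message Queuing and MSMQ Activation features and the WebAdministration module must be installed.

```powershell
# Added example (not from the original post): a transactional private queue named
# after the .svc URL, a scoped net.msmq site binding, and the app's protocol list.
# Assumed: app 'MsmqService' under 'Default Web Site' exposing LogService.svc.
Add-Type -AssemblyName System.Messaging
Import-Module WebAdministration

$appPath   = 'MsmqService'
$queueName = ".\private`$\$appPath/LogService.svc"   # exactly the service URL path

# WCF's net.msmq binding expects a transactional queue (exactlyOnce is the default).
if (-not [System.Messaging.MessageQueue]::Exists($queueName)) {
    $queue = [System.Messaging.MessageQueue]::Create($queueName, $true)
    # The application pool identity receives; senders only need Send rights.
    $rights = [System.Messaging.MessageQueueAccessRights]'ReceiveMessage, PeekMessage, GetQueueProperties'
    $queue.SetPermissions('IIS AppPool\DefaultAppPool', $rights)   # assumed pool
}

# Site binding scoped to this application's queues instead of a bare 'localhost',
# using the wildcard form the post describes.
$site = 'IIS:\Sites\Default Web Site'
$bindings = Get-ItemProperty -Path $site -Name bindings
if (-not ($bindings.Collection | Where-Object { $_.protocol -eq 'net.msmq' })) {
    New-ItemProperty -Path $site -Name bindings -Value @{ protocol = 'net.msmq'; bindingInformation = "localhost/$appPath/LogService.*" }
}

# Keep http in the list, otherwise the service stops answering http clients.
Set-ItemProperty -Path "$site\$appPath" -Name enabledProtocols -Value 'http,net.msmq'

# Show what the listener adapter will now watch.
[System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.') |
    Select-Object QueueName, Transactional | Format-Table -AutoSize
```

If activation still does not fire, check that the Net.Msmq Listener Adapter service is running; without it the queue fills up and nothing is delivered to the .svc.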

Self-signed SAN certificate for IIS 

Categories: IIS

selfssl7.exe /N cn=foo1.com;cn=foo2.be;cn=foo.bar.eu /K 1024 /V 18250 /X /F my-selfsigned-san.pfx /W mypassword /q

(1024-bit RSA keys are rejected by current browsers; use /K 2048 or more, even for a test certificate.)
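The same self-signed SAN certificate without selfssl7, as an added example that is not part of the original post, using the PKI module's New-SelfSignedCertificate and a 2048-bit key. It also prints the SAN extension so you can see that all three names are in it (browsers match on the SAN, not on the CN), and trusts the certificate on the test machine. The -KeyLength, -HashAlgorithm and -NotAfter parameters need the PKI module from Windows 10 / Windows Server 2016 or later; the friendly name and file name are assumptions.

```powershell
# Added example (not from the original post): self-signed SAN certificate for IIS
# with New-SelfSignedCertificate. Assumed: Windows 10 / Server 2016+ PKI module.
$names = 'foo1.com', 'foo2.be', 'foo.bar.eu'
$cert = New-SelfSignedCertificate -DnsName $names `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays(18250) `
    -FriendlyName '*self-signed SAN for testing'

# Confirm every name landed in the SAN extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san.Format($true)

# Export with the private key for IIS > Server Certificates > Import
# (the password is the equivalent of selfssl7's /W switch).
$pfxPassword = ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath '.\my-selfsigned-san.pfx' -Password $pfxPassword

# Browsers on the test machine only accept it once it is in Trusted Root.
# Test boxes only: never do this with a key that leaves the machine.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()
```

Unlike the selfssl7 command, this puts the certificate straight into the Local Computer Personal store, so the IIS binding can be created without the .pfx round trip; the export is there for other test servers.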
