ict.ken.be

1. Validate your identity

• Validations Wizard - Email Address Validation - Confirmation mail - Valid for 30days

• Validations Wizard - Domain Name Validation - Confirmation mail

• Validations Wizard - Personal Identity Validation
• Upload scan of both sides of identity card.
• Upload scan of first page of international passport.
• Confirmation call
• Upload additional documents requested
• Wait for email confirmation

• Validations Wizard - Organization Validation
• Upload scan of trademark
• Upload scan of company registration
• Upload scan of authorization letter
• Wait for email confirmation

2. Create certificate signing request

• MMC - Certificates (Local Computer) - Personal - Right-click - All Tasks - Advanced Operations - Create custom request
• Proceed without enrollment policy - CNG Key - PKCS#10
• Certificate Information - Click Details - Properties
• General - Friendly name : start with astrix eg. *SAN for my domains (description is not needed, but handy)
• Subject - Name - Add Email, Common Name (eg. *.ken.be), Organisation, Location, State, Country
• Subject - Alternative Name - Add DNS for each domain and wildcard for sub-domains (eg. ken.be and *.ken.be)
• Extensions - Key Usage - Add Digital signature, Key encipherment, Key agreement (a8)
• Extensions - Extended Key Usage - Add Server Authentication, Client Authentication
• Private Key - Key Options - Key Size >= 4096
• Private Key - Make private key exportable
• Private Key - Select Hash Algorithm - sha256 or higher
• Save as base64 .csr file
• MMC - Certificates (Local Computer) - Certificate Enrollment Request - Export the request with private key

3. Web Server SSL/TLS certificate

• Certificates Wizard - Skip - Paste your csr - Continue
• Add each domain and then the subdomains
• Wait for confirmation mail
• Toolbox - Retrieve Certificate
• Save as .cer file
• MMC - Certificates (Local Computer) - Certificate Enrollment Request - Import the cer file.
• It will merge with your request and you can then export it to a .pfx that contains both public and private key.

4. Install Intermediate Certification Authorities

• MMC - Certificates (Local Computer) - Intermediate Certification Authorities
• Make sure all the intermediate certificates are at least sha256 or you will get 'The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.'
• Also make sure not old sha1 stay behind in both the local and the current user store (right-click find certificate)
• I had to reboot the server to get rid of the old intermediates.

5. Install your certificate on your server

• IIS Root - Server Certificates - Import
• You can now use it in your bindings (remember only on for each IP)

6. Remove cyphers that have been broken

• Prevent Beast, Poodle, ...
• You can do this all manually or use a simple tool like IISCrypto
• Do not disable cyphers that you might need to remote desktop !
• Test with SSLLabs

More
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
https://www.nartac.com/Products/IISCrypto/
https://www.ssllabs.com/ssltest/analyze.html

When Owin was released, I created WebGenius. A small exe you can drop in any folder, run it and everything is accesible as web pages.

I embedded the assemblies like this:

static Program()
 {
   AppDomain.CurrentDomain.AssemblyResolve += ResolveAssembly;
 }


static Assembly ResolveAssembly(object sender, ResolveEventArgs args)
 {
   var resourceName = "WebGenius." + new AssemblyName(args.Name).Name + ".dll";
   Console.WriteLine("Resolving: " + resourceName);
   using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
   {
      if (stream == null) return null;
      var assemblyData = new Byte[stream.Length];
      stream.Read(assemblyData, 0, assemblyData.Length);
      return Assembly.Load(assemblyData);
   }
 }

However I just found out about an amazing plugin for the Fody dll weaver:

• Include Costure.Fody nuget into your exe project and your done.

Some options for your FodyWeavers.xml

<Costura CreateTemporaryAssemblies='false' />
 <Costura IncludeDebugSymbols='false' />
 <Costura DisableCompression='false' />
 <Costura ExcludeAssemblies='Foo|Bar' />-->
 <Costura IncludeAssemblies='Foo|Bar' />-->
 <Costura Unmanaged32Assemblies='Foo32|Bar32' Unmanaged64Assemblies='Foo64|Bar64' />
<Costura PreloadOrder='Foo|Bar' />

Some options for you project file:

<Target Name="CleanReferenceCopyLocalPaths" AfterTargets="AfterBuild;NonWinFodyTarget" >
   <Delete Files="@(ReferenceCopyLocalPaths->'$(OutDir)%(DestinationSubDirectory)%(Filename)%(Extension)')" />
 </Target>

Just easier to remember when you need to map them to your internal virtual network or have to spoof them for whatever reason...

• 0xBADB00BFEED1
• 0xCAFEC0FFEE00
• 0xDEADBEEFFEED
• 0xDEFACEDBABE1

or make up your own: add, babe, bad, bed, beef, cafe, dead, deaf, decaf, deed, defaced, facade, face, fade, feed.

using (var con = new SqlConnection("Data Source=.; Integrated Security=True;"))
 {
 con.Open();
 var databases = con.GetSchema("Databases");
 foreach (DataRow row in databases.Rows)
 {
 var databaseName = (String)row["database_name"];
 if (databaseName.Contains(MockPrefix))
 {
 var command = String.Format("ALTER DATABASE [{0}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE [{0}]", databaseName);
 new SqlCommand(command, con).ExecuteNonQuery();
 Debug.WriteLine(String.Format("Removed : {0}", databaseName));
 }
 }
 }

netdom renamecomputer WIN-05CX1975EF04 /Newname MyServer