NetTalk Central

Author Topic: SSL TLS Certificate - IIS Apache server type  (Read 2460 times)

CaseyR

SSL TLS Certificate - IIS Apache server type
« on: December 10, 2019, 02:58:43 PM »
Hi,

To set the stage:

I have many clients who are departments in much larger organizations, part of much larger local area networks/domains. I have had a couple of cases where for audit/security standards or because browsers are complaining, they need encryption/domain certificates. The servers in question don't have inbound access from the public internet, so they can't use Let's Encrypt.  They have a service agreement that lets them request a certificate from a major issuer for 'myapp.largedomain.edu' (the domain works fine unencrypted).  The interface to the issuer lets them select IIS, Apache, Tomcat and maybe other server types.

The questions:

What server type should they select for the certificate request?  With the IIS type, they get the "Unsupported protocol / cipher mismatch" error.  Or is the problem located somewhere else?

Any advice would be much appreciated.  Thanks.



 

Jane

Re: SSL TLS Certificate - IIS Apache server type
« Reply #1 on: December 11, 2019, 08:31:25 AM »
First question - has this box ever worked for a secure NT server?
Can you successfully run the current (ships with NT) version of openssl.exe on the box?

If not, you may have the famous "Visual Studio runtime 2017 not installed" trick happening:  https://www.capesoft.com/docs/NetTalk11/NetTalk.htm#DeployingAtlsClientOrServer

The internal cert we use where I contract is several years old and I'd guess the IT guy wouldn't remember details of getting it.

For my own internal test NT servers using a commercial cert, I've used openssl to generate the key and certificate request and pasted the CSR into the CA vendor's website.  If that were not an option, I'd probably select Apache on their website.

Be sure that the private key file in the NT certificates folder is not password-protected.

Jane




CaseyR

Re: SSL TLS Certificate - IIS Apache server type
« Reply #2 on: December 11, 2019, 12:15:11 PM »
Thanks, Jane

No, the box has never had an NT server app before.

The Visual 2017 redistributable is included as a pre-requisite of the setup file so I never gave it much thought.  But maybe it was blocked on installation so I have asked a client to check it out.

Bruce

Re: SSL TLS Certificate - IIS Apache server type
« Reply #3 on: December 17, 2019, 01:07:16 AM »
Hi Casey,

What Jane says (which is very possible.)
But to answer your question;

>> What server type should they select for the certificate request? 

It doesn't really matter, although I would suggest Apache (simply because IIS might be too clever for its own good.)

Ultimately, whatever type you choose, they will send you a certificate in a format (PEM or DER are popular). Ultimately though you need 2 things:

a) whatever they send you needs to be converted (if not already there) to a CRT and KEY file pair. This is the format NetTalk uses. (The KEY file should have the password removed.)

b) the 2 files need to be in the Certificates folder (wherever you have set that to) and MUST be named as domain.crt and domain.key (for your domain), so for example:
myapp.largedomain.edu.crt
myapp.largedomain.edu.key

If you start the program with Debugview running you should see messages there if there is anything wrong with the certificates.

cheers
Bruce
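
The checks Jane and Bruce describe (files named domain.crt and domain.key, key not password-protected, certificate and key belonging together) can be run before starting the server. This is an added example, not part of the original thread or NetTalk's own code; it assumes PEM-encoded files, an `openssl` binary on the PATH and a POSIX shell (Git Bash or WSL on Windows), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for a domain.crt / domain.key pair.
# Assumptions: PEM-encoded files, openssl on PATH; function names are illustrative.

# Succeeds if the PEM private key is passphrase-protected.
key_is_encrypted() {
    # PKCS#8 encrypted keys have their own PEM label; traditional
    # (RSA/EC) encrypted keys carry a Proc-Type header instead.
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if certificate $1 and private key $2 hold the same public key.
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# check_pair DIR DOMAIN: report the first problem found; 0 means usable.
check_pair() {
    crt="$1/$2.crt"; key="$1/$2.key"
    [ -f "$crt" ] || { echo "missing $crt"; return 2; }
    [ -f "$key" ] || { echo "missing $key"; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "$crt is not PEM; if DER: openssl x509 -inform DER -in IN -out OUT"; return 3; }
    if key_is_encrypted "$key"; then
        echo "$key is password-protected; strip with: openssl pkey -in IN -out OUT"
        return 4
    fi
    pair_matches "$crt" "$key" || { echo "certificate and key do not match"; return 5; }
    echo "ok: $2"
}

# Constructed sample input: a throwaway self-signed pair, for trying the checks.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Usage: sh checkpair.sh DIR DOMAIN
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

A non-zero return code identifies which requirement failed: 2 for a missing or misnamed file, 3 for a non-PEM certificate, 4 for a password-protected key, 5 for a certificate and key that do not belong together.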