Windows: Only register primary IP Address in DNS

Hi,

what if you want to change the IP address of a Windows Server (the new address is in the same subnet) with minimal downtime for the users?

In pure Active Directory domains this is not a problem, because the server itself updates its A record on the DNS server and Active Directory replicates the entry immediately.
In large environments with a heterogeneous DNS structure the TTL of the DNS entry, or of the DNS zone, becomes very important: the entry is cached for that time by the requesting server, so it can take a while until the new A record reaches each DNS server.

OpenSSL: Command line examples

Hi,

here are some command line examples for openssl:

Generate a self-signed certificate for an (Apache) web server with a 2048-bit RSA key, valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Add x509v3 extensions from the command line with -addext (OpenSSL >= 1.1.1):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -addext 'subjectAltName = DNS:myHost.myDomain.org, DNS:myHost2.myDomain.org' -addext 'certificatePolicies = 1.2.3.4.5'

Get the certificate of a web server (stdin is redirected from /dev/null so that s_client does not wait for input)

openssl s_client -connect michlstechblog.info:443 </dev/null

This establishes a connection to the web server and prints the server certificate; piping it into openssl x509 displays the certificate details, e.g. the expiration date:

openssl s_client -connect michlstechblog.info:443 </dev/null | openssl x509 -text

Same for a UDP port where DTLS is running:
openssl s_client -host michlstechblog.info -port 8888 -dtls1 </dev/null | openssl x509 -text

Show details of a certificate file
openssl x509 -text -in server.crt -noout

Create a pfx (PKCS#12) file from key and certificate

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt

Create a pfx (PKCS#12) file from key, certificate and the root CA(s). If necessary, concatenate the root and the intermediate certificates into one CACert.crt file first.

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt -certfile CACert.crt

Extract the key from a PKCS#12 (pfx) file (you are asked for the import password and for a new PEM pass phrase; add -nodes to write the key unencrypted)
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key

And extract the certificate(s) from a PKCS#12 (pfx) file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt

Creating a self-signed Certification Authority

To be continued….

See also this post. It describes how to set up a CA for OpenVPN from scratch.

Generate a CA certificate revocation list

openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem

Show details of a certificate revocation list (CRL)

openssl crl -in crl.pem -text

Verify a certificate chain where yourCertificate is directly signed by the CA:
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer

Verify a certificate chain where yourCertificate is signed by an intermediate certificate:
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer

or concatenate CARootCertificate.cer and Intermediate.cer into one file

# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer

Check a certificate against a CRL
Concatenate the chain (root CA cert, intermediate cert) and the CRL into one file

cat ca.pem intermediate.pem crl.pem > wholeChain.pem

and check

openssl verify -crl_check -CAfile wholeChain.pem myCert.pem
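As an added example (not from the original post), here is a throwaway CA that issues two certificates and revokes one, so that the -crl_check command above can be seen rejecting exactly the revoked one. All names (DemoRoot, alice, bob, ca.cnf) are constructed for the demo; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added demo, not the post's own code: minimal CA with a CRL, then
# "openssl verify -crl_check -CAfile" as in the post. Everything lives in a temp dir.
set -e
cd "$(mktemp -d)"
mkdir db newcerts; : > db/index.txt; echo 1000 > db/serial; echo 01 > db/crlnumber
# Minimal "openssl ca" configuration (constructed for this demo)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/db/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/db/serial
crlnumber = $dir/db/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
# Throwaway self-signed root CA
openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj /CN=DemoRoot \
  -keyout ca.key -out ca.pem 2>/dev/null
# issue NAME: fresh key + CSR, signed by the demo CA into NAME.pem
issue() {
  openssl req -nodes -newkey rsa:2048 -subj "/CN=$1.example" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -days 7 -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}
# refresh_crl: regenerate the CRL and bundle it with the CA cert (the post's wholeChain.pem)
refresh_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat ca.pem crl.pem > wholeChain.pem
}
# revoke NAME: put NAME's serial on the CRL and publish the new CRL
revoke() { openssl ca -config ca.cnf -revoke "$1.pem" >/dev/null 2>&1; refresh_crl; }
# check NAME: "ok" if the chain verifies and the serial is not on the CRL, else "failed"
check() {
  if openssl verify -crl_check -CAfile wholeChain.pem "$1.pem" >/dev/null 2>&1
  then echo ok; else echo failed; fi
}
issue alice; issue bob; refresh_crl
revoke alice
echo "alice: $(check alice)   bob: $(check bob)"   # alice: failed   bob: ok
```

Without -crl_check both certificates would verify, since the CRL in the CAfile is simply ignored.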

Create a signing request to renew an existing certificate

openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr

The request created this way does not carry over the x509v3 extensions of the old certificate, so they have to be supplied again when signing it. Put them in a file x509v3_extensions.ext:

extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment


openssl x509 -req -days 3650 -in server.csr -signkey server.key \
-out server_new.crt -extfile x509v3_extensions.ext -extensions x509v3
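Added example (not from the original post): the renewal above carried through on a throwaway self-signed server certificate, showing that the extensions (here the SAN) are lost by a plain x509 -req re-signing and only come back when the extfile is supplied. File names follow the post; the host name myHost.example.org is constructed.

```shell
#!/bin/sh
# Added demo, not the post's own code: renew a cert via -x509toreq and show
# that extensions only survive when re-supplied with -extfile. Runs in a temp dir.
set -e
cd "$(mktemp -d)"
cat > x509v3_extensions.ext <<'EOF'
[ x509v3 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = DNS:myHost.example.org
EOF
# Original self-signed server certificate with a SAN (-addext needs OpenSSL >= 1.1.1)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj /CN=myHost.example.org \
  -addext 'subjectAltName = DNS:myHost.example.org' -keyout server.key -out server.crt 2>/dev/null
# Signing request derived from the old certificate, as in the post
openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr 2>/dev/null
# renew [x509 options...]: re-sign server.csr with the same key into renewed.crt
renew() {
  openssl x509 -req -days 3650 -in server.csr -signkey server.key -out renewed.crt "$@" 2>/dev/null
}
# has_ext NAME: "yes" if renewed.crt carries the X509v3 extension NAME, else "no"
has_ext() {
  if openssl x509 -in renewed.crt -noout -text | grep -q "X509v3 $1:"; then echo yes; else echo no; fi
}
renew
echo "SAN after plain re-signing: $(has_ext 'Subject Alternative Name')"   # no
renew -extfile x509v3_extensions.ext -extensions x509v3
echo "SAN with extfile:           $(has_ext 'Subject Alternative Name')"   # yes
```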

List the cipher suites that match a cipher-list string, as it would be passed to SSL_CTX_set_cipher_list

openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"

Michael

Windows: Howto terminate a RDP Session remotely by command line

Hi,

when an RDP session hangs there are multiple ways to terminate it. The command line way:

Identify the RDP session ID with quser:

C:\>quser /Server:YourWindowsServer
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 winuser               rdp-tcp#6           2  Active          3  24.09.2014 22:26


Windows: Automatic Update does not install updates

Hi,

a customer called me because his Windows clients won't install some updates and the boxes do not report their update state to the WSUS server, which runs Windows Update Server 3 SP2.

On the clients I checked the Windows Update log file C:\Windows\WindowsUpdate.log and found many errors like these:


Electronic: Replace a laser pickup of a Sony CD Player

Hi,

a friend of mine has a very old-school CD player, a Sony CDP 770 from 1988. Over time the laser and the lens have degraded, and listening to music without interruptions isn't possible anymore.

I decided to look for a new laser pickup and found a spare part for the original RSS-150A: I bought a new RSS-210A on eBay for about 20€. Let's give it a shot!

Here are the steps to replace the pickup. You only need 2 screwdrivers. Open the chassis by loosening the 4 screws in the cover, 2 on each side.
