Monthly Archives: March 2015

Moving the Offline Folder Cache in Windows 7, Windows 8 and Windows 8.1

WARNING:  This post involves playing around with your operating system’s registry.  You use this information at your own risk.  For other warnings, please see the disclaimer.

I’m a big fan of Windows’ offline folder caching and have used it on my laptops for over a decade.  One thing I don’t like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  (By default, it’s found at \Windows\CSC).

WARNING:  If this isn’t a FRESH installation of Windows, make sure you have synchronized your offline files.  This procedure will ERASE ALL EXISTING OFFLINE FILES AND FOLDERS!!!

In order to move the cache, follow these steps:

1. Clear the content of your existing cache
Yeah, you have to do this.  And, it’s not a very obvious procedure.  You end up creating a registry key that resets the cache at startup and then deletes itself.  Here’s the command to create the registry key (you can do this at a command prompt):

REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f

Once you’ve done this, reboot.

2. Create the folder in the location where you’d like to have your cache
I always like to keep my data separate from my OS by storing it on a different drive (or, at the very least, a different partition).  For this example, I’m using the path X:\Data\Cache

3. Create a new registry value
Open Registry Editor and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSC\Parameters

This is the same key we modified before.  Notice how there’s no “FormatDatabase” value even though we added it prior to the last reboot.

Right-click on Parameters, hover on New and select String Value:

String Value Key Menu

Name the new string value “CacheLocation”:

CacheLocation

Double-click on CacheLocation and input the path to the new cache location and then click “OK”:

Edit String

Notice the “\??\” in the value.  This is an NT Object Path used by the OS to reference the local path.  (If it was “\??\UNC\”, it would be referencing a network path.)  You must use this format.

You’ll see the value populated now in your registry editor:

CacheLocation Populated

4. Reboot
 Once the OS is back up, it should be using the new location.  You can test this by opening the new folder and you should see a folder in there called “v.2.0.6”.  You should get a permission error if you try to open that folder.
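The registry steps above can also be scripted. This is an added example, not part of the original post; the script name and the two-phase parameter are hypothetical, and X:\Data\Cache is the example path from step 2.

```powershell
# Added example: steps 1-3 above as a script. Run from an elevated PowerShell prompt.
# Usage (the script name Move-CscCache.ps1 is hypothetical):
#   .\Move-CscCache.ps1 -Phase Reset      then reboot
#   .\Move-CscCache.ps1 -Phase Relocate   then reboot
param(
    [Parameter(Mandatory)][ValidateSet('Reset', 'Relocate')][string]$Phase,
    [string]$NewCache = 'X:\Data\Cache'   # example path used in this post
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

if ($Phase -eq 'Reset') {
    # Step 1: flag the cache for a wipe at next boot. This ERASES all offline files.
    New-ItemProperty -Path $key -Name FormatDatabase -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'FormatDatabase set. Reboot, then run again with -Phase Relocate.'
    return
}

# The value deletes itself after the reset, so its presence means no reboot happened yet.
$pending = Get-ItemProperty -Path $key -Name FormatDatabase -ErrorAction SilentlyContinue
if ($pending) { throw 'FormatDatabase is still present. Reboot before relocating the cache.' }

# Only local drive paths are handled here; the value needs the \??\ prefix.
if ($NewCache -notmatch '^[A-Za-z]:\\') { throw "Not a local drive path: $NewCache" }

# Step 2: create the folder. Step 3: write CacheLocation as an NT object path.
New-Item -ItemType Directory -Path $NewCache -Force | Out-Null
$value = '\??\' + $NewCache.TrimEnd('\')
New-ItemProperty -Path $key -Name CacheLocation -PropertyType String -Value $value -Force | Out-Null

# Show what was written so it can be compared with Registry Editor, then reboot (step 4).
(Get-ItemProperty -Path $key -Name CacheLocation).CacheLocation
```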

I hope you find this useful!  If you see anything wrong, please let me know.

Exporting an SSL Certificate in Windows

Sometimes it’s useful to be able to get a certificate being used on one server and move it to the other server without having to go through the whole enrollment process.  In Windows, SSL certificates can be exported to a file so that you can then import it somewhere else.  While there are a lot of considerations and restrictions on how you would use this exported certificate, I’m simply going to look at how to perform the export.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

 2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Server Certificates” pane, select the certificate you wish to export and click on “Export…” in the “Actions” pane

Select Cert and Export2

4. In the “Export Certificates” window, fill in the required information and click “OK”

Export Certificate

You must assign a password in order to export the certificate.  Make sure you record this somewhere because there is no way to recover the password if you lose it.

Exporting an SSL certificate from Windows is a pretty easy task.  I hope this has been useful information.  Please let me know what you think!

Installing an Intermediate CA Certificate in Windows

When downloading an SSL certificate from a Certificate Authority (CA), the CA will generally include a separate Intermediate CA certificate which also needs to be installed on the server.

Installing the certificate is pretty straightforward, except that Windows does not include a Certificates console in the Administrative Tools folder.  So, you’ll have to create that one yourself.

1. Right-click on the Windows icon and select “Run”

    Start Menu

2. In the “Run” box, type “mmc” and hit <ENTER>

Run-MMC

3. When the MMC console is up, hit <CTRL>+M and the Add Snap-Ins window appears

Console1

4. In the left pane of the “Add or Remove Snap-ins” Window, select “Certificates”, and click on “Add”

Add or Remove Snap-ins 1

 

5. In the “Certificates Snap-In” window,  select “Computer Account” and then click “Next”

Select Computer Account

5. In the “Select Computer” window, accept the default “Local computer: (the computer this console is running on)” and click “Finish”.

Select Computer

6. Back in the “Add or Remove Snap-ins” window, click “OK”.

Add or Remove Snap-ins 2

7. Expand the “Certificates” node, right-click on “Intermediate Certification Authorities” node, hover on “All Tasks” in the context menu and then select “Import…”

All Tasks and Import

 8. Click on “Next” on the welcome screen for the Certificate Import Wizard

Welcome Cert Imp Wiz

9. Browse to the file provided by your CA and click “Next”

File to Import

10.  In the “Certificate Store” window, select “Place all certificates in the following store”, browse to the “Intermediate Certification Authorities” store and click “Next”

Certificate Store

11. The “Completing the Certificate Import Wizard” window appears giving you a summary of the operation

Completing the Cert Imp Wiz

12. You should see a window saying the import was successful

Import Successful

That’s it!  The certificate is now installed in your Windows server.  This is the procedure you follow for installing certificates in Windows, regardless of where you get them.
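The same import can be done from an elevated PowerShell prompt, with a check that the file really is an intermediate CA certificate before it goes into the store. This is an added example, not part of the original post; the file path is a placeholder and the file is assumed to hold a single certificate (.cer or .crt).

```powershell
# Added example: import an intermediate CA certificate into the local computer's
# "Intermediate Certification Authorities" store (Cert:\LocalMachine\CA).
$file = 'C:\Temp\intermediate.cer'   # placeholder: the file provided by your CA

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

# An intermediate must be marked as a CA in its Basic Constraints extension.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate: $($cert.Subject)"
}

# A self-signed certificate is a root, which does not belong in the intermediate store.
if ($cert.Subject -eq $cert.Issuer) {
    throw "Self-signed root certificate, not an intermediate: $($cert.Subject)"
}

# Refuse certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid (NotAfter: $($cert.NotAfter))"
}

Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Confirm the certificate is now in the store.
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```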

I hope this has helped someone out there!  As always, your feedback is welcome.

 

 

Installing an SSL Certificate in Windows

SSL is the protocol used to secure connections to web servers by encrypting the session so prying eyes can’t see what’s going on between the client and the server.  I need to install an SSL certificate for a web site on one of my servers, so I’m going to document the process here in case someone else could use the information.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure:

1. Generate a certificate request from the device on which you wish to use SSL
2. Submit the request to a Certificate Authority
3. Retrieve the completed certificate from the CA
4. Install the certificate on the device along with CA certificates
5. Configure the device to use the certificate for SSL

I will be doing this on a Windows Server 2012 R2 server using the Default Web Site as an example.


Generating the Certificate Request:

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

 2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Create Certificate Request…” link

Server Certificates

4. In the “Distinguished Name Properties” window, fill in the required information and click “Next”.

Distinguished Name Properties

The fields here need to be filled out accordingly:

Common name: This is the fully-qualified domain name (FQDN) for the website.  For example, if your website is testcert.yourdomain.com, this is what you put in this field.  Do not include the “http://” or “https://” prefixes in your common name.

Organization: This is the legally registered name of your organization.  The organization must be the legal registrant of the domain name in the certificate request. If you’re a sole proprietor, put your name in this field.

Organizational Unit: This is the internal department within the organization that is responsible for the maintenance of the certificate and/or site.   If you’re a sole proprietor, enter your DBA (doing business as) name in this field.

City/Locality: This is the city in which your organization is located.  This needs to be spelled out; do not abbreviate.

State/Province: This is the state/province/region/territory in which your organization is registered.  This needs to be spelled out; do not abbreviate.

Country Code: This is the country in which your organization is registered.  Unlike the City/Locality and State/Province fields, you will abbreviate the country using the two-letter International Organization for Standardization (ISO) format country code.

5. In the “Cryptographic Service Provider Properties” window, select the appropriate bit length and select “Next”

Cryptographic Service Provider Properties

The bit length requirement is set by the Certificate Authority from whom you are requesting the certificate.  For most providers, the required length is 2,048 bits.

6. In the “File Name” window, browse to where you’d like to store the request file and give it a name.  Click “Finish”.

File Name

The file you save here is what you’ll submit to the CA when you submit your request.
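The same request can be generated without IIS Manager by using certreq, which ships with Windows. This is an added example, not part of the original post; the working folder and the organization, unit, city and state values are constructed placeholders, and testcert.yourdomain.com is the example name used above.

```powershell
# Added example: build a certificate request with certreq from an elevated prompt.
# The INF fields map to the "Distinguished Name Properties" and
# "Cryptographic Service Provider Properties" windows described above.
$work = 'C:\Temp\csr'                      # placeholder working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'

# Single-quoted here-string so "$Windows NT$" is written literally.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder subject: spell out city and state, two-letter ISO country code.
Subject = "CN=testcert.yourdomain.com, O=Example Organization, OU=Example Department, L=Example City, S=Example State, C=US"
KeySpec = 1
KeyLength = 2048
; Exportable = TRUE only if you will need to move the certificate to another server.
Exportable = TRUE
; Store the key in the machine store so IIS can use it.
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
'@ | Set-Content -Path $inf -Encoding Ascii

# Generate the key pair and write the request file to submit to the CA.
& certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Review the subject and key length before submitting the request.
& certutil -dump $req
```

The private key stays on the server that generated the request, so the certificate returned by the CA has to be installed on that same server.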


Submitting the Request to a Certificate Authority:

Each Certificate Authority will have its own procedure for submitting the certificate request.  You’ll either upload the file or submit it by opening it in a text editor and copying/pasting the contents into a form on the CA’s site.

The contents of the file will look something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
<A whole lot of random-looking characters>
-----END NEW CERTIFICATE REQUEST-----

When cutting and pasting this information into the CA’s website form, make sure you copy everything including the “-----BEGIN NEW CERTIFICATE REQUEST-----” and “-----END NEW CERTIFICATE REQUEST-----” lines.


Retrieving the Certificate from the Certificate Authority:

The CA will process your request and issue your certificate after completing a few administrative procedures.  The CA will keep you informed of what’s going on and will let you know when the process is complete.

Once the certificate is ready, you’ll download a file from your CA which will contain your certificate along with one or more other certificates that identify the CA and establish the identity chain required to validate your certificate when others connect to your web site.


Installing the Certificate:

There are two steps in installing the certificate from the CA.  The first step is to install the Intermediate CA Certificate on the server.

Once that’s completed, you’ll install the SSL certificate on the web server.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Complete Certificate Request…” link

Select Complete Req

4. In the “Specify Certificate Authority Response” window, browse to the file you downloaded from the CA, assign the certificate a Friendly Name and click “OK”

Specify Certificate Authority Response

The friendly name is not actually part of the certificate; it’s simply a way for you to give the certificate a name so that it is easily identifiable when you attempt to use it later.

Keep the certificate store set to “Personal”.

You should now see the certificate listed in your IIS Manager.


Configuring the Web Site for SSL

Now that the certificates are installed, it’s time to finally get SSL running on the web site.

1. In your IIS Manager, select the web site which will use SSL

IIS - Default Web Site

In my example, I’m just using the Default Web Site.

2. In the “Actions” pane, select “Bindings…”

Select Bindings...

3. In the “Site Bindings” window, click on “Add…”

Site Bindings

4. In the “Add Site Binding” window, complete the fields and click “OK”

Add Site Binding

Type: This must be set to “https”
IP address: Select the IP address to use for the site
Host name:  Leave this blank
SSL certificate:  Use the drop-down to select the certificate

5. Double-click on “SSL Settings” in your web site’s Features View pane

SSL Settings Select

6. In the “SSL Settings” pane, put a check in the “Require SSL” box and then click on “Apply” in the “Actions” pane

Require SSL and Apply

You’ll see a message that says “The changes have been successfully saved”.

Your site now uses SSL!

I hope this has been useful for you.  Your feedback is always welcome!

Installing OpenSSL in Windows 8.1

Windows doesn’t have a good tool for manipulating SSL certificates.  So, if you want to do anything serious with SSL, you need to grab yourself a copy of OpenSSL.  I’m installing the Windows x64 version of OpenSSL provided by Shining Light Productions.

First, you’ll need to download and install the Microsoft Visual C++ 2008 Redistributable Package (x64) from Microsoft.  Just accept all of the defaults for the installation.  (If you’re running a 32-bit version of Windows, you’ll need to install 32-bit versions of everything.  This example is for 64-bit.)

Once you have that installed, download the latest “Light” version of OpenSSL.  If you’re not developing software, you don’t need the full versions; the “Light” version is intended for end-users.

Accept the defaults for the installation until you come to the “Select Destination Location” window.  Figure out where you want OpenSSL to be installed.  I like to keep everything in my Program Files directory, so that’s where I’m putting mine:

Destination

I don’t worry too much about Start Menu locations, but the “Select Additional Tasks” window is important:

DLL Location

Wherever you put the DLLs is up to you, but I put them in their own directory rather than the System directory.  It just makes more sense to me.

Once you complete the installation wizard, you’ll end up at the following window:

Donation

Whether you donate or not is up to you, of course.  You can simply clear the check box and hit “Finish” and the software will work fine.  I’d like to encourage you to make a donation, though.  Everyone thinks open source software is “free”.  In actuality, it’s extremely expensive in time and resources and if you benefit from its use, please support the developers by donating when you can.

The last thing to do is to modify the Path system variable so you can launch the OpenSSL shell from anywhere at a command prompt:

1. Right-click the Windows icon and select “System”

Start Menu

2. Select “Advanced System Settings”

System

3. On the “Advanced” tab, click the “Environment Variables…” button

Advanced

4. Find the “Path” variable in the “System variables” selection window and click on “Edit…”

Find Path

An “Edit System Variable” dialogue box will appear.  Append “;C:\Program Files\OpenSSL-Win64\bin” to the end of the path information and click “OK”.  Notice there is a semi-colon at the start of the string.  This is a delimiter which tells Windows that this location is a separate location and not part of the path immediately before it.

Edit System Variable

Click “OK” a few times and you’re done.

Once you’ve completed the installation and path configuration, you can launch OpenSSL from a command prompt window:

OpenSSL CMD

For more information about how to use OpenSSL’s commands and syntax, refer to the official documentation.

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

Installing and Configuring an SSL Certificate on Cisco 3000 Series VPN Concentrator

Some of the equipment on our network is a bit dated as we have some customers who still rely on those services for their day-to-day operations.  One of the oldest pieces of equipment we have is a Cisco 3030 VPN Concentrator.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure.  Unfortunately, this is a bit of a challenge on the Cisco VPN Concentrator due to its age and lack of support for more current certificate file formats.  When following the normal enrollment procedure within the concentrator’s UI, one receives the following error:

Error

So, in order to keep the concentrator’s SSL certificate current, a workaround will have to be performed.  To do this, you’ll need access to a computer with Internet Information Services (IIS) and OpenSSL.

The certificate itself is going to be created and installed on a Windows server via IIS using the VPN concentrator’s information.

Next, export the certificate, ensuring you’ve recorded the password assigned to the exported certificate.  At this point, you have a certificate in PKCS#12 format which is not supported by the VPN concentrator as it requires a certificate in PKCS#8 format.

To convert the certificate from one format to the other, we’ll use OpenSSL.  What’s interesting here is that you can’t just convert from PKCS#12 to PKCS#8.  Instead, you have to convert from PKCS#12 to PEM and then from PEM to PKCS#8.

NOTE: Make sure you launch the command prompt as Administrator or you might get “unable to write ‘random state'” errors.

So, converting the file to PEM:

Convert 12 to PEM2

pkcs12 is the OpenSSL command that indicates we’re working with a PKCS#12 format file
-in is the parameter that indicates the next input is the name of the file to be reformatted
D:\Temp\ExportCert.pfx is the path and filename of the file to be reformatted
-out is the parameter that indicates the next input is the name of the reformatted file
D:\Temp\ExportCert.pem is the path and filename of the reformatted file

You can see that I was prompted for the password of the exported certificate file.  Once that was supplied and verified, OpenSSL prompted me for a passphrase for the reformatted file.  I just used the same password I had used before to keep things simple.

Now, we’re going to convert from PEM to PKCS#8.  The commands are almost identical to the ones we used for converting to PEM from PKCS#12:

Convert PEM to 8

Hopefully, the syntax here is rather obvious, with the only difference being the use of “pkcs8” rather than “pkcs12” as the OpenSSL command.  Also, you’ll see the -topk8 switch which tells OpenSSL the incoming private key is to be converted to the PKCS#8 format.

If you look at the contents of the .pk8 file, you’ll see something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
<A whole lot of random-looking characters>
-----END ENCRYPTED PRIVATE KEY-----

Create a new text document in your favorite text editor and copy and paste the contents of the .pk8 file into it.

Once you’ve done that, open the .pem file you created when converting from .pfx and you should see a section that has the certificate you were issued by the CA:

-----BEGIN CERTIFICATE-----
<A whole lot of random-looking characters>
-----END CERTIFICATE-----

Cut and paste this section into your new text document immediately following the private key contents from the .pk8 file.  It should look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
<A whole lot of random-looking characters>
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<A whole lot of random-looking characters>
-----END CERTIFICATE-----

Save this file so you don’t lose what you’ve accomplished so far.
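The two conversions and the copy-and-paste assembly can be scripted as follows. This is an added example, not the original post's commands: the first two openssl calls follow the parameters described above, the third call (with -clcerts -nokeys) is an addition that pulls out only the issued certificate, and every file name other than ExportCert.pfx and ExportCert.pem is an assumption.

```powershell
# Added example: PKCS#12 -> PEM -> PKCS#8, then build the text file to paste into
# the concentrator. Run from an elevated prompt with openssl on the Path.
$pfx    = 'D:\Temp\ExportCert.pfx'
$pem    = 'D:\Temp\ExportCert.pem'
$pk8    = 'D:\Temp\ExportCert.pk8'            # assumed name
$leaf   = 'D:\Temp\ExportCert-leaf.pem'       # assumed name
$bundle = 'D:\Temp\concentrator-import.txt'   # assumed name

# OpenSSL prompts for the export password and for a new passphrase, as described above.
& openssl pkcs12 -in $pfx -out $pem
if ($LASTEXITCODE -ne 0) { throw 'PKCS#12 to PEM conversion failed' }

& openssl pkcs8 -topk8 -in $pem -out $pk8
if ($LASTEXITCODE -ne 0) { throw 'PEM to PKCS#8 conversion failed' }

# Extract only the issued certificate, without keys or CA certificates.
& openssl pkcs12 -in $pfx -clcerts -nokeys -out $leaf
if ($LASTEXITCODE -ne 0) { throw 'Certificate extraction failed' }

function Get-PemBlock([string]$Path, [string]$Label) {
    # Return the single PEM block with the given label; fail if there is not exactly one.
    $text    = Get-Content -Raw -Path $Path
    $escaped = [regex]::Escape($Label)
    $pattern = "-----BEGIN $escaped-----.*?-----END $escaped-----"
    $found   = [regex]::Matches($text, $pattern, 'Singleline')
    if ($found.Count -ne 1) {
        throw "Expected one '$Label' block in $Path, found $($found.Count)"
    }
    $found[0].Value
}

$key  = Get-PemBlock $pk8  'ENCRYPTED PRIVATE KEY'
$cert = Get-PemBlock $leaf 'CERTIFICATE'

# Private key first, certificate immediately after it, plain ASCII text.
Set-Content -Path $bundle -Value ($key, $cert) -Encoding Ascii

# The intermediate files hold key material; remove them once the bundle exists.
Remove-Item -Path $pem, $leaf
Write-Host "Bundle written to $bundle"
```

The bundle and the .pk8 file still contain the (encrypted) private key, so delete them as well once the certificate is installed on all three interfaces.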

The next step is to install the certificate bundle you received from the CA which contains the Intermediate and Root CA certificates.  This should be okay to install straight into the concentrator via the UI.

Go to Administration > Certificate Management > Installation and choose “Install CA Certificate” and upload the file from the CA.  I’ve been able to do this without any problems.

Next, go to Administration > Certificate Management and look for the “SSL Certificates” section.  You should have three interfaces listed there:  Private, Public and External.  You’ll want to perform this operation on each of the interfaces:

1. Click on “Import”
2. Select “Cut & Paste Text”
3. Copy and paste the contents of the text file which contains the private key and certificate
4. Type in the password for the private key
5. Click on “Install”

That’s it!  Hopefully, this will save you a bunch of time and some heartache.  I know this problem has frustrated me for quite some time.

Let me know what you think!

Scheduling a Task in Windows 8.1

Backing up your data is the single most important thing you can do to maintain your mental and emotional health as a computer user.  As an IT professional, I stress again and again to my customers that their backups must be a top priority and they must also be frequently tested to ensure they are working properly and consistently.

Of course, this means my own data is vulnerable as I almost never back up my own stuff.

I’m trying to mend my ways and back up the things I find most useful and I do have some pretty spiffy backup software that I use to take image snapshots of my drives.  However, I also want some simple backup jobs that just grab a file here and there so I don’t have to go and muck around with scheduling an entire recovery task.

I’ve created a couple of small batch files that grab some data here and there for my most often-used applications and I scheduled those tasks to run at midnight every night.  If you’ve never scheduled a task in Windows, it’s pretty straightforward.

 

1. Open your Control Panel
In Windows 8.1, you can just right-click on the Windows icon in the lower left corner of the screen and select “Control Panel”.

Start Menu 8.1

Control Panel

2. Select “Schedule Tasks” from the Control Panel
You’ll find this by selecting “System and Security” and looking under the “Administrative Tools” heading.

CP Schedule Tasks

3. In the Task Scheduler interface, select “Create Basic Task” and go through the wizard.
I’ve highlighted it below with a red box.

Create Basic Task Select

Give your task a name.  The description is optional.

Task Name

You have a lot of options for scheduling the task to run.  Feel free to play around with those.  I’m scheduling mine to run daily at midnight, so I’ll keep the default of “Daily”.

Task Trigger

Set your start day and start time and recurrence.  The only time you have to worry about the time zone synchronization is if your computer might be in different time zones as you travel.

Daily Trigger

The next window is a bit frustrating as Microsoft has deprecated two of the options available for scheduled tasks.  This means that those features will be unavailable in a future (probably the next) version of Windows.  So, if you need to automatically send an email or display a message, you’ll want to use PowerShell.  In my case, I don’t need those features, so I’ll keep “Start a program” selected and just click “Next”.

Start a Program

Now, browse to the script you’d like to execute on this schedule and then click “Next”.  (If you have command line arguments or options, you’ll want to specify those in the “Add arguments (optional):” field.)

Select Program

Review the task information and click “Finish”.

Finish

4. Check to make sure the task is active

Once you click “Finish”, you’ll find yourself back at the Task Scheduler interface.  Look under “Active Tasks” and make sure the task you’ve just created appears there.  If so, you’re good to go!

Check Active Task
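The wizard steps above, including the final check, can be done from an elevated PowerShell prompt on Windows 8.1. This is an added example, not part of the original post; the task name, description and script path are placeholders.

```powershell
# Added example: create a daily midnight task that starts a program, then verify it.
$taskName = 'Nightly file backup'            # placeholder name
$script   = 'C:\Scripts\nightly-backup.cmd'  # placeholder batch file

# Fail early if the script the task would run does not exist.
if (-not (Test-Path -Path $script -PathType Leaf)) {
    throw "Script not found: $script"
}

# "Start a program" action and a "Daily" trigger at midnight.
$action  = New-ScheduledTaskAction -Execute $script
$trigger = New-ScheduledTaskTrigger -Daily -At ([datetime]::Today)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Description 'Copies application data files every night' | Out-Null

# Step 4: confirm the task is active and see when it will next run.
$task = Get-ScheduledTask -TaskName $taskName
if ($task.State -ne 'Ready') {
    throw "Task '$taskName' is in state $($task.State), expected Ready"
}
$task | Get-ScheduledTaskInfo | Select-Object TaskName, NextRunTime, LastTaskResult

# Show who can modify the script, since the task runs whatever that file contains.
(Get-Acl -Path $script).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```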

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.