HTTPS instead of FTP – certificate question

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #53940
    AvatarHoerti
    Participant
    • Total Post: 12
    • Regular Joe
    • ★★

    Hi,

    I heard about CVE-2020-29491 and CVE-2020-29492 last week and so I try to secure my environment and configure https for my clients instead of FTP.

    I installed IIS on my fileserver and when I set up the 443 binding, I have to use a certificate. I´m not that good with all the IIS stuff – so here is my question:

    To access my fileserver, all my thin clients need to have this cert installed – is that right? If yes, how can I do that? With the FTP solution it was possible to place it in the cacerts folder but how can I do this using https?

    And do I need to change something in my Xen.ini / Wnos.ini?

    Thanks in advance!

    #53942
    ConfGenConfGen
    Keymaster
    • Total Post: 11287
    • Jedi Master
    • ★★★★★★★

    If you want to switch to https you will need a certificate, correct.
    The best way is to set up your own Certificate Authority and then use self-signed certificates. Another way would be to buy official certificates.
    In all ways, you would have to make sure that the root certificate (self-signed or official) is loaded on the client.
    You can do that via ftp (which you want to get rid of) or use a USB memory stick.

    No need to change anything in your INI files.

    CG

    #53946
    AvatarHoerti
    Participant
    • Total Post: 12
    • Regular Joe
    • ★★

    Hi,

    thanks – I got https working now.
    Some thoughts on the certificate thing now:
    – First I thought, I can use the certs that are already on my thin clients (domain and storefront cert) but as I saw, there is no possibility to bind them to IIS because they don´t have a private key. Is that true (only new self signed cert or a .pfx cert valid for IIS)?

    – When using a .pfx, is there a way I write the private key in my .ini files (secure, for sure)
    – I manage around 500 thin clients so the deployment method by usb stick is not a possibility. Using FTP is also not possible because DHCP Option Tag 161 is not “https://fqdn”. Any other possibilities?

    Thanks in advance!

    #53949
    ConfGenConfGen
    Keymaster
    • Total Post: 11287
    • Jedi Master
    • ★★★★★★★

    You only need the root certificate on the clients.
    The IIS itself needs the certificate including the private key (.pfx).

    CG

Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.