Tuesday, February 3, 2009

SSL Woes with WebSite Pro

I run a web site that uses a site certificate that we buy from VeriSign. That certificate came up for renewal last month so I went through the usual process to buy a new certificate: Put in a purchase request, wait for approval, generate a certificate request, upload the certificate request to VeriSign, enter the credit card info, and wait for the new certificate to arrive in my inbox.

Every year previously it was as simple as that. But this year VeriSign rejected my certificate request on the grounds that it was a 512 bit request and that the minimum it would accept was a 1024 bit request. So, I went to my server and opened up the WebSite Pro server management tool to find the option for generating a 1024 bit request. It didn't exist. Apparently, with WebSite Pro, you can have as many bits as you want as long as it's 512.

Without any way to get WebSite Pro to make a 1024 bit certificate request I went back to VeriSign to find the option to upload a 512 bit request. It didn't exist. So, I clicked the button to request a chat with tech support and got someone to chat with me after a few minutes. I explained my situation and his first suggestion was to RTFM and find out how to generate a 1024 bit certificate request. Okay, I humored him and perused the help file for a few minutes after which I reported back that such instructions were absent from TFM.

Next, I asked him how to get VeriSign to accept a 512 bit request. He reported back that VeriSign has adopted "best practices" requiring a minimum of 1024 bits. I asked if this was a new best practice since one year ago 512 bits was not a problem. Indeed, yes, sometime during 2008 it became a requirement. Looks like their best practices did not include informing the WebSite Pro administrators that their servers would no longer be supported by VeriSign.

I told my tech support chat buddy that I was, therefore, not able to plunk down $2500 for a three year certificate. "What's your telephone number? When is a good time to have someone contact you?" Best practice does include keeping a $2500 sale alive.

A short while later I received a call from the saleswoman who had been calling me every week for the past 2 months to remind me that my certificate was expiring and offering help to get it renewed. I explained my situation again and she was eager to transfer me to tech support where I was on hold for way too long. Lunch hour came around while the hold music was playing and the cafeteria seemed more promising than the hollow hope of VeriSign tech support so I hung up with a little over one week to go until my site certificate expired.

In 2001, ownership of WebSite Pro changed from O'Reilly to Deerfield and in early 2004, Deerfield dropped sales and support for WebSite Pro all together. It's now five years later and we're still running this dinosaur. This little VeriSign issue is a good reason (amongst others) to move from WebSite Pro to web server that is still supported.

The decision was made to replace WebSite Pro with IIS. When I say that I am the administer of this server what I mean is that I am an administer with some (not all) rights. I did not set it up and I have no control over the security lock-down policies imposed on the machine. I spent four days trying to get IIS installed and working. The day before the VeriSign certificate was to expire I was able to achieve marginal success. IIS would serve static pages but asp was broken and I could not get ColdFusion (an essential part of the server) installed and working. I could, however, generate 1024 bit certificate requests and so I did.

Closing time was fast approaching so I emailed the certificate request to the credit card holder and visited her office to finally buy the new site certificate. I logged into VeriSign and uploaded the new certificate request but this time Verisign didn't like the fact that my certificate request abbreviated the state rather than spelling it out in full. So... I went back to the server, canceled the original certificate request, and generated another one with the state spelled out in full. I logged back into VeriSign and uploaded the certificate request and this time it was successful. We entered the credit card info and paid.

Now that I had completed that, I had to get back to the task of getting the server working with IIS. I tried various iterations of uninstalling and reinstalling IIS and uninstalling and reinstalling ColdFusion to no avail. Each uninstall or reinstall required a reboot which took a full 10 minutes just to reboot. It was getting late, now after hours, and my server was broken. My goal was now to forget IIS and put it back working with WebSite Pro which took another round of uninstalling and reinstalling ColdFusion. The server was finally working again so I called it a day but the clock was still ticking on the site certificate installed in WebSite Pro.

The morning of expiration day arrived and my boss called me while I was on my way to the office. It turned out that there were some ColdFusion configuration issues that I didn't catch the previous night and some of the users now couldn't get their job done. When I arrived I found the new site certificate from VeriSign in my inbox and I quickly fixed the configuration problem and had to wait until 2pm when most of the daily work would be done and the server wouldn't been needed again for a while. During that time I was able to install the new certificate in IIS and it occured to me that I could export the certificate from IIS and possibly import it into WebSite Pro.

Exporting the certificate as a .pfx file was no problem. But WebSite wants the certificate in .pem format. Using OpenSSL for Win32 I was able to convert the certificate with
>openssl pkcs12 -in cert.pfx -out cert.pem -nodes

and successfully imported it into WebSite Pro.

Now the server is running as before with a certificate that expires in three years and we still need to get rid of the old unsupported WebSite Pro.

No comments: