MANAGEMENT TIPS
Review SSL certificates for compliance with upcoming
rules
Summary:
SSL certificates need to be reviewed for compliance with upcoming changes and hardening by browsers.
Servers need to be reviewed to see if they are PCI DSS compliant as well as patched for BEAST, FREAK and
POODLE vulnerabilities.
SSL cipher testing:
First review your Internet facing servers for compliance with PCI DSS as well as protection from BEAST
vulnerabilities in SSL.
You can use the SSL test from Qualys to test your compliance.
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
1
For example – I ran the test on a blog server I personally run. https://www.ssllabs.com/ssltest/
Figure 1 - before adjustment the server flunks
As you can see this server flunked. It is not tweaked to disable SSL v2 and v3.
A free tool from https://www.nartac.com/Products/IISCrypto/ can be used to tweak your IIS settings on the
server to specifically disable crypto ciphers that should no longer be allowed.
First download the version of the tool needed for your version of the server.


IIS Crypto GUI version 1.6 (.Net 2.0, 83 KB)
IIS Crypto GUI version 1.6 (.Net 4.0, 98 KB)
For server 2012 and 2012 r2, download IIS Crypto GUI 1.6 .NET 4.0 (Essentials 2012 and 2012 r2 needs this
one as well)
For Server 2008 R2 and prior install IIS Crypto GUI 1.6, .NET 2.0
For SBS 2011 the tool will launch and show the following defaults:
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
2
Figure 2 - IIS crypto tool
Figure 3 - Default ciphers
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
3
Figure 4 - Part two - default ciphers
Figure 5 - Part three - default ciphers
From this screen you can use the templates noted on the right hand side.
Figure 6 - Choose best practices template
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
4
Figure 7 - Tool will disable out of date protocols
Choose the best practice template and apply. Now reboot the server and retest.
If you choose the best practice template it will set the cipher order as follows:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
5
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
The default cipher order is (in case you need to reset the server for any reason):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
6
We have not found any side effects with the best practice template on SBS 2011/2008 or any Essentials
servers.
After rebooting scan again with the Qualys SSL test
Figure 8 - Rescanned server
The server should now come back with a much better scan test.
SSL certificate:
Due to the increasing computing power available to decrypt SSL certificates, the Certificate Authority Browser
(CAB) Forum (the entity that establishes SSL industry standards) requires that all SSL certificates issued after
Jan. 1, 2014, use at least 2048-bit keys. SSL certificates that use 1024-bit keys are no longer secure. If you are
still running the original home server platform there is a KB to install a patch to ensure that you can obtain a
2048 bit key for your SSL certificate. https://support.microsoft.com/en-us/kb/2892162 is the KB you need to
follow.
To rekey the certificate or any other godaddy certificate the process is easy and documented here:
https://support.godaddy.com/help/article/4976/rekey-certificate
Internal names on external certificates.
For many years the default domain name set by SBS and Essentials servers is a .local domain. While there is a
way to adjust this to any domain name you like, a non .com internal domain name or a internal.domain.com
as a domain name is actually a wise setup for a small business network. If you call your small server
domain.com (inserting the real domain name) you may find that you are unable to provide your client with
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
7
an external web site location. The default SSL cert wizard inside of SBS 2011 does not add the internal .local
domain name to the SSL certificate. Thus no SBS or Essentials server will be affected by the November
change to SAN certs.
“All Certificate Authorities (CAs) that are connected to the overall CA/Browser Forum
have accepted worldwide renewed and improved guidelines for the issuance of a SAN
SSL Certificate. Domain validated certificates may therefore no longer be issued on an
invalid Fully-Qualified Domain Name (eg .local).
The reason that is given for the change is that the internal server names are not unique and therefore easy to
falsify. With common names like server01 or webmail, the end user is never sure if it is actually dealing with
the right party or with a malicious.
The changing legislation for SSL Certificates shall start on 1 November 2015. This means, from that date, the
invalid Fully-Qualified Domain Names (hereafter called FQDN) will no longer be accepted at the standard of
the CA/Browser Forum and after that date such certificates may no longer be issued. All certificates issued
after 1 November 2015 and meet this qualification will be revoked upon discovery.
Users who are requesting a certificate on an invalid FQDN with an expiration date after 1 November 2015
should remember that their certificates will be revoked after 1 November 2015. After this date, no SAN SSL
Certificate with a reserved IP address or internal server name will be issued either.”
This document is intended for customers of Third Tier. If you are not yet a customer please to go
www.thirdtier.net and then https://helpdesk.thirdtier.net to create an account.
We exist to assist IT firms be better
8