-1

I am in a bit of a sticky situation. At my work we are using Windows 2003 IIS 6 to host a legacy but critical website and now I need to renew the SSL certificate with SHA2 which is basically incompatible with Windows 2003 IIS 6.

In an ideal world I would migrate to a Windows 2008 server but sadly this is not possible because it is a legacy system that runs other bespoke legacy software and I don't have the ability to upgrade the OS. Also I am a web developer for a company where the network/I.T. manager resigned.

Is there any way to get round this? I have had the idea that I would disable SSL on IIS 6 and install a simple Node.js proxy server with SSL to locally target the IIS 6 site (IIS 6 HTTP to Node.js HTTPS). Does anyone know if this would work, or have a better idea?

Kind regards,

Robin

Joe
Robin Fuller
  • You could use something like nginx as a fronting proxy, no need to use node. – Joe Jan 08 '15 at 02:09
  • Thanks Joe, I have just set up nginx on a test server as a reverse proxy. With the current certificate (SHA1) it works well. Now I just hope that nginx is directly decrypting the certificate rather than calling a Windows library. – Robin Fuller Jan 09 '15 at 14:02

2 Answers

0

I found the answer on this website:

https://stn28.wordpress.com/2014/09/24/sha-2-compatibility-with-windows-server-2003-and-iis6-0/

It shows that you need to download a fix that includes two components for SHA2 support in IIS 6.0.

Joe
0

Please follow the steps below.

1) Update the two hotfixes in Windows Server 2003 (KB938397 and KB968730).

2) Install an OpenSSL which supports the SHA256 algorithm.

3) Raise a CSR through the OpenSSL commands (http://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/).

4) Generate the private key while generating the CSR. This key will be saved in the form of .key and the CSR will be in the form of .csr.

5) Copy and paste this CSR to request the SSL certificate. Place this certificate in the OpenSSL bin folder.

6) Once you get the SSL certificate with the SHA256 algorithm, go to your OpenSSL -> bin folder and convert the .key file to a .pfx file using OpenSSL commands. (Is it possible to convert an SSL certificate from a .key file to a .pfx?)

7) Go to MMC and import your certificate and .pfx file.

8) Now you can see your certificate along with your private key.

supriya
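Steps 3 to 6 of the answer above as a script, with checks on the signature algorithm and on the key/certificate pairing before the .pfx is built. This is an added example, not part of the original answer; the file names, the common name `www.example.test`, the export password and the self-signing step that stands in for the CA are all assumptions.

```shell
#!/bin/sh
# Added example. File names, CN and password are placeholders.
set -eu
umask 077    # the private key is written unencrypted; keep it owner-only

make_csr() {             # steps 3-4: $1 = work dir, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

sig_alg() {              # $1 = req | x509, $2 = file; prints the signature algorithm
    openssl "$1" -in "$2" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

fake_ca_issue() {        # constructed stand-in for the CA: self-sign the CSR
    openssl x509 -req -sha256 -days 1 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

key_matches_cert() {     # compare the public key in the key file and in the cert
    k=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

make_pfx() {             # step 6: $1 = work dir, $2 = export password
    # OpenSSL 3 writes AES-encrypted PFX files by default, which old Windows
    # importers cannot read, so pin the classic 3DES/SHA1 container settings.
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$1/server.pfx" -passout "pass:$2"
}

work=$(mktemp -d)
make_csr "$work" www.example.test
echo "CSR signature:  $(sig_alg req "$work/server.csr")"
fake_ca_issue "$work"    # in production: submit server.csr, save the reply as server.crt
echo "cert signature: $(sig_alg x509 "$work/server.crt")"   # the value clients see
key_matches_cert "$work" || { echo "key and certificate do not match" >&2; exit 1; }
make_pfx "$work" 'placeholder-export-password'
echo "wrote $work/server.pfx"
```

The `sha1` in `make_pfx` only protects the .pfx container; the certificate inside keeps the SHA-256 signature reported by `sig_alg`.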