The Curious Case of TCP/9808

Sometimes a mystery is so satisfying once you have solved it.  Check out this amazing story from co-worker and amazing guy Mitch Steiner.

Prologue

The Scene: A typical day in Ops
Ops engineer: Oh, I just got an alert that the default certificate on one of our enterprise pools is about to expire. Time to create a change request for the upcoming maintenance window and get it replaced.

Act 1 Scene 1

(Two days later , during the weekly maintenance window)
Our trusty ops engineer , having filed the proper change request and obtaining an approval, creates a CSR , submits it to his internal PKI and  generates  a new default certificate. He launches the deployment wizard,  imports his certificate ,  and assigns it to the proper usages ( server default , internal and external web services).
No errors were found, and all appears  working as expected.
Following his organization’s pre defined best practices (trust but verify!)  ,  our ops engineer now runs through his certificate replacement checklist.
He grabs his trusty DigiCert utility for windows , and proceeds to verify that the new certificate is being presented on the known ports  ( 5061, 443, 4443). To accomplish this, he launches the tool on the enterprise pool server , selects tools and  clicks “check install” in the  certificate installation checker section. He sets his server address  to localhost , sets  the SSL mode to  direct and checks each port , verifying the new “valid to”  date and serial number match the newly provisioned certificate  (Exhibit A is shown below)

Continue Reading

Leave a Reply

Your email address will not be published. Required fields are marked *