1. IIS Crypto — a free tool that makes it easy to enable or disable SSL/TLS protocol versions, hashes, key exchanges and cipher suites, which are otherwise configured in the Windows registry. With this tool, everything can be done in a simple UI or from the command prompt instead of editing the Windows registry manually.
The tool also contains several templates, such as “Best practices” and “FIPS”, so that you can apply one of them instead of configuring all the settings one by one. It has a few other features too. I mostly use this tool when I want to configure TLS to a certain version and also when I need to make sure the server uses only FIPS-compliant algorithms.
2. OpenSSL — a free and open-source command-line tool used to generate CSRs, self-signed certificates, etc.
I use this tool whenever I need to have a self-signed SSL certificate for my development work.
Example: openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout mysite.com.key -out mysite.com.crt -subj "/CN=mysite.com" -addext "subjectAltName=DNS:mysite.com,DNS:*.mysite.com,IP:10.0.0.1"
3. SSLScan — a free tool that queries SSL/TLS services and reports the protocol versions, cipher suites, key exchanges, signature algorithms, and certificates in use.
I use this tool when I want to troubleshoot TLS protocol and SSL certificate related issues on the server.
Example: sslscan.exe --tls12 --verbose localhost:443
4. CertUtil — a command-line program installed as part of Certificate Services. You can use certutil.exe to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components.
I use this tool when I need to convert private key and certificate files from OpenSSL to the .pfx format.
Example: certutil -mergepfx mysite.crt mysite.pfx
5. Netsh — a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running.
I use this tool to bind a certain port of my application to a certain SSL-certificate (by its thumbprint).
Example: netsh http show sslcert
The command above shows the SSL certificate bindings for each IP address and port. This is useful for determining which binding needs its certificate updated or removed.
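The binding by thumbprint mentioned under Netsh, as an added PowerShell example that is not part of the original post: it imports the .pfx, binds it to a port and checks the result. The .pfx path, port 8443 and the application GUID are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumed values: the .pfx path, port 8443 and the generated application GUID.
$pfxPath = '.\mysite.pfx'                      # output of the certutil -mergepfx example
$ipPort  = '0.0.0.0:8443'                      # assumed listener address and port
$appId   = [guid]::NewGuid().ToString('B')     # any GUID identifying the owning app

# HTTP.sys resolves the certificate by thumbprint in the LocalMachine store,
# so import the .pfx there (not into CurrentUser).
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# "add sslcert" fails if the endpoint is already bound, so remove a stale binding first.
netsh http show sslcert "ipport=$ipPort" | Out-Null
if ($LASTEXITCODE -eq 0) {
    netsh http delete sslcert "ipport=$ipPort"
}

# Keep the appid argument quoted: unquoted braces are special to PowerShell's parser.
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not bind $ipPort to $($cert.Thumbprint)."
}

# Confirm the binding now reports the expected thumbprint.
netsh http show sslcert "ipport=$ipPort"
```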
Thanks for reading.