
Warning: DNS: The DNS server should have scavenging enabled

Symptom: When running the Microsoft Best Practice Analyzer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, you receive the following recommendation/warning:

Severity: Warning
DNS: The DNS server should have scavenging enabled.

What is DNS scavenging?

Per Microsoft: Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

Solution: Complete the following steps to enable scavenging of DNS records.

  1. Click Start (right click Start if in Server 2012), and select Run
    Server 2012 - Run
  2. Type dnsmgmt.msc and click OK
    Run - dnsmgmt-msc
  3. Right click on your server and select Properties
    DNS Manager - Properties
  4. Click on the Advanced tab and check Enable automatic scavenging of stale records
    DNS Manager - Properties - Advanced - Enable automatic scavenging of stale records
  5. Click OK

Notes: The official KB article from Microsoft can be found here: http://technet.microsoft.com/en-us/library/ff807390(v=ws.10).aspx

Enabling SSL on Windows Server Update Services (WSUS)

Here are the steps to configure SSL on your servers running the Windows Server Update Services.  This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well.  This guide also assumes you have a working instance of WSUS installed and configured, using default ports.

  1. Login to your WSUS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager
    Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate a SSL certificate
    1. Click on your Server and select Server Certificates
      Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps, if not, jump to step three
      1. Click Create Domain Certificate on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate
      2. Fill in the requested information on the Distinguished Name Properties page and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Distinguished Name Properties
      3. Select your certificate authority and enter a friendly name (this can be anything), and then click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate - Online Certification Authority
    3. If you need to submit a certificate request to an external certificate authority like GoDaddy, Verisign, or Comodo, follow these steps
      1. Click Create Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Certificate Request
      2. Fill out the Distinguished Name Properties and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Distinguished Name Properties
      3. Change the Bit length to 2048 and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Cryptographic Service Provider Properties
      4. Select a location on where to place the CSR file that will be generated by the wizard and click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - File Name
      5. At this point, send the request to your certificate authority (like GoDaddy, Verisign, or your own internal certificate authority). You should receive back a .cer file once the request has been fulfilled.
      6. Click on Complete Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Complete Certificate Request
      7. Select the .cer file that your public certificate authority provided you, type in a friendly name (this can be anything), select Web Hosting for the certificate store, and click OK
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Specify Certificate Authority Response
  5. Next, we need to bind the SSL certificate to the https binding of the WSUS Administration site.
    1. Expand your server, expand Sites, and select WSUS Administration
      IIS - Sites - WSUS Administration
    2. Select Bindings... on the right side
      IIS - Bindings
    3. Select the https site and hit the Edit... button
      Site Bindings - Port 8531
    4. Select https for the type, select the SSL certificate you created above, and click OK
      IIS - Edit Site Binding - WSUS
    5. Click Close on the Site Bindings window
      IIS - Site Bindings - https
  6. Next, we need to enforce SSL encryption on the following virtual roots
    • ApiRemoting30
    • ClientWebService
    • DSSAuthWebService
    • ServerSyncWebService
    • SimpleAuthWebService

    1. Expand WSUS Administration and, for each of the directories above, complete the following steps
      1. Select the virtual site
        IIS - WSUS Administration
      2. Double click on SSL Settings
        IIS - WSUS Administration - SSL Settings
      3. Check Require SSL and leave client certificates to ignore
        IIS - WSUS Administration - SSL Settings - Require SSL
      4. Click Apply in the top right corner
        IIS - SSL Settings - Apply
  7. Next, we need to execute a command to tell WSUS to use SSL
    1. Open up an elevated command prompt
      Server 2012 - Administrative Command Prompt
    2. Navigate to your WSUS installation folder
      1. cd "c:\Program Files\Update Services\Tools"
        cmd - program files - update services - tools
    3. Execute the following command (replace your server with the correct FQDN)
      1. WSUSUtil.exe configuressl myserver.mydomain.local
        wsusutil configuressl
  8. Restart the WSUS server to make sure all changes take effect.  You should be able to bring up the WSUS management console if all went well.
  9. Configure your clients to connect via SSL to the WSUS server via Group Policy
    1. Login to your domain controller
    2. Open up Server Manager
      Server 2012 R2 - Server Manager
    3. Open up Group Policy Management
      Server Manager - Tools - Group Policy Management
    4. Right click on the policy you want to edit and select Edit
      Edit GPO
    5. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update
    6. Double click on Specify intranet Microsoft update service location
      Specify intranet Microsoft update service location
    7. Change the intranet update service url to https and specify port 8531 and then click Apply.
      Specify intranet Microsoft update service location - options

That should do it!  Try doing a gpupdate /force on your local machine and then check for Windows updates.  If Windows successfully completes checking for updates, you should be good to go! 🙂
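
The check below is an added example, not part of the original guide or of Microsoft's tooling: on a client, it confirms that the Windows Update policy now points at https on port 8531 and that the WSUS server's certificate validates for the name used in the policy. It assumes PowerShell 3.0 or later; the function names are hypothetical and the sample URLs are constructed.

```powershell
# Added example (not from the original guide). Function names are hypothetical.
# Requires PowerShell 3.0+. Run on a client after gpupdate /force.

function Test-WsusPolicyUrl {
    # Pure check on a policy URL: absolute, https scheme, expected port.
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$ExpectedPort = 8531    # SSL port used in this guide
    )
    $uri = $null
    $reason = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $reason = 'not an absolute URL'
    } elseif ($uri.Scheme -ne 'https') {
        $reason = "scheme is '$($uri.Scheme)', expected https"
    } elseif ($uri.Port -ne $ExpectedPort) {
        $reason = "port is $($uri.Port), expected $ExpectedPort"
    }
    [pscustomobject]@{ Url = $Url; Ok = ($null -eq $reason); Reason = $reason }
}

function Get-WsusTlsInfo {
    # Completes a TLS handshake with normal certificate validation (trust chain
    # and name match). A certificate that does not validate makes this throw.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 8531
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [pscustomobject]@{
                Server         = "${HostName}:$Port"
                Protocol       = $ssl.SslProtocol
                CipherAlgorithm = $ssl.CipherAlgorithm
                CipherStrength = $ssl.CipherStrength
                Subject        = $ssl.RemoteCertificate.Subject
                Expires        = $ssl.RemoteCertificate.GetExpirationDateString()
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

# Constructed sample values: only the first one should pass.
'https://myserver.mydomain.local:8531',
'http://myserver.mydomain.local:8530',
'https://myserver.mydomain.local' |
    ForEach-Object { Test-WsusPolicyUrl -Url $_ } | Format-Table -AutoSize

# Live check against the values Group Policy wrote on this machine.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.WUServer) {
    Write-Warning "No WUServer policy found under $key; has the GPO applied?"
} else {
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$policy.$name
        if (-not $value) { Write-Warning "$name is not set"; continue }
        $check = Test-WsusPolicyUrl -Url $value
        '{0}: {1} -> {2}' -f $name, $value, $(if ($check.Ok) { 'OK' } else { $check.Reason })
    }
    try {
        $target = [System.Uri]$policy.WUServer
        Get-WsusTlsInfo -HostName $target.Host -Port $target.Port | Format-List
    } catch {
        Write-Warning "TLS check failed for $($policy.WUServer): $($_.Exception.Message)"
    }
}
```

A name-mismatch or untrusted-issuer failure here usually means the policy URL does not use the FQDN the certificate was issued for, or the client does not trust the issuing CA.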

Notes: Official documentation from Microsoft in regards to using SSL and WSUS can be found here: http://technet.microsoft.com/en-us/library/hh852346.aspx#consswsus

Windows Update Services - Multiple Errors in Event Viewer - Event ID 12052, 12042, 12022, 12032, 12012, 12002, 13042

Symptom: When browsing through the event viewer logs on your Windows Update Services server, you notice the following Event IDs with a Level of Error in the following order: 12052, 12042, 12022, 12032, 12012, 12002, 13042.

Event Viewer - WSUS Errors

Log Name: Application
Source: Windows Server Update Services
Event ID: 12052
Task Category: 9
Level: Error
Description: The DSS Authentication Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12042
Task Category: 9
Level: Error
Description: The SimpleAuth Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12022
Task Category: 9
Level: Error
Description: The Client Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12032
Task Category: 9
Level: Error
Description: The Server Synchronization Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12012
Task Category: 9
Level: Error
Description: The API Remoting Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12002
Task Category: 9
Level: Error
Description: The Reporting Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 13042
Task Category: 6
Level: Error
Description: Self-update is not working.

Additionally, you can recreate these events by running the following command: wsusutil.exe checkhealth

Solution: Reconfigure the WSUS server via the wsusutil.exe command.

  1. Login to the WSUS server
  2. Open up a command prompt with Administrative rights
    cmd as Administrator
  3. Navigate to the Update Services\Tools directory.
    1. By default you can find it on your C drive by executing the following command
      1. cd "c:\Program Files\Update Services\Tools"
        cmd Update Services - Tools
  4. Execute one of the following commands
    1. If updates are configured for port 80 execute this command
      1. wsusutil.exe usecustomwebsite false
    2. If updates are configured for port 8530 execute this command
      1. wsusutil.exe usecustomwebsite true
      wsusutil usecustomwebsite
  5. Execute the following command to verify the WSUS service is running correctly
    1. wsusutil.exe checkhealth
      wsusutil checkhealth
  6. You should see Event ID 10000 in event viewer confirming all is well
    WSUS is working correctly

Tutorial - How to setup a KMS server for a Windows Domain

Copied from Microsoft, here is what we can achieve by configuring a KMS server on our local network for a windows domain: http://technet.microsoft.com/en-us/library/ff793434.aspx

KMS activates computers on a local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client–server topology. KMS client computers can locate KMS host computers by using Domain Name System (DNS) or a static configuration. KMS clients contact the KMS host by using remote procedure call (RPC). KMS can be hosted on computers that are running the Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating systems.

  1. Go to the volume licensing center and grab a copy of the KMS key for your server OS
    1. Navigate to https://www.microsoft.com/Licensing/servicecenter/home.aspx
    2. Login
    3. Select Downloads and Keys
      Volume Licensing Service Center - Downloads and Keys
    4. Select Windows Server
      Volume Licensing Service Center - Windows Server
    5. Find your server version and click Key
      Volume Licensing Service Center - Windows Server - Key
    6. Copy the KMS type key
  2. Login to the server you want to setup as the KMS server.
  3. Open up a command prompt as an administrator.
  4. Ensure you are in the system32 folder of Windows
    1. cd c:\Windows\System32
      windows - System 32
  5. Execute the following command to setup your license key
    1. cscript slmgr.vbs /ipk WINDOWS-KMS-LICENSE-KEY-HERE
      cscript slmgr ipk
  6. Execute the following command to activate the host
    1. cscript slmgr.vbs /ato
      Activating Windows
  7. Execute the following command to verify the host has the Key Management Service enabled
    1. cscript slmgr.vbs /dlv
      cscript slmgr dlv
  8. Next, we need to open the firewall for the server to accept activation requests
    1. Open up Windows Firewall with Advanced Security
      Windows 8 - Windows Firewall with Advanced Security
    2. Right click on Inbound Rules and select New Rule...
      Windows Firewall with Advanced Security - New Rule
    3. Select Port and click Next >
      New Inbound Rule Wizard - Port
    4. Check TCP, check Specific Local Ports and enter port 1688, click Next >
      New Inbound Rule Wizard - Specific local ports
    5. Check Allow the connection and click Next >
      New Inbound Rule Wizard - Allow the connection
    6. Check Domain and click Next >
      New Inbound Rule Wizard - Domain
    7. Enter a name for the rule and click Finish
      New Inbound Rule Wizard - Rule Name

Congrats!  Your KMS server should now be ready to accept activation requests!

Notes: Here is a full listing of the commands/switches you can execute using the Software Licensing Management Tool.

C:\Windows\System32>cscript slmgr.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Invalid combination of command parameters.

Windows Software Licensing Management Tool
Usage: slmgr.vbs [MachineName [User Password]] [<Option>]
MachineName: Name of remote machine (default is local machine)
User: Account with required privilege on remote machine
Password: password for the previous account

Global Options:
/ipk <Product Key>
Install product key (replaces existing key)
/ato [Activation ID]
Activate Windows
/dli [Activation ID | All]
Display license information (default: current license)
/dlv [Activation ID | All]
Display detailed license information (default: current license)
/xpr [Activation ID]
Expiration date for current license state

Advanced Options:
/cpky
Clear product key from the registry (prevents disclosure attacks)
/ilc <License file>
Install license
/rilc
Re-install system license files
/rearm
Reset the licensing status of the machine
/upk [Activation ID]
Uninstall product key

/dti [Activation ID]
Display Installation ID for offline activation
/atp <Confirmation ID> [Activation ID]
Activate product with user-provided Confirmation ID

Volume Licensing: Key Management Service (KMS) Client Options:
/skms <Name[:Port] | : port> [Activation ID]
Set the name and/or the port for the KMS computer this machine will use. IPv6 address must be specified in the format [hostname]:port
/ckms [Activation ID]
Clear name of KMS computer used (sets the port to the default)
/skms-domain <FQDN> [Activation ID]
Set the specific DNS domain in which all KMS SRV records can be found. This setting has no effect if the specific single KMS host is set via /skms option.
/ckms-domain [Activation ID]
Clear the specific DNS domain in which all KMS SRV records can be found. The specific KMS host will be used if set via /skms. Otherwise default KMS auto-discovery will be used.
/skhc
Enable KMS host caching
/ckhc
Disable KMS host caching

Volume Licensing: Token-based Activation Options:
/lil
List installed Token-based Activation Issuance Licenses
/ril <ILID> <ILvID>
Remove installed Token-based Activation Issuance License
/ltc
List Token-based Activation Certificates
/fta <Certificate Thumbprint> [<PIN>]
Force Token-based Activation

Volume Licensing: Key Management Service (KMS) Options:
/sprt <Port>
Set TCP port KMS will use to communicate with clients
/sai <Activation Interval>
Set interval (minutes) for unactivated clients to attempt KMS connection. The activation interval must be between 15 minutes (min) and 30 days (max) although the default (2 hours) is recommended.
/sri <Renewal Interval>
Set renewal interval (minutes) for activated clients to attempt KMS connection. The renewal interval must be between 15 minutes (min) and 30 days (max) although the default (7 days) is recommended.
/sdns
Enable DNS publishing by KMS (default)
/cdns
Disable DNS publishing by KMS
/spri
Set KMS priority to normal (default)
/cpri
Set KMS priority to low
/act-type [Activation-Type] [Activation ID]
Set activation type to 1 (for AD) or 2 (for KMS) or 3 (for Token) or 0 (for all).

Volume Licensing: Active Directory (AD) Activation Options:
/ad-activation-online <Product Key> [Activation Object name]
Activate AD (Active Directory) forest with user-provided product key
/ad-activation-get-iid <Product Key>
Display Installation ID for AD (Active Directory) forest
/ad-activation-apply-cid <Product Key> <Confirmation ID> [Activation Object name]
Activate AD (Active Directory) forest with user-provided product key and Confirmation ID
/ao-list
Display Activation Objects in AD (Active Directory)
/del-ao <Activation Object DN | Activation Object RDN>
Delete Activation Objects in AD (Active Directory) for user-provided Activation Object

Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength

So strangely enough, I always thought submitting a 2048-bit CSR to my CA and receiving a 256-bit SSL cert would automatically force connections to use a 256-bit cipher strength over the established SSL connection, however it turns out that most connections will stay at 128-bit unless you tell your server to utilize TLS 1.2.  In this tutorial, we will go over how to enable TLS v1.2 for IIS to increase the cipher strength to 256-bits.

Here is what a certificate's connection info looked like before the tutorial

SSL Cert Info - 128-bit

Here is what a certificate's connection info looks like after the tutorial

SSL Cert Info - 256-bit

  1. Execute the following commands via an elevated PowerShell command prompt to enable TLS v1.2:
    Elevated Powershell

    1. # Create keys in registry (not created by Windows out of the box)
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
      # Enable TLS 1.2 for client and server SCHANNEL communications
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      PowerShell TLS 1.2 Registry Edits
    2. Registry before powershell commands
      Registry - Before TLS v1.2
    3. Registry after powershell commands
      Registry - After TLS v1.2
  2. Next, we need to edit the server to default the use of the 256-bit ciphers
    1. Click Start->gpedit.msc
      Start -> gpedit.msc
    2. Expand Computer Configuration -> Administrative Templates -> Network and select SSL Configuration Settings
      Group Policy Editor - SSL Configuration Settings
    3. Double click SSL Cipher Suite Order and check Enabled
      SSL Cipher Suite Order 128-bit
    4. Copy the text from the SSL Cipher Suites and paste it into notepad.
      SSL Cipher Suite Order
    5. Move the following to the beginning of the text document: TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA (Note: here you could remove lower strength ciphers from the order to prevent the server from accepting those connections).
      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA Cipher Suite order
    6. Paste the Cipher Suites back into the SSL Cipher Suites box in Group Policy and click OK
      SSL Cipher Suite Order 256-bit
    7. Restart the server for the changes to take effect
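
The script below is an added example, not code from the original post or its references: it reads back the SCHANNEL values set in step 1 and performs the reordering from step 2 on the cipher suite string, so the result can be reviewed before it is pasted into Group Policy. It assumes PowerShell 3.0 or later; the function names are hypothetical, the fallback suite list is a constructed, shortened sample, and nothing is written to the registry.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Requires PowerShell 3.0+; reads the registry only, changes nothing.

function Get-SchannelProtocolState {
    # Reports the two values the post sets under ...\Protocols\<Protocol>\<Role>.
    param([string]$Protocol = 'TLS 1.2')
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($role in 'Server', 'Client') {
        $path = "$base\$Protocol\$role"
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Role              = $role
            KeyExists         = (Test-Path -Path $path)
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            MatchesPost       = ($null -ne $p -and $p.Enabled -eq 1 -and $p.DisabledByDefault -eq 0)
        }
    }
}

function Move-CipherSuiteToFront {
    # Returns the comma-separated order with $Preferred first (in the order given)
    # and any suites named in $Remove dropped. Suites that are not already in the
    # list are reported and not added.
    param(
        [Parameter(Mandatory = $true)][string]$Order,
        [Parameter(Mandatory = $true)][string[]]$Preferred,
        [string[]]$Remove = @()
    )
    $suites = @($Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($name in $Preferred) {
        if ($suites -notcontains $name) {
            Write-Warning "$name is not in the current order; it was not added."
        }
    }
    $front = @($Preferred | Where-Object { $suites -contains $_ })
    $rest  = @($suites | Where-Object { $Preferred -notcontains $_ -and $Remove -notcontains $_ })
    $result = (@($front + $rest) | Select-Object -Unique) -join ','
    # Microsoft's Schannel documentation limits the policy string to 1,023 characters.
    if ($result.Length -gt 1023) {
        Write-Warning "Result is $($result.Length) characters; the policy field takes at most 1023."
    }
    $result
}

Get-SchannelProtocolState | Format-Table -AutoSize

# The SSL Cipher Suite Order policy is stored in the "Functions" value of this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$current = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($current) {
    $current = @($current) -join ','
} else {
    # Constructed, shortened sample used when no policy is configured yet.
    $current = 'TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,' +
               'TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,' +
               'TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}

# The two suites the post moves to the front; RC4 is dropped as an example of
# removing a lower-strength suite.
$new = Move-CipherSuiteToFront -Order $current `
    -Preferred 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA' `
    -Remove 'TLS_RSA_WITH_RC4_128_SHA'

"Current order starts with: $(($current -split ',')[0])"
"New order to paste into the policy:"
$new
```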

References:

Changing the order of the Cipher Strengths:
http://social.technet.microsoft.com/Forums/forefront/en-US/ec033ff6-091d-441d-8ad3-7ea411100009/ssl-with-256bit-strength

Original source I found for the quick powershell commands to enable TLS v1.2:
http://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

Code 80243004 - Windows Update encountered an unknown error.

When trying to install Windows Updates, you receive the following error:

Code 80243004 - Windows Update encountered an unknown error.


This used to be a documented issue by Microsoft prior to them replacing the page with a fixit installer.  The solution is a super weird workaround.  Please follow the steps below for updates to continue installing.

  1. Right click on the taskbar and select Properties.
    Code 80243004 - Properties
  2. Click the Customize... button on the Taskbar and Start Menu Properties window.
    Code 80243004 - Customize
  3. On the Notification Area Icons window, make sure Always show all icons and notifications on the taskbar is checked and click OK.
    Always show all icons and notifications on the taskbar
  4. At this point, try running Windows Update again and the updates should begin to install properly.

Not sure why this fixes the issue, but it worked for me on a couple of virtual machines running in a VMware environment.  An additional thing I noticed is you can see the tray has "null icons", where they are blanks of open applications; once you hover over them, they disappear/close.  Not sure if this is a bug with Windows and VMware VMs, but just thought it was a weird coincidence.  If you have had this same issue, could you please drop a comment below stating whether or not you received the same issue in a virtual environment?

Find listing of open ports on Windows

Want to see what ports are currently listening for connections on your machine?

To quickly find a list of open ports listening for connections, execute the following netstat command (this will show the Protocol, Local Address (source port), Foreign Address, State, and Process ID):

netstat -ano |find /i "listening"

To quickly find a list of ports with established connections, enter the following command (this will show the Protocol, Local Address, Foreign Address, and State):

netstat -an |find /i "established"
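
The script below is an added example, not part of the original post: it parses `netstat -ano` output into objects, keeps the listeners, labels whether each one is bound to loopback or to all interfaces, and resolves the owning PID to a process name. It goes slightly beyond the `find` filter above by also reporting bound UDP ports, which have no State column. It assumes PowerShell 3.0 or later; the function names are hypothetical and the sample output is constructed.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Requires PowerShell 3.0+.

function ConvertFrom-NetstatLine {
    # Turns one TCP/UDP row of "netstat -ano" into an object; other lines are skipped.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $f = @($Line.Trim() -split '\s+')
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return }
        if ($f[0] -eq 'TCP') {
            if ($f.Count -lt 5) { return }
            $state = $f[3]; $owner = $f[4]
        } else {
            # UDP rows have no State column: Proto, Local, Foreign, PID
            if ($f.Count -lt 4) { return }
            $state = ''; $owner = $f[3]
        }
        # Split on the last colon so IPv6 forms such as [::]:445 parse correctly.
        $i = $f[1].LastIndexOf(':')
        $address = $f[1].Substring(0, $i)
        $scope = switch -Regex ($address) {
            '^(127\.|\[::1\])'       { 'loopback only'; break }
            '^(0\.0\.0\.0|\[::\])$'  { 'all interfaces'; break }
            default                  { 'specific address' }
        }
        [pscustomobject]@{
            Protocol     = $f[0]
            LocalAddress = $address
            LocalPort    = [int]$f[1].Substring($i + 1)
            Foreign      = $f[2]
            State        = $state
            OwningPid    = [int]$owner
            Scope        = $scope
        }
    }
}

function Get-Listener {
    # TCP sockets in LISTENING state plus bound UDP sockets, sorted by port.
    # Note: the state text is localized on non-English Windows.
    param([string[]]$NetstatOutput)
    $NetstatOutput | ConvertFrom-NetstatLine |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Protocol -eq 'UDP' } |
        Sort-Object Protocol, LocalPort
}

# Constructed sample output (addresses and PIDs are made up).
$sample = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:8531           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2104
  TCP    192.168.1.20:49731     192.168.1.5:8531       ESTABLISHED     3320
  TCP    [::]:1688              [::]:0                 LISTENING       2960
  UDP    0.0.0.0:5353           *:*                                    2104
'@ -split "`r?`n"

Get-Listener -NetstatOutput $sample | Format-Table -AutoSize

# Live run: add the process name for each owning PID.
if (Get-Command netstat.exe -ErrorAction SilentlyContinue) {
    Get-Listener -NetstatOutput (netstat -ano) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $_ | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
    } | Format-Table Protocol, LocalAddress, LocalPort, Scope, OwningPid, Process -AutoSize
}
```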

Here is a complete listing of all the netstat switches:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e Displays Ethernet statistics. This may be combined with the -s option.
-f Displays Fully Qualified Domain Names (FQDN) for foreign addresses.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6,  TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-t Displays the current connection offload state.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Notes: Here is a great resource with more in-depth details on the command: http://www.petri.co.il/quickly_find_local_open_ports.htm

Reverse Sync from iPod (Restore backup from iPod to iTunes)

Recently, we had a drive in our main machine at home fail and of course we didn't back up anything.  As hardware on the drive itself failed, we were unable to run any recovery tools to revive anything off the drive.  Fortunately, much of what was on the machine was on a different drive, except for my iTunes library. Luckily, we had recently synchronized one of our iPods to the machine and we were able to recover almost the entire iTunes library from the device (cheap backup device eh? :P).

So, how do I recover all of my music/media from my iPod?
Here is how using Windows 8:

  1. Close out of iTunes if you have it open
  2. Open up task manager and click on Services
  3. Stop the following services: Apple Mobile Device, Bonjour, iPod Service
    iPod Service
  4. Make sure your machine is setup to show hidden files
    1. Click on Windows Explorer and select the View Tab
    2. Click on the Options button and select Change folder and search options
      Folder Options
    3. Select the View Tab and check Show hidden files, folders, or drives
      Show Hidden Files
    4. Click OK
  5. Connect the iPod
  6. Select your iPod (Removable Disk) from Windows Explorer (the iPod should be visible if you disabled the services mentioned in the previous steps)
    Select iPod
  7. Navigate to iPod_Control and select Music
  8. Copy all of the files to your desktop
    Copy Files from iPod
  9. Open up iTunes (ignore the warning about the bonjour service not running if it pops up--that's ok)
  10. Click on the little icon in the top left corner and select Preferences from the menu
    iTunes Preferences
  11. Click on Advanced
  12. Check the box that says Keep iTunes Media folder organized
  13. Check the box that says Copy files to iTunes Media folder when adding to library
    Keep iTunes Media organized
  14. Click OK
  15. On your desktop, right click on the Music folder you copied from your iPod and select Properties
  16. Uncheck Hidden and select Apply changes to this folder, subfolders, and files when prompted.
    unhide files
  17. Click OK
  18. Open up the Music folder on your desktop and then drag the folders over to the Music part of iTunes
    Copy Files to iTunes

At this point your tunes should automatically be populating back into iTunes.  iTunes will automatically copy the files from your desktop over to iTunes and properly place them inside your My Music folder.  Just note that doing this process requires double the amount of space on your hard drive temporarily while iTunes copies the files from your desktop, but once all files have been copied, you can safely remove the folder on your desktop and resync your iPod to iTunes.

Ford Explorer Sport 2013 - Keyless Entry Code

Recently, I purchased a Ford Explorer and for whatever reason the keyless entry code was not bundled with the owner's manual nor is it listed when you type the VIN number into Ford's website and browse the vehicle's installed accessories.

Luckily, rather than bringing the vehicle back into the dealership, there is a way to lookup the default entry code.  On the fuse box, the car has a label with a 5 digit code (sometimes followed by a single letter).

Next question is, where is the fuse box?  Interestingly, there are two on the explorer.  The first one is under the hood, on the right side inside of a "black box".  The second one is in the typical spot underneath the steering wheel on the driver side (if anyone has an explorer in Europe and it has the steering wheel on the right side of the car, you should let me know if the fuse box is on the side with the steering wheel or still on the left side by what would be the passenger :P).  Oddly enough, at a quick glance I couldn't find the fuse box as it was hidden by a piece of plastic.  Luckily, if you can grab a flashlight and stick your head underneath the steering wheel far enough, you should be able to see the sticker, otherwise you will have to pull the hex screw off and remove the plastic guard.

For whatever reason, this isn't inside the owners manual, so hopefully this helps someone else with their explorer 🙂

Importing a SSL certificate into a Java Keystore via a PKCS12 file

Here are the instructions on how to import a SSL certificate into the Java Keystore from a PKCS12 (pfx or p12) file.

  1. Create a new keystore
    1. Navigate to C:\Program Files\Java\jdk_xxxx\bin\ via command prompt
  2. Execute: keytool -genkey -alias mycertificate -keyalg RSA -keysize 2048 -keystore mykeystore
    1. When prompted for a password, use the same password/passphrase as the PKCS12 file
    2. What is your first and last name?  (should be the dns you're going to use) [Unknown]:  server.mydomain.com
      What is the name of your organizational unit? [Unknown]: MyCompanysITDepartment
      What is the name of your organization?  [Unknown]:  MyCompany
      What is the name of your City or Locality?  [Unknown]:  CITY
      What is the name of your State or Province?  [Unknown]:  STATE
      What is the two-letter country code for this unit?  [Unknown]:  US
      Is CN=...................................... correct?  [no]:  yes
      Enter key password for <mycertificate>
      (RETURN if same as keystore password): Hit Return/Enter
  3. Empty the keystore
    1. Execute via command prompt: keytool -delete -alias mycertificate -keystore mykeystore
    2. Ensure nothing is in the keystore by executing: keytool -v -list -keystore mykeystore
  4. Import the PKCS12 File
    1. Execute via command prompt: keytool -v -importkeystore -srckeystore whateverthefileis.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
    2. Enter the PKCS12 password/passphrase for both the Source and Destination password.