How to develop secure .NET applications using Server SSL Certificates and Client Certificates – PART 1
The following article is part 1 of a four-part series about developing .NET applications using SSL. These articles are based on my experience and I hope they will help others develop secure applications as well.
Setting up a Development or Test SSL Server Certificate on a Website in IIS (5.0/6.0)
When developing an application that requires SSL you will want a test SSL certificate to develop against. You can request trial SSL certificates from commercial CAs such as Verisign, but these only last 14 days (and you will be called by Verisign representatives asking when you would like to buy the real thing). A simpler and more flexible solution is to issue your own test SSL server and client certificates from a Windows Server 2003 machine with the Certificate Services component installed. Keep in mind that certificates from such a CA are only as trustworthy as the machines you install its root certificate on: use it for development and test systems, not as a substitute for a properly issued certificate on a production site.
First, create an SSL server certificate request:
- In IIS Manager, right-click the web site you want to secure (the “Upload” web site in this example) and select “Properties”.
- Under Properties, go to the “Directory Security” tab.
- Click the “Server Certificate” button and then click Next.
- Select the “Create a new certificate” option and click Next.
- Select the “Prepare the request now, but send it later” option and click Next.
- Go through the next few forms and fill in all required information. The Common Name must be the host name clients will type into their browser (the server name, or the fully qualified name if clients use one); a mismatch here produces a certificate warning later even though the certificate itself is perfectly valid.
- At the end of the wizard you will be asked to save the certificate request as a text file. Do this so you can send this request to a CA later.
- You will be shown a summary of your SSL certificate request. Check this thoroughly to make sure you have all the correct values.
- Click Next to finish the IIS Certificate Request Wizard.
Then, request a certificate from Certification Authority:
- Open IE (Firefox didn’t work so well for me…) and type in http://<certauthservername>/certsrv/.
- Click on the “Request a certificate” link.
- Click on the “advanced certificate request” link.
- Click on the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file” link.
- Copy and paste the contents of the certificate request generated by IIS (certreq.txt) into the “Saved Request” text box.
- Click the “Submit” button to request the certificate
Issue the SSL certificate from your test Certification Authority:
- Log onto the Windows Server 2003 machine and open the Certification Authority dialog from Administrative Tools.
- Expand your Certification Authority node and select the “Pending Requests” folder.
- The certificate you just requested should be in the “Pending Requests” folder. Right-click on this request and select All Tasks > Issue. The request will be removed from the “Pending Requests” folder and appear under “Issued Certificates”. (If you installed an Enterprise CA rather than a Standalone CA, requests are typically issued automatically and you will find the certificate under “Issued Certificates” straight away.)
Retrieve the certificate and install it into your website:
- Go back to IE on your web server and type in http://<certauthservername>/certsrv/ again.
- Click on the “View the status of a pending certificate request” link.
- Click on the certificate request you want to view.
- Click on the “Download certificate” link. A “File Download” dialog will open. Click Save to save the new SSL certificate as a .cer file.
- Go back to the Web Site properties in IIS and from within the Directory Security tab, click on the Server Certificate button.
- Select “Process the pending request and install the certificate” and click Next.
- Browse to the .cer file you just saved, which contains the SSL certificate issued to this server by your test Certification Authority.
- Follow the wizard until the SSL certificate has been successfully installed.
Configure your website to use SSL in IIS:
- Once an SSL server certificate has been installed on the website, go back to IIS > Properties > Directory Security tab > Secure Communications section and click on the “Edit” button.
- Check the “Require secure channel (SSL)” checkbox. You can leave the “Require 128-bit encryption” checkbox empty on a development box, but be aware that this lets clients negotiate cipher suites weaker than 128 bits; check it on any site that handles real data.
- Leave the “Client Certificates” section set to “Ignore client certificates” and the other two checkboxes unchecked for now.
- Close this window, then restart the website (or run iisreset) so the change takes effect.
- Open a browser and verify that you can no longer reach the web site over plain http (IIS answers with a 403.4 “SSL required” error); you must use https.
Finally, you must “trust” the certificate:
- If the browser tells you that your certificate was issued by an untrusted CA when you navigate to your website, download the CA certificate from your test Certification Authority website (the “Download a CA certificate, certificate chain, or CRL” link on the certsrv home page) and install it into the Trusted Root Certification Authorities store of the Local Computer, not just the current user, otherwise services and other accounts on the machine will still distrust it. Do this only on development and test machines: anyone who can issue certificates from that CA can then mint a certificate those machines will trust for any name.
- You may also find that the browser tells you the certificate is not valid because it was issued to a different name. That happens if you access your site as https://localhost/ rather than by the server name: the certificate was issued for the actual server name, and the browser treats a mismatch between the host name in the address bar and the name in the certificate as a possible spoofing attempt. Use the server name instead.
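The two checks above (plain http refused, https validated against the test CA with the name matching) can be scripted rather than eyeballed in a browser. The following is an added example, not code from the original article: it implements the host-name comparison a browser performs (subjectAltName DNS entries first, subject CN only as a fallback, wildcard only as the whole left-most label), which is exactly why https://localhost/ fails against a certificate issued to the server name, and it probes a site using only the Python standard library. The server name webserver01, the file name testca.cer and the site path are assumptions; the CA certificate must be the Base 64 encoded download from certsrv (PEM), since a DER .cer will not load into the SSL context.

```python
"""Post-install checks for an IIS site that should require SSL (added example)."""
import http.client
import ssl
import sys


def hostname_matches(cert, hostname):
    """Return True if `hostname` is covered by the certificate.

    `cert` is in the dict shape ssl.SSLSocket.getpeercert() returns.
    Browsers use the subjectAltName DNS entries when present and fall
    back to the subject commonName only when there are none; a wildcard
    is honoured only as the whole left-most label (*.example.local).
    """
    hostname = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            label, _, parent = hostname.partition(".")
            if label and parent == name[2:]:
                return True
    return False


def make_verifying_context(ca_cer_path):
    """Context that trusts only the test CA, as the browser does once the
    CA certificate sits in the Trusted Root store. `ca_cer_path` must be a
    PEM (Base 64 encoded) file; certsrv's DER download will not load."""
    ctx = ssl.create_default_context(cafile=ca_cer_path)
    ctx.check_hostname = True          # enforce the name check shown above
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_site(server_name, ca_cer_path, path="/"):
    """Return (http_status, https_status) for the site.

    IIS 6 with "Require secure channel (SSL)" answers plain HTTP with
    403 (403.4, SSL required); the HTTPS request must succeed with chain
    and name validation switched on. Raises ssl.SSLError if the chain or
    name does not check out, which is the failure you want to see early.
    """
    plain = http.client.HTTPConnection(server_name, 80, timeout=10)
    plain.request("GET", path)
    http_status = plain.getresponse().status
    plain.close()

    secure = http.client.HTTPSConnection(
        server_name, 443, timeout=10, context=make_verifying_context(ca_cer_path))
    secure.request("GET", path)
    https_status = secure.getresponse().status
    secure.close()
    return http_status, https_status


if __name__ == "__main__":
    # Usage (names are assumptions): python check_ssl_site.py webserver01 testca.cer
    server, ca_file = sys.argv[1], sys.argv[2]
    http_status, https_status = check_site(server, ca_file)
    print(f"http  -> {http_status} (expect 403: SSL required)")
    print(f"https -> {https_status} (expect 200 with chain and name verified)")
```

Run it by the server name, then try it with localhost as the first argument: the plain-http probe still returns 403, but the https probe raises an SSL certificate error because the name in the certificate does not match, which is the same condition the browser warns about.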
