How to develop secure .NET applications using Server SSL Certificates and Client Certificates – PART 1
The following article is part 1 in a 4-part series of articles about developing .NET applications using SSL. These articles are based on my experience and I hope that they will help others develop secure applications as well.
Setting up a Development or Test SSL Server Certificate on a Website in IIS (5.0/6.0)
When developing an application that requires SSL you may want a test SSL certificate to develop against. You can request test SSL certificates from companies such as Verisign; however, these only last 14 days (and you will be called up by Verisign representatives asking you when you would like to buy the real deal). A much simpler and more flexible solution is to issue your own test SSL and client certificates by setting up a Windows Server 2003 machine that has the Certification Services Windows component installed.
First, create an SSL server certificate request:
- In IIS, right-click the Upload web site and select “Properties”.
- Under Properties, go to the “Directory Security” tab.
- Click the “Server Certificate” button and then click Next.
- Select the “Create a new certificate” option and click Next.
- Select the “Prepare the request now, but send it later” option and click Next.
- Go through the next few forms and fill in all required information.
- At the end of the wizard you will be asked to save the certificate request as a text file. Do this so you can send this request to a CA later.
- You will be shown a summary of your SSL certificate request. Check this thoroughly to make sure you have all the correct values.
- Click Next to finish the IIS Certificate Request Wizard.
Then, request a certificate from the Certification Authority:
- Open IE (Firefox didn’t work so well for me…) and type in: http://<certauthservername>/certsrv/
- Click on the “Request a certificate” link.
- Click on the “advanced certificate request” link.
- Click on the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file” link.
- Copy and paste the contents of the certificate request generated by IIS (certreq.txt) into the “Saved Request” text box.
- Click the “Submit” button to request the certificate
Issue the SSL certificate from your test Certification Authority:
- Log onto the Windows Server 2003 machine and open the Certification Authority dialog from Administrative Tools.
- Expand the root certification authority “Pending Requests” folder.
- The certificate you just requested should be in the “Pending Requests” folder. Right-click on this request and select All Tasks > Issue. The certificate request will be removed from the “Pending Requests” folder and appear in the “Issued Certificates”.
Retrieve the certificate and install it into your website:
- Go back to IE on your web server and type in http://<certauthservername>/certsrv/ again.
- Click on the “View the status of a pending certificate request” link.
- Click on the certificate request you want to view.
- Click on the “Download certificate” link. A “File Download” dialog will open. Click Save to save the new SSL certificate as a .cer file.
- Go back to the Web Site properties in IIS and from within the Directory Security tab, click on the Server Certificate button.
- Select “Process the pending request and install the certificate” and click Next.
- Browse to the certificate file saved to disk in step 4 above that contains the SSL certificate issued to this server by your test Certification Authority.
- Follow the wizard until the SSL certificate has been successfully installed.
Configure your website to use SSL in IIS:
- Once an SSL server certificate has been installed on the website, go back to IIS > > Properties > Directory Security tab > Secure Communications section and click on the “Edit” button.
- Check the “Require secure channel (SSL)” checkbox but leave the “Require 128-bit encryption” checkbox empty.
- Leave the “Client Certificates” section set to “Ignore client certificates” and the other two checkboxes unchecked for now.
- Close this window down and restart the website and/or reset IIS.
- Open up a browser and verify that you cannot reach the web site over http; you must use https instead.
Finally, you must “trust” the certificate:
- If the browser tells you that your certificate was issued by an untrusted CA when you navigate to your website, you will have to download the CA certificate from your test Certification Authority website and install it into the Trusted Root Authority store of the Local Computer.
- You may also find that the browser tells you the certificate is not valid because it was issued to a different name. That will happen if you are accessing your site using http://localhost/ rather than the server name. The certificate was most likely issued with the actual server name, and the browser will think that your site is being spoofed if the domain name in the browser and the name in the certificate don’t match. Use the server name instead.
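
The two warnings above correspond to checks a .NET client can run on the server certificate itself. The program below is an added example, not code from the original article: it builds a constructed test CA and a server certificate for a hypothetical machine named webserver01, then reports the chain status with and without the CA trusted, and whether the certificate matches webserver01 versus localhost. It assumes .NET 7 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustCheck
{
    const string ServerName = "webserver01"; // hypothetical server name (assumption)

    // Builds the chain for 'leaf'. 'trustCa' simulates installing the CA
    // certificate into Trusted Root without touching the machine store.
    static X509ChainStatusFlags Validate(X509Certificate2 leaf, X509Certificate2 ca, bool trustCa)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // constructed CA publishes no CRL
        chain.ChainPolicy.ExtraStore.Add(ca);                           // lets the chain reach the root
        if (trustCa)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(ca);
        }
        chain.Build(leaf);
        return chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        using RSA caKey = RSA.Create(2048), srvKey = RSA.Create(2048);

        // Constructed stand-in for the test Certification Authority (self-signed root).
        var caReq = new CertificateRequest("CN=Constructed Test CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using X509Certificate2 ca = caReq.CreateSelfSigned(now.AddDays(-2), now.AddDays(30));

        // Constructed server certificate issued to the server name, not to localhost.
        var srvReq = new CertificateRequest("CN=" + ServerName, srvKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(ServerName);
        srvReq.CertificateExtensions.Add(san.Build());
        using X509Certificate2 leaf = srvReq.Create(ca, now.AddDays(-1), now.AddDays(14), new byte[] { 1, 2, 3, 4 });

        Console.WriteLine("Chain status, CA not trusted: " + Validate(leaf, ca, false));
        Console.WriteLine("Chain status, CA trusted:     " + Validate(leaf, ca, true));
        Console.WriteLine("Matches " + ServerName + ": " + leaf.MatchesHostname(ServerName));
        Console.WriteLine("Matches localhost: " + leaf.MatchesHostname("localhost"));
    }
}
```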
Exercise? What exercise?
Summer is pretty much here (well, in Brisbane summer actually never really wasn’t here), and the thought of being able to cruise on up to the beach with our new car (wooohooo!) has got me thinking about just how little exercise I get on a day to day basis. I sometimes walk to work, but let’s face it – when you have a fairly regular train service, multiple buses, and now car at your disposal… you know where I’m going with this.
TravelStash is LIVE!
About a week ago, Chris and I “launched” TravelStash. By “launched” I mean we have now opened it up for general consumption. Anyone can join TravelStash and use it just like Rheanna and Sanjay did on their recent South Africa trip, Margaret and Alan have on their trip around the South Island of New Zealand and of course, how Chris and I have consistently used it to keep our friends and family updated on all our travels over the past couple of years.

Error message FAIL
The other day while on a bus in Brisbane, I witnessed a classic error message FAIL:

On a more serious note, error handling and the display of error messages in software development is an often discussed usability topic. Errors occur for all sorts of reasons – user-generated, hardware failures, invalid data, and of course software bugs. But how much do you let the end-user know that the software has failed? Well, I believe it depends on the type of error, the impact of the error and who your audience is.
Brisbane .NET User Group – aka QMSDNUG
On Tuesday, Chris and I went along to our first .NET User Group (or Queensland MSDN User Group) meeting here in Brisbane. Having attended a few back in Wellington, I thought it would be nice to check out the Brisbane version.
The meetings are held in the Brisbane Microsoft offices, in a very very flash building down town. Like usual, the meeting started off with pizza and soft drinks which is always much appreciated by those attending. The crowd started off small but within a few minutes, there were a lot of people there – I’d say at least 40 or so showed up, not bad (of which only about 3 were girls but that’s to be expected!). The couple of .NET User Group meetings I went to in Wellington were probably about half this size but then again I guess Wellington is a much smaller city than Brisbane.
The topic for the evening’s talk was “Silverlight 2.0 and WPF – what’s the same, what’s different?”. The speaker, Joseph Cooney, was very well informed and well spoken. As the title would suggest, he compared Silverlight 2.0 and WPF but not to try and say that one was better than the other. Instead he wanted to try and inform the audience as to why you would want to choose one over the other, what situations suit which more.
What I took away from Joseph Cooney’s talk is that Silverlight is basically a lightweight version of WPF. It’s meant to be a 4~5mb download and you really can’t package up too many libraries in that. In order to keep that size down, Microsoft have removed mundane values such as all but the main HTML colors in the Color namespace. Really, who even knows what CornflowerBlue looks like??
There are some controls which are only available to WPF and likewise, others which are only available to Silverlight. I guess this means you can’t really call Silverlight a subset of WPF.
I can’t wait to get to use WPF and/or Silverlight in a commercial manner and hope to start on a project at work or at home that’ll let me spend a bit of time investigating these new libraries and what they’re capable of!
And as for the Brisbane .NET User Group, it looks like a great place for networking and meeting other like minded .NET-geeks so I’m sure I’ll be turning up to future meetings.
Where is my SQL Server 2005 Management Studio?
I’ve just had the toughest time getting SQL Server 2005 WITH Management Studio installed, so I thought I would blog about my thoughts on the matter and my rather round about way of getting it going.
1 – Install SQL Server 2005 Developer Edition. Stick Disk 1 in. Everywhere says ‘click on the link to start the SQL Server Installation Wizard.’ Well guess what, there isn’t a link that says that! There are two links, one to install components and another to install SQL Native Client. Grr.
2 – I click on the components one and it seems to install everything I need to run SQL Server 2005, EXCEPT for Management Studio. Why? I don’t know. I do however wonder why it never asks me for Disk 2… hmm.
3 – Open up Control Panel, Add or Remove Programs. Look for “Microsoft SQL Server 2005”. Click on the “Change” button.
4 – Select the ‘SQL Server 2005 common components > Workstation Components’ option and hit Next. When you are finally given the option to ‘remove’ this component, do it. Just do it.
5 – Once this is all finished (takes forever!), repeat step 3. When you are shown the same dialog box as in step 4, there won’t be a ‘SQL Server 2005 common components > Workstation Components’ option. Instead there will be some text telling you you should use the ‘To install a new component, click here’ link at the top of the dialog box. Click this link. This will open up a series of dialog boxes very similar to those encountered in step 2 – your basic installation. Select the last option (I think it was ‘Tools’?).
6 – It should tell you it’s going to install a bunch of stuff and then start installing it all… pretty quickly however, it will ask you to insert Disk 2. This is a good sign.
7 – Insert Disk 2.
8 – Wait for the installation of all the different components to complete.
9 – And like magic, you should now have a whole bunch more shortcuts in your start menu under Microsoft SQL Server 2005. Although this seems like all you did was install, uninstall and re-install, believe me, it’s the only way I managed to get it to work.
As I said above, I’m not sure if I’m the only person this has ever happened to but I have seen plenty of other blog articles on how to get Management Studio installed if it doesn’t appear to be there already so I believe I’m not alone. None of the other solutions I saw helped me either so hopefully this will help someone else in the same position as me!