I created a self-signed certificate using the following steps:
Create a Root certificate authority
makecert -pe -n "CN=RootCertificate" -ss root -sr LocalMachine -sky signature -r "RootCertificate.cer"
Create an SSL certificate
makecert -pe -n "CN=SSLCertificate" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.3 -in "RootCertificate" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SSLCertificate.cer
Confirm RootCertificate is under Trusted Root Certification Authorities, and confirm SSLCertificate sits under Personal Certificates.
I exported SSLCertificate into SSLCertificate.pfx file using MMC GUI.
I import SSLCertificate.pfx into a server computer.
I bind this certificate to port 998 using the command:
netsh http add sslcert ipport=0.0.0.0:998 certhash=764f3bef8cf4d72c5cd077da5b0efbec1b3830a5 appid={3fc1e120-6d8d-477e-ad09-67d749e65d83}
I have an application that hosts its own HTTP Listener on port 998. I verified it works because I can browse to https://server_ip:998
My question is: this server is currently on its own; what if it is part of the domain, would my steps 1-6 be enough? In my opinion I think it should be, but then again I'm not very familiar with the network side and there is no domain for me to test this out.
I am not using IIS to host but rather it is a C# form application that hosts this HTTP Listener.
I met this error IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null and per my searching, it is required to use https instead of http.
We can follow this document to create a self-hosted web API using OWIN, but the base URL is http.
So the requirement is to enable https for the URL. How to do it?
I had my way below, but I also want to know a normal way of enabling https...
Thanks for any other advice!
Following this document, I can use makecert.exe to create a self-signed certificate, but I don't know why, after I followed the doc to add the certificate to Trusted Root Certification Authorities, the certificate didn't appear in the list. (Maybe it requires a reboot?)
makecert.exe -n "CN=Development CA" -r -sv TempCA.pvk TempCA.cer
makecert.exe -pe -ss My -sr CurrentUser -a sha1 -sky exchange -n "CN=name" -eku 1.3.6.1.5.5.7.3.2 -sk SignedByCA -ic TempCA.cer -iv TempCA.pvk
But it made me find there's a certificate issued to localhost in the list.
I remembered it is generated by Visual Studio. When we use IIS Express to run the web application via Visual Studio, it generates it for us. So I want to use it for my OWIN API. Then I found this answer. It informed me that I don't need to make any changes in my code; I only need to run a netsh command to bind the certificate to the port.
Then this is the document about how to use command to bind the port with certificate.
And this is the command I used, getting the thumbprint from the certificate and generating a GUID from an online tool.
netsh http add sslcert ipport=0.0.0.0:8099 certhash=5c50eaxxxxxxz29daea9 appid={ad9f5133-25cd-412a-974c-059bbde7cb3e}
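The procedure both questions above describe (a private root CA, a server certificate chained to it, PFX export, import of the root into Trusted Root, and the netsh http add sslcert binding that a self-hosted HttpListener or OWIN host picks up) as one PowerShell script. This is an added example, not code from either post; it uses New-SelfSignedCertificate from the PKI module (Windows 8 / Server 2012 and later) in place of the deprecated makecert. The host name server.example.local, the address 192.0.2.10, port 998, the C:\certs directory and the PFX password are assumptions to replace with your own. The server certificate gets the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a SAN holding both the DNS name and the IP, which is what a browser checks against the URL. Run it from an elevated prompt. On the domain question: only clients that have this root in their own Trusted Root store will trust the binding; joining a domain does not distribute it by itself (in Active Directory that is normally done with Group Policy).

```powershell
# Added example: dev root CA + TLS server certificate + HTTP.sys binding.
# Assumptions (not from the posts): host name, IP, port, directory and password below.
$ErrorActionPreference = 'Stop'
$hostName = 'server.example.local'   # placeholder
$ipAddr   = '192.0.2.10'             # placeholder (TEST-NET-1 range)
$port     = 998
$workDir  = 'C:\certs'               # placeholder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Root CA: CA=true basic constraint, key usage limited to signing certificates/CRLs.
$root = New-SelfSignedCertificate -Subject 'CN=Dev Root CA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0')

# 2. Server certificate signed by the root. EKU = serverAuth only; the SAN carries the
#    DNS name and the IP so both https://server.example.local:998 and https://192.0.2.10:998
#    match. Key usage digitalSignature + keyEncipherment is what RSA TLS needs.
$server = New-SelfSignedCertificate -Subject "CN=$hostName" -Signer $root `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1',
        "2.5.29.17={text}DNS=$hostName&IPAddress=$ipAddr")

# 3. Trust the root on this machine (public part only; the CA private key stays in My).
#    Every client that must trust the endpoint needs the same import.
$rootCer = Join-Path $workDir 'DevRootCA.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. PFX (certificate + private key) for moving the server certificate to the target server.
$pfxPassword = ConvertTo-SecureString -String 'ChangeMe!123' -AsPlainText -Force   # placeholder
Export-PfxCertificate -Cert $server -FilePath (Join-Path $workDir 'server.pfx') -Password $pfxPassword | Out-Null

# 5. Sanity check before binding: chain builds to a trusted root, name matches, EKU is serverAuth.
if (-not (Test-Certificate -Cert $server -Policy SSL -DNSName $hostName -EKU '1.3.6.1.5.5.7.3.1')) {
    throw 'Server certificate does not validate for TLS server use.'
}

# 6. Bind to HTTP.sys. appid is any GUID identifying the owning application;
#    certstorename defaults to MY (LocalMachine\My), where the private key lives.
$appId = [guid]::NewGuid().ToString('B')
netsh http add sslcert ipport="0.0.0.0:$port" certhash="$($server.Thumbprint)" appid="$appId"

# Optional: allow a non-administrator process (the self-hosted listener) to claim the prefix.
netsh http add urlacl url="https://+:$port/" user="NT AUTHORITY\Authenticated Users"

# 7. Show the binding HTTP.sys recorded.
netsh http show sslcert ipport="0.0.0.0:$port"
```

The thumbprint fed to certhash is taken from the certificate object rather than copied by hand, which avoids the invisible Unicode character the MMC "Details" tab tends to paste along with the hex string. If the binding later needs to move to another machine, import server.pfx into LocalMachine\My there, import DevRootCA.cer into LocalMachine\Root, and repeat step 6 with the same thumbprint.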
I created a self-signed certificate for my internal development purposes using MakeCert.exe
Step #1:
I created a Root CA using the following command
makecert -n "CN=Bala root signing authority" -cy authority -r -sv root.pvk root.cer
Step #2:
Installed the Root CA certificate created in Step #1 using the following command
certutil -user -addstore Root root.cer
Step #3:
I created a client certificate using the following command
makecert -pe -n "CN=Bala Client" -a sha1 -cy end -sky signature -ic root.cer -iv root1.pvk -sv Bala.pvk Bala.cer
Step #4:
I created a .pfx file for the respective client certificate using the following command
pvk2pfx -pvk Bala.pvk -spc Bala.cer -pfx Bala.pfx
The Root CA, namely "CN=Bala root signing authority", has all intended purposes and is installed in Trusted Root Certification Authorities
Snapshot of Root CA Certificate: "CN=Bala root signing authority"
Snapshot of Client Certificate: "CN=Bala Client"
The client certificate has the thumbprint: "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
Kindly look at the snapshot:
I have a client in my IdentityServer3 and I used the same thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
new Client
{
ClientName = "Client Credentials Flow Client With Certificate",
Enabled = true,
ClientId = "cc.WithCertificate",
Flow = Flows.ClientCredentials,
ClientSecrets = new List<Secret>
{
new Secret
{
Value = "83021C2C20096FFD8415A353E471FF1BD39ECA4E",
Type = Constants.SecretTypes.X509CertificateThumbprint,
Description = "Client Certificate"
},
},
AllowedScopes = new List<string>
{
"read"
}
}
The client console application code is
var cert = new X509Certificate2(@"Bala.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Response Object's Snapshot:
Once I execute the code I get the response with an error status code: response.Error = "Forbidden"
I followed all the prerequisite setup described in my previous question response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials
Kindly assist me with how to authenticate the application using a self-signed certificate.
I found the solution for this issue (self-signed certificate) after a long struggle. There is a way to use a self-signed certificate in Identity Server for authenticating a user based on a client certificate.
In the Identity Server, we are using a certificate for generating tokens (by default we are using idsrv3test.pfx) and in the client application we are using the certificate Client.pfx (by default). I researched the logic behind this, and I found these two certificates have a common issuer, "DevRoot". The Identity Server returns the token based on the client certificate only if DevRoot is in Trusted Root Certification Authorities; otherwise IIS does not allow the request and returns status code 403 Forbidden.
Scenario #1:
Scenario #2:
I followed the same logic: I created a Root CA certificate. Moreover, I created server and client certificates and mapped those certificates to the Root CA certificate (i.e., the parent). The certificates should have the following purposes
Root CA Certificate => All Purpose or the combination of Server Authentication and Client Authentication
Server Certificate => Only Server Authentication Purpose
Client Certificate => Only Client
Note: For more information about Intended Purpose, refer
http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
The server and client certificates should be in .pfx file format. Let us see how to create the said certificates
Ensure the prerequisite tools exist on your system before executing the following commands
Install the latest .NET Framework https://www.microsoft.com/net/download
Install the latest Microsoft Windows SDK for Windows 7 and .NET Framework 4 https://www.microsoft.com/en-us/download/details.aspx?id=8279
Step: #1
We need to create certificates for the CA, server and client, along with their private keys
Certificate Authority
makecert -r -pe -n "CN=Token Root CA" -sr LocalMachine -a sha1 -sky signature -cy authority -sv "D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"
Server Certificate
makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv "D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"
Client Certificate
makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv "D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"
Step: #2
We need to export the PFX files of the server and client certificates
Server Certificate (PFX Format)
pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer" -pfx "D:\Certificate\IDServer.pfx"
Client Certificate (PFX Format)
pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer" -pfx "D:\Certificate\IDClient.pfx"
Step: #3
We need to import the CA into the Trusted Root Certification Authorities certificate store
Import Certificate Authority "CN=Token Root CA"
certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"
Note: here I import the certificate only for the current user ("-user").
For more details refer
http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html
Execute all the above said commands using a Command Prompt in Administrator mode, after navigating to the path "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin". The said path should contain the MakeCert.exe file (ensure it once)
The above said commands will create all the required certificates for Identity Server
Identity Server Project:
Kindly use the server certificate "IDServer.pfx" instead of "idsrv3test.pfx" and change the same in Certificates.cs and Web.config.
Note: the private key is not required for this self-signed certificate.
Finally, the client console application code is
var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Finally I got the access token successfully
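The three-certificate layout the answer arrives at (a root CA the server trusts, a client certificate with only the Client Authentication EKU chained to it, a PFX for the client application), as an added PowerShell example rather than code from the answer. It ends with the check the server side performs before IdentityServer3 ever compares the X509CertificateThumbprint secret: Schannel accepts a client certificate only if it chains to a root in the machine's Trusted Root store and, when the certificate has an EKU extension, that extension includes Client Authentication (1.3.6.1.5.5.7.3.2). A certificate issued for Server Authentication only is rejected at that stage, which is reproduced here with a deliberately wrong certificate so the failure can be seen locally. Subject names, the C:\certs directory and the PFX password are assumptions. The root is imported into LocalMachine\Root because the IIS worker process hosting IdentityServer validates chains against the machine store, not the developer's CurrentUser store; run from an elevated prompt.

```powershell
# Added example: root CA + client certificate for mutual TLS / IdentityServer3 thumbprint secret.
# Assumptions (not from the answer): subject names, directory and the PFX password.
$ErrorActionPreference = 'Stop'
$workDir = 'C:\certs'   # placeholder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Root CA (the role IDRootCA.cer / "DevRoot" plays in the answer).
$root = New-SelfSignedCertificate -Subject 'CN=Token Root CA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0')

# 2. Client certificate: EKU = clientAuth only (1.3.6.1.5.5.7.3.2), signed by the root.
$client = New-SelfSignedCertificate -Subject 'CN=Client - Token Identity' -Signer $root `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# For contrast: same root, but ONLY serverAuth (1.3.6.1.5.5.7.3.1). Schannel will not
# accept this as a client certificate even though its issuer is trusted.
$wrongEku = New-SelfSignedCertificate -Subject 'CN=Server-only cert' -Signer $root `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# 3. PFX for the client application (what new X509Certificate2("IDClient.pfx") loads).
$pfxPassword = ConvertTo-SecureString -String 'ChangeMe!123' -AsPlainText -Force   # placeholder
Export-PfxCertificate -Cert $client -FilePath (Join-Path $workDir 'IDClient.pfx') -Password $pfxPassword | Out-Null

# 4. Trust the root on the IdentityServer host. IIS validates the client chain against
#    LocalMachine\Root, so certutil -user (CurrentUser) is not enough for an IIS-hosted server.
$rootCer = Join-Path $workDir 'IDRootCA.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Reproduce the server-side check: build the chain under the clientAuth application policy.
function Test-ClientAuthChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2')
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a dev root publishes no CRL
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Valid      = $ok
        Status     = $status
    }
}
Test-ClientAuthChain $client     # trusted root + clientAuth EKU: builds
Test-ClientAuthChain $wrongEku   # trusted root but serverAuth only: NotValidForUsage

# 6. The value to put in the IdentityServer client's X509CertificateThumbprint secret.
$client.Thumbprint
```

Running the function against a certificate whose root has not been imported shows the other failure mode from the question, UntrustedRoot, which is the case IIS turns into a 403 before the request reaches IdentityServer. Removing the RevocationMode line makes the check stricter than a dev root can satisfy, so keep it for locally issued certificates only.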
When I try to run my compiled application, Windows warns that the app doesn't have any signature and asks if I really want to run my app.
I don't know the reason which causes that, but I think to avoid this I need a digital signature, so from the web I followed these steps:
I've created my own cert with the makecert tool from the Windows SDK, following an example with this code:
makecert -r -pe -a sha1 -n "CN=name, E=name@Hotmail.com, C=US" -b 01/01/2013 -e 01/01/2050 -ss My
Then I can see my own certificate in the "Personal" Folder:
Now I've exported the certificate with this command:
certutil -exportPFX -p "Password" my 586a7358ebdce8854def26875f0f38ab "C:\Test.pfx"
But when I opened the signing tab in my project settings and chose "Select from file...", VS says this:
The selected certificate is not valid for code-signing. Choose another certificate file.
Did I do something wrong? I don't know how to correctly code-sign my project,
maybe I need a ".cer" certificate instead of a ".pfx" certificate?
Then how can I generate a valid CER certificate?
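An added PowerShell example (not from the question) of producing a certificate that the Visual Studio signing tab and signtool accept, then signing and verifying a file with it. Visual Studio's "not valid for code-signing" check looks for the Code Signing EKU (1.3.6.1.5.5.7.3.3), which the makecert command in the question does not add; New-SelfSignedCertificate -Type CodeSigningCert sets it. The subject name, C:\Test.pfx, C:\DevCodeSigning.cer, the script path and the password are assumptions.

```powershell
# Added example: self-signed code-signing certificate, PFX export, Authenticode sign + verify.
# Assumptions (not from the post): subject name, file paths and the PFX password.
$ErrorActionPreference = 'Stop'

# 1. -Type CodeSigningCert adds EKU 1.3.6.1.5.5.7.3.3 (Code Signing) and a signing key usage.
$cs = New-SelfSignedCertificate -Subject 'CN=Dev Code Signing' -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)

# 2. Confirm the EKU is present before handing the certificate to Visual Studio.
$hasCodeSigningEku = [bool]($cs.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigningEku) { throw 'Certificate lacks the Code Signing EKU.' }

# 3. The signing tab and signtool need the private key, so export a PFX, not a .cer.
$pfxPath     = 'C:\Test.pfx'                                                     # placeholder
$pfxPassword = ConvertTo-SecureString -String 'Password' -AsPlainText -Force     # placeholder
Export-PfxCertificate -Cert $cs -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. For a self-signed signer to verify as Valid on this machine, its public part must be in
#    both Trusted Root and Trusted Publishers (CurrentUser is enough for a developer box).
$cerPath = 'C:\DevCodeSigning.cer'   # placeholder
Export-Certificate -Cert $cs -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 5. Sign a file and verify the signature chain.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "signed"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cs -HashAlgorithm SHA256 | Out-Null
Get-AuthenticodeSignature -FilePath $script |
    Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# The same PFX signs a compiled binary with signtool from the Windows SDK:
#   signtool sign /f C:\Test.pfx /p Password /fd SHA256 MyApp.exe
```

Skipping step 4 leaves the signature in place but Get-AuthenticodeSignature reports it as not trusted, because the chain ends in a root nobody trusts. That is also why a self-signed certificate does not remove the warning the question describes on anyone else's machine: only a code-signing certificate from a CA those machines already trust does.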
I’m trying to write a server application that uses SSL to communicate. After accepting a connection, I believe I have to call SslStream.AuthenticateAsServer. However, this expects a certificate and I do not understand how to create one.
I followed the advice given in the answer to this question:
I ran the following to create a server.pfx file:
makecert.exe -r -pe -n "CN=localhost" -sky exchange -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
Then I loaded it in code with:
certificate = new X509Certificate2("server.pfx", "password");
However, I did that exactly, and I get a CryptographicException saying “The specified network password is not correct.”, which is patently false because I used the password x, which is very hard to mistype. What am I doing wrong?
How to: Create Your Own Test Certificate
I have copy the samples from msdn site:
http://msdn.microsoft.com/en-us/library/ms229744%28v=VS.90%29.aspx
http://msdn.microsoft.com/en-us/library/ms229943%28v=VS.90%29.aspx
I've created a certificate, but when I run the program I get this error in the Decrypt method: "Unable to retrieve the decryption key"
I've read somewhere that there is a bug in this sample because the Encrypt method doesn't save the decryption key.
The problem is that I don't understand how I can resolve the problem.
Can you help me please?
The encrypted XML obtained is:
![alt text][1]
I suppose the problem is that the keyName doesn't exist.
[1]: http://www.freeimagehosting.net/uploads/8c603c876e.png ""
I've generated the certificate as:
makecert -sk Abc -n "CN=Abc" -sr localmachine -e 06/22/2011 Abc.cer
OK, when I create the certificate I need to use these parameters:
makecert -r -pe -n "CN=XML_ENC_TEST_CERT" -b 01/01/2005 -e 01/01/2012 -sky exchange -ss my cert.cer