How can we install the Fiddler root certificate in the machine root store using Fiddler Core ?
We can do it with certmgr, but it would be great to do it using FiddlerCore. It seems it has methods to test and install everything except for the machine root store :( !?
FiddlerCore Has the following methods:
Fiddler.CertMaker.rootCertExists() to "Determine if the self-signed root certificate exists "
if it returns false we can call Fiddler.CertMaker.createRootCert() to install the certificate.
Fiddler.CertMaker.rootCertIsTrusted() to test if Fiddler's root certificate is in the Root store.
if it returns false we can call Fiddler.CertMaker.trustRootCert() to trust the certificate.
Fiddler.CertMaker.rootCertIsMachineTrusted() checks "Is Fiddler's root certificate in the Machine Root store? "
if it returns false ??? what do we do to solve this ???
This topic is well-covered in the Fiddler book, which is a helpful reference to programming with FiddlerCore.
To machine-trust a root, your code must be running as Administrator and must use the .NET APIs:
private static bool setMachineTrust(X509Certificate2 oRootCert)
{
try
{
X509Store certStore = new X509Store(StoreName.Root,
StoreLocation.LocalMachine);
certStore.Open(OpenFlags.ReadWrite);
try
{
certStore.Add(oRootCert);
}
finally
{
certStore.Close();
}
return true;
}
catch (Exception eX)
{
return false;
}
}
Related
I have an asp.net mvc website deployed to iis. A self signed SSL certificate is used in order to secure the traffic. I would like to access this self signed certificate from my asp.net, probably in the startup class or something, in order to get the validity of the self signed certificate (i need this metric for something else).
How could i do that?
I would gladly post some code, or what I've tried so far, but sadly i have no clue where to start from!
I would really appreciate any help.
Edit
To rephrase my question, lets say i have an asp.net web service deployed to IIS, how do i access the certificates in that IIS, and retrieve their validity period (from with in the web service using c# code)
You can do this by opening the cert store and finding certs based upon search criteria. If it's a self signed cert that you created you should know something about it.
object value = "AcmeOrganization";
X509FindType findType = X509FindType.FindByIssuerName;
StoreName storeName = StoreName.My;
StoreLocation storeLocation = StoreLocation.CurrentUser;
var store = new X509Store(storeName, storeLocation);
try
{
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(findType, value, true);
if (certs.Count > 0)
{
return certs[0];
}
}
finally
{
store.Close();
store = null;
}
This will get you the cert you're looking for then you can call Verify which does chain validation. Other properties along with expiration will be available with the X509Certificate2 object.
certs[0].Verify()
I am creating a self-hosted owin server inside a windows service. I have implemented an ACME client to get a certificate from Let's Encrypt (to a domain given by the service's config.). However, if the service is run on a server which already has a certificate I do not need to request a new one. How can I determine, in code, if there is a certificate installed which applies for the domain set in the service's config?
The closest thing to a solution I found was to ignore existing certificates (if any) and always request a new one. Then when a certificate is received from Let's Encrypt, I save that certificate's serial to a file. On startup I then use the saved file (if any) to look for the existing certificate from the store:
public async Task<bool> NeedNewCertificate()
{
string certSerial = await AsyncFileHandler.ReadFileAsync(CERT_SERIAL_FILENAME);
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates.Find(X509FindType.FindBySerialNumber, certSerial, true);
foreach (var cert in certCollection)
{
if (cert.NotBefore <= DateTime.Now && cert.NotAfter > DateTime.Now.AddDays(30)) // Let's Encrypt certificates are valid 90 days. They recommend renewing certificates every 30 days.
return false;
}
}
return true;
}
That's a good enough way of doing it I think.
Alternatively you can do a search in the certificate store that matches the parameters that you specify: the domain that the certificate is applied to, expiry date, etc. If you find the one that is valid, then you can use it.
That is in fact most likely the definition for what you mean by "certificate is installed on the server".
The attribute you probably would like to check is "Subject", e.g. you wold like these that have "CN = mydomain.com". You can have wildcard certificates as well, so you will need to figure out what types of certificates can be installed.
As I understand if someone doesn't want to use a custom domain name and instead plans on using *.azurewebsite.net domain assigned to the website by Azure, then HTTPS is already enabled with a certificate from Microsoft(I know this is not as secure as using a custom domain name). How would be I able to load this certificate programmatically. Currently I use the following method to load a certificate from local machine or Azure :
public static X509Certificate2 LoadFromStore(string certificateThumbprint,bool hostedOnAzure)
{
var s = certificateThumbprint;
var thumbprint = Regex.Replace(s, #"[^\da-zA-z]", string.Empty).ToUpper();
var store = hostedOnAzure ? new X509Store(StoreName.My, StoreLocation.CurrentUser) : new X509Store(StoreName.Root, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
var signingCert = certCollection.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (signingCert.Count == 0)
{
throw new FileNotFoundException(string.Format("Cert with thumbprint: '{0}' not found in certificate store. Also number of certificates in the sotre was {1}", thumbprint, store.Certificates.Count));
}
return signingCert[0];
}
finally
{
store.Close();
}
}
I assume the culprit is the following line of code :
new X509Store(StoreName.My, StoreLocation.CurrentUser)
because when I get an exception it tells me there is no certificate in the store although I pass the correct certificate Thumbprint(I grab the thumbprint from Chrome manually).
You will not be able to access this certificate programmatically in your WebApp as this certificate is not really installed on the Azure WebApp. Azure WebApps have a front-end server which does a "kind of" SSL Offloading so the WebApp actually never has access to this particular certificate. Why exactly you want to read this certificate though ?
Typically if there is a need for certificates in WebApps, you would install client certificates and pass them to services for Authentication as mentioned in https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/ and those certificates you can access programmatically (code snippet mentioned in the same article)
But I am not sure what exactly you want to achieve by reading the server certificate
I have a task ( I tried with worker role and to upload a console app and run the .exe) that should run once a day and gather Azure Metrics of some of my VMs. This works flawlessly locally but on a cloud service I get this Error:
Unhandled Exception: Microsoft.WindowsAzure.CloudException: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and associated with this subscription. at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSucces ... etc.
The line where this happens is:
MetricDefinitionListResponse metricListResponse = metricsClient.MetricDefinitions.List(resourceId, null,
nspace);
This is part of my code:
string subscriptionId = "fc4xxxx5-835c-xxxx-xxx-xxxxxxx";
// The thumbprint of the certificate.
string thumbprint = "f5 b4 xxxxxxxx f7 c2";
// Get the certificate from the local store.
//X509Certificate2 cert = GetCertificate(StoreName.My, StoreLocation.LocalMachine, thumbprint);
//cert = GetCertificate(StoreName.My, StoreLocation.CurrentUser, thumbprint) ?? new X509Certificate2(("manageAzure.cer"));
var cert = new X509Certificate2(("manageAzure.cer"));
Console.WriteLine("Certificate is : " + cert);
// Create the metrics client.
var metricsClient = new MetricsClient(new CertificateCloudCredentials(subscriptionId, cert));
Console.WriteLine("metricsClient is : " + metricsClient);
// The cloud service name and deployment name, found in the dashboard of the management portal.
string cloudServiceName = "abms2-carlsberg";
string deploymentName = "abms2-carlsberg";
// Build the resource ID string.
string resourceId = ResourceIdBuilder.BuildVirtualMachineResourceId(cloudServiceName, deploymentName);
string nspace = "WindowsAzure.Availability";
// Get the metric definitions.
MetricDefinitionListResponse metricListResponse = metricsClient.MetricDefinitions.List(resourceId, null,
nspace);
I have placed the management certificate in my solution, and I load it from there (it is set to always copy) and is the same (and the same way) I use when I run it locally.
So what "certificate" is it complaining about "to authenticate"? I can't seem to see what the problem is. Any help would be greatly appreciated as I have used the whole afternoon on this!
PS: I am already running this in elevated mode!
For someone else that may have this issue, I have solved it as explained here in the bottom : (http://www.dinohy.com/post/2013/11/12/403-Forbidden-when-Use-Azure-Management-REST-API-on-Role-instance.aspx)
Download the publishsettings file from:https://manage.windowsazure.com/publishsettings/index?client=vs&schemaversion=2.0 (This is a XML file, you can open it with notepad)
Find ManagementCertificate property, copy the value to a string. That a Base64 encoded string, you can use this string create a certificate: string base64Cer="The value of ManagementCertificate "
Use this string create a certificate. var certificate = new X509Certificate2(base64Cer);
although this last step is not exactly like passing the string directly (as the string is too long and will cause an exception) but rather is as follows:
var cert = new X509Certificate2(Convert.FromBase64String(base64cer));
Hope this will help someone else in my position too.
At a guess... You are loading the certificate you use to authenticate yourself from a .cer file. That doesn't have the private key so can't be used to authenticate you. I suspect that locally you probably have the private key stored in your private certificate store, assuming you generated the cert on your machine, which would probably make it work locally.
In short, try using a pfx file instead of a cer. The pfx for has the private key in it. If you generated the cert on your machine with makecert you will initially only have the .cer file. Use the local certificate manager to find the certificate in your personal store, then export it to a pfx file and include the private key.
This method helped me...
public static X509Certificate2 GetCertificate(string certificateString)
{
if (string.IsNullOrEmpty(certificateString))
return null;
var certificateAsBytes = Convert.FromBase64String(certificateString);
var certificate = new X509Certificate2(certificateAsBytes);
return certificate;
}
Also i came up with another scenario. Error occurs when your subscription id's mismatch.
Certificate:
<Subscription
ServiceManagementUrl="https://management.core.windows.net"
Id="00000000-0000-0000-0000-000000000000" /* -- Subscription Id -- */
Name="Visual Studio Premium with MSDN"
ManagementCertificate="" />
I'm trying to get credentials like this
Code:
string subscriptionId = "11111111-1111-1111-1111-111111111111"; // Subscription Id...
var credentials = new CertificateCloudCredentials(subscriptionId, x509Certificate2); // Will be varied here...
Where as my subscription id are mismatched. So, received this exception when i try to authenticate my request using "Certificates."
Hope this helps...
I want to use the Windows Azure Management API to scale my webservice programmatically. First I try to get my Management Certificate.
I created a new self signed cert using the makecert.exe. Its described here.
makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
Then I uploaded my cert to my azure subscription (this way).
I really see my uploaded certificate in the new and in the previous admin portal.
Now I add the following code to my webservice
private X509Certificate2 GetX509Certificate2()
{
// The thumbprint value of the management certificate.
// You must replace the string with the thumbprint of a
// management certificate associated with your subscription.
string certThumbprint = "mythumprint...";
// Create a reference to the My certificate store.
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
// Try to open the store.
try
{
certStore.Open(OpenFlags.ReadOnly);
}
catch (Exception e)
{
if (e is CryptographicException)
{
Console.WriteLine("Error: The store is unreadable.");
debugTable.persist("Error: The store is unreadable.");
}
else if (e is SecurityException)
{
Console.WriteLine("Error: You don't have the required permission.");
debugTable.persist("Error: You don't have the required permission.");
}
else if (e is ArgumentException)
{
Console.WriteLine("Error: Invalid values in the store.");
debugTable.persist("Error: Invalid values in the store.");
}
else
{
debugTable.persist("Something got wrong with certificate");
return null;
}
}
// Find the certificate that matches the thumbprint.
X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);
certStore.Close();
// Check to see if our certificate was added to the collection. If no, throw an error, if yes, create a certificate using it.
if (0 == certCollection.Count)
{
Console.WriteLine("Error: No certificate found containing thumbprint " + certThumbprint);
debugTable.persist("Error: No certificate found containing thumbprint " + certThumbprint);
return null;
}
debugTable.persist("found cert");
// Create an X509Certificate2 object using our matching certificate.
X509Certificate2 certificate = certCollection[0];
return certificate;
}
The debugtable.persists() method writes the debug message into a table storage.
At the end I only find these entries in my table:
"Error: No certificate found containing thumbprint " + certThumbprint
So whats wrong with my code?
So you uploaded your certificate in the portal. This means the certificate can be used to authenticate to the Service Management API.
Now if you want to use this certificate from within a WCF Service / Web Service which is hosted in a Web/Worker Role you'll also need to upload that certificate in the Cloud Service:
Then you'll need to open the settings of your Web/Worker Role and add a new certificate here by specifying the Location, the Store Name and the Thumbprint:
If you redeploy the appliction the certificate will be available and your WCF Service will be able to use it (if the service has sufficient permissions to access it).