When I try to run mi compiled application Windows advertises that the APP don't have any signature and asks if I really want to run my app.
I don't know the reason wich causes that but I think to avoid this I need a digital signature, so from the web I followed this steps:
I've created my own cert with the makecert tool from Windows SDK's, following a example with this code:
makecert -r -pe -a sha1 -n "CN=name, E=name#Hotmail.com, C=US" -b 01/01/2013 -e 01/01/2050 -ss My
Then I can see my own certificate in the "Personal" Folder:
Now I've exported the certificate with this command:
certutil -exportPFX -p "Password" my 586a7358ebdce8854def26875f0f38ab "C:\Test.pfx"
But when I opened the signing tab in my project setings and choosed "Select from file...", VS says this:
The selected certificate is not valid for code-signing. Choose another certificate file.
I did bad something? I don't know how to correctly code-sign my project,
maybe I need a ".cer" certificate instead a ".pfx" certificate?
then how I can generate a valid CER certificate?
Related
I met this error IDX21323 OpenIdConnectProtocolValidationContext.Nonce was nul and per my searching, it required to use https instead of http.
We can follow this document to create a self-host webapi use OWIN, but the base url is http.
So requirement is enable https for the url. Then how to do it?
I had my way below, but I also want to know a normal way for enabling https...
Thanks for any other advice!
Follow this document, I can use makecert.exe to create a self-signed certificate but I don't know why after I followed the doc to add certificate to Trusted Root Certification Authorities, the certificate didn't appear in the list.(Maybe it require a reboot?)
makecert.exe -n "CN=Development CA" -r -sv TempCA.pvk TempCA.cer
makecert.exe -pe -ss My -sr CurrentUser -a sha1 -sky exchange -n "CN=name"
-eku 1.3.6.1.5.5.7.3.2 -sk SignedByCA -ic TempCA.cer -iv TempCA.pvk
But it made me find there's a certificate issued localhost in the list.
I remembered it is generated by Visual Studio. When we use IIS Express to run the web application via Visual Studio, it will generate it for us. So I want to use it for my Owin api. Then I found this answer. It informed me that I don't need to do any changes in my code, I only need to run a netsh command to bind the certificate to the port.
Then this is the document about how to use command to bind the port with certificate.
And this is the command I used. Getting thrumbprint from certificate and generate guid from an online tool.
netsh http add sslcert ipport=0.0.0.0:8099 certhash=5c50eaxxxxxxz29daea9 appid={ad9f5133-25cd-412a-974c-059bbde7cb3e}
I'm new in ASP.NET.
Environment:
Ubuntu 18.04
Visual Studio Code
.NET SDK 2.2.105
I'm in trouble with some command running.
I was reading tutorial at
https://learn.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code
and ran this command:
dotnet dev-certs https --trust
I expect https://localhost should be trusted.
but I found the error message;
$ Specify --help for a list of available options and commands.
It seems that the command "dotnet dev-certs https" has no --trust options.
How to resolve this problem?
On Ubuntu the standard mechanism would be:
dotnet dev-certs https -v to generate a self-signed cert
convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verify if it's trusted using openssl verify localhost.crt
Unfortunately this does not work:
dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
due to that it's impossible to have a dotnet client trust the certificate
Workaround: (tested on Openssl 1.1.1c)
manually generate self-signed cert
trust this cert
force your application to use this cert
In detail:
manually generate self-signed cert:
create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = #alt_names
[v3_ca]
subjectAltName = #alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
(optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
as it's not trusted yet using openssl verify localhost.crt should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
trust this cert:
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verifying the cert without the CAfile option should work now
$ openssl verify localhost.crt
localhost.crt: OK
force your application to use this cert
update your appsettings.json with the following settings:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "localhost.pfx",
"Password": ""
}
}
}
While the answer provided by #chrsvdb is helpful it does not solve all problems. I still had issue with service-to-service communication (HttpClient - PartialChain error) and also you must reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it to the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1 extension in the certificate.
After that the cert can be imported into .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have it's own certificate store. E.g. Chromium and Edge use nssdb which can be configured with certutil as described John Duffy. Unfortunately the location to the nssdb maybe different when you install application as snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb, for Postman Snap the will be $HOME/snap/postman/current/.pki/nssdb and so on.
Therefor I have created a script which generates the cert, trusts it for Postman Snap, Chmromium Snap, current user nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more informations about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
In adition to crisvdb answer, I've several information to add and is the continuation of the walktrough. I don't comment because is pretty complex comment this, but before this answer take a look to crisvdb answer first and then return to continue.
Take the "in detail" crisdb answer.
You can make your cert in any folder, can be or can't be in the same folder of the app.
Take openssl verify -CAfile localhost.crt localhost.crt as not optional step, mandatory. It will help.
Do not recompile or touch the code meanwhile you are doing this, in order to get first scenario clean.
If you run sudo update-ca-certificates that will answer you in wich folder the certified should be copied.
In some distributions, as Raspbian for Raspberry Pi, CA certificates are located in /etc/ssl/certs as well as /usr/share/ca-certificates/ and in some cases /usr/local/share/certificates.
Do not copy the cert manually to trusted certs, run sudo update-ca-certificates after you copy the cert in the right folder. If it doesn't work (doesn't update or add any certificate) copy it to every folder possible.
If you use a password while making the certificate, you should use it in the appsettings.json
If you get this error:
Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO
routines:BIO_new_file:system lib
Take in consideration that error means "access denied". It can be because you don't have permissions or related.
7b) Could be also that the file is not found, I use the entire path in the config:
"Path": "/home/user/www/myfolder1/myapp/localhost.pfx",
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[ssl:error] [remote ::1:yourport] AH01961: SSL Proxy requested for
yoursite.com:443 but not enabled [Hint: SSLProxyEngine] [proxy:error]
AH00961: HTTPS: failed to enable ssl support for [::1]:yourport
(localhost)
you must set in the VirtualHost the following configuration after SSLEngine On and before your ProxyPass
SSLProxyEngine on
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[proxy:error] [client x.x.x.x:port] AH00898: Error during SSL
Handshake with remote server returned by /
[proxy_http:error] [client x.x.x.x:port] AH01097: pass request body failed to [::1]:port
(localhost) from x.x.x.x()
you must set in the VirtualHost the following configuration after SSLProxyEngine on and before your ProxyPass
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
UPDATE
If you are renovating this, and using the same names, take in consideration that you should remove your pem file from etc/ssl/certs
UPDATE 2
If it returns:
Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
Check that your pfx file is on 755 permissions.
If appsettings.json seems to be don't load (on port 5000 by default or SQL or any configuration doesn't load or can't be read), take in consideration that the dotnet must be executed on the same directory where is appsettings.json
Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.
It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.
For Chrome:
Click "Not Secure" in address bar.
Click Certificate.
Click Details.
Click Export.
Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}
Restart Chrome.
It looks like the following could help to trust the dotnet dev certs:
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu/
Then you will see also in the browser that certificate is OK and valid for the next yeat.
Give it a try...
Good luck!
I have a VSTO project which combines C# and Excel. My employer requires me to sign this using a certificate for which I do not have a pfx file, I only have the certificate on a chip card.
I have read most manuals and questions asked here on signing VSTO, but all somehow assume I have the pfx file. My setup in Visual Studio is the following:
„Sign the ClickOnceManifest“ is checked, using „Select from Store„ the certificate from a chipCard is selected
„Sign the Assemly“ is checked. I do not have the pfx file, so I hit „New“ and created a certificate called assemblySigningCertificate.pfx (this might be a completely bogus step, but that's the only pfx I get)
after publishing the project, I run a script that updates the signatures using mage.exe such as
set AppPublishPath=publish
set AppPublishVersionPath=publish\Application Files\diagramUnifier_1_0_0_0
copy bin\Debug\*.dll "%AppPublishVersionPath%"
copy bin\Debug\*.dll.config "%AppPublishVersionPath%"
copy bin\Debug\*.exe "%AppPublishVersionPath%"
mage.exe -update "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgs.msc "
mage.exe -update "%AppPublishVersionPath%\diagramUnifier.vsto" -appmanifest "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgs.msc "
mage.exe -update "%AppPublishPath%\diagramUnifier.vsto" -appmanifest "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgs.msc "
Once all this is done, I install the VSTO and run the xlsm file. I receive a "SignatureDescription could not be created from the signature algorithm supplied" error pointing to the VSTO file. Details of the error provide only a stackTrace, nothing else.
My questions are:
is it even possible to sign a VSTO project without a certificate for which I have a pfx file?
if I don’t have the pfx file, is it the right thing to create a new certificate in the “Sign the assembly” section of settings
am I doing something else entirely wrong?
Any help is much appreciated,
Daniel
Problem: When a certificate is created by using selfcert.exe, it's private key cannot be exported. The export wizard of the Windows certificate console says "the associated private key is marked as not exportable".
Solution version 1: Use makecert.exe with the "-pe" option to create
and store the certificate with an exportable private key:
makecert -r -pe -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My
Then you can export the certificate from the Windows certificate store, including the private key.
Note: Old versions of makecert.exe do not support the "-pe" option. The .NET Framework SDK 2.0 and the October 2002 version of the Platform SDK (build 3718.1) contain a new version of makecert.exe (5.131) that supports the "-pe" option.
(The .NET Framework SDKs 1.0 and 1.1 both contain old versions of makecert.exe that do not support the "-pe" option).
Solution version 2: The following commands can be used to create a PFX
file (PKCS #12) that contains the a self-signed certificate together
with the associated private key:
makecert -r -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -sv selfcert.pvk selfcert.cer
cert2spc selfcert.cer selfcert.spc
pvkimprt -pfx selfcert.spc selfcert.pvk
The last command (pvkimprt -pfx) creates the file selfcert.pfx. This PFX file can then be imported into the Windows certificate store and used for code signing.
(makecert.exe and cert2spc.exe are part of several Microsoft SDKs, e.g. the Platform SDK or the DotNet SDKs, which can be downloaded from microsoft.com. pvkimprt.exe can be downloaded individually from Microsoft.)
Are you saying that you do not have the private key for the certificate? If that's the case then you definitely cannot sign the assembly/installer. The whole point of signing is to certify that the assembly comes from a trusted/certified source (ie. the certificate (private key) holder).
Who is your employer? Larger companies have processes in place to get installers and assemblies signed via their IT/Security department. I'd double check that is not the case where you work.
On another point... Do you have .NET4.5 installed? See here it might help...
This change is due to the fact that we stopped using legacy
certificates as default (SHA-1) in NetFX4.5 to sign manifest and
instead, use newer version (SHA-256), which is not recognized by
NetFx4.0 runtime. Therefore, while parsing the manifest, 4.0 runtime
complains of an invalid manifest. For legacy frameworks, when we try
to run a ClickOnce app on a box that does not have targeted runtime,
ClickOnce pops up a message to user saying “you need xxxx.xx runtime
to run this app”. But starting .NET 4.5, if a 4.5 ClickOnce app is run
on the box with only .NET 4.0 installed, the message complains about
an invalid manifest. In order to resolve the issue, you must install
.Net Framework 4.5 on the target system.
I’m trying to write a server application that uses SSL to communicate. After accepting a connection, I believe I have to call SslStream.AuthenticateAsServer. However, this expects a certificate and I do not understand how to create one.
I followed the advice given in the answer to this question:
I ran the following to create a server.pfx file:
makecert.exe -r -pe -n "CN=localhost" -sky exchange -sv server.pvk
server.cer pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
Then I loaded it in code with:
certificate = new X509Certificate2("server.pfx", "password");
However, I did that exactly, and I get a CryptographicException saying “The specified network password is not correct.”, which is patently false because I used the password x, which is very hard to mistype. What am I doing wrong?
How to: Create Your Own Test Certificate
I have copy the samples from msdn site:
http://msdn.microsoft.com/en-us/library/ms229744%28v=VS.90%29.aspx
http://msdn.microsoft.com/en-us/library/ms229943%28v=VS.90%29.aspx
I've created a certificate, but when i run the program i have this error in the Decrypt method: "Unable to retrieve the decryption key"
I've read somewhere that there is a bug in this sample because the Encrypt method don't save the decryption key.
The problem is that i don't understand how can i resolve the problem.
Can you help me please?
The crypted Xml obtained is:
![alt text][1]
I suppose the problem is that doesn't exists the keyName.
[1]: http://www.freeimagehosting.net/uploads/8c603c876e.png ""
I've generated the certificate as:
makecert -sk Abc -n "CN=Abc" -sr localmachine -e 06/22/2011 Abc.cer
ok, when i create the certificate i need to use this parameter:
makecert -r -pe -n "CN=XML_ENC_TEST_CERT" -b 01/01/2005 -e 01/01/2012 -sky exchange -ss my cert.cer