I've generated a self-signed certificate with Open SSL to use in a application that runs on IIS which authenticates users via Integrated Windows Authentication method.
However there is a limiting factor that is impacting the auth method that is the lack of DNS.
When there is no WAN the LAN lacks the ability to resolve hostnames and the clients cannot connect to the server without using direct IP or by registering the alias in the hosts file.
Chrome does not allow to use the Integrated Windows Auth method and shows a pop-up to authenticate the user. However not having the connection to the WAN makes the pop-up to keep being shown and never really authenticates the user.
Accessing the application in the own server allows the auth method to work when the domain is added to the hostname in the URL. However this only works for the server itself and not for the other computers in the network.
In the certificate I added the CN as the private IP of the server and also added it at the SAN, but it did not work. Chrome keeps showing the pop-up. Also added the certificate in client's machine in the Trusted Root Certificates.
In this scenario is it possible to make Chrome to recognize the certificate and allow this auth method to work or this won't work at all?
Related
I have a data collection / reporting web application hosted on an AWS Lightsail instance with Ubuntu 18.04 OS and Apache2. I use a 'Lets Encrypt' SSL certificate on the site. This all works fine.
I also have an embedded device which uploads data to the website via an API. The embedded device is currently not operating on SSL, but I need to change this. The embedded device can communicate on SSL but its not easily updateable in the field. My concern is that the CA certificate that is embedded into the device cannot be updated, and so using the same 'Lets Encrypt' certificate, means that a change in the Lets encrypt certificate will render the remote embedded device unable to connect to the server.
The common solution to this problem is a self signed certificate over which I have total control, and yes this would fix the problem, but it would create another problem. If I use a self signed certificate, then any user connecting to the site to view data from their PC would get an Untrusted Certificate warning on their browser, which is not acceptable.
So, to fix this ideally I would have my web app protected by 'Lets Encrypt', but the API protected by a separate self signed certificate. However, both web app and API need to be on the same domain. Also they should ideally also both be on the same standard 443 https port.
Is there a way to setup the web app and API to serve different SSL certificates?
Am i out of luck or is there an option to specify that only a single path/endpoint should require client certificate ?
The scenario:
IdentityServer4 gives our users the option to sign in multiple ways (Username/Password, Azure AD or ClientCertificate)
The first two are working as intended, but the certificate paths does not prompt the user for his/her certificate, i know its possible with IIS but we want to run this using Kestrel.
If i setup the projects kestrel setting to require cert all endpoints requires it, this ruins the user experience when signing in with username/password og azure ad.
Are there any options for setting only out localhost/certificate path to require certificate and then in turn prompt the user to provide their cert when being redirected to that paths endpoints if there is no cert present in the request?
Resolved it by setting up two hosts, and capturing the request in the certificate challange endpoint and checking the connection, if there's no certificate present AND the connection is using the non-requirecert connection i redirected the context to the right connection and was then prompted to supply the cert and login works as intended.
I have a desktop bridge app which uses a worker service to host a PWA and WebAPI with Kestrel over https
User runs the worker, and browses to the service from ff/chrome/edge
This works fine in development as the development machine has a trusted certificate installed
However, when I package it up and deploy to test machine, there is no cert and the app crashes
So, how what is the best way to do this?
Options
Bundle a cert with the app, install it in the containers local
store? How would this work with the browser, which wouldn't trust the
cert as its not installed in the browser users context
Buy a cert from a CA. How would I distribute it?
Magic UWP trusted certs I can add to kestrel?
So, it seems you can't
In 2015 certs can not be issued to IPv4 or IPv6 address and must be a FQDN with a public top level domain
TLS is not just about encryption, but also identification, private ips can't be publicly identified
And PWA's need https to work, so options..
Self-signed certificate, which won't be trusted and show the user a
nasty message
Publicly host the PWA and certify that domain, then
call back to the loopback address 127.0.0.1 over http to communicate
with the running worker, this is considered secure. I have done this
and it does work, but means my app can only communicate with the user
on the same machine
There are other options that need you to have control of the network dns - which I won't have
I have an intranet application that runs over https and it needs to access a websocket sever that needs to runs over wss because chrome mixed content security. Both applications use self-signed certificates but is not possible to access the websocket server because chrome doesn't trust in self-signed certificate unless user authorize. So, cause of that the connection fails. Is there a way to have a valid certificate to use in intranet application? Or is there another way to solve this problem?
You can generate a certificate for websocket.intranet.example.com with a public DNS that doesn't point to the real websocket server, and then copy that certificate in the real server.
Of course, your internal DNS resolver must point websocket.intranet.example.com to the real websocket server
I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/