Change Http to Https for c# web application - ssl

I have a quick question on opting the SSL Certificate for the Web Application. In the Web Application, am using Kestrel as WebServer and application is not configured in IIS.
For Customers, I install the Application as a Service in Server Machine and its used by the employees only in intranet. Now the address of my application is http://machineName:port but I would like to have https://machineName:port.
Question 1) Is this possible for the Intranet sites?
Question 2) Will SSL be really needed in this case?
Qeustion 3) SSL works, only if I configure Web Application with IIS?

Yes it is possible. As long as the certificate is trusted by the clients. You can create a self signed certificate and have client machines add it to trusted root certificate authorities in windows. Or if the intranet is using a windows domain, you can have a Certificate Authority trusted by domain computers issue the certificate.
SSL is always better even in intranet and localhost scenarios. It ensures site identity, encrypts traffic, etc. Whether it is needed depends on the site. Some browser functionality such as using the camera/mic won't work unless the website is using SSL.
Kestrel allows using SSL. Checkout docs here.

Related

Add SSL Cert to Net Core application in Windows VPS

So,
I currently have a net core web api running in a windows VPS (amongst other things). When I make requests to this api, I would like to do so using https. It seems I need to have an SSL Cert on this VPS (which does not have a domain, just an IP).
The https API is on xxx.xxx.xxx.xxx:443
The net core application is published into a self-contained package and run as an .exe (i think using IIS express)
Ideally I would like to use a free SSL cert from something like zerossl.com or any viable alternative you may suggest
How can I go about making it so that if I access xxx.xxx.xxx.xxx:443/api/values, I get a secured icon in my browser?
Thanks
It seems I need to have an SSL Cert on this VPS (which does not have a domain, just an IP)
It is impossible to bind SSL Certificate to IP address.It must bind to domain.

How to Enable SSL Certificate for my website?

I am new here.
My website is LifelineFoundations and I haven't enabled SSL for this website.
Would someone please help me out and tell me the information regarding how to enable SSL certificate for my website, and in case if I won't enable it what would be the penalties I have to face?
An SSL certificate works to create an encrypted connection between your visitor’s browser and the server.
To enable SSL Certificate for your Website follow below steps :
Host with a dedicated IP address
Buy a certificate
Activate the certificate
Install the certificate
Update your site to use HTTPS
If you have hosted you site with some Domain Providers like GoDaddy, they provide a detailed list of instructions for installing SSL.
However if you have your own dedicated host with a web server installed, you need to generate CSR depending upon the operating system and have to make entry in the web servers. The instructions for the various web servers and operating system is mentioned here by DigiCert.
Regarding the impact if we don't go for SSL Certificate :
Mostly all the web browsers mark your website as not secure which creates a bad impact when a visitor is browsing your website
All the password and credentials would not be secure if entered through a non HTTPS Channel
All the form data and sensitive information would be critical and vulnerable if you are not using TLS( connection used when SSL certificate is installed ).

How to keep the SSL server certificate for verification in Cloud Foundry/Heroku?

I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.

Can we use AD-based client certificate authentication with IIS when the client computer is not a member of the domain?

Scenario: We have a server located in a Windows Active Directory domain which implements a web service API, implemented with WCF and exposed via IIS 8 over HTTPS. The clients making requests to the web service are not located in the domain. However, they should be mapped to AD users via SSL client certificates. I.e., when making a HTTP request, they include a client certificate, and I want that certificate to be mapped to the corresponding AD user.
I know that IIS supports two ways of client certificate authentication, IIS Client Certificate Authentication and Client Certificate Authentication using Active Directory. I'd really like to use the AD approach in our scenario, as it makes the management of client certificates easier (we can map certificates to users in the AD rather than in the IIS configuration).
However, the docs linked above say that,
[Client Certificate Authentication using Active Directory] requires that the IIS 7 server and the client computer are members of an Active Directory domain [...]
This indicates that we cannot use this approach, since our client computers are not part of the AD domain. However, this doesn't really make sense to me. How would the server even know whether the client making an HTTPS request is in the same domain?
So, here's the question: Can we use Client Certificate Authentication using Active Directory with clients outside the AD domain or not?
We've now had the chance to implement and test our solution with a machine outside of the AD domain. Indeed, it works - the client computer does not have to be part of the domain, the documentation seems to be wrong here.

How to setup private/public keys and certificates for HTTPS server?

I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/