Enabling SSL Client Certificates on IISExpress - ssl

I'm trying to set up a development environment on my machine for an ASP.NET MVC project where client certificates are requested when trying to reach certain controllers.
I've enabled SSL on the project through project properties on VS Studio, I've also imported the IISExpress self-signed certificate into trusted CAs in my browser and the client certificate into personal certificates in the browser.
Now, when I try to reach the controller where the certificate is requested, my browser opens a list to select the appropriate certificate, but the certificate matching the IISExpress one doesn't appear in the list, although it's in the certification store on the browser.
Any idea about what to do next?

Related

How to require a client certificate to a web application in IIS?

I have created an asp.net web application and deployed it in IIS10. The design of the application is to require a client certificate for each user which will be provided by us. For testing purposes I created a self-signed certificate using the makecert.exe and followed the instructions at https://blog.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/. I added the certificate in the MMC Personal Certificates.
I also configured the iisClientCertificateMappingAuthentication in the IIS Configuration Editor using the one-to-one mapping approach. When I tested it on the browser, at first it asked for a digital certificate (which is correct), but when I clicked the certificate I added on the bindings it returns an error "Your client certificate is either not trusted or is invalid."
What should be the problem here since the installed client certificate is already added in the IIS one to one mapping configuration? Do I need additional configuration in the IIS?

ssl with webapi published using IIS. chrome warning - connection not secure due to self signed

I am trying to use SSL with my webapi published using IIS.
I've enabled SSL in webapi project by setting SSL ENABLED to TRUE.
On the local pc I've created a self signed certificate, which gets issued to MyPcNameHere/MyCompanyDomainHere. (not sure if that matters)
Now if I browse to the webpage in chrome/mozilla I get a warning... your connection is not secure. Mozilla's error is THE CERTIFICATE IS NOT TRUSTED BECAUSE IT IS SELF SIGNED.
What are my options here for handling this? (when I get this warning is the connection truly not secure? Or is it purely a warning that the certificate is self signed?)
I don't mind getting a third party certificate, but when I tried it wanted me to verify I own domain. This myPc/myDomain is inside a company firewall so I don't see how I could obtain a certificate.
Any suggestions?
You get that error (warning actually) because you're using a self signed certificate, which your browser doesn't recognize.
Your options are:
obtain a certificate issued by a trusted provider (the root certificate of the issuer will be present in the trusted root certificates store of your browser/system)
make the browser trust your self signed certificate (here's a guide for Chrome, I didn't find any for Mozilla - you have to just add a permanent exception)
Now, if you're using this only for a test, you can get the browser to trust your self signed certificate.
If you're in a company network, and you have the resources, you might consider setting up a local CA, which you then may use to issue certificates for testing machines on the Intranet, or for your dev environment. You will of course deploy the root certificate on all machines' trusted certificate store.
If you're going live with this (production machine accessible over the Internet), you have to really consider a provider.

WCF : Could not establish trust relationship for the SSL/TLS secure channel with authority error

I have a client site that when a button is clicked it calls a wcf web service. The client site is http, while the url for the web service is https and requires a certificate. I have a valid signed private key certificate I am using.
Everything works fine on my localhost; however, after deploying to a Windows 2003 server running IIS 6, I get the below error when the web service is called:
Could not establish trust relationship for the SSL/TLS secure channel
with authority "host's url"
I added the cert to the store, using same web.config that works locally. I have validated that the web service call finds and sets the valid X509Certificate.
Not sure what I am missing, and I don't want to override the ServicePointManager to return true every time.
Any ideas or things I might look into?
Found the problem.
The root certificate which the host of the web service uses was not trusted by my server. (not sure why it was on my local machine and not my server). I found this out by opening the host's url in a web browser from the server to view their wsdl and got the security warning.
Remedy: went to the issuer's site, downloaded their root cert and added it to my trusted root certification authorities.
Bam, it works now.
If it is a private cert it must be added to both the client and the server as no client can validate its root key.

How to setup private/public keys and certificates for HTTPS server?

I am working to develop a small HTTPS server that will be included in my android application. And the client will be a browser. The user can browse to the content that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/

Mismatched SSL certificate in Azure Compute Emulator

I have an Azure app containing 4 sites in a single web role (differentiated by host headers). I set up the sites to run over SSL. I issued 2 self signed certificates: 1 as CA installed into Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in service configuration. I went into IIS management console and checked the bindings - there was no cert set for my sites. So I set up the wildcard certificate manually in the site bindings. But in browser I still have mismatched certificate, still the one for 127.0.0.1 (coming with DevFabric). How can I make the IIS to return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?
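
The local-CA suggestion, the untrusted-root fix and the mismatched-address question above all come down to two checks a TLS client makes: the chain must end in a root the client trusts, and the certificate must name the host the client connected to. The following is an added example, not code from any of the posts, that builds a throwaway CA with openssl and shows each check pass and fail; the names Dev Local Root CA and devbox.corp.example are constructed, and an openssl 1.1.1 or later command line is assumed.

```shell
#!/bin/sh
# Added example; "Dev Local Root CA" and devbox.corp.example are constructed names.
# Keys are written unencrypted (-nodes), acceptable only for throwaway dev use.

build_pki() {   # $1 = empty working directory
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Dev Local Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:devbox.corp.example
EOF
    # Root CA: self-signed and marked as a CA; ca.key stays on the issuing machine.
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    # Server key and CSR; -subj overrides the CN taken from the config file.
    openssl req -new -config "$1/pki.cnf" -subj "/CN=devbox.corp.example" \
        -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    # The CA signs the CSR and adds the SAN that clients match the host name against.
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$1/pki.cnf" \
        -extensions v3_srv -out "$1/srv.crt" 2>/dev/null
}

# Client that has the dev root installed and connects to host name $2.
verify_with_root() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/srv.crt" >/dev/null 2>&1
}

# Client that only has its default trust store, where the dev root is absent.
verify_without_root() {
    openssl verify "$1/srv.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_pki "$dir" || exit 1
verify_with_root "$dir" devbox.corp.example && echo "root trusted, name matches: accepted"
verify_with_root "$dir" localhost           || echo "root trusted, wrong name: rejected"
verify_without_root "$dir"                  || echo "root not installed: rejected"
rm -rf "$dir"
```

Only ca.crt is distributed to client trust stores; ca.key and srv.key never leave the machines that use them.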