Clarification in creating client cerrtificates for a https web application - ssl

My webapplication has a https binding with an SSL certificate configured from Entrust. In the SSL settings of the web application, I set the Client certificate settings as required.This forces client to supply a valid certificate when requesting the content to the server, which is the requirement.
I have Entrust listed as a Trusted Root Certification Authority in both Client and server.
Now my query is how to generate the client certificates for all the clients which could be authenticated by server?

Related

Keystore with multiple keys for MTLS client authentication

I have a keystore with multiple keys where I use one of them for MTLS client authentication. The root CA used to sign this certificate is present in server truststore. But my client sends empty certificate always. This is my client side code
SSLContext sslContext = SSLContextBuilder.create().setKeyManagerFactoryAlgorithm("PKIX")
.loadKeyMaterial(keyStore,password).build();
httpClientBuilder.setSSLContext(sslContext);
Can someone please tell me why my client sends empty certificate when the root CA (issuer) is present in the server truststore? As I understand, the client should send the first certificate that meets the server requirements.

Handshake Failure (40) when IIS connects to SoapUi

I'm creating an app hosted by IIS and I want to have it communicate securely with SoapUi (so IIS is the client is this scenario). I'm using certificates at both ends because I want mutual authentication. When IIS connects to SoapUi, I can see in WireShark that:
The client hello is sent from IIS
Then SoapUi responds with the server hello and continues with the certificate and a certificate request
Then IIS terminats the connection with a TCP [FIN, ACK]
And finally SoapUi sends the Alert(Level: Fatal, Description: Handshake Failure)
In my application log I can see the error Could not establish secure channel for SSL/TLS with authority 'localhost:8443'.
From the logs in my app I can see that my app is apparently loading the certificate as expected. The certificate is loaded from the LocalMachine certificate store and the CA certificate is located in the Trusted Root Certification Authorities. In SoapUi I've added .pfx files for the SoapUi certificate/private key and for the CA certificate/private key. Both the IIS certificate and the SoapUi certificate is signed by the same CA.
Is there anything special I need to configure in IIS to allow an app to connect with mutual certificate authentication.
IIS does not necessarily have access to the private keys in the local machine certificate store. If you have installed the certificate with e.g. an administrator account you will have to give the app pool that runs your application access to the private key of the certificate.

Using SSL Certificate for WCF-BasicHttp Send Adapter in Biztalk

I have a business process which send messages to SAP via soap endpoint exposed by them.
I am using WCF-BasicHttp Send Adapter(In-Process).
As you can see below, earlier the url was http, now they have moved their system to cloud so now they have https endpoints.
I wanted to test this change from http->https, so I have modified the url to https, fill in the credentials for basic auth. it working fine in Test system without SSL Certificate, I need to make sure it wont cause any issue after moving to production system.
My Question is,
1/ Will it work in Production system too as its in TEST without SSL Certificate ?
2/ or Do I need to apply SSL for WCF-BasicHttp Adapter, if yes How can I do that ??
If you are moving to https URL, Certificate is must for SSL/TLS handshake. Many times, Certificate used by specific endpoint is signed by a third party Trusted Root CA e.g. Trustwave, DigiCert etc and these Root CA certs are already trusted on most of the systems. It’s possible in your test system, your endpoint certificate Root CA is already trusted and that’s why you did’t need to install the certificate. In order to check this, you can do following:
Browse your https service url in browser in chrome/IE
Look for Security/Lock sign to find it’s cert. Clicking the lock sign will open certificate.
Check the certificate root by going to Certification Path. You should see a chain of certificates in path. A cert can be by signed by just root CA Or by Intermediary CA first and then root CA. e.g.
—- Trustwave Root
—- Trustwave Intermediary
—- service cert
Or
—- Some Root
—- service cert
Check if Root CA is in your Trusted Root store of system. And Intermediary Cert (if applicable) is in Intermediary Cert Store. You can check this by opening certificate mmc snap-in using mmc command in Windows->Run and adding Certificates snap in of local computer.
If Root CA Cert and Intermediary Certs are not in your system store. SSL/TLS handshake will not complete successfully and BizTalk send port will not work.
If these are installed, you should be good. Otherwise install these certificates in local computer stores.
Another way to verify if endpoint certificate is trusted on a BizTalk system is to login with service account under which your send host is running and then browse the URL in IE. If you don’t get any Cert error, and URL opens such as wsdl URL, then you are good. If you get a cert error, this means end point certificate is not trusted and you need to install the certs as described above.
Some references:
View Certificate
Working with Certificates

Use client certificate in WCF service net tcp

I have a WCF application running as net tcp and installed a server certificate (xxx.domain.com) in server.
Enabled Transport with certificate security. IIS web site configured and its working fine with above certificate also its not installed in local machine as its found correct root ca and intermediate certificate .
Can i call the wcf service with out installing certificate if yes which one i should use Root CA or intermediate .
Please see the certificate chain below
Root CA
Intermediate
xxx.domain.com
Here is the code used in client
channel.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.CertificateAuthority,
X509FindType.FindByThumbprint,
"tried intermediate and root CA its not working ");
When a WCF service created by Nettcpbinding authenticates the client with a certificate, we need to specify a service certificate in the service credentials.
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "5ba5022f527e32ac02548fc5afc558de1d314cb6");
Then the service will work properly. Subsequently, the client should provide a client certificate when calling the service since the Clientcredentialtype property is Certificate on the server-side.
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
Client-side.
ServiceReference1.ServiceClient client = new ServiceClient();
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "f0969c5725b2f142b7f150515ec2bd12bc45250b");
var result = client.Test();
Console.WriteLine(result);
During this process, please note we should install the certificate each other in the Root CA so that the certificate trust relationship between the client-side and the server-side can be established.
Look back to your question, the cause might be the certificate trust relationship cannot be established between the client-side and the server-side. We have to ensure that the client-side has installed the service certificate in the Root CA and the server has installed the client certificate in the Root CA.
Feel free to let me know if there is anything I can help with.

SSL Mutual Authentication on Linux

It must be something really simple but right now I am not getting anywhere with this (I am not a network geek but a programmer).
We are trying to secure web services created between our server and a vendor. Our vendor is asking to send them the public key for an SSL certificate to secure requests and responses in our web services.
What I did
I forwarded the following to our hosting provider but they only provide SSL certificate for websites and didn't give any clear clue to what to do next.
Create a Certificate Signing Request (CSR) with any CN
Have CSR signed from CA
Merge the signed cert file with the CSR to create the actual
certificate
Extract the public and private certificates
What I need
All I need simple set of instructions to what I should do or where can I get/purchase this certificate.
Thanks,