I have a RESTFul API that I want to secure using SSL Certs. If I were to get some SSL certificates, would I need separate ones for each of my web clients that use my API or would the API be the only thing that needs the certificate?
The SSL certificate is installed on your web server hosting your REST API. The clients don't need to have a certificate to securely exchange data with your server.
Think about all the e-banking/e-shopping sites that you probably use. You don't specifically install any certificates on your computer to be able to use them. As long as you trust the certification authority that issued the certificates to those websites (handled by your computer transparently), your computer can connect to them over SSL.
So, as long as your own server's SSL certificate is valid and issued by a trusted certification authority, your clients will be able to connect securely over SSL without needing separate certificates.
SSL Certificates are for Web Server. You install them in your Web Server. Certificates are matched to your domain. They have nothing to do with the clients. Any client can access your server if you have a valid certificate.
I think you have multiple Resful API's.
Now you need not have separate Certificates for API's since Certificates are matched to your server's domain and not to the API's you host. You can have any number of API's and Clients connected to your server using a SSL Certifcate.
Related
We are building an IoT architecture consisting of a API gateway and other services deployed on the cloud. The server uses a letsencrypt SSL certificate, so it is possible to communicate over SSL with the server. There are a number of hardware devices which send data to the server. We want to use x.509 certificate based communication and authentication from the devices to the server. I have two questions in this regard,
Is it possible to use letsencrypt certificate to generate the x.509 based certificate which can be configured on the device. If yes, what are the steps to do so
Since a letsencrypt certificate expires after 90 days, does it mean that after every 90 days, we will have to renew the certificates on all the devices? If yes, is there any best practice to handle such situations
Unfortunately, Let's Encrypt does not support intermediate certificates, so you wouldn't be able to generate your "own" certificates for your devices.
Linked to my question about client certificate authentication done the right way I was wondering whether I have to take the step to link a certificate to a user (active directory or local user) in order to have clientcertificate authentication to work as expected?
And is it necessary to disable all other authentication schemes (anonymous, windows) for clientcerticate authentication to happen?
See this question on the IIS forum:
This is what I would like to achieve:
A SSL-certificate for the URL itself (https://example.company.com). To my understanding this certificate does not have any connection whatsoever to client certificates.
Client certificates issued from my local CA and shared to trusted clients.
Some way of specifying which client certificates are allowed to connect to a specific IIS web site.
3 seems... complicated, to say the least. If I just set everything up and connect with a client certificate I have issued it works. The CA and the web server are on the same domain (if that matters), and I have added the root certificate from the CA to the trusted CAs on the web server. However, at this stage I have not told the web server which client certificates to accept, so my first guess was that it accepts all client certificates [chained to] any CA it trusts.
See also this question, which links to this site, which is dead.
It comes down to creating a "Certificate Trust List", or to mapping certificates to user accounts.
You can however implement a custom certificate validator in your service, how to do so is explained here.
Was wondering what the best practice for deploying a custom WCF - Security Token Service (STS) in a load balancing environment that uses signs and encrypts the token?
We're using Cirtix NetScaler to handle the load balancing and SSL termination (i.e. certificate is only installed on the NetScaler server). The STS has been specified to sign and encrypt the token via the SigningCertificateName and EncryptionCertificateName app settings. However the current web server configuration does not have a local certificate installed within it's certification store.
So my questions are:-
Do we need to worry about signing and encrypting the token if it's transferred over SSL?
Should we install the certificate on every web server or can we use the load balancer?
Can we use the same certificate on each web server or do we need to buy a certificate for each web server?
An STS which does not sign its tokens is not much use: without a signature, no relying party will be able to distinguish between a valid token issued by the STS and a token spoofed by someone with evil intent.
The certificate you install to support SSL is generally different to the STS's signing certificate. The latter identifies the Service, not the web server. So, by all means carry on installing the SSL certificate just on the load balancer. But you will need another certificate, representing the identity of the Service, installed (with its private key) on each machine which hosts the service, for use as the SigningCertificate. It should be the same certificate on each server (it's the same Service).
However, you typically don't need to buy such a certificate: you can issue your own - you just need to make sure each potential Relying Party is configured to recognise the certificate as a trusted STS, and also trusts the root issuer of the certificate (which will be either the certificate itself, if it is a self-signed certificate, or your root certificate, if you used a certificate server to issue it).
I have a https apache server that needs client verification. But when somebody is browsing this site there is need to select proper cert from list of certificates installed in browsers. What can I do to become client cert default to my webpage (so clients do no need to select cert)
Is your certificate valid and signed by a 3rd party root authority like Thawte, Verisign... etc?
You can't control from the server which client certificate is presented - you can only indicate that you expect a clientside certificate (SSLVerifyClient). Most browsers allow the user to associate websites with individual client certs. There is no way to manipulate this from the serverside.
I was ask to use a different SSL certificate for my SSO web service and a different SSL certificate for my website.
Why would I need a different SSL certificate when both the website and webservice are under the same IIS?
Usually certificates are issued to a particular domain. If your website and webservice are on different sub domains then you would use a different certificate for each.
Alternatively you can obtain wildcarded certificates (ie. *.yourdomain.com) but these tend to be much more expensive.