Self Signed SSL Certificate 403.7 Error - ssl

I have been having this issue for about 2 weeks. I have done a lot of research and tried different ways but no joy. I have a development website on my computer (Windows 7 Pro) with SQL Server 2008 R2, using IIS 7.5. There is an actual development server running the database and web server, but because of my location I cannot use the main development site. I issued a self-signed Trusted Root Certificate:
makecert -r -pe -n "CN=ROOT AUTHORITY" -ss my -sr CurrentUser -a sha1 -sky signature -cy authority -sv ca.pvk ca.cer
Then I install that into the trusted root on the local computer. After that I created a certificate for IIS to use.
makecert -pe -n "CN=example.website.name.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic ca.cer -iv ca.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv server.pvk server.cer
Then I create the .pfx file for IIS
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
After I do the above, I import the certificate into IIS and then I bind the website to the SSL certificate (server.pfx).
After all that is done, I go on the website https://example.website.name.com and I get 403.7 forbidden.
Can somebody please help me out with this issue?

Take a look at some of these pitfalls...
Server Issue #1 - The client cert passed in has 1 or more certification paths that do NOT exist on the server. Open the cert, go to the Certification Path tab and make sure each of the root authorities is in the SERVER'S Trusted Root Certification Authorities. Note, you DO NOT need to install the cert on the server, just the root authorities' public keys under Certificates (Local Computer) \ Trusted Root Certification Authorities.
Server Issue #2 (previously mentioned solution) - In IIS, for the site, make sure the SSL Settings are set to Accept OR Require (never Ignore). The benefit of using Require is that the IIS logs will show you a 403.7 error, whereas Accept will just get you IsPresent == false but with a 200 HTTP code.
Client Issue #1 - Same as Server Issue #1, you've got to trust those authorities!
Client Issue #2 - You have the trusted root authorities but NOT the private key for the cert itself. Make sure you install the .pfx (private key) into the cert store, not the public key (.cer). You can also see if you have the private key by double-clicking the cert in the cert store; on the General tab you should see a message saying as much.
Client Issue #3 - You put the cert in the wrong place. It is probably best to place your cert in Certificates (Local Computer) \ Personal \ Certificates, rather than (Current User). This will make the cert available to the process accounts that are running your code and actually need access to it.
Client Issue #4 - Right-click the cert (in the store, not a .cer file) --> All Tasks --> Manage Private Keys... and make sure the process account running your code has "Read" permission. A quick test of this (but not recommended for production use) is to add "Everyone" as Read to see if this is your issue.
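The checklist above can be scripted. What follows is an added example, not code from the original answer: it walks the client-side pitfalls for one certificate (store location, private key, trusted chain, key ACL) and reads the site's sslFlags on the IIS side. It assumes Windows PowerShell 5.1 with the PKI module (Test-Certificate) and, for the IIS part, the WebAdministration module; the thumbprint and site name are placeholders, and the MachineKeys path only applies to CAPI (CSP) keys in the machine store, so CNG keys are skipped in the ACL check.

```powershell
# Added example (not from the original answer). Assumes PS 5.1, PKI module and,
# on the server, WebAdministration. Thumbprint/site name are placeholders.

function Test-ClientCertReadiness {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine'
    )
    # Client Issue #3: LocalMachine\My is where service accounts can reach the cert
    $path = "Cert:\$StoreLocation\My\$Thumbprint"
    if (-not (Test-Path $path)) {
        Write-Warning "Not found in $StoreLocation\My; check the other store location (Client Issue #3)"
        return $false
    }
    $cert = Get-Item $path

    # Client Issue #2: the store copy must carry the private key (import the .pfx, not the .cer)
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key attached (Client Issue #2): import the .pfx, not the .cer"
        return $false
    }

    # Client/Server Issue #1: every issuer in the path must be trusted on this box.
    # Test-Certificate builds the chain in the machine context and also checks the
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $chainOk = Test-Certificate -Cert $cert -Policy Base -EKU '1.3.6.1.5.5.7.3.2' -ErrorAction SilentlyContinue
    if (-not $chainOk) {
        Write-Warning "Chain does not end in a trusted root here (Issue #1); import the CA .cer into Cert:\LocalMachine\Root"
    }

    # Client Issue #4: for a CAPI key in the machine store, the ACL that
    # "Manage Private Keys..." edits is on the key file under MachineKeys (assumed path).
    try {
        $csp = $cert.PrivateKey.CspKeyContainerInfo
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            Write-Host "Private key file ACL (the account running your code needs Read):"
            (Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        }
    } catch { Write-Warning "Could not read key container info (CNG key?): $_" }

    return [bool]$chainOk
}

function Get-SiteSslMode {
    param([Parameter(Mandatory)] [string] $SiteName)
    Import-Module WebAdministration
    # Server Issue #2: sslFlags decides whether IIS ever asks for a client cert.
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
               -Filter 'system.webServer/security/access' -Name sslFlags
    $flags = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }
    switch -Regex ($flags) {
        'SslRequireCert'   { "Require ($flags): a missing/untrusted client cert is logged as 403.7"; break }
        'SslNegotiateCert' { "Accept ($flags): no cert gives HTTP 200 with IsPresent == false"; break }
        default            { "Ignore ($flags): the client is never asked for a certificate" }
    }
}

# Usage (adapt the placeholders):
# Test-ClientCertReadiness -Thumbprint 'A1B2C3D4...' -StoreLocation LocalMachine
# Get-SiteSslMode -SiteName 'Default Web Site'
```

Run the first function on the machine that presents the certificate and the second on the IIS server; a False from the first or an "Ignore" from the second explains a 403.7 or a silent IsPresent == false before you touch any bindings.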

Related

bind self signed ssl certificate to port failed

I wish to bind a self signed certificate to a port for developing my self hosted wcf application, but I always fail.
Steps I've done:
1. created the root certificate:
makecert.exe -a SHA256 -n "CN=DemoCA" -r -sv TempDemoCA.pvk TempDemoCA.cer
2. created the client cert:
makecert.exe -a SHA256 -sk Demo -iv TempDemoCA.pvk -n "CN=DemoTempCert" -ic TempDemoCA.cer DemoTemp.cer -sr currentuser -ss My -sky exchange
3. imported the root cert with mmc.exe (as Administrator) into local computer certificates
4. imported the client cert with mmc.exe into local computer certificates
5. added the private key to the client cert, because it didn't have the key icon:
certutil -repairstore my "MyKeyHash"
6. added a firewall entry:
netsh http add urlacl url=https://+:9003/ user=domain\user listen=yes
7. tried to bind the certificate to the port (as admin):
netsh http add sslcert ipport=0.0.0.0:9003 certhash=MyCertHash appid={NewGuid} clientcertnegotiation=enable
But step 7 failed with error 1312.
SSL Certificate add failed, Error 1312
A specified logon session does not exist. It may already have been terminated.
Everything I found by googling doesn't solve my problem, e.g.:
- import via mmc and not certmgr.msc
- create a new certificate
- KB Hotfix
Interesting fact: binding the existing "localhost" client certificate to a port works fine.
What am I doing wrong?
Thanks in advance.
The solution was that the common name has to be the same as the domain used for the service. In my case localhost did the trick.
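As an added example (not code from the original question or answer), the same binding done from PowerShell with the checks this thread turned out to need in front of it: the certificate is looked up in LocalMachine\My by the exact host name the service will be addressed as, it must carry a private key, and the netsh exit codes are checked so a failure like error 1312 stops the script instead of scrolling by. Run it elevated; the host name, port and account are placeholders.

```powershell
# Added example, not from the original post. Run elevated. Assumes the cert is
# already imported into LocalMachine\My with its private key (.pfx import).

function Bind-HttpsPort {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # must equal the certificate's CN
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $Account     # e.g. 'DOMAIN\user' that will listen
    )
    # HTTP.SYS reads certificates from the machine store, so that is where we look.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $HostName } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        # A common slip: the cert was imported into the user store instead.
        $userCopy = Get-ChildItem Cert:\CurrentUser\My |
                    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $HostName }
        if ($userCopy) { throw "CN=$HostName exists only in CurrentUser\My; import it into LocalMachine\My" }
        throw "No certificate with CN=$HostName in LocalMachine\My (CN must match the service host name)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; import the .pfx, not the .cer"
    }
    $appId = [guid]::NewGuid().ToString('B')   # {xxxxxxxx-...} form that netsh expects

    & netsh http add urlacl url="https://+:$Port/" user="$Account" listen=yes
    if ($LASTEXITCODE -ne 0) { throw "add urlacl failed with exit code $LASTEXITCODE" }

    & netsh http add sslcert ipport="0.0.0.0:$Port" certhash="$($cert.Thumbprint)" `
        appid="$appId" clientcertnegotiation=enable
    if ($LASTEXITCODE -ne 0) { throw "add sslcert failed with exit code $LASTEXITCODE (see netsh message above)" }

    # Show the binding so the appid/certhash pair is on record for a later 'delete sslcert'.
    & netsh http show sslcert ipport="0.0.0.0:$Port"
}

# Usage (placeholders): Bind-HttpsPort -HostName 'localhost' -Port 9003 -Account 'DOMAIN\user'
```

The host-name lookup is deliberately strict: a certificate whose CN is DemoTempCert will never be selected for a service reached as localhost, which is the mismatch the accepted answer describes.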

Root Certificate of website through openssl command

I am trying to obtain the root certificate of various websites for my project, but I am not sure whether the certificates I get back with this command contain the root certificate or not:
openssl s_client -showcerts -connect google.com:443
I was searching for an answer when I came across a post where wget was used to get the root certificate from the certificate repository of godaddy
wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/mail.nixcraft.net/gd.pem
How do I find the repository for every website?
The server must include the certification chain during the TLS connection (https). The chain may include the CA root certificate, but that is optional, so you have no guarantee that it will be available. The TLS protocol expects the client to already have the root certificate in its truststore to verify trust.
You can download the server certificate of every site programmatically, but you still need to look for the root CA certificate. As you can see, GoDaddy publishes them on its website. In many cases the certificate itself includes a reference to download the issuer's certificate.
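To see exactly which certificates a server sends, and where the top one says its issuer can be fetched, here is an added example (not from the original thread) that drives the same openssl s_client command from PowerShell, or reads previously saved PEM blocks from a file, and then decodes each certificate with .NET. It assumes openssl.exe is on PATH and that the Authority Information Access extension formats with a "Certification Authority Issuer" label as it does on Windows; the host name and file path are placeholders.

```powershell
# Added example, not from the original post. Assumes openssl on PATH for the
# live case; the file case works offline on the saved output of
#   openssl s_client -showcerts -connect host:443 > chain.txt

function Get-ServerChain {
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(ParameterSetName = 'Live', Mandatory)] [string] $HostName,
        [Parameter(ParameterSetName = 'Live')]            [int]    $Port = 443,
        [Parameter(ParameterSetName = 'File', Mandatory)] [string] $PemPath
    )
    if ($PSCmdlet.ParameterSetName -eq 'Live') {
        # An empty stdin makes s_client complete the handshake, print, and exit on EOF.
        # -servername sends SNI so virtual-hosted sites return the right cert.
        $text = ('' | & openssl s_client -showcerts -connect "${HostName}:${Port}" -servername $HostName 2>$null) -join "`n"
    } else {
        $text = Get-Content -Raw -Path $PemPath
    }

    # Every PEM block in s_client output is one certificate, leaf first.
    $pems = [regex]::Matches($text, '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----')
    if ($pems.Count -eq 0) { throw "No certificates found in the input" }
    $chain = foreach ($m in $pems) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }

    $i = 0
    foreach ($c in $chain) {
        [pscustomobject]@{
            Position   = $i++
            Subject    = $c.GetNameInfo('SimpleName', $false)
            Issuer     = $c.GetNameInfo('SimpleName', $true)
            # Subject == Issuer is the usual sign of a root; a cross-signed
            # intermediate can look the same, so treat it as a hint.
            SelfSigned = ($c.Subject -eq $c.Issuer)
            NotAfter   = $c.NotAfter
        }
    }

    $top = $chain[-1]
    if ($top.Subject -eq $top.Issuer) {
        Write-Host "Chain ends in a self-signed root ($($top.GetNameInfo('SimpleName', $false))); it was sent, but the client still needs it in its own trust store."
    } else {
        # AIA (1.3.6.1.5.5.7.1.1) usually carries a URL for the issuer's certificate,
        # the "reference to download" mentioned in the answer.
        $aia = $top.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
        $url = if ($aia) {
            [regex]::Match($aia.Format($true), '(?s)Certification Authority Issuer.*?URL=(\S+)').Groups[1].Value
        }
        $where = if ($url) { $url } else { "not advertised; look in the CA's public repository" }
        Write-Host "Root was not sent. Top cert '$($top.GetNameInfo('SimpleName', $false))' is issued by '$($top.GetNameInfo('SimpleName', $true))'; issuer cert URL: $where"
    }
}

# Usage (placeholders):
# Get-ServerChain -HostName google.com
# Get-ServerChain -PemPath .\chain.txt
```

Whether the last line reports a self-signed root or an AIA URL, the practical rule from the answer stands: what the server sends is evidence, not trust, and the root you rely on should come from the CA's own repository or the platform trust store.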

WCF error "The X.509 certificate chain building failed" despite trusted root CA

I'm getting the error mentioned in this question:
The X.509 certificate CN=Farm chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust.
What I don't understand why I'm getting this error as the certificate I use for my request to the WCF service is added as shown below:
client.ClientCredentials.Peer.PeerAuthentication.CertificateValidationMode =
    X509CertificateValidationMode.ChainTrust;
client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySerialNumber,
    "MyCertificatesSerialNumber");
The certificate itself is a self-signed certificate in the store shown above. When I click on it to show the certification path, no errors are shown (the root certificate is also a self-signed certificate). The root certificate was manually imported into the trusted root certification authorities.
From the error message I would have expected that there was an error in the certification chain with one of my certificates, but there isn't. Any ideas?
Update
I'm using Internet Explorer 9 as my browser to access the webservice. Programmatically I'm using a C# console application.
I had exactly the same problem - my own trusted root CA which signed another certificate. No errors were shown in the certificate store.
It turned out that having a trusted root CA and a certificate is not sufficient! You also need a certificate revocation list! Take a look at this MSDN Link.
So simply create such a .crl and add it also to the trusted root certificate authorities and everything works fine!
makecert -crl -n "CN=CARoot" -r -sv CARoot.pvk CARoot.crl
or simply turn off the revocation list check:
...RevocationMode = X509RevocationMode.NoCheck;
I had this problem - this is what I'd suggest:
On the server, make sure that the root cert is located on the "local computer" side of the computer, not "Current User". The other thing is that the SSL cert needs to be derived from the root cert. I eventually got it all to work using a script that included these lines:
rem creates root authority file and cert in localmachine\root and gives it the right to sign certs
makecert.exe -a sha1 -n CN=RootCert RootCertName -sr LocalMachine -ss Root -sky signature -pe -r -sk MyNewKey -cy authority
rem creates ssl cert, puts it in the currentuser\Personal store, signing it based on the root cert
makecert.exe -n cn=HostURL SSLCertName -is root -ic RootCertName -sky exchange -pe -sv SSLCertPrivateKeyName -eku 1.3.6.1.5.5.7.3.1
It's complicated, tedious stuff. You just have to keep at it.
I faced a similar issue while trying to connect to a self hosted WCF service using net.tcp binding. I already had the self signed root CA certificate installed in the CurrentUser certificate store, client was using a certificate signed by the root CA cert.
Installing the root CA certificate in LocalComputer certificate store fixed the error "A certificate chain could not be built to a trusted root authority". My WCF Server process runs using current user account hence this step was not obvious.
The next error was "The revocation function was unable to check revocation for the certificate"
To fix this, I created an empty Certificate Revocation List for the root CA cert and then installed the CRL in the LocalComputer certificate store. (Please check this link for details : https://msdn.microsoft.com/en-us/library/ff648732.aspx)
I also set the revocation check mode to Offline for both server and client certificates.
defaultCredentials.ServiceCertificate.Authentication.RevocationMode =
    X509RevocationMode.Offline;
defaultCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
    X509CertificateValidationMode.ChainTrust;
Now I don't have to turn off certificate validation or use different validation mode for development (In my case production code will also use self signed certificates for the time being)
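The two errors described in the answers above (an untrusted root, then a failed revocation check) can be reproduced side by side without touching the Trusted Root store. The following is an added example, not code from the thread: it creates a throw-away root and leaf with New-SelfSignedCertificate (Windows 10 / Server 2016 or later, PowerShell 5.1), hands the root to X509Chain through ExtraStore so it is visible but not trusted, and builds the chain under each RevocationMode so you can see which status flags a missing CRL adds. Subject names are placeholders; the certificates are removed afterwards.

```powershell
# Added example, not from the original thread. Needs New-SelfSignedCertificate
# with -Signer (Windows 10 / 2016+). Nothing is installed into Trusted Root.

function Test-RevocationModes {
    # Throw-away CA in the user's Personal store (private key needed to sign the leaf).
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject 'CN=DemoRoot' `
        -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -KeyUsageProperty Sign -KeyUsage CertSign `
        -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(2)
    # Leaf signed by that CA, with the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    # Neither cert carries a CRL distribution point, which is the situation in the answers.
    $leaf = New-SelfSignedCertificate -Type Custom -KeySpec KeyExchange -Subject 'CN=demo.service.local' `
        -DnsName 'demo.service.local' -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation Cert:\CurrentUser\My -Signer $root -NotAfter (Get-Date).AddDays(1) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
    try {
        foreach ($mode in 'NoCheck', 'Offline', 'Online') {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = $mode          # what the WCF setting maps to
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            # ExtraStore lets the engine find the root without trusting it; the
            # UntrustedRoot status that remains is what importing the CA into
            # Trusted Root (LocalMachine for a service) removes.
            [void]$chain.ChainPolicy.ExtraStore.Add($root)
            $valid = $chain.Build($leaf)
            [pscustomobject]@{
                RevocationMode = $mode
                Valid          = $valid
                # With no CRL reachable, Offline/Online typically add
                # RevocationStatusUnknown and OfflineRevocation on top of UntrustedRoot.
                Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            }
        }
    } finally {
        Remove-Item "Cert:\CurrentUser\My\$($leaf.Thumbprint)", "Cert:\CurrentUser\My\$($root.Thumbprint)" `
            -DeleteKey -ErrorAction SilentlyContinue
    }
}

Test-RevocationModes | Format-Table -AutoSize
```

Reading the Status column is the point: the flags that disappear when you switch from Offline to NoCheck are the ones an empty CRL published for the root (as the answers describe) would also clear, while UntrustedRoot is only fixed by the store import, so the two fixes are independent and both are needed when revocation checking stays on.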

Can I create a self-signed SSL certificate for Windows Azure using only makecert.exe?

Background: I need to test an https endpoint for a WebRole on Windows Azure. For that I need to upload a self-signed certificate, add the certificate's thumbprint to the WebRole's configuration and finally associate the endpoint with that configured certificate.
I created a self-signed certificate using makecert.exe, which is available through the Visual Studio Command Prompt. I used the following command:
makecert.exe -r -pe -n "CN=test.cloudapp.net" -sky exchange -ss my -len 2048 test.pfx
The command succeeds and I can upload the certificate file to the Windows Azure hosted service. But deployment of the WebRole fails with the following error:
Certificate with thumbprint 6AB... associated with HTTPS input
endpoint Endpoint2 does not contain private key.
I have to export the certificate from the My store, choose to include the private key and provide a password. If I upload this exported certificate file and use its thumbprint, then deployment succeeds.
I want to create a certificate file that includes the private key, without first saving the certificate to any store and exporting it from the store. Is that possible using makecert.exe?
To create a certificate without saving it to any store you'll need to use pvk2pfx.exe (available through the Visual Studio Command Prompt).
It works like this:
makecert.exe -sv CertKey.pvk -n "CN=My Azure Certificate" CertKey.cer
pvk2pfx.exe -pvk CertKey.pvk -spc CertKey.cer -pfx MyPFX.pfx -po yourPasswordHere
Running makecert.exe will ask you for a password for the private key. You'll need to enter that password for the -po argument of the pvk2pfx.exe command.
Finally you'll have a pfx file (containing private key) named MyPFX.pfx
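Because the deployment error quoted in the question is exactly what a key-less .pfx produces, it is worth proving the file before uploading it. The block below is an added example, not code from the answer: it wraps the two commands above and then loads the resulting .pfx with .NET to confirm the private key is present and to print the thumbprint that goes into the WebRole configuration. It assumes makecert.exe and pvk2pfx.exe are on PATH (Visual Studio command prompt; the Windows 8 SDK or later for -a sha256) and that you type the same password into makecert's prompt as you pass in; names and the password are placeholders.

```powershell
# Added example, not from the original answer. Assumes makecert/pvk2pfx on PATH.
# makecert prompts for the .pvk password in a dialog: use the value of $Password.

function New-AzurePfx {
    param(
        [Parameter(Mandatory)] [string] $Subject,    # e.g. 'CN=test.cloudapp.net'
        [Parameter(Mandatory)] [string] $Password,
        [string] $BaseName = 'CertKey'
    )
    # -r self-signed, -pe exportable key, -sky exchange for SSL, -sv writes the key
    # to a .pvk so nothing touches a certificate store.
    & makecert.exe -r -pe -n $Subject -sky exchange -len 2048 -a sha256 `
        -sv "$BaseName.pvk" "$BaseName.cer"
    if ($LASTEXITCODE -ne 0) { throw "makecert failed ($LASTEXITCODE)" }

    # -pi is the .pvk password, -po the password on the new .pfx
    & pvk2pfx.exe -pvk "$BaseName.pvk" -spc "$BaseName.cer" -pfx "$BaseName.pfx" `
        -pi $Password -po $Password
    if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed ($LASTEXITCODE)" }

    Test-PfxHasPrivateKey -PfxPath "$BaseName.pfx" -Password $Password
}

function Test-PfxHasPrivateKey {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $Password)
    [pscustomobject]@{
        File          = $PfxPath
        Thumbprint    = $cert.Thumbprint      # value for the WebRole's Certificate element
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey   # must be True, or deployment fails as quoted above
    }
}

# Usage (placeholders):
# New-AzurePfx -Subject 'CN=test.cloudapp.net' -Password 'yourPasswordHere'
```

Test-PfxHasPrivateKey works on any .pfx, including one exported from the store by hand, so it doubles as a quick check on the manual route the question describes.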

Preventing Duplication of the x509 Certificate Used on a WCF Client?

I have a WPF and WCF app that requires installing the certificate (.pfx) on the client side so that the WPF app can call the WCF service.
Now how can I prevent the client from exporting the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?

Generate Certs for WCF
Generate a Certificate Authority Cert
makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer
-r Create a self signed
-pe Mark generated private key as exportable
-ss Subjects certificate store names that stores the output certificate
-sr Subjects certificate store location
The file pops up in the personal certs store of the machine you generate the cert from.
This is the file you will need to import into your server/client as a trusted root authority (right-click the .cer file you created, Install Certificate, and put it into Trusted Root Certification Authorities).
Generate Server Cert
You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on, open mmc, Certificates snap-in, Personal, click on the cert >> right-click >> All Tasks >> Export >> select Yes, export the private key >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx
Install this cert into the Personal Store of the server machine and use it to host the service.
Create Client Cert
Create the certificate from the CA machine. This will generate a cert file with the private key embedded:
makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "MyCA" -is my -ir localMachine TestPublicCert.cer
Take this cer file and install it on the client machine in the Trusted People store
Recap
Create a CA cert (or use the one you already have if you purchased one)
From the CA export a .pfx file that is password protected (Private Cert)
Create a Public Cert from the CA cert (Public Cert)
Then
Install the CA's CA.cer into the Trusted Root Certification Authorities store on Client and Server
Install the Private.pfx file into the Personal store of the server
Install the Public.cer into the trusted people store of the client
Ready to go.
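The recap above is a three-certificate procedure, and the added example below scripts it end to end. It is not code from the post: it uses makecert (assumed on PATH; Windows 8 SDK or later for -a sha256, drop that switch for the SHA-1 the post uses) to write each certificate straight into the store the recap names on the CA machine, exports the files that travel to the other machines with the PKI module cmdlets, and lists the imports to run there. Run it elevated; the CA name, host name, output folder and PFX password are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the CA machine.
# Placeholders: adjust $caName, $hostName, $out and the password.

$caName   = 'MyCA'
$hostName = 'wcf.example.local'   # must match the host name clients use in the endpoint address
$out      = 'C:\certs'
$pfxPwd   = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force
New-Item -ItemType Directory -Force -Path $out | Out-Null

# 1. CA cert: self-signed, marked as an authority, dropped directly into
#    LocalMachine\Root here. The .cer is what every other machine imports into Root.
& makecert -r -pe -n "CN=$caName" -cy authority -sky signature -a sha256 `
    -ss Root -sr LocalMachine "$out\$caName.cer"
if ($LASTEXITCODE -ne 0) { throw "CA creation failed" }

# 2. Server cert: issued by the CA found in LocalMachine\Root (-in/-is/-ir),
#    Server Authentication EKU, key kept in LocalMachine\My for export below.
& makecert -pe -n "CN=$hostName" -in $caName -is Root -ir LocalMachine `
    -sky exchange -eku 1.3.6.1.5.5.7.3.1 -a sha256 -ss My -sr LocalMachine "$out\server.cer"
if ($LASTEXITCODE -ne 0) { throw "server cert creation failed" }

# 3. Client cert: same issuer, Client Authentication EKU.
& makecert -pe -n "CN=ClientCert" -in $caName -is Root -ir LocalMachine `
    -sky exchange -eku 1.3.6.1.5.5.7.3.2 -a sha256 -ss My -sr LocalMachine "$out\client.cer"
if ($LASTEXITCODE -ne 0) { throw "client cert creation failed" }

# Export the private halves for the machines that must prove possession.
$server = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$hostName"
$client = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=ClientCert'
Export-PfxCertificate -Cert $server -FilePath "$out\server.pfx" -Password $pfxPwd | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$out\client.pfx" -Password $pfxPwd | Out-Null
Get-ChildItem $out

# Then, copying $out to each box (the recap's three install steps):
# SERVER
#   Import-Certificate    -FilePath .\MyCA.cer    -CertStoreLocation Cert:\LocalMachine\Root
#   Import-PfxCertificate -FilePath .\server.pfx  -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
# CLIENT
#   Import-Certificate    -FilePath .\MyCA.cer    -CertStoreLocation Cert:\LocalMachine\Root
#   Import-Certificate    -FilePath .\client.cer  -CertStoreLocation Cert:\LocalMachine\TrustedPeople
#   Import-PfxCertificate -FilePath .\client.pfx  -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
```

Two notes on the design. The issuer lookup uses -in/-is/-ir against the store rather than a .pvk file, so the CA key never leaves the machine store. And if the service validates the client certificate with PeerTrust, the client's public .cer also belongs in the server's TrustedPeople store, since that is the store PeerTrust consults; the LocalMachine location is used throughout so the service account, not just the logged-on user, can see the certificates.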