I'm using SharePoint 2010 and I'm configuring a web part using ChannelFactory and Certificate to access a WCF service.
But I'm getting this error message:
Error occured: Could not establish secure channel for SSL/TLS with authority 'my FQDN'.
How could I configure my SharePoint web application to have access to read this installed certificate?
(I'm sure the certificate is installed correctly on the server where SharePoint is installed and all the WCF configurations are correct.)
Many thanks in advance,
Are you talking about a client certificate that SharePoint would use to authenticate itself when connecting out to some service? If that is the case, then you would need to install a certificate along with a private key. Otherwise, if you are just talking about a root certificate to validate some server certificate on a remote service, you do not need the private key.
Assuming that you mean a client certificate with private key (I don't know how SharePoint uses certificates), then you would have to install the certificate along with a private key, and then, make sure SharePoint has access to the private key.
It's not enough just to install with the private key -- you have to either install logged in as the Windows account that the code using the private key will be running under, or, if you install the certificate into the Local Machine "Personal" store, for example, you have to set an ACL on the certificate to give another Windows account access to the private key. To do that, you can use the WinHttpCertCfg tool. Cf. here for the general idea, and here to download the tool. Or from the MMC Certificate snap-in, select the certificate in the Local Machine, Personal store, right-click, select All Tasks, Manage Private Keys, and grant access from there.
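The ACL point in the answer above is the one that is easiest to check from code: the certificate may be visible in the store while the private key is not readable by the account the code runs under. The following is an added diagnostic example (not from the answer or from SharePoint) that runs under the identity in question, finds the certificate by thumbprint in the Local Machine "Personal" store and tries to open its private key, reporting the CryptographicException that the key ACL produces. The thumbprint is a placeholder to be replaced; only CSP (RSACryptoServiceProvider) keys are inspected.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic (not part of the original answer): can the current Windows identity
// actually open the private key of the client certificate in LocalMachine\My?
static class PrivateKeyAccessCheck
{
    // Placeholder: replace with the thumbprint of the client certificate.
    const string Thumbprint = "0000000000000000000000000000000000000000";

    // Returns true when the private key could be opened by the current identity.
    public static bool CanOpenPrivateKey(string thumbprint)
    {
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
            {
                Console.WriteLine("Certificate not found in LocalMachine\\My.");
                return false;
            }

            X509Certificate2 cert = found[0];
            Console.WriteLine("Subject: " + cert.Subject);
            // HasPrivateKey only says the store knows about a key; it does not prove access.
            Console.WriteLine("HasPrivateKey (metadata only): " + cert.HasPrivateKey);

            try
            {
                // Touching PrivateKey makes the CSP open the key container under the current identity,
                // which is where a wrong ACL surfaces as a CryptographicException.
                RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null)
                {
                    Console.WriteLine("Key is not a CSP key; this check only covers RSACryptoServiceProvider.");
                    return false;
                }
                Console.WriteLine("Key container: " + rsa.CspKeyContainerInfo.UniqueKeyContainerName);
                Console.WriteLine("Private key opened; the ACL allows this account.");
                return true;
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("Private key NOT accessible: " + ex.Message);
                Console.WriteLine("Grant this account read access (MMC > All Tasks > Manage Private Keys, or WinHttpCertCfg).");
                return false;
            }
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        CanOpenPrivateKey(Thumbprint);
    }
}
```

Run it under the same account as the SharePoint application pool (for example with `runas` or as a scheduled task) so that the result reflects the identity the web part actually uses.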
Have you tried uploading it to the Manage trusts area?
http://centraladmin/_admin/ManageTrust.aspx
Rebooted the server?
Installed on all servers in the farm? Into the machine store (not service or personal)?
Related
I am using Bouncy Castle (C#) to generate self-signed X.509 certificates for a WCF web-service.
I have a use case where certificates are created by an installer running in a user account (eg. System Administrator Account). The installer will also create the Windows user account for the service (eg. My Service Account) which will then use those certificates.
I would not like to make the certificate available to all users on the machine/domain, but only to the authorized Service Account (My Service Account).
In such a case it seems neither StoreLocation.CurrentUser nor StoreLocation.LocalMachine will be able to achieve this?
What would be a reasonable way to solve this use case?
The only way you'll be able to access the certificate from any account is to create them in the LocalMachine store; not if you put them in a specific user store.
Notice that certificates don't have ACLs, per-se. Private keys, however, do.
So the most common way to do this is to store the certificate itself on the LocalMachine store, and then secure the private keys with the right ACLs, granting permissions only to those accounts that actually should have access to the private key (which can certainly be a virtual service account such as NT Service\<ServiceName>).
In modern versions of Windows, you should be able to adjust the permissions on the private key directly from the certificate management MMC snap-in, by using the All Tasks -> Manage Private Keys option on the context menu for the certificate.
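The two-step recipe in the answer (certificate into LocalMachine\My, then an ACL on the private key for one account) can be done by the installer itself. The following is an added example, not from the answer or from Bouncy Castle, and it assumes the installer already holds the generated certificate and key as a PFX file at a placeholder path with a placeholder password; the service account name is also a placeholder. It imports the PFX with the key persisted in the machine key store and then adds a read-only ACE for the service account to the CSP key container, which is the programmatic equivalent of All Tasks -> Manage Private Keys. Only CSP (RSACryptoServiceProvider) keys are handled.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added installer example (not the original answer's code).
static class ServiceCertInstaller
{
    // Import the PFX into LocalMachine\My with the private key persisted in the machine key
    // store, so the certificate is visible to every account on the machine.
    public static X509Certificate2 ImportToMachineStore(string pfxPath, string pfxPassword)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
        return cert;
    }

    // Add an Allow/GenericRead ACE for 'account' on the certificate's CSP key container.
    // Only the accounts listed here (plus the installer and administrators) can use the key.
    public static void GrantPrivateKeyRead(X509Certificate2 cert, string account)
    {
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException(
                "Only CSP (RSACryptoServiceProvider) keys are handled here; CNG keys use a different API.");

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        CspParameters csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName);
        csp.Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore;
        // Start from the container's current DACL and add one entry to it.
        csp.CryptoKeySecurity = info.CryptoKeySecurity;
        csp.CryptoKeySecurity.AddAccessRule(
            new CryptoKeyAccessRule(new NTAccount(account), CryptoKeyRights.GenericRead, AccessControlType.Allow));

        // Re-opening the existing container with CryptoKeySecurity set writes the new DACL.
        using (new RSACryptoServiceProvider(csp)) { }
    }

    static void Main()
    {
        // Placeholders: in a real installer these come from the setup package.
        X509Certificate2 cert = ImportToMachineStore(@"C:\install\service.pfx", "pfx-password");
        GrantPrivateKeyRead(cert, @"NT Service\MyService"); // virtual service account, as in the answer
        Console.WriteLine("Installed " + cert.Thumbprint + " and granted private key read access.");
    }
}
```

Run this under the installing (administrative) account; the installer keeps its own access to the key, and the service account receives read access only, which is all a TLS or WCF server needs to sign with the key.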
I have two client certificates that I have installed for my API project in the Azure portal. I have set the config option to enable them and can verify that they can both be found in the CurrentUser 'My' store. My problem is now that one of them is failing validation. On my local machine I have this cert installed in the Trusted People store of LocalMachine. Is there anything I can with Azure to make this work?
Is the location of the cert the issue or is it possibly something with the certificate itself?
Note that this is an app service, not a cloud service.
There are a few things you can check. In Azure, check in the app settings whether you have added your certificate. It's in the SSL section of your Azure app.
Another workaround would be where you are configuring your Token Authentication: you could set these settings.
For example, in my case, I was getting an X509 certificate error.
I added this code in my project.
using System.IdentityModel.Selectors;
using System.ServiceModel.Security;
// Disables X.509 validation entirely: any certificate, trusted or not, is accepted.
System.IdentityModel.Configuration.IdentityConfiguration config = new System.IdentityModel.Configuration.IdentityConfiguration();
config.CertificateValidator = X509CertificateValidator.None;
config.CertificateValidationMode = X509CertificateValidationMode.None;
Basically, turn off your validation. Most of the time, what happens is that your local machine has all the certificates installed by an IT operations person, but those certificates are not on Azure.
You can check here for some reference as well. Microsoft Certificate Reference
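The answer above turns validation off because the issuing chain is missing on the App Service host. When the chain cannot be installed, a narrower alternative is a custom validator that accepts only the specific certificates you expect. The following is an added example, not from the answer, showing such a validator: it checks the validity period and an explicit thumbprint allow-list, and plugs into the same IdentityConfiguration object the answer uses, with validation mode Custom instead of None. The thumbprint passed to it is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

// Added example (not the answer's code): accept only certificates on an explicit allow-list.
public sealed class ThumbprintAllowListValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public ThumbprintAllowListValidator(IEnumerable<string> thumbprints)
    {
        foreach (string t in thumbprints)
            allowed.Add(t.Replace(" ", ""));
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // NotBefore/NotAfter are returned in local time, so compare against DateTime.Now.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Certificate " + certificate.Thumbprint + " is outside its validity period.");

        if (!allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Certificate " + certificate.Thumbprint + " is not on the allow-list.");
    }
}

public static class TokenValidationSetup
{
    // Same configuration object as in the answer, but with a real validator instead of None.
    public static IdentityConfiguration Configure(IEnumerable<string> allowedThumbprints)
    {
        IdentityConfiguration config = new IdentityConfiguration();
        config.CertificateValidationMode = X509CertificateValidationMode.Custom;
        config.CertificateValidator = new ThumbprintAllowListValidator(allowedThumbprints);
        return config;
    }

    public static void Main()
    {
        // Placeholder thumbprint: take the real one from the certificate shown in the Azure SSL settings.
        IdentityConfiguration config = Configure(new[] { "0000000000000000000000000000000000000000" });
        Console.WriteLine("Validation mode: " + config.CertificateValidationMode);
    }
}
```

The allow-list does no chain building, so it works on a host without the issuing CA installed, but it must be updated whenever the client certificate is renewed.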
I am trying to wrap my head around certificates and any help is appreciated. So far this is what I understand, please correct me if I am wrong.
When using the browser, when I navigate to the https site, the browser downloads the certificate (without the private key) and then continues to send the data over https?
I have come across some sites (especially when developing) that require you to install the certificate on the local machine before making a service call. What is the purpose here and how does it work?
I have also seen some scenarios where you need to install the certificate on the client machine for authentication purposes for example if you are using an email client, how does this work?
When using the browser, when I navigate to the https site, the browser downloads the certificate (without the private key) and then continues to send the data over https?
No, the browser and the server establish an SSL/TLS secure channel with a symmetric encryption key. During the handshake process the server presents the https certificate and digitally signs some data with the private key as proof of authenticity.
I have come across some sites (especially when developing) that require you to install the certificate on the local machine before making a service call. What is the purpose here and how does it work?
The client must trust the server certificate. Usually it has a list of the Certification Authorities whose certificates are accepted. For other certificates, it is necessary to add them to the trust list. If not, the communication will be rejected.
I have also seen some scenarios where you need to install the certificate on the client machine for authentication purposes for example if you are using an email client, how does this work?
Probably the same case as the previous one. Also, the public part of a user's certificate can be used to encrypt a message for him.
I'm trying to create a https endpoint on my azure application, but I've run into a problem.
I have a CNAME record (in our local ISP's Name Server), like MyApp.MyDomain.com, which maps to MyApp.cloudapp.net.
Microsoft documentation tells me that I need to get a Certificate Signing Request (CSR) for MyApp.MyDomain.com. However, the only place this exists is in the local ISP's name server, and they tell me that they can't create this CSR since they don't host that domain. This doesn't make sense to me, since nobody "hosts" that domain, it's just a CNAME.
So I don't know who can create that CSR. Is it something I can do locally (i.e. on an IIS that is unrelated to that domain), or does it need to be done on Azure's / local ISP's server?
You can do this locally and you'll send it to the company you buy the certificate from (let's say Comodo). Once they're done, they'll send the response and you'll need to upload it in IIS (under Server Certificates, Complete Certificate Request).
The result will be that you'll have a PFX file (a file with public and private key). Once you have this file you'll need to upload it in the Windows Azure Portal, and in your WebRole you'll need to fill in the thumbprint of that certificate.
Once you've done all this and you deployed the application, you'll be able to access the website through HTTPS and you'll see that the certificate will be used correctly.
My use case is very simple: I have a GUI application, and inside this application I host a service; however, clients of this service must be able to authenticate with UserName safely (the only thing I want is to encrypt messages to be sure that nobody can sniff to retrieve the password of clients; I don't care about more security).
So, I want to ship a certificate with my GUI application and that my host (which is inside the GUI application... I know it's a little dirty) use the certificate to encrypt messages.
So my question is: do my requirements oblige me to install the certificate inside the store on the host machine?
Am I obliged to generate a new certificate with makecert for every host ?
What is the easiest way to deploy my application ?
(I control the client application so the validation of the certificate is not a problem)
First of all you should not use makecert to generate production certificates.
You could store the certificate in code and not in the machine, but keep in mind that the security of the whole encryption is as good as the security of the certificate's private key. If the machine where the application will be run is secure you could use the certificate "in code", but if you cannot guarantee the security of the host machine you should install the certificate in the Windows store. Make sure the user running the application has permissions to read the certificate's private key.
If using WSE or WCF make sure you test the default message or transport encryption methods provided to see if they are good enough for your use.
Here are some references for installing a certificate with a private key (.pfx file) programmatically.
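The answer's two options, certificate "in code" versus certificate in the Windows store, map to two different ways of giving a WCF ServiceHost its service certificate. The following is an added example, not from the answer or from any referenced page, for the asker's setup (a service hosted inside the GUI application with UserName credentials over message security). Paths, password, thumbprint and addresses are placeholders, and the client part assumes the shipped public certificate (without its private key) has been placed in the client's Trusted People store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not the answer's code): where the hosted service's certificate comes from.
public static class InProcessHostCertificate
{
    // Option 1, "in code": load the PFX shipped with the application. The private key lives in the
    // application directory, so anyone who can read those files can read the key.
    public static X509Certificate2 LoadShippedCertificate(string pfxPath, string password)
    {
        return new X509Certificate2(File.ReadAllBytes(pfxPath), password, X509KeyStorageFlags.UserKeySet);
    }

    // UserName credentials over message security: the client encrypts the token with the service
    // certificate, so a sniffer on the wire never sees the password.
    public static WSHttpBinding CreateUserNameBinding()
    {
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    public static void ConfigureHostInCode(ServiceHost host, X509Certificate2 cert)
    {
        host.Credentials.ServiceCertificate.Certificate = cert;
    }

    // Option 2, Windows store: the key stays in the machine key store, protected by its ACL, and the
    // application only needs read access to it (see the answer above).
    public static void ConfigureHostFromStore(ServiceHost host, string thumbprint)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, thumbprint);
    }

    // Client side: since the asker controls the client, it can require the service certificate to be
    // one it already knows (PeerTrust = present in the client's Trusted People store) instead of
    // trusting every CA in the root store.
    public static void RequireKnownServiceCertificate(ChannelFactory factory)
    {
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
    }

    public static void Main()
    {
        // Placeholders for the hosted service type, address and certificate source.
        ServiceHost host = new ServiceHost(typeof(object), new Uri("http://localhost:8000/MyService"));
        ConfigureHostFromStore(host, "0000000000000000000000000000000000000000");
        Console.WriteLine("Service certificate: " + host.Credentials.ServiceCertificate.Certificate);
    }
}
```

Option 2 answers the asker's deployment question directly: one certificate per host, installed once by the installer, with the thumbprint written to the application's configuration; the client ships only the public certificate.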