I made simple API for which is running on my "server" inside local network. When I want to call api from another PC internet browser inside my intranet over https://xxx.xxx.xxx.xxx:9100/ShowList i get warning from my browser that my connection is not private NET:ERR_CERT_AUTHORITY_INVALID. I can proceed as unsafe but i would like to avoid that. The question is what I have to do to have save connection inside my intranet? I'm totally new in that so i'm aware of thing I have to do.
You just need to add a ssl certificate to the hosting IIS server (assuming you are using IIS as the server). You can create a Self-Signed Certificate, buy from the vendors or use free services. Take a look at
https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
Related
I have developed Asp.net Core 6 Web Api and want to host it on my Windows server on a specific port that has SSL installed. Here is what I have done so far -
I have an SSL certificate which I added in the Personal store using certificate manager.
I installed this SSL certificate on Port 10001 and it got added successfully.
I created a subdomain and pointed it to this web server.
I want to run this API as an EXE hosted with Kestrel. I tried -
app.run("https://api.xxxxxx.com:10001")
I get an error that SSL Certificate could not be located.
Please help me with how to do this.
It would be useful if you provided the commands used for adding the port reservation and how you added the certificate to Windows, but anyways, my personal experience dealing with self-hosted apps and SSL is the following:
Add the certificate used for https to the Windows Certificates Store -> Local Computer (this is important, don't use the Current User store) -> Personal store
If NOT using localhost as the server address, as in your case, a Url mapping must be done with netsh.exe (with an elevated command window):
netsh.exe http add urlacl url=https://+:10001/ user=Users (*)
Next, make a port reservation using also netsh.exe:
netsh.exe http add sslcert ipport=0.0.0.0:10001 certhash=[your cert hash here] appid={your app id here}
(*) If your Windows language is other than English, use the name of the translated Users group. For instance, in spanish it would be "Usuarios".
If all these procedures are done correctly, you should be able to launch a server that binds to the specified port with https enabled.
Good luck
currently I am working on PWA (progressive web app) that needs fully functional offline capabilities. Currently the client is hosted on Heroku and is fully functional offline, besides one key feature. The PWA is not able to connect to the local server I am running from a separate computer. I made a self-signed cert so the localhost server computer is able to connect to it's running server via HTTPS; but I am unable to connect a different computer on the LAN to the same server. I'm fairly new to certificates and how they work, and I can't seem to figure this one out.
Just needed to make a server endpoint where I could accept the certificate. This was weird initially because the application is a SPA. So currently the user would have to differ for the initial setup.
On my staging server I am connecting to self-signed https api backend. And by default requests can't be made, because browser treat backend as danger.
I have to open backend url in browser
https://my-api-backend.elasticbeanstalk.com
my-api-backend.elasticbeanstalk.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name my-api-backend.elasticbeanstalk.com. Error code: SEC_ERROR_UNKNOWN_ISSUER
After manually confirm that is secure it works. It is fine for me to do this, but not for managers etc. Another thing I was thinking about blocking backend access from outside and allow access only from frontend.
Is there any solution to this problem other than buying domain a sign it properly?
If it is a staging environment it should reflect a production environment so you should use a real domain signed correctly.
Certificates are free through AWS ACM or LetsEncrypt.
Why not use a sub domain like staging.domain.com, it would be free as well. Otherwise domains are cheap and it shouldn't be worth the hassle.
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.