How to install self signed certificate that was created by Makecert.exe in windows for IIS Express? - windows

I'm trying to add HTTPS to my local development environment in IIS Express for a custom domain. I first created a new certificate using the following command in an elevated developer command prompt:
Makecert -r -pe -n CN="mycustomdomain.com" -a sha512 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
The problem is that mycustomdomain.com is now installed in the local personal certificate store, and it is telling me that this CA root certificate is not trusted and that I need to install it in the Trusted Root Certification Authorities store.
Would simply copying the certificate into the trusted root certification authorities store without the private key be enough? If not, what should I do?

Related

certificate signed by unknown authority with self-signed certificates

I'm trying to set up a development environment where TLS is enabled for RabbitMQ. Here is what I did:
1) Use the tls-gen script to generate certificates with the basic profile.
2) Configure RabbitMQ to use ca-certificate.pem, server-certificate.pem, and server-key.pem.
3) As I'm using macOS, I ran sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain testca/ca_certificate.pem to add the CA certificate to the trusted roots.
4) Within a Go program, I load client_certificate.pem and client-key.pem into a tls.Config.
5) Call amqp.DialTLS().
I got the following error message:
err: x509: certificate signed by unknown authority
which is unexpected. In step 4 above, if I add ca-certificate.pem to the root CAs of the tls.Config, it works fine. So I suspect that the addition of the root CA on macOS is not right.
Can somebody review the above and point out my mistake?

How to use a specific self-signed certificate with IIS Express (rather than the default localhost)

I am having trouble finding a specific example of how to specify a self-signed certificate for IIS Express (Visual Studio 2015) rather than the default generated 'localhost' certificate.
I'd like to use one from my personal self-signed certificates store to correspond with a specific domain I am using during development.
I cannot locate where to specify the certificate (or its footprint).
You can use makecert to do that. A long time ago I wrote a document on how to do that, and you can find the blog post here:
http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx
The key call is:
makecert -r -pe -n "CN=HANSELMAN-W500" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
where you can choose the CNAME that you want.
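The first question on this page asks whether copying the self-signed certificate into Trusted Root Certification Authorities without its private key is enough, and this answer shows the makecert call that produces such a certificate. The following PowerShell script is an added example written for this page (not code from the question, the answer or the linked blog post) that does the whole procedure with in-box cmdlets: New-SelfSignedCertificate stands in for makecert, only the public certificate is placed in the root store, the resulting chain is verified, and the certificate is bound to the port IIS Express uses. The host name mycustomdomain.com, the port 44300 and the IIS Express application id GUID are assumptions; the appid only records which application owns the HTTP.sys binding, so another GUID would work equally.

```powershell
# Added example (editor's own; not code from the question, the answer or the linked blog post).
# Assumptions: the development host name is mycustomdomain.com, IIS Express will serve it
# on port 44300, and New-SelfSignedCertificate (the in-box replacement for makecert) is
# used to create the certificate. Run from an elevated PowerShell session.

$dnsName = 'mycustomdomain.com'
$port    = 44300

# 1. Self-signed server certificate in LocalMachine\Personal: private key exportable
#    (makecert -pe), EKU limited to Server Authentication (makecert -eku 1.3.6.1.5.5.7.3.1).
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# 2. Copy ONLY the public certificate into Trusted Root Certification Authorities.
#    The root store anchors the chain and never needs the private key; the key stays
#    in Personal, where the server process reads it.
$cerPath = Join-Path $env:TEMP "$dnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cerPath

# 3. Verify that the chain now builds to a trusted root on this machine. A self-signed
#    certificate publishes no CRL, so revocation checking is switched off for this check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain still not trusted: $reasons"
}

# 4. HTTP.sys binding for the port IIS Express uses. The GUID is the application id
#    commonly used for IIS Express (assumption); it only tags the owner of the binding.
$appId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'
netsh http delete sslcert "ipport=0.0.0.0:$port" 2>$null | Out-Null
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$($cert.Thumbprint)" "appid=$appId"

# 5. URL reservation so IIS Express can listen on the custom host name without
#    itself running elevated.
netsh http add urlacl "url=https://${dnsName}:${port}/" user=everyone

"Bound $($cert.Subject) [$($cert.Thumbprint)] to https://${dnsName}:${port}/"
```

Two things the script does not do: the name still has to resolve to the local machine (a hosts-file entry), and IIS Express still needs an https binding for that host name and port in its applicationhost.config. New-SelfSignedCertificate also writes the name into a Subject Alternative Name extension, which makecert cannot emit and which current browsers require before they accept the certificate even when the root is trusted.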

How to create a secure http server in dart?

I am trying to set up my Dart HTTP server to run only with HTTPS. So I gather I need to use HttpServer.bindSecure, but I'm not clear from the description what needs to be passed in as certificateName, and whether requestClientCertificate being true makes it more or less secure, or has no impact on security whatsoever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert', but before that it does something with a database that it doesn't seem to use in any way. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?
The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.
The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.
Use the following steps to:
1) Install the NSS utility (including certutil),
2) Create a new certificate database in directory <dir> with a password <password>, and
3) Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently the last stable version) 1.8.3.
Install the NSS utility
sudo apt-get install libnss3-tools
cd to the directory that will contain your certificate database
cd <dir>
Create a password file to use with the certificate database:
echo "<password>" > pwdfile
Create the certificate database
certutil -N -d 'sql:./' -f pwdfile
Either:
Generate a self-signed certificate:
certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile
where <host> is the host ("common name") for which to generate a certificate, for example "localhost"
Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":
certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"
Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.
Copy the purchased certificate to a file named <host>.crt
Import the certificate to the database
certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"
If necessary to use an intermediate certificate, it can be imported as such:
certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.
Verify that the certificates exist in the database
certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"
To use this certificate and create an HTTPS server, do the following:
import 'dart:io';

void main() {
  // Initialize secure socket to use certificate database (note: replace `<dir>`
  // with the absolute path to the certificate database directory, and `<password>`
  // with the value chosen above)
  SecureSocket.initialize(database: "<dir>", password: "<password>");

  // Bind secure HTTP server to specified host and port (typically 443); the
  // certificateName is the nickname given to certutil -A above
  HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
      .then((HttpServer httpServer) {
        // Listen for incoming requests
        httpServer.listen((HttpRequest httpRequest) {
          // TODO: process request
        });
      })
      .catchError((error) {
        // TODO: handle error (e.g. certificate nickname not found in the database)
      });
}
Update
I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.

How to import a pfx using certutil without prompt?

I want to import a PFX using cmd. I am using certutil for that, but I am getting a prompt asking me to trust the certificate. I want to automate the import, so I want to skip the warning prompt. How can I accomplish that?
I am using this command:
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx
The reason you got a prompt dialog is that you are trying to add a "CA certificate" into the "Trusted Root Certification Authorities" store. In fact, when you use "certutil -f -user -p PASSWORD -importpfx c:\cert.pfx" to import a PFX certificate, two actions happen:
1) Add a personal certificate (which includes the private key) into the "Personal" store.
2) Add a CA certificate into the "Trusted Root Certification Authorities" store.
It is the second action that causes the UAC to prompt a warning dialog, since you are trying to add a CA certificate into the "Trusted Root Certification Authorities" store. This means that any web host that holds this certificate will be trusted in the future; this is a very important action and should be treated very discreetly by the user, shouldn't it? So the UAC will warn the user to confirm this action.
There is only one way to suppress the warning dialog, that is, you don't add the CA certificate into the "Trusted Root Certification Authorities" store, by doing so:
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx NoRoot
Adding a personal certificate into the "Personal" store will not prompt any warning dialog. However, this way the web host that holds the CA certificate will not be trusted any more, and this can be very frustrating if you use HTTPS to access the web host.
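The answer describes the two actions hidden inside one certutil -importpfx call and the trade-off of NoRoot. The script below is an added example for this page (not code from the question or the answer) that performs the same two actions separately with the PKI module and the .NET store API, so the import runs unattended without giving up the CA: the leaf goes to Personal only, and each bundled certificate is routed to Trusted Root or Intermediate CAs according to whether it is self-signed. It assumes the file is c:\cert.pfx with the password typed at a prompt, and that the PFX bundles the issuing CA as the answer describes. It targets the LocalMachine stores (which need an elevated session) because, unlike the current user's Root store, they raise no interactive trust dialog.

```powershell
# Added example (editor's own; not code from the question or the answer).
# Assumptions: the file is c:\cert.pfx, its password is typed at the prompt, and the
# PFX bundles the server certificate with the CA that issued it. Run elevated: the
# machine Root store needs admin rights but shows no interactive trust dialog.

$pfxPath     = 'c:\cert.pfx'
$pfxPassword = Read-Host -AsSecureString 'PFX password'   # keep the password out of the script

# Look inside the PFX before importing anything.
$pfx    = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$leaf   = $pfx.EndEntityCertificates[0]
$others = @($pfx.OtherCertificates)
"Leaf    : $($leaf.Subject)  issued by $($leaf.Issuer)"
$others | ForEach-Object { "Bundled : $($_.Subject)" }

# Action 1 of the answer: leaf + private key into Personal only. Import-PfxCertificate
# writes to the single store given here, so the CA is not silently pushed into Root
# (the effect of certutil's NoRoot, without discarding the CA).
Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null

# Action 2 of the answer, but deliberate: a self-signed bundled certificate is a root and
# goes to Trusted Root; anything else is an intermediate and goes to the "CA" store.
# Trusting a root is the consequential step, so log exactly what is being trusted.
function Add-ToMachineStore([string]$storeName, $certificate) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($certificate)
    $store.Close()
}
foreach ($c in $others) {
    if ($c.Subject -eq $c.Issuer) {
        Write-Host "Trusting root: $($c.Subject) [$($c.Thumbprint)]"
        Add-ToMachineStore 'Root' $c
    } else {
        Add-ToMachineStore 'CA' $c
    }
}

# Confirm that the leaf now chains to a trusted root (revocation off: a private CA
# usually publishes no CRL).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    "Chain OK: $($leaf.Subject)"
} else {
    $chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize
}
```

If the PFX was produced for the current user only (certutil -user), replace LocalMachine with CurrentUser in the Personal and CA stores; the current-user Root store, however, will still prompt, because Windows protects that store regardless of the tool used to write to it.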

Importing a .pfx or .p12 file to a remote certificate store is not supported

I tried to use MMC with the Certificates (Remote Computer) snap-in to import a p12 certificate into the Personal certificate store of a remote Windows 2008 Server Core computer.
Certificate Import Wizard tells me:
'Importing a .pfx or .p12 file to a remote certificate store is not supported'
Is there an alternative way to do this?
I found out that I can do everything with certutil and winhttpcertcfg like this:
1) add .p12 to Personal key store
certutil -p P#ssword -importpfx cert.p12
2) add .cer certificate as trusted publisher
certutil -addstore TrustedPublisher cert.cer
3) check which users have access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -l
4) grant access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -g -a user#domain.com
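The answer's four steps run locally on the server with certutil and winhttpcertcfg. The script below is an added example for this page (not code from the question or the answer) that performs the same four steps from the administrator's workstation over PowerShell remoting, using only .NET and the built-in store API, so no file has to be copied to the server and no wizard is involved. The host name core-server-01, the file .\cert.p12 and the service account CONTOSO\svc-web are placeholders; it assumes remoting is enabled on the target and that the caller is a local administrator there.

```powershell
# Added example (editor's own; not code from the question or the answer).
# Assumptions: PowerShell remoting is enabled on the target, the caller is a local
# administrator there, the file is .\cert.p12, and the account that must use the key is
# a placeholder (CONTOSO\svc-web). Works with the PowerShell 2.0 that ships on 2008.

$computer = 'core-server-01'                 # placeholder host name
$keyUser  = 'CONTOSO\svc-web'                # placeholder service account
$p12Bytes = [System.IO.File]::ReadAllBytes((Resolve-Path '.\cert.p12').Path)
$password = Read-Host -AsSecureString 'PFX password'   # SecureString is encrypted on the wire

Invoke-Command -ComputerName $computer -ArgumentList $p12Bytes, $password, $keyUser -ScriptBlock {
    param([byte[]]$bytes, [System.Security.SecureString]$pwd, [string]$grantTo)

    # 1) Load the PFX from memory into the machine key set so the private key is persisted
    #    under LocalMachine and not in the remote profile of the account running this.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $bytes, $pwd, $flags
    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $my.Open('ReadWrite'); $my.Add($cert); $my.Close()

    # 2) Public part only into Trusted Publishers (the answer's certutil -addstore step).
    #    The leading comma keeps the byte[] as one constructor argument.
    $public = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cert.Export('Cert'))
    $tp = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $tp.Open('ReadWrite'); $tp.Add($public); $tp.Close()

    # 3)/4) Equivalent of winhttpcertcfg -l / -g: an RSA CSP key is a file under MachineKeys,
    #    and Read on that file is what lets another account use the key. CNG keys are stored
    #    elsewhere and expose no CspKeyContainerInfo, so stop rather than guess a path.
    $rsa = $cert.PrivateKey
    if ($rsa -eq $null -or -not $rsa.CspKeyContainerInfo) {
        throw 'Private key is not a CSP key; set the ACL under ProgramData\Microsoft\Crypto\Keys instead'
    }
    $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grantTo, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Report what was installed and who can read the key now.
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        KeyReaders = ((Get-Acl -Path $keyFile).Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}
```

The ACL grant is Read only: a service that presents the certificate needs to use the key, not to export or replace it, which is the same least-privilege outcome winhttpcertcfg -g gives.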