I have created a WCF service with username/password and certificate authentication. It works fine from Visual Studio.
Now, I would like to host the WCF service on IIS (development server).
Server: Windows Server Standard without Hyper-V (Service Pack 2)
IIS: 7
Can someone show me the way to create a self-signed certificate on the server and assign it to IIS for the WCF service (Chain Trust certificate)? And how can I generate the key certificate for the clients to consume the service?
Thank you
Bear with me if the procedure is quite long, but this procedure helped me create a self-signed CA during our development.
Steps on how to create a self-signed certificate:
Assumptions:
Visual Studio is already installed (2012/2013/2015).
You already have basic knowledge of digital certificates (X.509).
Steps:
1. Open Visual Studio Tools and choose Developer Command Prompt for VS2013/VS2012 as an administrator. Then navigate (cd) to the location where you want to save your certificates.
2. We first need to create a Root Authority as our CA for signing certificates. To create the Root Authority certificate, we use the makecert.exe tool that comes with Visual Studio. For more detail regarding makecert.exe please refer here.
Command: makecert -n "CN=DevRootCA" -r -sv DevRootCA.pvk DevRootCA.cer
Explanation: The command above generates a root authority certificate for signing certificates.
3. Create a self-signed certificate using our Root Authority certificate from Step 2.
Command: makecert -pe -n "CN=localhost" -ss my -sky exchange -sk DevCert -iv DevRootCA.pvk -ic DevRootCA.cer -sr localmachine DevCert.cer
Explanation: The command above creates a certificate named "DevCert.cer" and stores it in the Local Computer store. To view the certificates stored on your local computer, use Microsoft Management Console (mmc.exe). Please refer here.
4. In order for the server and client to trust the certificate named "DevCert.cer", you need to install the Root Authority certificate on both the client and the server.
Open Microsoft Management Console and follow here.
Navigate to Certificates (Local Computer)
Trusted Root Certification Authorities
Certificates
At the right side of the panel, right click an empty space, then All Tasks
Import certificate, then locate your Root Authority certificate.
5. Export the self-signed certificate named "DevCert.cer" with its private key for your client.
Use MMC again for this step and navigate to
Certificates (Local Computer)
Trusted Root Certification Authorities
Certificates
At the right side of the panel, right click the certificate that you want to export
All Tasks
Export (Press Next)
Choose the option Yes, export the private key
Leave the default option (Press Next)
Enter a password (Press Next). Note: The password must match the previous password you entered upon creation.
Browse to where you want to save it
Next and Finish
Use the exported certificate and install it on your client machine.
How to install a self-signed certificate in IIS:
Assumptions:
You already have the certificate installed on your client machine or server.
How to install a self-signed certificate using MMC.
Steps:
Open IIS Manager and click the local host entry that corresponds to your machine, right after Start Page.
Click Default Web Site.
At the right side of the Actions pane, click Bindings.
Click Add, choose Type: https and click OK. (If https already exists, just change the certificate.)
Choose the SSL certificate that corresponds to your certificate. Then click OK and Close.
To verify that your website is already using the certificate you set up, go to your browser and navigate to your site, and see if it prompts you about the certificate or if the site has a padlock beside the URL. Click the padlock and check that it is your certificate.
Important: This procedure is for the development cycle only and not for production. For production you need to acquire an SSL certificate from a Certificate Authority.
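The same dev PKI as the makecert steps above, built with the PKI module cmdlets instead, as an added example that is not part of the answer. It assumes Windows 10 / Server 2016 or later (New-SelfSignedCertificate -Signer needs it), an elevated PowerShell session, and C:\DevCerts as an assumed output folder.

```powershell
# Added example (not the answer's own commands): root CA + localhost server cert,
# trust import, PFX export, chain check and IIS binding with the PKI cmdlets.
# Assumes Windows 10 / Server 2016+, an elevated session, and the folder C:\DevCerts.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\DevCerts'   # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA (the makecert -r step): CA basic constraint, cert-signing key usage.
$root = New-SelfSignedCertificate -Subject 'CN=DevRootCA' -Type Custom `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}ca=true') `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate for localhost signed by the root (the -iv/-ic step);
#    the EKU extension limits it to server authentication.
$leaf = New-SelfSignedCertificate -DnsName 'localhost' -Signer $root `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Trust the root on this machine (the MMC import into Trusted Root Certification
#    Authorities) and keep the .cer so clients can import it the same way. Only the
#    root's public certificate leaves the box; its private key stays in LocalMachine\My.
Export-Certificate -Cert $root -FilePath "$outDir\DevRootCA.cer" | Out-Null
Import-Certificate -FilePath "$outDir\DevRootCA.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Export the server certificate with its private key (the "Export the private key" step).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for DevCert.pfx'
Export-PfxCertificate -Cert $leaf -FilePath "$outDir\DevCert.pfx" `
    -Password $pfxPassword | Out-Null

# 5. Validate the chain the way a client will: trusted root, usable for TLS, name matches.
Test-Certificate -Cert $leaf -Policy SSL -DNSName 'localhost'

# 6. Bind the certificate to Default Web Site on 443 (the IIS Manager Bindings dialog).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($leaf.Thumbprint, 'my')
```

Step 5 prints True when the root is trusted and the certificate is valid for https://localhost; on a client machine, import only DevRootCA.cer into Trusted Root Certification Authorities and re-run that check.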
I am implementing Always Encrypted in my web application, which inserts data via a WCF service hosted by a Windows service. I am getting the following error while inserting data into an encrypted column.
Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '64-56-87-3B-EC-2E-11-9D-2A-B5'.
Certificate with thumbprint 'A0D10777759BBD947EEA6F3F5D1A7989514C45F0' not found in certificate store 'My' in certificate location 'CurrentUser'. Verify the certificate path in the column master key definition in the database is correct, and the certificate has been imported correctly into the certificate location/store.
Parameter name: masterKeyPath
The solution to this issue is:
Run MMC.
Select the Certificates snap-in in the console.
Locate your Always Encrypted certificate, under either My user account or the Machine account.
Right click -> All Tasks -> Manage Private Keys.
Add the Windows user that is making the SQL connection.
The user could be the process user; it can be either IIS or any Windows logon user.
It solved my issue.
Ok, I found out the problem. The case was exactly this: I set up Always Encrypted for a column using SQL Server Management Studio, which I started with my own account. Because I ran the SSMS process with my own Windows account, it placed the certificate inside the Current User / My store of my account. However, the IIS application pool is running with a different account, so it couldn't find the certificate under my account's CurrentUser/My store.
I restarted the IIS application pool with the same account that started SSMS and created the certificate, and the problem was gone.
Thanks
This can happen when you start using the database with Visual Studio or a web server on a different machine than the one where the Always Encrypted DB is stored.
Part of your message will be: Certificate with thumbprint '............BAE90' not found in certificate store 'My' in certificate location 'CurrentUser'.
Go to the computer where the database resides.
Open the Certificate Manager.
Right click on 'Certificates - Current User' and do a Find on the last few digits (in the example, BAE90).
Use "Look in field: SHA1 Hash".
Once you find the cert, right click on it and export it to a file.
Open the Certificate Manager on the new Visual Studio machine, import the certificate, and you should be good to go.
As in the other answers, you also need to 'sync' the user in the app pool to the user for which the cert has been added.
I faced the same issue and tried many solutions, but the actual solution is very simple and solved my issue.
To install the certificate on the IIS server, irrespective of whether the DB is on another server or the same server:
1 - Go to the certificate manager of the IIS server: type certmgr.msc in "Run" and press Enter.
2 - You will find the Personal folder --> Certificates folder: right click on it and import your certificate.
3 - Select your certificate from file, then instead of installing it in Personal select the auto-detect path radio button and finish the installation.
4 - Remember this installed certificate will not be seen under your Personal --> Certificates folder, but your application will run after this, as the certificate is installed automatically in the right path.
This solution worked for me after 3 days of R&D.
I encountered the same issue and just wanted to share how I fixed it. My app is a .NET Core Web API hosted in IIS on Windows Server 2016. SQL Server is also installed on Windows Server 2016.
I created the certificate inside Windows Server.
Via RDP, perform the Always Encrypted steps.
Using SSMS, right click the table then select Encrypt Column.
On Column Selection, select which table/fields to encrypt. Then choose the encryption type and click Next.
On the Master Key Configuration window, choose the following, then click Next.
Select column master key: Auto generate,
Select the key store provider: Windows certificate store,
Select a master key source: Local Machine
On the Run Settings window, choose Proceed to Finish Now, then click Finish.
On the Summary window, click Finish.
On the Results window, make sure all the tasks completed successfully.
Verify that the certificate was created for Local Machine. Open Certificates for Local Machine:
Click Windows, then start typing Certificates. You will see two matches: 1. Manage User Certificates, and 2. Manage Computer Certificates. Click Manage Computer Certificates.
The Certificates Manager window will open. You should see Always Encrypted Auto Certificate1 in this path: Certificates (Local Computer) > Personal > Certificates.
Add permissions for IIS_IUSRS.
In Certificates Manager, right click Always Encrypted Auto Certificate1, then select All Tasks > Manage Private Keys.
On the Permissions window, click Add. On the Select Users or Groups window, search for the IIS_IUSRS user, then click Check Names. Then click OK. Give IIS_IUSRS Full Control.
Please note the IIS application pool identity in my case is LocalService.
After all the steps, I was able to access the .NET Core Web API executing stored procedures for tables where Always Encrypted is enabled.
To query the tables from my local machine, I downloaded the certificate from Windows Server, then imported it on my local machine. When you import on the local machine, make sure it is also imported in Certificates - Local Computer > Personal > Certificates.
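The answers above all come down to the same two checks: which store location actually holds the column master key certificate, and whether the account running the application can read its private key. The following script, added here and not part of any of the answers, performs both and grants Read (sufficient for decryption, unlike the Full Control granted above) on the key file. The thumbprint is the one quoted in the error; $identity is a placeholder for your app pool account; run it elevated.

```powershell
# Added example, not part of any answer above: find the column master key certificate
# by thumbprint, report which store holds it, and grant the app pool identity Read on
# its private key (the "Manage Private Keys" step). $identity is a placeholder.
$ErrorActionPreference = 'Stop'
$thumbprint = 'A0D10777759BBD947EEA6F3F5D1A7989514C45F0'   # value quoted in the error message
$identity   = 'IIS AppPool\DefaultAppPool'                  # or 'NT AUTHORITY\LOCAL SERVICE', 'IIS_IUSRS'

# The driver looks only in the location named in the CMK path (CurrentUser when omitted),
# and a CurrentUser\My certificate is invisible to an app pool running as another account.
$found = foreach ($loc in 'CurrentUser', 'LocalMachine') {
    Get-ChildItem "Cert:\$loc\My" | Where-Object Thumbprint -eq $thumbprint |
        Select-Object @{n = 'Location'; e = { $loc }}, HasPrivateKey, Subject, PSPath
}
if (-not $found) { throw "Thumbprint $thumbprint is in neither CurrentUser\My nor LocalMachine\My" }
$found | Format-Table -AutoSize

$machineCopy = $found | Where-Object Location -eq 'LocalMachine' | Select-Object -First 1
if (-not $machineCopy) { throw 'Import the certificate (with its private key) into LocalMachine\My first' }
$cert = Get-Item $machineCopy.PSPath

# Resolve the key container file: CAPI keys live under RSA\MachineKeys, CNG keys under Keys.
$keyName = try { $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { $null }
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $rsa.Key.UniqueName
}
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $keyName not found under $env:ProgramData\Microsoft\Crypto" }

# Grant Read on the key file; Read is enough for the process to decrypt with the key.
$acl  = Get-Acl $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
(Get-Acl $keyFile.FullName).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

If the certificate only shows up under CurrentUser, either change the column master key path in the database to LocalMachine/My/<thumbprint> after importing it there, or run the app pool as the account that owns that user store, as the earlier answer did.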
We are trying to set up multiple authentication using OWIN/Katana, and the Web API will be hosted on IIS 10 with certificate authentication and Windows authentication. I'm following this blog by Andras Nemes to set up my local client and server certificate authentication. Unfortunately, after setting up the Web API in IIS, when I try to access the website with the client certificate, I'm getting a 403 Forbidden error which says that the certificate is not trusted or invalid. I'm not sure what is causing this issue.
I tried setting up my IIS by following other posts as well; I've tried to add the website certificate to IIS and bind it with mylocalsite.local, and tried with and without editing "system.webServer/security/authentication/iisClientCertificateMappingAuthentication".
After searching a lot I found similar results, but none of them worked. I'm not sure whether it is because IIS 10 has a different workflow for configuring the client/server certificate authentication mechanism, or whether there is a problem with my certificates.
Following are my self-signed certificates, and I also have their pfx files.
RootCertificate:
RootCertificate.cer has been installed in Local Computer Trusted Root Certification Authorities as well as in Current User Trusted Root Certification Authorities.
localtestclientcert:
localtestclientcert.pfx has been installed in Current User under Personal certificates.
mylocalsite.local:
mylocalsite.local.pfx has been installed in Local Computer under Personal certificates.
(Screenshots: IIS Server Certificates, website bindings, SSL settings of the website.)
EDIT 1: Modified "Trusted Certificates" to "Trusted Root Certification Authorities" for clarity
The solution is to add the root certificate to the trusted authorities using MMC (machine account) as indicated in this tutorial:
https://learn.microsoft.com/en-gb/archive/blogs/asiatech/how-to-create-an-iis-website-that-requires-client-certificate-using-self-signed-certificates
If you import the certificate into the personal account using certmgr, you'll get this error.
I have a client who has a requirement to validate users logging into my web application against his Active Directory using LDAP. In trying to connect using the DirectoryEntry and DirectorySearcher .NET classes, I can connect to his AD server but not access it.
The client's AD server has an SSL certificate for which he has given me a public key file, but I don't know how to use this public key file in my C# code.
When I issue the connect command through code, I see, via Wireshark, my application sending the connection request. I then see the server responding with "Server Hello, Certificate, Certificate Request, Server Hello Done". Then my application never responds after that.
Using another application, written by somebody else, for which I do not have the code, I see the same request from the server and then see the application respond with "Certificate, Client Key Exchange", and then the application connects and runs.
With that said, my question becomes: how can I get my C# application to load and send the key file I got from the client?
The key file needs to be installed on the user's machine / user account.
Take a look at the following to understand how to install the digital certificate...
See step 3...
http://msdn.microsoft.com/en-us/library/ff649247.aspx
Step 3. Request and Install a Client Certificate
This procedure installs a client-side certificate. You can use a certificate from any certificate authority, or you can generate your own certificate using Microsoft Certificate Services as described in the following sections.
This procedure assumes that Microsoft Certificate Services is configured for pending requests, which require an administrator to explicitly issue the certificate. It can also be configured to automatically issue certificates in response to certificate requests.
To check the certificate request status setting
On the Microsoft Certificate Services computer, select Certification Authority from the Administrative Tools programs group.
Expand Certification Authority (Local), right-click the certification authority and click Properties.
Click the Policy Module tab, and then click Configure.
Check the default action.
The following procedure assumes that Set the certificate request status to pending. Administrator must explicitly issue the certificate is selected.
To request a client-side certificate
Start Internet Explorer and navigate to http://hostname/certsrv, where hostname is the name of the computer on which Microsoft Certificate Services is installed.
Click Request a certificate, and then click Next.
On the Choose Request Type page, click User Certificate, and then click Next.
Click Submit to complete the request.
Close Internet Explorer.
To issue the client-side certificate
From the Administrative Tools program group, start the Certification Authority tool.
Expand your certificate authority, and then select the Pending Requests folder.
Select the certificate request you just submitted, point to All Tasks on the Action menu, and then click Issue.
Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
On the Details tab, click Copy to File to save the certificate as a Base-64 encoded X.509 certificate.
Close the properties window for the certificate.
Close the Certification Authority tool.
To install the client-side certificate
To view the certificate, start Windows Explorer, navigate to the .cer file saved in the previous procedure, and then double-click it.
Click Install Certificate, and then click Next on the first page of the Certificate Import Wizard.
Select Automatically select the certificate store based on the type of certificate, and then click Next.
Click Finish to complete the wizard. Dismiss the confirmation message box, and then click OK to close the certificate.
Step 4. Verify Client Certificate Operation
This procedure verifies that you can access the SecureApp application using a client certificate.
To verify client certificate operation
Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx.
Confirm that the Web page displays successfully.
How do I export or import a PKCS#12 certificate?
PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx.
To create a PKCS#12 certificate, you’ll need a private key and a certificate. During the conversion process, you’ll be given an opportunity to put an “Export Password” (which can be empty, if you choose) on the certificate.
# create a file containing the key and a self-signed certificate
# (2048-bit RSA; 1024-bit keys are no longer considered secure)
openssl req \
  -x509 -nodes -days 365 \
  -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
# export mycert.pem as a PKCS#12 file, mycert.pfx
openssl pkcs12 -export \
  -out mycert.pfx -in mycert.pem \
  -name "My Certificate"
If someone sends you a PKCS#12 file and any passwords needed to work with it, you can export it into standard PEM format.
# export the certificate and a passphrase-less key
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
# same as above, but you'll be prompted for a passphrase for
# the private key
openssl pkcs12 -in mycert.pfx -out mycert.pem
I have already installed the SSL cert on the user's PC. I also imported the cert under Local Computer / Trusted Root Certification Authorities. I am trying to consume the web service. In my code I attach the cert as below.
webservice.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
But I get the following error.
Cannot find the certificate in either the LocalMachine store or the CurrentUser store
What could be the issue? I'm using .NET Framework 2.0, so I'm not able to use WCF. Thanks.
That means:
probably you have the wrong certificates installed, or
you installed the certificates in the wrong place.
An easy way to tell whether you have a client certificate installed properly is:
Launch IE.
Open Tools | Internet Options.
On the Content tab, click the Certificates button.
Then you should see the cert under Personal (read the cert path and see whether it contains errors), and you will be able to use it in your WinForms application.
I experienced a similar issue. In my case it was solved by using MMC and giving Full Control rights on the certificate to the user IIS_IUSRS. My website is running under ApplicationPoolIdentity. This answer guided me to the right path: How to give ASP.NET access to a private key in a certificate in the certificate store?
I had the same error when trying to connect to a service that hadn't been set to use SSL. Once I changed the configuration of the service to use SSL, the connection worked fine.
You may also get that error if the account doesn't have access to the private key, which WinHttpCertCfg.exe from the Windows Resource Kit can solve.
I've got a self-signed certificate for testing in development. I've added it under the "Trusted Root Certification Authorities" folder in Certificate Manager, and when visiting the site in IE or Chrome it's accepted as valid (Firefox doesn't like the fact that it is self-signed).
However, when my C# client tries to connect to call a web service or to open an SSL socket, it gets an exception saying "Could not establish trust relationship for the SSL/TLS secure channel with authority '[server address]'." Even more annoyingly, this doesn't happen when I debug via Visual Studio; it only happens when I try to run it from a test machine which has also had the certificate added to the trusted group.
What criteria is .NET using to validate my certificate?
Did you add the certificate as a trusted root authority under the Current User, a specific service account or under Local Machine? Most likely you added the new root authority for the current user only, so any service that runs under a different account will not trust the certificate.
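To see the difference between "trusted for me" and "trusted for the machine" that the answer describes, the following script, added here and not part of the question or answer, builds the chain for the server certificate with the same X509Chain class the .NET client uses and then checks which Root store holds the chain's root. It assumes the server certificate sits in LocalMachine\My and uses a placeholder thumbprint.

```powershell
# Added example (not the poster's code): build the chain as X509Chain does and
# report where the root is trusted. $serverThumbprint is a placeholder value.
$serverThumbprint = 'PUT-YOUR-SERVER-CERT-THUMBPRINT-HERE'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $serverThumbprint
if (-not $cert) { throw "Certificate $serverThumbprint is not in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # dev self-signed certs carry no CRL
$ok = $chain.Build($cert)
"Chain builds for the current user: $ok"
foreach ($s in $chain.ChainStatus) {
    "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# The last element of the chain is the root the client must trust. A root imported
# into CurrentUser\Root counts only for this account; services and app pools running
# as other accounts see LocalMachine\Root alone.
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootThumb)
$inUserRoot    = [bool](Get-ChildItem Cert:\CurrentUser\Root  | Where-Object Thumbprint -eq $rootThumb)
"Root $rootThumb trusted in LocalMachine\Root: $inMachineRoot, CurrentUser\Root: $inUserRoot"
if ($inUserRoot -and -not $inMachineRoot) {
    Write-Warning 'Root is trusted only for this user; other accounts on this machine will reject it.'
}
```

A chain that builds with UntrustedRoot in ChainStatus on the test machine, while the root shows up only in CurrentUser\Root, is exactly the "works in Visual Studio, fails as a service" symptom from the question.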