Closed 10 years ago.
I have a client who has a requirement to validate users logging into my web application against his active directory using LDAP. In trying to connect using the DirectoryEntry and DirectorySearcher .NET classes, I can connect to his AD Server but not access it.
The client's AD server has an SSL Certificate for which he has given me a public key file but I don't know how to use this public key file in my C# code.
When I issue the connect command through code, I see, via Wireshark, my application sending the connection request. I then see the server responding with "Server Hello, Certificate, Certificate Request, Server Hello Done". Then my application never responds after that.
In using another application, written by somebody else for which I do not have code, I see the same request from the server and then see the application respond with "Certificate, Client Key Exchange" and then the application connects and runs.
With that said, my question then becomes, how can I get my C# application to load and send the key file I got from the client?
The key file needs to be installed into the user's machine / user account.
Take a look at the following to understand how to install the digital certificate...
See step 3...
http://msdn.microsoft.com/en-us/library/ff649247.aspx
Step 3. Request and Install a Client Certificate
This procedure installs a client-side certificate. You can use a certificate from any certificate authority, or you can generate your own certificate using Microsoft Certificate Services as described in the following sections.
This procedure assumes that Microsoft Certificate Services is configured for pending requests, which require an administrator to explicitly issue the certificate. It can also be configured to automatically issue certificates in response to certificate requests.
To check the certificate request status setting
On the Microsoft Certificate Services computer, select Certification Authority from the Administrative Tools programs group.
Expand Certification Authority (Local), right-click the certification authority and click Properties.
Click the Policy Module tab, and then click Configure.
Check the default action.
The following procedure assumes that "Set the certificate request status to pending. Administrator must explicitly issue the certificate" is selected.
To request a client-side certificate
Start Internet Explorer and navigate to http://hostname/certsrv, where hostname is the name of the computer on which Microsoft Certificate Services is installed.
Click Request a certificate, and then click Next.
On the Choose Request Type page, click User Certificate, and then click Next.
Click Submit to complete the request.
Close Internet Explorer.
To issue the client-side certificate
From the Administrative Tools program group, start the Certification Authority tool.
Expand your certificate authority, and then select the Pending Requests folder.
Select the certificate request you just submitted, point to All Tasks on the Action menu, and then click Issue.
Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
On the Details tab, click Copy to File to save the certificate as a Base-64 encoded X.509 certificate.
Close the properties window for the certificate.
Close the Certification Authority tool.
To install the client-side certificate
To view the certificate, start Windows Explorer, navigate to the .cer file saved in the previous procedure, and then double-click it.
Click Install Certificate, and then click Next on the first page of the Certificate Import Wizard.
Select "Automatically select the certificate store based on the type of certificate", and then click Next.
Click Finish to complete the wizard. Dismiss the confirmation message box, and then click OK to close the certificate.
Step 4. Verify Client Certificate Operation
This procedure verifies that you can access the SecureApp application using a client certificate.
To verify client certificate operation
Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx.
Confirm that the Web page displays successfully.
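Once the client certificate and its private key sit in the Personal store of the account the application runs as, the code side is a matter of picking that certificate out of the store and handing it to the LDAP connection. The following is an added example, not code from the question or the answer above, using System.DirectoryServices.Protocols rather than DirectoryEntry because LdapConnection exposes a ClientCertificates collection. The host name, the thumbprint, the port 636 and the simple bind with the user's own credentials are assumptions; the private key must be present in the store (a .cer file alone carries only the public half, which is why the handshake stalls after the server's Certificate Request).

```csharp
// Added example: LDAPS bind to Active Directory presenting a client certificate.
// Assumes the certificate plus private key were imported into CurrentUser\My or
// LocalMachine\My for the running account. Host and thumbprint are placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapsClientCertBind
{
    // Search CurrentUser\My, then LocalMachine\My, and insist on a private key:
    // the "Certificate, Client Key Exchange" step of the handshake cannot be
    // completed with a public-key-only certificate.
    static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        foreach (StoreLocation location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                foreach (X509Certificate2 cert in
                         store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false))
                {
                    if (cert.HasPrivateKey) return cert;
                }
            }
            finally
            {
                store.Close();
            }
        }
        throw new InvalidOperationException(
            "No certificate with a private key for thumbprint " + thumbprint + " in a Personal store.");
    }

    // Returns true when the user's credentials are accepted by the directory over
    // an LDAPS session that was set up with our client certificate.
    public static bool ValidateUser(string ldapHost, string clientCertThumbprint,
                                    string userPrincipalName, string password)
    {
        // Port 636 = LDAP over SSL/TLS; the host must match the server certificate's name.
        var identifier = new LdapDirectoryIdentifier(ldapHost, 636, true, false);
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;
            connection.ClientCertificates.Add(FindClientCertificate(clientCertThumbprint));
            connection.AuthType = AuthType.Basic; // simple bind, acceptable only because the channel is TLS
            try
            {
                connection.Bind(new NetworkCredential(userPrincipalName, password));
                return true;
            }
            catch (LdapException)
            {
                return false; // wrong password, unknown user, or the directory refused the session
            }
        }
    }

    public static void Main()
    {
        bool ok = ValidateUser("dc01.example.test",                      // placeholder host
                               "0000000000000000000000000000000000000000", // placeholder thumbprint
                               "user@example.test", "password-from-login-form");
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

Run this under the same account the web application uses (the application pool identity, not the developer's account), since the store lookup is per account; a certificate that is visible in the developer's CurrentUser\My store is invisible to a service running as NETWORK SERVICE.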
How do I export or import a PKCS#12 certificate?
PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx.
To create a PKCS#12 certificate, you’ll need a private key and a certificate. During the conversion process, you’ll be given an opportunity to put an “Export Password” (which can be empty, if you choose) on the certificate.
```sh
# create a file containing key and self-signed certificate
# (1024-bit RSA is below today's minimum; 2048 or larger is the usual choice now)
openssl req \
  -x509 -nodes -days 365 \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export \
  -out mycert.pfx -in mycert.pem \
  -name "My Certificate"
```
If someone sends you a PKCS#12 and any passwords needed to work with it, you can export it into standard PEM format.
```sh
# export certificate and passphrase-less key
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

# same as above, but you'll be prompted for a passphrase for
# the private key
openssl pkcs12 -in mycert.pfx -out mycert.pem
```
I have created WCF Service with username/password & certificate authentication. It works fine from visual studio.
Now, I would like to host the WCF service on IIS (development server).
Server: Windows Server Standard without Hyper-V (Service pack 2)
IIS: 7
Can someone show me the way to create a self-signed certificate on the server and assign it to IIS for the WCF service (Chain Trust Certificate)? And how can I generate the key certificate for the clients to consume the service?
Thank You
Bear with me if the procedure is quite long, but this procedure helped me to create a self-signed CA during our development.
Steps on how to create self-signed certificate:
Assumptions:
Visual Studio was already installed (2012/2013/2015).
You already have basic knowledge of digital certificates (X.509).
Steps:
1. Open Visual Studio Tools and choose Developer Command Prompt for VS2013/VS2012 as an administrator. Navigate (cd) to the location where you want to save your certificates.

2. We first need to create a Root Authority as our CA for signing certificates. To create the Root Authority certificate, we use the makecert.exe tool that comes with Visual Studio. For more detail regarding makecert.exe please refer here.

   Command:

   ```
   makecert -n "CN=DevRootCA" -r -sv DevRootCA.pvk DevRootCA.cer
   ```

   Explanation: The command above will generate a root authority certificate for signing certificates.

3. Create the self-signed certificate using our Root Authority certificate that came from Step 2.

   Command:

   ```
   makecert -pe -n "CN=localhost" -ss my -sky exchange -sk DevCert -iv DevRootCA.pvk -ic DevRootCA.cer -sr localmachine DevCert.cer
   ```

   Explanation: The command above will create a certificate named "DevCert.cer" and store it in the Local Computer store. To view certificates stored on your local computer, use Microsoft Management Console (mmc.exe). Please refer here.
4. In order for the server and client to trust the certificate named "DevCert.cer", you need to install the Root Authority certificate on both client and server.

   Open Microsoft Management Console and follow here.
   - Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
   - On the right side of the panel, right-click in the empty space > All Tasks > Import certificate, then locate your Root Authority certificate.

5. Export the self-signed certificate named "DevCert.cer" with its private key for your client.

   Use MMC again for this step:
   - Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
   - On the right side of the panel, right-click the certificate that you want to export > All Tasks > Export (press Next).
   - Choose the option "Yes, export the private key".
   - Leave the default option (press Next).
   - Enter a password (press Next). Note: the password must match the password you entered upon creation.
   - Browse to where you want to save it.
   - Next and Finish.

6. Use the exported certificate and install it on your client machine.
Use exported certificate and install to your client machine.
How to install the self-signed certificate in IIS:

Assumptions:
- You already have the certificate installed on your client machine or server.
- How to install a self-signed certificate using MMC.

Steps:
1. Open IIS Manager and click the local host that corresponds to your machine, right after the start page.
2. Click Default Web Site.
3. On the right side of the Actions pane, click Bindings.
4. Click Add, choose Type: https, and click the OK button. (If https already exists, just change the certificate.)
5. Choose the SSL Certificate that corresponds to your certificate. Then click OK and close.

To verify that your website is already using the certificate you set up, go to your browser and navigate to your site, and see whether it prompts you about the certificate or whether the site has a padlock beside the URL. Click the padlock and see if it is your certificate.
Important: This procedure is for development cycle only and not for production. For production you need to acquire SSL certificate from Certificate Authority.
On a Certificate provider, StartSSL, when you register, you put in your email and a password. They generate a certificate (.pfx) which you need to download and install into your browser.
It was pointed out in the comments that this is a Client Certificate.
So when you click login, in Chrome for example, a window pops up and asks you which certificate to use. I could have several client certificates and log into separate accounts based on what I select. They warn that if you lose the certificate then you can't log in to the site without them regenerating a new certificate.
I would like to do this using C#. I would like to generate a client certificate and then use it later to log in as admin without typing in a password.
What are the mechanics of this? How can I generate certificates and use them to log in to my site? I would like to do this on an MVC C# site. I don't mind if I need to generate self-signed certificates; it's only for my own use. At least it gets rid of password forms and brute force attacks.
This is fairly simple: the certificate requirement is an option of the SSL handshake.
First you need to go to the SSL settings in IIS and check the option to accept or require client certificates. This is enough for browsers to automatically pop up the certificate selection window, and the communication is then mutually secured by both server and client certificates.
https://technet.microsoft.com/pl-pl/library/cc753983%28v=ws.10%29.aspx
Then comes the request pipeline. You either need an HttpModule or you just provide a handler for the global application's AuthenticateRequest event. There, you refer to Request.ClientCertificate:
https://msdn.microsoft.com/en-us/library/ms524668%28v=vs.90%29.aspx
You read the certificate's unique properties, for example the thumbprint, use your local database to find the user record that corresponds to the certificate, and set up the Principal for the request lifetime accordingly.
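The AuthenticateRequest handler described above, as an added example that is not part of the original answer. It assumes IIS has already been switched to require client certificates (so the chain validation against the server's trusted roots has happened before the request reaches ASP.NET) and uses a constructed in-memory thumbprint table in place of the database lookup; the thumbprint value, the role name and the class name MvcApplication are placeholders.

```csharp
// Added example: Global.asax code-behind that maps a TLS client certificate to a user.
// Assumes IIS SSL settings are set to "Require" client certificates, so an unvalidated
// or missing certificate never gets this far when the setting is enforced.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Constructed sample table (thumbprint -> user name). In a real site this is a
    // database lookup keyed on the thumbprint recorded when the certificate was issued.
    static readonly Dictionary<string, string> UsersByThumbprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "admin" } // placeholder thumbprint
        };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;
        if (clientCert == null || !clientCert.IsPresent)
        {
            return; // no certificate negotiated: the request stays anonymous
        }

        // HttpClientCertificate.Certificate holds the DER bytes; wrap them to get a
        // thumbprint computed by .NET rather than trusting any header supplied value.
        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        string userName;
        if (!UsersByThumbprint.TryGetValue(cert.Thumbprint, out userName))
        {
            return; // valid certificate, but not one we issued to a known user
        }

        // Identity for this request only; no cookie or session is created, so there is
        // nothing for a password guesser to attack and nothing to steal from the client.
        IIdentity identity = new GenericIdentity(userName, "ClientCertificate");
        Context.User = new GenericPrincipal(identity, new[] { "Admin" });
    }
}
```

Matching on the thumbprint (the SHA-1 hash of the whole certificate) rather than on the subject name means a second certificate with the same "CN=admin" but a different key is not accepted; when an issued certificate is lost, delete its thumbprint from the table and issue a new one, which is the revocation step the StartSSL warning in the question refers to.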
I want to implement the screenshot functionality in Silverlight 5. I purchased a code signing certificate from GoDaddy. We need to do the following things to achieve the goal.
1. Sign the xap file (configured on server)
2. Add the code signing certificate in the Trusted Publishers container under the user account using mmc.exe. (configured on server)
3. Add the key (AllowElevatedTrustAppsInBrowser) in the registry. (configured on end user using custom exe)
4. Import the certificate into the browser. (end user)
I need to manually import the certificate into the browser to achieve the goal.
But I want it to be automated, because I can't instruct end users to import the certificate into their browser.
I am thinking the certificate could be automatically imported into the browser while accessing the application. Please suggest what I am missing.
I got the solution. It's very simple. Let me try to explain it.
If we add/delete the code signing certificate in the Trusted Publishers container, it is reflected in the browser's certificates, and vice versa.
I have already installed the SSL cert on the user's PC. And I also imported the cert under Trusted Root Certification Authorities of Local Computer. I am trying to consume the web service. In my code I attach the cert as below.

```csharp
webservice.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
```

But I got the following error:

"Cannot find the certificate in either the LocalMachine store or the CurrentUser store"
What could be the issue? I'm using .Net Framework 2.0. So, not able to use WCF. Thanks.
That means:
- probably you have the wrong certificates installed, or
- you installed the certificates to the wrong place.

An easy way to tell if you have a client certificate installed properly is:
1. Launch IE.
2. Open Tools | Internet Options.
3. In the Content tab, click the Certificates button.

Then you should see the cert in Personal (read the cert path and see whether it contains errors), and you will be able to use it in your WinForms application.
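The same check done in code, as an added example that is not part of the question or the answers: for one thumbprint it reports which Personal (My) store holds the certificate and whether a private key is attached, then returns a copy that can be added to the proxy's ClientCertificates. It is written against .NET Framework 2.0 (no var, no LINQ) to match the question; the thumbprint is a placeholder. The point it makes beyond the answer is that the runtime only pairs a certificate with its private key when both live in the store, so a certificate built from a .cer file with X509Certificate.CreateFromCertFile can never authenticate a client.

```csharp
// Added example: locate a client certificate with its private key (.NET 2.0 compatible).
// The thumbprint is a placeholder; HasPrivateKey is the property the error is really about.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDiagnostics
{
    static readonly StoreLocation[] Locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };

    // One line per store location, e.g. "LocalMachine\My: present, HasPrivateKey=False".
    public static List<string> Report(string thumbprint)
    {
        List<string> lines = new List<string>();
        foreach (StoreLocation location in Locations)
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (found.Count == 0)
                {
                    lines.Add(location + "\\My: not present");
                }
                foreach (X509Certificate2 cert in found)
                {
                    lines.Add(location + "\\My: present, HasPrivateKey=" + cert.HasPrivateKey
                              + ", expires " + cert.NotAfter.ToString("u"));
                }
            }
            finally
            {
                store.Close();
            }
        }
        return lines;
    }

    // Returns the first copy that carries a private key, or null when only the public
    // half (a .cer import, or a .pfx imported without "export private key") is present.
    public static X509Certificate2 FindWithPrivateKey(string thumbprint)
    {
        foreach (StoreLocation location in Locations)
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                foreach (X509Certificate2 cert in
                         store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false))
                {
                    if (cert.HasPrivateKey) return cert;
                }
            }
            finally
            {
                store.Close();
            }
        }
        return null;
    }

    public static void Main()
    {
        string thumbprint = "0000000000000000000000000000000000000000"; // placeholder
        foreach (string line in Report(thumbprint)) Console.WriteLine(line);

        X509Certificate2 cert = FindWithPrivateKey(thumbprint);
        if (cert == null)
        {
            Console.WriteLine("No usable client certificate: import the .pfx (with key) into a Personal store.");
            return;
        }
        // For the proxy in the question, pass this object instead of CreateFromCertFile():
        // webservice.ClientCertificates.Add(cert);
        Console.WriteLine("Using " + cert.Subject);
    }
}
```

Run it under the account the application actually uses; when it reports the certificate as present in CurrentUser\My only, a service or IIS worker process running as a different account will still fail, which is the situation the next two answers describe.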
I experienced a similar issue. In my case it was solved by using MMC and giving Full Control rights on the certificate to the user IIS_IUSRS. My website is running under ApplicationPoolIdentity. This answer guided me to the right path: How to give ASP.NET access to a private key in a certificate in the certificate store?
I had the same error when trying to connect to a service that hadn't been set to use SSL. Once I change the configuration of the service to use SSL, the connection worked fine.
Also you may get that error if the account doesn't have access to the private key, which WinHttpCertCfg.exe from the Windows Resource Kit can solve.
I've got a self-signed certificate for testing in development. I've added it under the "Trusted Root Certification Authorities" folder in certificate manager, and when visiting the site under IE or Chrome it's accepted as valid (under Firefox it doesn't like the fact it is self-signed).
However, when my C# client tries to connect to call a web service or to open an SSL socket, it gets an exception saying "Could not establish trust relationship for the SSL/TLS secure channel with authority '[server address]'." And even more annoyingly, this doesn't happen when I debug via Visual Studio; it only happens when I try to run it from a test machine which has also had the certificate added to the trusted group.
What criteria is .NET using to validate my certificate?
Did you add the certificate as a trusted root authority under the Current User, a specific Service Account or under Local Machine? Most likely you only added the new root authority for the current user, so any service that runs under a different account will not trust the certificate.
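To see which of those cases applies, the chain building that .NET performs during the handshake can be run directly. The following is an added example, not code from the question or the answer: it builds an X509Chain for the server certificate and lists the status flags that make it fail, then reports whether the self-signed root is present in the CurrentUser or the LocalMachine Trusted Root store. The certificate file path is a placeholder, and the assumption is that the exported server certificate is self-signed, so the root to look for is the certificate itself.

```csharp
// Added example: reproduce .NET's trust decision for a server certificate and find
// which Trusted Root store (if any) holds the root. Path is a placeholder.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class TrustDiagnostics
{
    // Same chain build the TLS handshake performs; an empty list means "trusted".
    // Revocation is switched off so the result isolates the trust question.
    public static List<string> ChainProblems(X509Certificate2 serverCert)
    {
        var problems = new List<string>();
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(serverCert))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // e.g. "UntrustedRoot: A certificate chain processed, but terminated in a
                // root certificate which is not trusted by the trust provider."
                problems.Add(status.Status + ": " + status.StatusInformation.Trim());
            }
        }
        return problems;
    }

    // Which Trusted Root stores contain this root. The chain builder consults
    // LocalMachine\Root plus the *running account's* CurrentUser\Root, so a root that
    // only the developer imported into CurrentUser\Root is invisible to a service.
    public static List<StoreLocation> RootStoresContaining(X509Certificate2 root)
    {
        var result = new List<StoreLocation>();
        foreach (StoreLocation location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.Root, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                if (store.Certificates.Find(X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0)
                {
                    result.Add(location);
                }
            }
            finally
            {
                store.Close();
            }
        }
        return result;
    }

    public static void Main()
    {
        // Placeholder path to the exported self-signed server certificate (.cer).
        var cert = new X509Certificate2(@"C:\path\to\server.cer");

        foreach (string problem in ChainProblems(cert)) Console.WriteLine(problem);
        Console.WriteLine("Root present in: " + string.Join(", ", RootStoresContaining(cert)));
    }
}
```

Run it as the account the failing client runs under (for a Windows service, from inside the service or with a scheduled task under that account); if it prints UntrustedRoot and "Root present in: CurrentUser", the root was imported into the developer's profile only and needs to go into LocalMachine\Root instead. Note that this covers chain trust only: a certificate whose subject or Subject Alternative Name does not match the host name you connect to fails with a separate name-mismatch error even when the chain is trusted.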