How to enable my webservice to use https?

[Sinex]

Hi. I need to write a simulated web service to give to my clients'
development team. For the simulated service the client doesnt want any
authentication...but they want to use https anyways. How do I proceed? An
initial search tells me that I'll need a certificate. Guess I can make
myself a certificate using makecert. But then how do I give that certificate
to the client? Also, in the code do I need to make any checks to ensure that
https is being used?

regards,
Sinex

 

[Scott Holman]

SSL needs a self-signed certificate or a certificate issued by a CA that
contains a private key. Presumably in a test environment we don't have a
CA issued SSL certificate. The following will create a self-signed
certificate



makecert -sk "ssldemo" -pe -r -e "11/11/2006" -sky Exchange

-sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider"

-n "CN=localhost"

-ss MY -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 ssldemo.cer





which generates a self-signed (-r) certificate with exportable (-pe) private
key.

Generates an AT_KEYEXCHANGE 1024 bit keypair in keycontainer "ssldemo".

The keypair uses the RSA SCHANNEL provider type (-sy 12) and associated
provider (-sp ..)

The SubjectName is assigned Common Name "localhost" for local web-test
purposes. Remote connections will require the actual website name used in
the url ( for example: http://MyMachine/MyService.svc would use
CN=MyMachine).

The certificate is generated in the current user MY store.

The ExtendedKeyUsages are specified:

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

The ssldemo.cer file is a x509 certificate and should be installed in the
Trusted Root Certification Authorities store in either LocalMachine (for all
users) or CurrentUser



Refer to
<http://groups.google.com/group/micr...88ee8a2fe3a/b8a30c64c832e2a8#b8a30c64c832e2a8>



If you intend to use this to setup a test web server then you will need to
export the certificate with private key to a *.pfx file. This can be done
with the Certificates MMC plug-in. The pfx file can then be imported into
IIS using the IIS MMC . After importing the pfx file you will need to 1)
add the certificate to Trusted Root CA and 2) set the file permissions on
the private key file to allow the AspNet user read access.





Setting file permissions on Private Keys

The private key is stored on the local machine and the only way to find it
is with FindPrivateKey.exe or with the WseCertificate3.exe tool in the
Microsoft WSE3.0 SDK.



FindPrivateKey.exe is a console tool that you can build from the WCFSamples.
It can be found in \TechnologySamples\Tools after installing the samples.
The samples can be downloaded from



http://www.microsoft.com/downloads/...6c-8f98-40d0-880d-c3339c5da01e&DisplayLang=en



The WSE3.0 tool is available

http://www.microsoft.com/downloads/...fd-3a74-43c5-8ec1-8d789091255d&DisplayLang=en



After you find the file, you can assign read rights to the ASPNet account.
Access rights can also be set via WinHttpCertCfg.exe console application.
This is the preferred tool to use with production servers.