We are providing a REST API (ASP.NET on IIS7) and one of our customers asked for HTTPS. I do not have any experience with SSL and SSL certificates. Is it enough to buy an SSL certificate and install it into IIS7 to get a secure HTTPS connection? Do I need to make any modifications in the REST API (ASP.NET) code/config files?
Please go through the links below:
http://support.microsoft.com/kb/299875
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/
Yes, we first need to create a certificate request and then submit that request to a Certificate Authority (CA). This may be your own server with Certificate Server 2.0 installed on it or an online CA such as VeriSign. Contact the certificate provider of your choice and determine the best level of certificate for your needs. After that you will get the certificate from that CA, and then we need to install it in IIS.
My payment gateway requires ssl certificate pinning for their payment gateway endpoint on my side.
Does Firebase support ssl pinning for cloud functions/hosting?
I can't find this information in the official documentation or anywhere else on the net.
Details published in the bank's technical requirements form:
Response URL and Port Number
Specify the Response URL and Port Number for us to send you payment notification.
SSL Certificate:
(To establish secure connection with your Response URL.)
The standard SSL certificate authority are Comodo or Versign.
Please upload the SSL Certificates for both environments that associate with the UAT and Production URL respectively.
SSL certificates can be in format of .cer or .crt or you may zip it in one zip file.
Note: Payment notification will fail to reach you if you provide incorrect SSL Certificate.
What is described here is a really strange requirement -- it sounds like they're telling you you have to provide them with the specific SSL certificate your site is running.
This is unrealistic for nearly all cases as SSL certificates expire after a year, and particularly unrealistic for Firebase Hosting where certificates only last for three months.
You should be able to download the certificate for your Firebase Hosting site (see e.g. this ServerFault question) and upload it to your bank, but the certificate is going to change approximately every two months.
I'd reach out to your bank and ask them more about this requirement, as it seems bizarre and unduly burdensome. Perhaps they are merely trying to ask for the root certificate in the trust chain? If that's the case, you can provide the Let's Encrypt root certificate and it should be fine for the time being (note: Firebase Hosting does not make a promise of keeping the same certificate authority indefinitely).
I develop a website with Symfony2 and I put it in HTTPS.
I have several questions:
Is the only way to avoid an error message in my browser when I go to my website to have an SSL certificate?
How does the installation of an SSL certificate on a website work?
Verisign offers SSL certificates from 450€/year ( http://www.symantec.com/fr/fr/page.jsp?id=compare-ssl-certificates ). It's quite expensive. Are there other good solutions to get a cheaper certificate?
If your site is not a shop or something commercial, you can get a free cert at startssl.com
See awesome tutorial
(Installing certificate in nginx is almost the same with apache)
UPD
Now use letsencrypt :)
Certificates tell the client you can be trusted. Web browsers come loaded with trusted keys from third parties. Your browser checks the key of the cert coming in and if it is in the list it allows SSL connection (if the IP address in the cert etc is correct). This is why it costs as no doubt the cert providers have their own expenses to be added to browsers and to turn a profit etc.
You can of course produce your own certificate, but it won't be recognised by your client's machine. The user then has to explicitly accept the cert - some browsers like Chrome make this hard as it is a security risk.
Google should help you find the best cert deals from trusted providers.
Your hosting provider should be able to help you set up your cert. If you're self-hosting, that should be its own question, as it could have different answers depending on your setup.
I want to use same SSL certificate in multiple servers, which type of SSL certificate should I use? Unified SSL certificate? or Wildcard SSL certificate?
Thanks
Any certificate can be installed on multiple servers but your question requires more information on how you want to be advised.
A wildcard SSL certificate will secure any subdomain that the Wildcard character is on. So if you have a certificate for *.domain.com then you can secure
secure.domain.com
bob.domain.com
charlie.domain.com
and the list can go on, however it won't work for sub.secure.domain.com as the wildcard only does the single level.
A unified certificate, depending on the provider would only give you 3 subdomains.
mail, owa and autodiscover.domain.com
Also, with a standard certificate you can generally add SANs too, which will allow you to add subdomains at extra cost, but if you are only looking to secure 2 subdomains then a certificate with 1 SAN would be cheaper in most cases than a wildcard.
Give us an example of what you are trying to do and people can probably advise you better.
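The single-level wildcard rule from the answer above, as an added example that is not code from the original posts. It checks hostnames against a certificate's DNS names using the page's own domain.com names; the function names are made up for this illustration, and the "at least two fixed labels" check is a simplification of what browsers enforce.

```python
# Added example: which hostnames a certificate's DNS names cover.
def name_matches(pattern, hostname):
    """Return True if one certificate DNS name covers hostname.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # different depth: the apex or a deeper subdomain
    if p_labels[0] == "*":
        # Simplification: require two fixed labels so "*.com" never matches.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hostnames}


# Constructed inputs built from the names used in the answer above.
WILDCARD = ["*.domain.com"]
SAN_CERT = ["domain.com", "mail.domain.com", "owa.domain.com",
            "autodiscover.domain.com"]
HOSTS = ["secure.domain.com", "bob.domain.com", "sub.secure.domain.com",
         "domain.com", "mail.domain.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD), ("SAN list", SAN_CERT)):
        for host, hit in coverage(names, HOSTS).items():
            status = "covered by " + hit if hit else "NOT covered"
            print(f"{label:9} {host:24} {status}")
```

Note that the wildcard certificate covers neither sub.secure.domain.com nor the bare domain.com, while the SAN certificate covers only the names it lists.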
Securing Multiple Servers With One SSL Certificate
To move your certificate between servers you will need to install the certificate on the same web server that you generated the CSR from. You can then export the SSL certificate and its private key to a PKCS#12 file, or if it is a non-Windows based server you will be able to copy the key and certificate files.
Wildcard SSL Certificates allow you to secure multiple sub domains on the same domain name, thereby saving you time and money, and of course you do not need to manage multiple SSL Certificates on the same server.
I have an ASP.NET site on my local machine.
IIS configuration:
binding: https binding with self-signed certificate,
ssl settings: Require SSL and Require client certificates
I have installed the following certificates on my machine:
CA certificate (call it 'CA Center') in Trusted Root Certification Authorities store.
Client certificate issued by 'CA Center' in Personal store
I go to the site and accept the server certificate. But next I get an error:
HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
That means the browser (IE) doesn't send an applicable client certificate to the server.
What's wrong? Should I configure something else?
I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain that was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:
certutil -addstore -v -enterprise root CertificateAuthority.cer
It sounds like the browser never prompted you to select a client certificate to send which means something is incorrect with the SSL Handshake. Try testing this with OpenSSL.
Additionally, a very common problem is having too many certificates in the Trusted Root CA folder. When the server sends the list of CAs, there is a limit to how large the list can be so if it exceeds the limit, it will truncate the remaining CA certificates. Make sure the Trusted Root CA folder doesn't have too many certificates. One way to check this is temporarily modifying the SCHANNEL in the registry editor to not send the CA List, and then re-try.
Start > Run > 'regedit' > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL >
right-click > New > DWORD > 'SendTrustedIssuerList' > Value:0
Re-install the certificates and check their effective dates. From Microsoft Support:
Download the root server certificate in a browser on the server computer. Run the Iisca.exe command line utility that is located in the Inetsrv directory.
Check the effective date on the client certificate and make sure that the date and time has arrived.
Check the expiration date and make sure that the certificate has not expired. Contact your certificate authority to see if your certificate has expired.
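One way to act on the "test with OpenSSL" and truncated CA list advice above, as an added example that is not code from the original posts. It reads the text printed by `openssl s_client -connect host:443` and reports whether the issuer of your client certificate is among the CA names the server advertised. The function names and sample excerpts are constructed, and the line layout after the CA list is an assumption that varies by OpenSSL version.

```python
import re

HEADER = "Acceptable client certificate CA names"
NONE_SENT = "No client certificate CA names sent"
# Assumed section markers that follow the CA list in s_client output.
END = re.compile(r"^(---|Client Certificate Types|Requested Signature Algorithms)")


def advertised_cas(s_client_output):
    """Return the CA names the server advertised ([] if none were sent),
    or None when the output has no CA-names section at all."""
    lines = [ln.strip() for ln in s_client_output.splitlines()]
    if NONE_SENT in lines:
        return []
    if HEADER not in lines:
        return None
    names = []
    for line in lines[lines.index(HEADER) + 1:]:
        if END.match(line):
            break
        if line:
            names.append(line)
    return names


def common_name(dn):
    """Extract CN from '/C=US/CN=x' or 'C = US, CN = x' style names."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None


def diagnose(s_client_output, client_issuer_cn):
    cas = advertised_cas(s_client_output)
    if cas is None:
        return "no-ca-section"
    if not cas:
        return "no-ca-list"  # client may offer any certificate it holds
    cns = {common_name(dn) for dn in cas}
    return "issuer-advertised" if client_issuer_cn in cns else "issuer-missing"


# Constructed s_client excerpts; 'CA Center' is the issuer named in the question.
LISTED = """---
Acceptable client certificate CA names
/C=US/O=Constructed Org/CN=Constructed Root A
C = US, O = Constructed Org, CN = CA Center
Client Certificate Types: RSA sign, ECDSA sign
---"""
TRUNCATED = LISTED.replace("C = US, O = Constructed Org, CN = CA Center\n", "")
EMPTY = "---\nNo client certificate CA names sent\n---"

if __name__ == "__main__":
    for name, text in (("listed", LISTED), ("truncated", TRUNCATED), ("empty", EMPTY)):
        print(name, "->", diagnose(text, "CA Center"))
```

An "issuer-missing" result is consistent with the browser never prompting for a certificate, and "no-ca-list" is what a server configured not to send the trusted issuer list produces.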
I am trying to use SSL and certificates with a web service (IIS 7, Windows 2008, .NET framework 3.5 SP1). I followed the basic instructions (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/) and was able to get the site running soon. However, I can only connect to it from a client if the client has the web server's certificate in its Trusted Root Certification Authorities/Certificates store. If I don't add the certificate on the client site, I get the error "Could not establish trust relationship for the SSL/TLS secure channel with authority" on trying to connect to the service from client.
That's the correct behavior if you're just using self-signed test certificates. In a public/production environment, your server's certificate would be issued by a common CA like GoDaddy or VeriSign, which you have to pay to obtain.
Most (client) machines already have a large list of updated CA in their trusted root such as GoDaddy, and so a server certificate signed by them for your site will validate as a valid certificate on most* machines (without you needing to provide your cert as a trusted root).
*Most, meaning that there are browsers & operating systems which may be missing (or need updates) on common certificate authorities in their trusted root store.
Where did you get this certificate? If it's not a child of one of the certificates in the root authority already I sure hope you didn't pay money for it. If you're generating them yourself this isn't surprising because nobody trusts your CA server.