A day with .Net

My day-to-day experience in .NET

SSL in ASP.NET

Posted by vivekcek on July 23, 2009

SSL is the standard protocol for securing the communications of web sites and applications. If you are developing your application with ASP.NET on a Windows server, making the necessary configuration for SSL is not very difficult.

Unfortunately, while trying to accomplish this task at work, I discovered there isn’t one good source of information to get the whole job done.

In this series of (about) three posts I will try to get you up to speed on everything you need to do and how it’s done.

So, on to part one: “What is SSL and How Do We Create a Certificate?”. Let’s go.

A Short Intro on SSL

(Ugly oversimplification coming at you)

SSL is the standard protocol for (1)authenticating one or both parties and (2)encrypting communication between the parties.

Authentication is accomplished by a party presenting a valid certificate and proving that it holds the private key matching the public key in that certificate.

Encryption is accomplished in two steps:

Negotiating encryption key(s).
Encrypting communication using the negotiated key.

Setting up SSL for an ASP.NET App

The basic steps to do this are:

Obtaining a certificate for use by the server.
Configuring IIS.
(Optional) Enforcing the use of SSL by creating a redirection mechanism in IIS and ASP.NET.

Usually, it is desirable to create the setup at the development stage, so you can develop, debug and test your application in the same structure it will have in production. So, in this post I will explain the whole setup for your developer station (referred to as localhost).

Obtaining a Server Certificate

What's a certificate? A certificate is a signed data structure that binds the public key of some entity (like your server) to a name (the subject, for a web server the host name), with the signature made by a third party. Presenting a valid certificate, together with proof that you hold the matching private key, assures the person who wants to communicate with you that you are who you claim to be (think driver's license).

To have SSL working in the real world you need to buy a certificate from a Certificate Authority (CA) like Verisign, for example. A trusted CA is an organization whose signing certificate is recognized ("trusted") by client software (the web browser you're using, for example). Continuing with the driver's license metaphor, the CA is the state government that issues the license.

A CA-issued certificate costs money and is only valid for the specific host name it was issued for (the name in the certificate's subject, which the browser compares with the host in the URL), so for development and testing purposes you can create your own "self-signed" certificate.

On a side note, the fellows over at Verisign are basically charging people 1,500 USD for a short string in a file. Talk about a sweet and sustainable business model – no advertising revenue required, thank you very much.

Introducing makecert.exe

Luckily, on a Windows machine you can use the makecert command-line utility (shipped with the Windows SDK and Visual Studio) to create a self-signed certificate.

It has a lot of arguments, so here is the minimal command you need to run on the machine that hosts the application:

makecert -r -pe -n "CN=localhost" -ss my -sr localMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1

The interesting bits are:

-r : makes the certificate self-signed. Without it, makecert signs the certificate with its built-in "Root Agency" test key, which is not what you want and is trusted by nobody.
-n "CN=localhost" : creates the certificate for the host name "localhost". Remember that every certificate is bound to a host name; use the name you will type in the browser.
-pe : marks the private key as exportable, so you can move the certificate to another machine later.
-ss my : places the certificate in the "personal" certificates store.
-sr localMachine : uses the store of the local computer rather than of the current user. IIS runs as a service and cannot see your user store.
-sky exchange : generates a key usable for key exchange, which is what the SSL handshake needs.
-eku 1.3.6.1.5.5.7.3.1 : adds the "Server Authentication" enhanced key usage. A certificate without any EKU is valid for every purpose, but if an EKU is present it must include this value or browsers will reject it for SSL.

The store arguments deserve a word: to view all certificates installed on your machine, use the Certificates MMC snap-in (certmgr.msc shows only your user store; run mmc.exe and add the Certificates snap-in). Choose "Computer account" and you are presented with various "stores", which are basically folders of certificates. For IIS to consume a certificate it must reside in the "Personal" store of the local computer, and it must have its private key attached.

There are additional useful arguments to the makecert utility, but the basic ones I presented will get you up and running. If you can see a certificate named "localhost" in the personal certificates store of the local computer, with the small key icon that marks an attached private key, you are doing fine so far. One caveat: a self-signed certificate is not trusted by any browser, so you will get a certificate warning on every visit until you copy it into the "Trusted Root Certification Authorities" store of the local computer (do this only on development machines).
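Rather than eyeballing the MMC, you can verify the store contents programmatically. The following console program is an added example, not code from the original post; it assumes the CN is "localhost" (as in the makecert command above; pass another CN as the first argument) and .NET Framework 2.0 or later, and must run on the machine hosting the site. It lists every certificate in the Local Computer "Personal" store whose CN matches, and checks the properties IIS and browsers care about: an attached private key, a validity window covering today, whether the certificate is self-signed, and whether an EKU extension, if present, includes Server Authentication.

```csharp
// Added example, not from the original post. Checks LocalMachine\My for a
// certificate with the given CN and reports whether IIS can use it for SSL.
// Assumptions: CN "localhost" by default; .NET Framework 2.0+.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertCheck
{
    // OID of the "Server Authentication" enhanced key usage (id-kp-serverAuth).
    const string ServerAuthEku = "1.3.6.1.5.5.7.3.1";

    static int Main(string[] args)
    {
        string cn = args.Length > 0 ? args[0] : "localhost";
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            int usable = 0;
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // FindBySubjectName is a substring match, so compare the CN exactly.
                string simpleName = cert.GetNameInfo(X509NameType.SimpleName, false);
                if (!string.Equals(simpleName, cn, StringComparison.OrdinalIgnoreCase))
                    continue;

                bool selfSigned = cert.Subject == cert.Issuer;
                bool outsideValidity = DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter;
                string ekuStatus = DescribeEku(cert);

                Console.WriteLine("Thumbprint : " + cert.Thumbprint);
                Console.WriteLine("Subject    : " + cert.Subject);
                Console.WriteLine("Issuer     : " + cert.Issuer + (selfSigned ? " (self-signed)" : ""));
                Console.WriteLine("Valid      : " + cert.NotBefore + " to " + cert.NotAfter
                                  + (outsideValidity ? " (NOT VALID NOW)" : ""));
                Console.WriteLine("Private key: " + (cert.HasPrivateKey ? "present" : "MISSING - IIS cannot use it"));
                Console.WriteLine("EKU        : " + ekuStatus);
                Console.WriteLine();

                if (cert.HasPrivateKey && !outsideValidity) usable++;
            }

            Console.WriteLine(usable > 0
                ? "OK: " + usable + " usable certificate(s) for CN=" + cn
                : "No usable certificate for CN=" + cn + " in LocalMachine\\My");
            return usable > 0 ? 0 : 1;
        }
        finally
        {
            store.Close();
        }
    }

    // A certificate with no EKU extension is valid for any purpose; one that
    // carries the extension must list Server Authentication for SSL use.
    static string DescribeEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ServerAuthEku) return "Server Authentication present";
            return "extension present but Server Authentication MISSING";
        }
        return "no EKU extension (valid for any purpose)";
    }
}
```

Compile it with csc.exe and run it as a user who can read the local computer store (an administrator on the development box). A non-zero exit code means IIS will not be able to serve SSL with that name, which is the most common reason the "Assign an existing certificate" wizard in the next part shows an empty list.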

Stay tuned for the next part, where I will cover configuring IIS for SSL support using the certifcate we created.

This is the second part in an article series about setting up SSL in an ASP.NET application.

You can read the first part here. Go ahead, read it now.

Okay.

Now, that we’ve created an SSL certificate for testing and development purposes, we are ready to make the required configuration in IIS.

Setting Up IIS to Work with SSL

First thing we have to do is configure the web site to use the certificate we created:

From the IIS MMC snap-in, select your web site, right-click “properties” and under “directory security” click “Server Certificate…”.
Click “Assign an existing certificate”. You should be able to see the self-signed certificate you created. Select it and finish the wizard.

At this point IIS is able to answer HTTPS requests using this certificate.

To test that everything is okay, navigate to an existing URL in your application with https at the beginning of the URL. Expect a certificate warning if you have not added the self-signed certificate to the trusted root store; the page itself should load.

Forcing SSL for an application

If your application requires SSL encryption for all traffic you want to force the application to only handle SSL requests.

You can do this on the application level (so that other applications on the same web site in IIS will not require SSL) or on the web site level.

Here’s how:

In IIS MMC, right click the application virtual directory or the web site.
Select “Directory Security” tab and click “Edit…”.
Check “Require secure channel” and “Require 128-bit encryption”.

Now, any request to a URL that starts with http rather than https will receive a 403 response with sub-status 4 (403.4, "SSL required") from the web server.

Supporting Debugging in Visual Studio

Now that you’ve setup the web server on your machine to require SSL traffic, you need to update the application URL in Visual Studio in order to be able to run the application from Visual Studio:

Right click the project in Solution Explorer and select “Properties”.
Under the “Web” tab change the value of “Project Url” to start with https.

Auto-Redirecting non-SSL Traffic

Perhaps some of your users will try to navigate to your application via a non SSL URL (most users assume a web page URL starts with http).

You can silently redirect your users to the correct SSL address using the following technique:

Users requesting a non-SSL URL are served the standard 403.4 error page by IIS (this is an error response, not a redirect). The first step is to replace that page with your own:

In your project, create a new web form called “NonSslRedirect.aspx”.
In IIS MMC, right click your application virtual directory, click the “Custom Errors” tab and select the 403;4 error.
Click “Edit Properties…”, select “URL” in “Message Type” and type the address of the page you added in step 1 (for example: /MyApp/NonSslRedirect.aspx).

Try again to navigate to a URL starting with http. IIS should now serve NonSslRedirect.aspx in place of the 403.4 error page, with the query string "?403;" followed by the URL you originally requested.

Now, in the code-behind file of NonSslRedirect.aspx, add code similar to the following to automatically redirect the users to the matching SSL URL:

protected void Page_Load(object sender, EventArgs e)
{
    // IIS executes the custom error URL as
    //   /MyApp/NonSslRedirect.aspx?403;http://host/MyApp/page.aspx
    // so everything after the first ';' is the URL the user originally asked for.
    string[] parts = Request.Url.ToString().Split(new char[1] { ';' }, 2);
    if (parts.Length < 2 || !parts[1].StartsWith("http://"))
    {
        // The page was requested directly, without the IIS-supplied query
        // string; indexing parts[1] here would throw IndexOutOfRangeException.
        Response.Redirect("https://" + Request.Url.Host + Request.ApplicationPath);
        return;
    }

    string urlWithHttps = "https" + parts[1].Substring(4);

    Response.Redirect(urlWithHttps);
}

This code replaces the http prefix of the originally requested URL with https and redirects the user to the new URL. Be aware that it trusts whatever host name appears after the ';' in the query string: a request crafted as NonSslRedirect.aspx?403;http://some-other-host/ (the host being attacker-chosen) would bounce the user to that site, which is an open redirect. Restrict the redirect to your own host before shipping this.
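A hardened version of the code-behind is shown below as an added example; it is not code from the original post. It keeps the same IIS contract (query string of the form "403;" followed by the original URL) but parses the target as a URI, only accepts http targets on the same host the request arrived at, falls back to the application root over https for anything else, and uses the two-argument Response.Redirect so ASP.NET does not abort the request thread. The helper name BuildHttpsTarget is ours.

```csharp
// Added example, not from the original post: hardened NonSslRedirect.aspx
// code-behind. Assumes IIS supplies the query string "<status>;<original URL>".
using System;
using System.Web;
using System.Web.UI;

public partial class NonSslRedirect : Page
{
    // Returns the https URL to send the user to, or null when the request must
    // not be redirected (missing/malformed query string, non-http scheme, or a
    // host other than the one this request arrived at).
    public static string BuildHttpsTarget(string rawQuery, string expectedHost)
    {
        if (string.IsNullOrEmpty(rawQuery)) return null;
        string query = rawQuery.StartsWith("?") ? rawQuery.Substring(1) : rawQuery;

        int sep = query.IndexOf(';');
        if (sep < 0) return null;   // page hit directly; the original code crashed here

        Uri original;
        if (!Uri.TryCreate(query.Substring(sep + 1), UriKind.Absolute, out original))
            return null;
        if (original.Scheme != Uri.UriSchemeHttp) return null;

        // Open-redirect guard: only ever send the user back to our own host.
        if (!string.Equals(original.Host, expectedHost, StringComparison.OrdinalIgnoreCase))
            return null;

        UriBuilder https = new UriBuilder(original);
        https.Scheme = Uri.UriSchemeHttps;
        https.Port = -1;   // -1 = default port for the scheme (443); adjust if IIS uses another SSL port
        return https.Uri.ToString();
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string target = BuildHttpsTarget(Request.Url.Query, Request.Url.Host);
        if (target == null)
        {
            // Unknown or foreign target: land the user on our own root over https.
            target = "https://" + Request.Url.Host + Request.ApplicationPath;
        }

        // endResponse=false avoids the ThreadAbortException that the one-argument
        // overload raises; CompleteRequest ends the pipeline cleanly instead.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

With this in place, NonSslRedirect.aspx?403;http://localhost/MyApp/page.aspx?x=1 becomes https://localhost/MyApp/page.aspx?x=1, while a query naming any other host, or no query at all, lands on the application root over https instead of wherever the query string says.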


One Response to “SSL in ASP.NET”

  1. Jackson said

    The topic regarding SSL was very useful and my program crashed
