IIS HTTPS configuration for Team development

This post is a collection of information which I found all over the internet. I’m posting it as a reference for myself. I need to set up a development environment where a team of developers can develop multiple projects which use and test web applications using HTTPS.

Step 1: Create a root cert. This will be shared within the team.

Here is a cmd file which creates a root cert named after its first parameter:

Using makecert and pvk2pfx:

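rem Append the Windows Kits tools to PATH instead of replacing PATH
set "PATH=%PATH%;C:\Program Files (x86)\Windows Kits\8.1\bin\x64"

rem Self-signed root (-r) with an exportable key (-pe), usable as a CA (-cy authority)
makecert.exe -r -n "CN=%1" -pe -sv %1.pvk -a sha1 -len 2048 -b 01/01/2014 -e 01/21/2030 -cy authority %1.cer
rem Bundle the private key and the cert into a pfx
pvk2pfx.exe -pvk %1.pvk -spc %1.cer -pfx %1.pfx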

Or using openssl:

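rem Append Git's bin directory (which ships openssl) to PATH instead of replacing PATH
set "PATH=%PATH%;C:\Program Files (x86)\Git\bin"

rem 4096-bit RSA key, protected with a passphrase (-des3)
openssl genrsa -des3 -out %1.key 4096
rem Self-signed root cert, valid for 365 days
openssl req -new -x509 -days 365 -key %1.key -out %1.crt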

This cmd can be used as follows:

createRootCert.cmd TeamDevelopmentRoot

Step 2: Create a project cert.
Now that the root cert is created, each project requires its own cert. It is very IMPORTANT that the cert name (the CN) matches the host name in the project's IIS URL!

Using makecert and pvk2pfx:

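set "PATH=%PATH%;C:\Program Files (x86)\Windows Kits\8.1\bin\x64"

rem First parameter: project host name. Second parameter: root cert name.
rem -a sha256 because browsers reject SHA-1 signed server certs; -eku 1.3.6.1.5.5.7.3.1 is server authentication
makecert.exe -iv %2.pvk -ic %2.cer -n "CN=%1" -pe -sv %1.pvk -a sha256 -len 2048 -b 01/21/2010 -e 01/21/2020 -sky exchange %1.cer -eku 1.3.6.1.5.5.7.3.1
pvk2pfx.exe -pvk %1.pvk -spc %1.cer -pfx %1.pfx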

Or using openssl:

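set "PATH=%PATH%;C:\Program Files (x86)\Git\bin"

openssl genrsa -des3 -out %1.key 4096
openssl req -new -key %1.key -out %1.csr
rem -CAcreateserial gives each project cert its own serial; a fixed -set_serial 01 would repeat across projects
openssl x509 -req -sha256 -days 365 -in %1.csr -CA %2.crt -CAkey %2.key -CAcreateserial -out %1.crt
rem Bundle the key and the cert into a pfx for import into Windows
openssl pkcs12 -export -out %1.pfx -inkey %1.key -in %1.crt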

This can be used like this:

createProjectCertFromRoot.cmd webprojectx TeamDevelopmentRoot

Step 3: Now add the certs to the operating system.

Open mmc, go to File / Add/Remove Snap-in…, and choose Certificates.

Choose Computer account.

In Trusted Root Certification Authorities/Certificates, right-click and select All Tasks / Import…

Choose the TeamDevelopmentRoot.cer file and add it.

Now select Personal/Certificates, right-click and choose Import…

This time select the webprojectx.pfx file. NOTE: It is important to choose the pfx file, because it contains the private key as well as the cert!!!

Double-click on the imported certificate and check that it is OK.

Step 4: Use the certs in IIS:

Open IIS Manager and create a website. The host name must match the cert.

In the application pool, make certain you're using an account with the proper rights, for example LocalService. Also check that the IIS_IUSRS group has access to the file system.

Step 5: Map your host to 127.0.0.1 in the hosts file. (C:/Windows/System32/drivers/etc)
Add the following:
127.0.0.1 webprojectx

Now you can test it in the browser and add it to your trusted sites.

Now that it works, you can share the certs with your team and develop together using HTTPS. Every time you create a new project, you only need a single cert, signed by the root cert, to be added to the personal certs. This can be shared among the team, as all of them have installed the root cert.
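
The openssl route from Steps 1 and 2 as a Git Bash (sh) script, added here as an example and not part of the original post: it signs with SHA-256, puts the host name into subjectAltName (which current browsers match instead of the CN), and checks a project cert before it is imported. The function names, file names and config sections are assumptions, and the keys are left without a passphrase so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are
# hypothetical; keys carry no passphrase so that nothing prompts.
# Usage: make_root TeamDevelopmentRoot; make_project webprojectx TeamDevelopmentRoot
#        check_project webprojectx.crt TeamDevelopmentRoot.crt webprojectx

write_cnf() {   # $1 = config file to write, $2 = host name for subjectAltName
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

make_root() {   # $1 = root name; writes $1.key and $1.crt
  write_cnf "$1.cnf" unused &&
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -x509 -sha256 -days 365 -config "$1.cnf" -extensions v3_ca \
    -key "$1.key" -subj "/CN=$1" -out "$1.crt"
}

make_project() {   # $1 = IIS host name, $2 = root name; writes $1.key, $1.csr, $1.crt
  write_cnf "$1.cnf" "$1" &&
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -config "$1.cnf" -key "$1.key" -subj "/CN=$1" -out "$1.csr" &&
  openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -extfile "$1.cnf" -extensions v3_server -out "$1.crt" 2>/dev/null
}

check_project() {   # $1 = project cert, $2 = root cert, $3 = IIS host name
  text=$(openssl x509 -in "$1" -noout -text) || return 4
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "not signed by $2"; return 1; }
  echo "$text" | grep -Eq "DNS:$3(,| *\$)" || { echo "no SAN entry for $3"; return 2; }
  echo "$text" | grep -qi "Signature Algorithm: sha1" && { echo "SHA-1 signature"; return 3; }
  echo "ok: $1 chains to $2 and names $3"
}
```

Team members only need the root .crt in Trusted Root Certification Authorities; the root .key is needed only on the machine where project certs are signed.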

Next step: implement Authentication and Authorization.

Links:
http://pfelix.wordpress.com/2012/02/26/enabling-https-with-self-hosted-asp-net-web-api/

http://woloski.com/2012/08/04/securing-aspnet-webapi-with-clientcerts/

http://stackoverflow.com/questions/15205814/net-client-connecting-to-ssl-web-api

http://www.networknet.nl/apps/wp/archives/2272

http://technet.microsoft.com/en-us/library/cc732443.aspx

http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/

http://slproweb.com/products/Win32OpenSSL.html

http://www.openssl.org/

http://pages.cs.wisc.edu/~zmiller/ca-howto/

http://www.top20toolbar.com/misc/codesigncert.htm

http://www.websense.com/support/article/kbarticle/How-to-use-OpenSSL-and-Microsoft-Certification-Authority
