I moved my stack(nodejs based restapi, UI/UX asp.net mvc by another team) to production mode on AWS.
I have an issue with ssl certificate.
The ssl certificate i use on nodejs is self signed as a result i get "certificate not trusted" issue on the browser while trying to access the client.
When i was looking for IP based CA certificates, i realized it can be issued only for organization based IPs.
Since i am hosting the nodejs server on ec2 this ip doesnt belong to my organization. Please let me know what is the best way out of this
Related
We have developed an angular website and we have both personal server and a registered domain extension. We were able to host through public ip using iis but when the domain name was used in throws NET::ERR_CERT_AUTHORITY_INVALID. It also redirects to https by default.
We also tried using xampp too. We don't want to use any cloud servers as our custom domain extension can't be used.
kindly help us to host the website.
As you mentioned the error message: ERR_CERT_AUTHORITY_INVALID.
This issue is related to your certificate. If you do not currently have a certificate, you can choose to create a self-signed certificate, or apply for a certificate from the Authority.
If you already have a certificate and still have this issue, you can check to see if it is expired and try renewing the certificate.
i created a Node.js Rest API for a cordova application to help access the MySQL database. The API does not render web pages just sends JSON data to the application. The hosting service provides certificates if you want to buy and i have used them may tmes to make a website HTTPS. The problem is that the API although it uses the correct SSL certificates for the correct domain is seen as having self signed certificates. That is a huge problem because such traffic both HTTp and with self signed certificates is prohibited by android and the app is not working. What can i do? Thanks in advance for the help!
If you can't use https://letsencrypt.org/getting-started/ with your hosting provider, maybe you could use https://www.cloudflare.com/ssl/ to act as a proxy in front of your website and have a signed certificate.
For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It does not effect on whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains signed hash of all messages from Client Hello till that point which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash. It will call back to application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145
I have website hosted on IIS. My main issue is that I want only users with a specific certificate installed to be able to access the site. I tried to follow some tutorials but I can't find anyone covering both server and client side, since I can't get it to work.
I have some questions to the main issue:
What kind of certificate should I use (domain/selfed signed in IIS 7.5)? I do have access to a Active Directory Certificate Services where I can create other types of certificates (CA), but the problem is when trying to import them to my IIS ("certificate cannot be used as an ssl server certificate")
I would like to use a CA certificate, but is that possible when using IIS? Or do I need to write all the code the check if the user has the right certificate?
When created a certificate for the website (e.g. though IIS)..How do I create user certificates that are trusted by the server certificate?
As you may noticed by now I'm not sure how to do all of this, and would really like some help..
Server should use SSL server certificate. This certificate has to have Server Authentication extension in Extended key usage. Server certificate should have SAN extension (Subject alternative name) with domain name of server as DNS name (i.e. somesite.com)
CA certificate has to be imported to Trusted root store (preferably Local Machine) on both server and client machines.
Client certificate should contain Client Authentication extension in Extended key usage.
All EndEntity (client and server) certificates should have CRL distribution point in them where there is URL to CRL that is issued by CA. CRL has to be accessible by both client and server and should be always valid.
You can use XCA for training purposes. It has a nice GUI and it has templates for CA, SSL server and SSL client certificates by default. Then you can mimic these certificates in your Active Directory Certificate Services. Documentation and some guides can be found here.
I have local server in my home, which runs website, which provides some service, thanks the use of PHP. Right now I'm using the HTTP protocol, which doesn't not provide security, due to the clear-text (the is a authentication service with username and password to access the protected page). I want to upgrade to HTTPS and of course I need to use the SSL. I know what is, so I know the differences between a self-certificate, and the one issued by a company. There are different kind of class. Because I don't want that my users/friends are alerted by the browser that the SSL certificate isn't trusted, I'm asking if there is some free trusted certificate for a non-domain web server (I use my static IP to let the user access the website). In case I bought a domain (it is very cheaper), can I have a free trusted certificate from someone ? Thank you.
Regarding SSL certificates for an IP address, see the linked SO thread: Is it possible to have SSL certificate for IP address, not domain name?
If you register a domain name for your site, then you can obtain a free SSL certificate from StartSSL (https://www.startssl.com/?app=1)