Configure Self hosted WebApi in Windows Service to Use SSL


By the end of the first post we already have a WebApi self-hosted in a Windows Service, but over plain HTTP. In this post I shall add an SSL layer on top of it to provide transport layer security. Things are much easier with IIS, which provides simple default settings and configuration for things like SSL, but moving out of IIS can be a little tricky. Also, in this post we shall not be using the developer certificate generated by IIS, but one issued by a CA of our own. For this we shall first create and register a CA certificate and then the SSL certificate. So let's roll.

The Tools

We shall be using the following tools, which are provided by Microsoft and can be run from the Developer Command Prompt.

  • makecert
  • pvk2pfx
  • netsh (provided by windows)

PS: If you can get a proper SSL certificate from a commercial CA, you can skip the certificate creation and go straight to the netsh section at the end.

Creating the CA

All certificates are issued by a Certifying Authority, or CA. To create one, fire up the "Visual Studio Command Line Tools" and run it as administrator. I would recommend creating a new folder and changing to it so that the generated files don't get mixed up with anything else.

Type in the following command to generate a new CA certificate.

makecert -n "CN=VineetYadav.com" -r -pe -a sha512 -cy authority -sv VineetYadavPKey.pvk VineetYadav.comCA.cer

The complete documentation for makecert is available on MSDN. Some quick points on the switches used:

  • -n "CN=SOME_NAME" : the name of your certifying authority. I used VineetYadav.com; you can use anything, as long as it is identifiable.
  • -r : creates a self-signed certificate
  • -pe : marks the private key as exportable
  • -a sha512 : signature algorithm to be used
  • -cy authority : registers the certificate as a certifying authority (as opposed to -cy end for an end-entity certificate)
  • -sv SOME_NAME.pvk : the private key file for the certificate
  • VineetYadav.comCA.cer : name of the certificate file, given last.

Running this command pops up a window asking for a password to protect the private key, as below. Enter and confirm it. Then another pop-up asks for it again; enter the same password.

Password for Certificate

You should now have the certificate and private key files in the folder you ran the command from.

Generate PFX

A PFX file is a convenient format that bundles a certificate and its private key in a single file that can easily be transferred. Because it contains the private key, treat it like a secret. From the same command prompt, run the following command to create the PFX from the .cer and .pvk files:

pvk2pfx -pvk "VineetYadavPKey.pvk" -spc "VineetYadav.comCA.cer" -pfx "VineetYadav.comCA.pfx" -pi MY_PASSWORD

Replace MY_PASSWORD with the password you entered in the previous step. -pvk and -spc refer to the .pvk and .cer files respectively; -pfx is the new PFX file to be created.

Importing the Certificate

Double-clicking the PFX file opens the Certificate Import Wizard. Keep pressing Next, enter the password, and press Next until you finish :). This imports the certificate into your certificate store.

Certificate Import

By default this goes to the Personal store and has to be moved to the Trusted Root store. For this, open certmgr.msc and go to Personal -> Certificates. You should see your certificate as below. Drag the certificate to Certificates under Trusted Root Certification Authorities. This makes the CA certificate trusted, and with it all the child certificates issued by this CA.

Moving Certificate from personal keystore to Trusted Root CA Keystore

Generate The SSL Certificate for our Application

For the Windows service to serve HTTPS it needs an SSL certificate issued by our CA. Browse to the same folder where your .cer and .pvk files are located, then run the following command in the command prompt.

makecert -n "CN=localhost" -iv "VineetYadavPKey.pvk" -ic "VineetYadav.comCA.cer" -pe -a sha512 -len 4096 -b 01/01/2015 -e 01/01/2017 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv SelfHostPKey.pvk SelfHost.cer

Some quick tips on the switches used here:

  • -n : the same as above, except that here it refers to the host name on which the application will run. I used localhost here.
  • -ic "VineetYadav.comCA.cer" : the certificate of the issuing CA
  • -iv "VineetYadavPKey.pvk" : the private key of the issuing CA certificate
  • -pe, -a : as before
  • -len 4096 : key length in bits
  • -b and -e : the begin and expiry dates for the certificate
  • -sky exchange : marks the key as usable for key exchange
  • -eku 1.3.6.1.5.5.7.3.1 : the Server Authentication extended key usage, which browsers expect on a TLS server certificate
  • -sv : the private key file
  • and lastly the name of the .cer file.

This again triggers the password prompts. The first two are for the new certificate's private key. There is also an additional prompt for the issuer password, which is the password of your CA private key.

We again use the pvk2pfx tool to create the pfx file.

pvk2pfx -pvk "SelfHostPKey.pvk" -spc "SelfHost.cer" -pfx "SelfHost.pfx" -pi YOUR_PASSWORD

Use the password you created for this certificate.

Import the certificate the same way as before, except that this time you don't move it to Trusted Root CA.

Open the MMC console (mmc.exe) and add the Certificates snap-in for the current user. Then add the Certificates snap-in again and select Computer account (Local Machine).

This opens the certificate stores for both contexts. Move the certificates:

  • Move the CA certificate from Trusted Root Certification Authorities/Certificates (current user) to Local Computer Trusted Root Certification Authorities/Certificates.
  • Likewise, move the SSL certificate from Personal/Certificates (current user) to Local Computer Personal/Certificates.

Move Certificates to Local Computer

And that completes the installation of the SSL certificate.
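The same import and move into the Local Computer stores can be scripted instead of dragging certificates around in MMC. This is an added example, not code from the post; it assumes the file names produced by the commands above and runs from an elevated PowerShell prompt on the machine that will host the service.

```powershell
# Added example (not from the original post): import the CA and the server
# certificate into the Local Computer stores from an elevated PowerShell prompt.
# File names follow the post's makecert/pvk2pfx commands (assumption).
$caCer  = ".\VineetYadav.comCA.cer"
$sslPfx = ".\SelfHost.pfx"
$pfxPassword = Read-Host -AsSecureString -Prompt "Password used with pvk2pfx for SelfHost.pfx"

# The CA certificate belongs in Trusted Root Certification Authorities
# (Cert:\LocalMachine\Root). Only the CA goes here, never the server certificate.
$ca = Import-Certificate -FilePath $caCer -CertStoreLocation Cert:\LocalMachine\Root

# The server certificate, with its private key, belongs in the Local Computer
# Personal store (Cert:\LocalMachine\My); that is where http.sys looks for it.
$ssl = Import-PfxCertificate -FilePath $sslPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Sanity checks a practitioner wants before touching netsh:
# a private key must be present, and the chain must validate via the imported CA.
if (-not $ssl.HasPrivateKey) { throw "SelfHost.pfx did not bring a private key along" }
if ($ssl.Issuer -ne $ca.Subject) { throw "Server certificate was not issued by the imported CA" }
if (-not $ssl.Verify()) { Write-Warning "Chain validation failed; check that the CA sits in LocalMachine\Root" }

"CA     : $($ca.Subject)  thumbprint $($ca.Thumbprint)"
"Server : $($ssl.Subject) thumbprint $($ssl.Thumbprint)"
```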

Configuring Netsh to bind certificate to Port

Since the application is hosted as a Windows service, the SSL certificate needs to be bound to a port so that all requests to that port are served with it. This is done at machine level using the netsh command. To continue, we first need the thumbprint of the new certificate.

To get the thumbprint, open the certificate and click the Details tab. In the Field column select the last row, "Thumbprint". The details pane shows the value as space-separated hex bytes.

Certificate Details for Thumbprint

Select all, copy and paste it into Notepad, and remove the spaces to get a continuous string of 40 hex characters. Beware that copying from this dialog can also bring along an invisible leading character (a Unicode left-to-right mark) that makes netsh reject the hash; if the command below fails with a parameter error, delete and retype the first character.

Now hit the following command to register the SSL with port.

netsh http add sslcert ipport=0.0.0.0:8099 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=c262318f5f1356f7f04961146efd1be743c0e9c0

PS: appid is a GUID that identifies the application owning the binding and should remain the same for your service. ipport=0.0.0.0:8099 means listen on all IPs on port 8099.

The binding can be verified with the following command:

netsh http show sslcert

The binding can be removed again with the following command:

netsh http delete sslcert ipport=0.0.0.0:8099
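The binding step above can also be done without copying the thumbprint out of the dialog at all, which sidesteps the invisible-character problem and checks that the binding really landed. This is an added example rather than code from the post; the subject name, port and appid are taken from the post's netsh command, and the script runs from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): bind the SSL certificate to the port
# using the thumbprint read straight from the certificate store, then verify it.
# Subject, port and appid follow the post (assumption); run elevated.
$subject = "CN=localhost"
$ipport  = "0.0.0.0:8099"
$appid   = "{214124cd-d05b-4309-9af9-9caa44b2b74a}"

# http.sys only serves certificates from Local Computer\Personal that have a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $subject with a private key in LocalMachine\My" }

# The Thumbprint property is plain hex; strip anything else just to be safe.
$thumb = $cert.Thumbprint -replace '[^0-9A-Fa-f]', ''
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint length: $($thumb.Length)" }

# Drop a stale binding on the same ipport (error ignored if none exists), then add the new one.
netsh http delete sslcert ipport=$ipport 2>$null | Out-Null
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appid
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the sslcert binding" }

# Verify: the binding must exist and carry the hash we just installed.
$shown = (netsh http show sslcert ipport=$ipport) -join "`n"
if ($shown -notmatch [regex]::Escape($thumb)) { throw "Binding not found or certificate hash mismatch" }
"Bound $($cert.Subject) ($thumb) to $ipport"
```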

Now restart the Windows service and open the welcome page from the previous post, this time over https.

Self Hosted WebApi Running over SSL

While using this configuration I ran into a few problems, which I shall discuss in the next post.

Please leave any comment/suggestions below.

13 comments

  1. Hi Vineet,

    Thanks for the self hosted web API with SSL article. I tried the same but I am always getting a certificate error in IE and Chrome. Any idea?

    Thanks in advance,
    Subbiah K

    1. Hi Subbiah,
      You need to move certificate ca to trusted root ca. Have you moved it. Please check. If the issuer CA is not moved, it will not validate the certificate. Please drop a comment if you still face issues.

  2. Yes I did. I can see the CA cert in Trusted Root Certificates and the selfhost cert in personal certificates under local computer, but still getting the same error.

    Thanks,
    Subbiah

    1. Hi subbiah,
      You need to move CA cert to Trusted Root Certification Authority (not Trusted Root Certificates). Can you please check this.

      1. I have another certificate dedicated to a different application which runs on 127.0.0.1:58001. I have uninstalled that app and mapped this cert to my new app. It's working for 127.0.0.1:8099, but if I add 0.0.0.0:8099 it's throwing the same cert error in the browser. Any idea?

        1. The most probable issue seems to be the wildcard cert (on 0.0.0.0). You need to define a fixed IP or hostname for this to work, to which the cert is issued. The best case (I have seen 🙂 is the wildcard SSL *.something.com, but that also needs a fixed domain.
          Maybe you can try to create another cert with the private or public IP and try with it.

  3. At last I created a certificate using the machine IP, i.e. issued to and issued by is the machine IP. I have hosted the webapi on the same IP and it works fine on the same machine. But when I browse it over the network I am getting the cert error again. Any idea?

    Thanks in advance,
    Subbiah K

  4. Hello Vineet,

    Greetings for the day!!

    I am Sangita Kumbharvadiya. I am working as a Software developer in IT company. I need your urgent help on your post – “Host WebApi2 in Windows Service with HTTPS/SSL (Part1)” on your site https://vineetyadav.com/.

    Actually I developed one Webapi controller under a Windows service project and hosted it on my local system. Now the scenario is that my webapi call via the Windows service works on an http site or a direct IP based site, but it's not working on an https site.

    Kindly, please help me with this on an urgent basis.

    Thank you in advance.
