?
Solved

Testing https on localhost without buying another certificate

Posted on 2005-04-07
10
Medium Priority
?
475 Views
Last Modified: 2011-04-14
I'm working on a Web Application in ASP.NET and there are certain pages that are displayed over https because we deal with credit card numbers, usernames and passwords. In these pages, I make sure that they're being displayed over a secure connection and if they're not, I don't display anything. That way, if someone was to manually enter the URL or edit it, they wouldn't end up displaying the sensitive data on an insecure connection.

That's all working perfectly, I don't really need any help with that. The problem is that when I am running my development version of the application on http://localhost/website, the requests for https://localhost/website/pagename.aspx result in an error because I don't have a Secure Certificate on my own machine. I currently work round the problem by commenting out the lines of code in my application that normally check the connection is secure before returning content. That's not ideal, though, as I sometimes forget to uncomment the lines before deploying an update and it means I can't use certain hyperlinks in my application because they open pages in https.

Is there a way I can set up a test secure certificate on my machine purely for testing? How do other people handle this situation. Surely large companies don't buy a secure certificate for each developer in their team?
0
Comment
Question by:tacf
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 16

Expert Comment

by:alain34
ID: 13731995
I have installed in the past a test certificate from www.thawte.com. Below, you can see an extract of their current documentation:

Here is the solution that you selected:
Solution ID:  vs6057
Solution Title:  Download Thawte Test Certificate

Resolution:
 
To request a Thawte Test Certificate, go to the following link : http://www.thawte.com/ucgi/gothawte.cgi?a=w14100158267049000

These certificates are for testing and evaluation only. They will generate errors with browsers that have not manually inserted the required Test Root Certificate. Our Test Certificates are valid for 21 days only and this service comes with ABSOLUTELY NO WARRANTY!

To download the Thawte Test Root Certificate please go follow the instructions in solution : vs7965

Instructions on how to generate a csr for the most popular web servers can be found in the following page : http://www.thawte.com/support/keygen/index.html
 
0
 
LVL 18

Expert Comment

by:SquareHead
ID: 13733423
Another source for a test cert:

http://www.rapidssl.com/index_ssl.htm

0
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 13733554
You can also issue your own certificate without the need for a third party certificate autority.  The IIS Administration kit has a command line utility to do this instantly.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 1

Author Comment

by:tacf
ID: 13736306
I'm interested in the option of issuing my own certificate as I'd like to avoid the hassle of getting a new free certificate every 3 or 4 weeks. My test environment runs on Win XP Professional. Is the command line utility in IIS available on XP? Where could I find more info about this?
0
 
LVL 16

Expert Comment

by:alain34
ID: 13736350
sorry to contradict you, but test certificate does not expire in time. The only difference with a real certificate is that your browser will let you know that the certificate is a test certificate the first time that you access a domain with a tesdt certificate!
0
 
LVL 1

Author Comment

by:tacf
ID: 13736550
When I looked at the links for http://www.thawte.com/ and http://www.rapidssl.com/freessl/freessl.html they said the test certificates were valid for 21 days and 30 days respectively. That's where I got the idea of expiry from. Don't all secure certificates have an expiry date?

I don't understand the distinction between a test certificate and a real one. What is the difference?

Ideally, I want a solution where I can install a certificate once on my own workstation and then never need to think about it again. Then I can devote my time to developing my web applications without having https problems.
0
 
LVL 16

Expert Comment

by:alain34
ID: 13736761
therefore, developed and test your application without using ssl at all.
than move your application to your https folder and worry about ssl at this point!
0
 
LVL 29

Accepted Solution

by:
rdivilbiss earned 1200 total points
ID: 13736927
tacf,

All SSL certificates expire.  I'm not sure what alain34 is referring to.  Expired does not mean unusable, however you will always get an annoying pop-up on an expired SSL certificate.

If you self issue, you can set the expiration date 5 years in the future.  The first time you browse to the development site you will get a pop-up saying the SSL cert is not trusted.  You can add it to your root certificates and you will no longer be bothered by pop-ups until it expires.

The IIS 6.0 Resource Kit version 1.0 was released 5/30/2003. It contains a utility called SelfSSL.exe for instantly creating and installing a self-signed testing certificate into IIS. The resource kit is freely downloadable from the Microsoft website. Although the tool is intended for IIS 6.0 (2003 server), it works just as well on IIS 5.1 (XP Pro). It is so simple to use that no instructions are required beyond the pointer to the download.  The default values create a one year certificate.  You can change that to a larger number of days if you want.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

http://www.visualwin.com/SelfSSL/
0
 
LVL 1

Author Comment

by:tacf
ID: 13737669
Alain34, as I mentioned before I can't display my secure pages over http because I explicitly programmed them to return no content if the request is not secure. To do what you're suggesting would require me to comment out parts of my code during testing and then uncomment them before going live. I've already been caught out before because I forgot to uncomment the line and deployed a version that would return the content even if the page wasn't secure.

Rdivilbiss, your solution was exactly what I needed! I now have a certificate on my machine with a 10 year expiry and I set the common name to "localhost" so it doesn't even pop up the warning about the name not matching the machine. Your links were tremendously helpful as well. It was very easy to set everything up. I'm going to up the points to 300 and award them to you because of speed and relevance of your answer!
0
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 13737848
Thank you very much!

I'm glad I could help.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
How do you create a user-centered user experience on your website? And what are some things you should consider in the process?
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question