bjegan
 asked on

Makecert - problem

Hi Experts,

This is all about calling web services from a client through SSL.
So I used makecert to create a root CA, a server certificate and a client certificate.

Commands for creating the SSL certificates:

Root CA
---
makecert -r -n "CN=My Own Test CA" -sv root.key root.cer
---

Server certificate
---
makecert -iv root.key -ic root.cer -eku 1.3.6.1.5.5.7.3.1 -n "CN=pcidl19543.company.com"
---

Client certificate
---
makecert -iv root.key -ic root.cer -eku 1.3.6.1.5.5.7.3.2 -n "CN=Myname"
---

Then I installed the root CA as trusted and configured the server certificate in IIS.

Then when I try to access my web service in my browser, it throws "page cannot be displayed"...

Am I missing anything, or should I use Certificate Services for creating certificates (because makecert is only for testing purposes)?

Can anyone guide me step by step to run my web service over a secure channel?

Thanks,
babu
ASP.NET

Last Comment
Vivek Thangaswamy

8/22/2022 - Mon
Vivek Thangaswamy

Configure Your Web Server for SSL
Your XML Web Service will be running on Internet Information Server (IIS) and it will rely on IIS to provide SSL support. Because of this, you must first install an SSL server certificate on your server so that you can enable SSL support.
1. If you are purchasing a server certificate from a third-party certificate authority or if you have an enterprise certificate authority available to you, skip to the next step. Otherwise, install Certificate Services by starting the Add/Remove Programs tool, clicking Add/Remove Windows Components, and then click to select the Certificate Services check box.
2. Run the Web Server Certificate Wizard by starting Internet Services Manager, right-clicking on the virtual site that you want the certificate for, clicking Properties, clicking the Directory Security tab, and then clicking Server Certificate.
3. In the Web Server Certificate Wizard, click Create a new certificate, and then click Next.
4. Click Prepare the request now, but send it later, and then click Next.
5. Continue to fill out the information in the Wizard to fit your needs, but when you are prompted to provide the common name of the certificate, make sure that you specify the name of the host computer that you are running your XML Web service on.
6. When you complete the wizard, a certificate request is saved in a file that you specify. By default, this is c:\Certreq.txt.
7. If you are submitting your certificate to a different certificate authority, do that now by using their procedures and when you receive your certificate file, open it, and then skip to step 16. If you are using your own Certificate Services to get your certificate, browse to http://localhost/certsrv and choose the Request a Certificate option.
8. Under the Request Type page, specify that this is an Advanced Request, and then click Next.
9. Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file, and then click Next.
10. On the Submit a Saved Request page, click Browse for a file to insert, specify the file you created in step 6, click Read, and then Submit. Your request has been submitted, and now you must approve it.
11. On the Programs menu, under Administrative Tools, start the Certificate Authority management console.
12. Under your Certificate Authority's name, choose the Pending Request folder. Right-click the certificate request that you just submitted, point to All Tasks, and then click Issue. Close the Certificate Authority management console.
13. In your browser, go back to http://localhost/certsrv, click Check on Pending Requests, and then click Next.
14. Make sure that the request you just created is selected, and then click Next.
15. On the Certificate Issued page, choose either of the encoding schemes, and then click Download CA certificate. The Certificate property pages are displayed. Click the General tab, and then click Install Certificate.
16. The Certificate Import Wizard starts. Accept all of the defaults and click through the wizard until it has completed.
17. Go back to the Internet Services Manager, right-click the virtual site you created the certificate for, click Properties, click the Directory Security tab, and then click Server Certificate.
18. Click Assign an existing certificate to see a list with your certificate in it. Click your certificate, and then click Next. Complete the Web Server Certificate Wizard. Your SSL Server Certificate is now installed.


then.....


Install Certificate Authority's Certificate on Client
If you used your own certificate services, you must install your certificate authority's certificate on the client as a trusted root certificate authority. To do so:
1. Browse to http://my computer/certsrv where my computer is the host name where the certificate services are located that issued the server certificate.
2. Click Retrieve the CA certificate or the certificate revocation list, and then click Next.
3. Click the Install this CA certification path link. The certificate should be properly installed.
If you are planning to access your XML Web Service from an ASP page, you must add the Certificate Authority's certificate to the machine's trusted root store:
1. Repeat the preceding first 2 steps, click Download CA certificate, and then save it to a file on your local computer.
2. Start Mmc.exe.
3. Click Console, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.  
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. Click Computer Account, and then click Next.
7. Click Local Computer, and then click Finish.
8. The list of certificate categories for the local computer should appear in the snap-in window.
9. Click OK to return to the Console Root window.
10. In the tree view, open the list of trusted root certificate authorities.
11. To add the certificate authority certificate that issued your server certificate to the list, click Action, click All Tasks, and then click Import, or drag the certificate on to the list.


then....


Modify WSDL from HTTP to HTTPS
1. Edit the WSDL files for your service so that the address for your Web service begins with https instead of http. You must make sure that the copy of the WSDL that your client is using also indicates https.
2. For Microsoft Visual Studio .NET projects, when you add a Web Reference, you can specify an https URL as the location of the XML Web service. If you did not do this, then you can edit the class that was created by Visual Studio .NET that wraps the Web service and modify the line of code that sets the URL. For a C# project, the line of code might look like this after you have modified it:
this.Url = "https://localhost/ServiceVivek.asmx";
3. Your XML Web Service will now be accessed over SSL.


then....


Verify That It Works
To determine if SSL is configured properly, try browsing to your server by using an https URL such as https://localhost/mytest.asmx.

Your configuration should be all right if you can successfully browse to the location without any error messages being displayed by Internet Explorer. You are ready to try to access your web service programmatically.


then....


Enforcing SSL-Only Access
If you want to make sure that only SSL requests are accepted by your Web service, you can configure the virtual directory where your XML Web service resides to be SSL only in the Internet Services Manager:
1. Right-click the virtual directory where your XML Web service resides, and then click Properties.
2. Click the Directory Security tab, and then click Edit under Secure Communications.
3. Click require secure channel (SSL), and then click OK twice.


Ref:
"Setting Up SSL on Your Server" topic in the Internet Information Server documentation.
Vivek Thangaswamy

Actually, I tried this on Microsoft Windows 2000 Server, Microsoft Internet Information Services 5.0.

For Java-related applications, refer to this link:
http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
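
A scripted form of the "Verify That It Works" step in the answer above, as an added example that is not part of the original thread: it opens an SSL connection to the server and reports the three things the steps depend on (the certificate's common name matching the host, the issuing CA being in the client's trusted roots, and the server-authentication EKU 1.3.6.1.5.5.7.3.1 from the question). It assumes a client with Windows PowerShell 3.0 or later; the function name `Test-ServerCertificate` is made up for this example, and the default host name is the one from the question.

```powershell
# Added example, not from the thread. The default host name is the one in the
# question's server certificate; pass your own with -HostName.
function Test-ServerCertificate {
    param([string]$HostName = 'pcidl19543.company.com', [int]$Port = 443)

    $seen = @{}   # filled in by the validation callback below
    $check = {
        param($sender, $certificate, $chain, $policyErrors)
        if ($certificate) {
            $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        }
        $seen.Policy = $policyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        # Normal validation is kept: succeed only if Windows reported no errors.
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()

    $handshake = 'not attempted'
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)   # throws if nothing listens on the SSL port
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$check)
        try { $ssl.AuthenticateAsClient($HostName); $handshake = 'OK' }
        catch { $handshake = $_.Exception.Message }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    $cert = $seen.Cert
    $ekuOids = @()
    if ($cert) {
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    }
    [pscustomobject]@{
        Handshake     = $handshake
        Subject       = $cert.Subject      # CN should be the server's host name
        Issuer        = $cert.Issuer
        PolicyErrors  = $seen.Policy       # RemoteCertificateNameMismatch = CN differs from host
        ChainStatus   = $seen.Chain        # UntrustedRoot = CA not in Trusted Root store
        ServerAuthEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    }
}

Test-ServerCertificate | Format-List
```

`ServerAuthEku` is also False for a certificate that carries no EKU extension at all, which Windows treats as valid for every purpose, so read it together with `Handshake` and `PolicyErrors`.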
bjegan

ASKER
Help me in the context of makecert, because I have to do it that way. I need detailed step-by-step instructions for SSL communication; the above articles are already known to me...

babu
ASKER CERTIFIED SOLUTION
Vivek Thangaswamy

Vivek Thangaswamy

Hi bjegan

Has my solution helped you?