How do I avoid "Not Secure" messages when developing locally with IIS and personal certificates?
I'm developing with ASP.NET and find it annoying that I constantly get "Not Secure" messages when accessing my local website through IIS just because I have a personal self-signed certificate.
I have seen long and what appear to be very complicated ways of creating your own certificate server, but I was wondering about just buying a certificate if they are cheap.
It appears you can get them for under $10? See here:
https://www.interssl.com/en/cart.php?gid=2
Is that a good option or is there a better alternative?
I have seen long and what appear to be very complicated ways of creating your own certificate server, but I was wondering about just buying a certificate if they are cheap.
It appears you can get them for under $10? See here:
https://www.interssl.com/en/cart.php?gid=2
Is that a good option or is there a better alternative?
Does your local iis server have a domain name associated with it that is publicly registered?
ASKER
No - I guess even a purchased certificate wouldn't work for that reason..
Using HTTPS requires you use a host/domain which resolves to a public IP.
The way I handle this for my hosting clients is to just setup something like https://dev.foo.com + then when they switch to https://foo.com use wp-cli to rewrite all internal links.
If you're using custom code, the easy way to handle site work is to craft links which are site independent.
So write /path-to-file, rather than https://foo.com/path-to-file, so you can run your site as any host/domain name + your site will work.
Then use https://LetsEncrypt.org for free SSL certs to wrap every host record in SSL.
The way I handle this for my hosting clients is to just setup something like https://dev.foo.com + then when they switch to https://foo.com use wp-cli to rewrite all internal links.
If you're using custom code, the easy way to handle site work is to craft links which are site independent.
So write /path-to-file, rather than https://foo.com/path-to-file, so you can run your site as any host/domain name + your site will work.
Then use https://LetsEncrypt.org for free SSL certs to wrap every host record in SSL.
The 'not secure" message is supposedly (in your case) saying (1) no trusted root CA (and its accompany intermediate CA bundle chain) available since it is using self signed SSL certificate. There is also another scenario in which the website (2) contains non-HTTPS content when the website is in the HTTPS mode.
For (1), getting a 3rd party issued SSL certificate will solve this since most browser will have supported it. LetEncrypt is alright as suggested by expert but note the expiry date of the free SSL cert is ninety-days so you need to renew the free certificate before expiry date of issuance - recommended every 60 days. Note also this is Domain Validated DV certificate and not the advocated Extended Validated EV certificate type. The latter is essential most for higher assurance (as a trusted website and not phished one) and getting more traction for compliance requirement.
Another option is CACert which also issue free SSL certificate. You can see more details here and so far does not have mention on the short expiry date though.
For (2), it is about having the website to adopt HSTS which it is another separate discussion. In short, it prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
Overall, do try test your website with online SSL test as it does a good check against the required secure SSL certificate needed and more on other "glaring" gaps in the web server.
For (1), getting a 3rd party issued SSL certificate will solve this since most browser will have supported it. LetEncrypt is alright as suggested by expert but note the expiry date of the free SSL cert is ninety-days so you need to renew the free certificate before expiry date of issuance - recommended every 60 days. Note also this is Domain Validated DV certificate and not the advocated Extended Validated EV certificate type. The latter is essential most for higher assurance (as a trusted website and not phished one) and getting more traction for compliance requirement.
Another option is CACert which also issue free SSL certificate. You can see more details here and so far does not have mention on the short expiry date though.
For (2), it is about having the website to adopt HSTS which it is another separate discussion. In short, it prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
Overall, do try test your website with online SSL test as it does a good check against the required secure SSL certificate needed and more on other "glaring" gaps in the web server.
ASKER
Just to be clear - I'm just a developer, developing on my Windows PC, and the site is just my own local IIS that I'm developing against, no one else uses it but me, accessing it locally.
I tried LetsEncrypt.org - it said to use Certbot but that only works for Unix - see https://certbot.eff.org/#nonunix-other
I tried cacert and got this.
I tried LetsEncrypt.org - it said to use Certbot but that only works for Unix - see https://certbot.eff.org/#nonunix-other
I tried cacert and got this.
For letsencrypt, see other client options.
For cacert, the below tells you how you can manually import the CAcert Root Certificate in you web browser
http://wiki.cacert.org/FAQ/BrowserClients?action=show&redirect=BrowserClients
Otherwise you can have procured certificate from Digicert too.
https://www.digicert.com
Another option is to use CDN for fronting https on behalf of your website. See this step through.
https://css-tricks.com/switching-site-https-shoestring-budget/
Windowshttps://letsencrypt.org/docs/client-options/
ACMESharp (.NET, PowerShell)
letsencrypt-win-simple (.NET)
Certify GUI (.NET, WinForms)
oocx/acme.net (.NET)
kelunik/acme-client (PHP)
ZeroSSL Windows.
For cacert, the below tells you how you can manually import the CAcert Root Certificate in you web browser
http://wiki.cacert.org/FAQ/BrowserClients?action=show&redirect=BrowserClients
Otherwise you can have procured certificate from Digicert too.
https://www.digicert.com
Another option is to use CDN for fronting https on behalf of your website. See this step through.
https://css-tricks.com/switching-site-https-shoestring-budget/
you could put your certificate in the trusted root provider store. Personally I'd just ignore the warnings as I know they are to be expected.. in production it would be a no-no
ASKER
I did add the certificate to the trusted root provider store - the actual error is
NET::ERR_CERT_COMMON_NAME_
This server could not prove that it is mylocalservername; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
NET::ERR_CERT_COMMON_NAME_
This server could not prove that it is mylocalservername; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.