Microsoft Azure App Service Managed Certificates: binding with and without "www" - azure-devops

I was able to create an App Service Managed Certificate for my Azure Web App with the domain www.mydomain.com, and binded it to www.mydomain.com, but of course it still shows mydomain.com as insecure so I go back to "Create App Service Managed Certificate" to create another for mydomain.com but it says "A certificate has already been issued to this domain" so how do I secure mydomain.com?

After some research, unless I'm missing something, it seems the App Service Managed Certificate cannot be bound to a naked domain, which makes no sense to me, why would anyone want a cert that protects www.mydomain.com but not mydomain.com?

Related

What is the best way to secure your backend code with SSL?

I am newbie here. Trying to set up an end to end service running.
Here is my scenario:
frontend is hosted in heroku.
backend is spring-boot and server is hosted in AWS.
My backend service has integrated the facebook Oauth2 login, for which I must provide a redirect URL which is https. To handle that I created a self signed certificate and secured my backend service with the same.
Everything is working fine till here except the security warning users will get in the browser as the certificate is self signed. AFAIK I must get a CA root certificate to avoid this. but to get the CA root certificate i need to provide the domain i will be protecting. For the backend server there is no domain, it will just be a static ip.
Can someone please guide me as to what is the correct approach here ?

Setting up clientCredentials Endpoint Behaviour on WCF-Custom Send Adapter

I am trying to wrap my head around how this should be set up correctly. I have two certificates, a client certificate and a service certificate. I've placed these in the MMC, on the service account for the host instance that handles the send port. So the client certificate is placed in the Personal folder and the service certificate is placed in the Trusted People folder.
I've tried using several "Find" methods to locate these certificates, such as thumbrprint and serial number, but I always get a "Certificate not found" exception back.
My current settings on the adapter.
Client certificate:
Service certificate:
My settings for Authentication:
SSL Certificate Authentication settings:
What is the correct way to add the certificates to the different stores, so that they can be located by Biztalk? I've found the MSDN documentation on the topic, but it doesn't really provide any answers: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/clientcertificate-of-clientcredentials-element
You have to be logged in as the BizTalk Service Account to manage Certificates. Run As doesn't typically work.
Other than that, the instructions should be correct.

SSL certificate for WebAPI

We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.

How to secure ClickOnce Deployment with Visual Studio using IIS7.5

In IIS7 I have a FTP site and Website for deployment. Everything works fine, the only thing I do not like is that theoretically every user can tamper with the application files on FTP because read/write access is configured for anonymous.
I fixed this by enabling and configuring "Basic Authentication" instead of "Anonymous Authentication" and now I have to provide my domain password during deployment.
Great! So what's the problem?
The problem is that the password is transferred unencrypted.
Question(s): How can I make sure that the password is encrypted (can I use sftp instead of ftp?)
Any thoughts about certificates? I already tried with a self signed certificate but didn't managed to get things running.
Are there other way to deploy software more secure? I tried over https but I don't have the Frontpage Extension which is necessary for this.

Facebook App: any way to run the app without SSL?

I am working on my first app for Facebook and facing (probably) with the SSL problem. If I am testing the app, so it's working well. But then I wanted to test the app by my friend - so I assigned him the role "Tester", he accepted it and I sent him the link to the app.
If he opened the app, he got the error The website is not available - Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error
I started google it and it looks that the cause is the missing SSL certificate on my hosting, where the app is stored.
BUT - how is possible, that the app is working me well without the SSL and to my friend doesn't? If the SSL is required for Facebook apps, why I didn't get the same error?
(I set Secure Canvas URL: to https://example.com/fb-app-directory/, however I don't have at this domain and hosting any SSL certificate).
I never used before SSL. I bought the domain name on Namecheap and hosting on Hostgator. So now, I should buy a SSL certificate from the offer (http://www.namecheap.com/ssl-certificates.aspx) of Namecheap, right?
Would be suitable for the Facebook app the cheapest one?
Look, this SSL problem can only be solved by purchasing a valid SSL certificate or looking for a server which can host your app and is SSL certified such as:
phpfog.com - Provides you with some limited space and database service.
heroku.com - Does not provide any storage space for saving dynamically generated data. To have that service, you have to buy the Amazon buckets service which, again, is a costly affair.
If you don't want to invest any money, I would recommend that you go with phpfog - it is easy and its documentation is pretty good.
You should buy an SSL cert in order for everyone to be able to access your app. Your friend probably has his settings set so that he browses Facebook securely, in this case he is hitting https://example.com/fb-app-directory/, not your actual URL.
The cheapest one isn't the best one, but it should work as long as it's valid. I would suggest using Heroku though, as that way you get everything you need - for free :)
Use a proxy in heroku.com and bring your page in secure domain as https://yourapplication.herokuapp.com/
"Starting October 1, 2011 Facebook will require a valid SSL Certificate for all pages and applications hosted outside of Facebook."
http://www.wpcode.net/fb-ssl.html/
Maybe you are visiting your application with http://apps.facebook.com/... and your friend is visiting with https://apps.facebook.com/....
Another possibility is that your friend has checked "Browse Facebook on a secure connection (https) whenever possible" under "Account Security".
Try ngrok. It exposes a local web server with just one command:
ngrok 80
After this you can access your localhost like this: xxxxxxxx.ngrok.com