SSL certificate for WebAPI - rest

We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.

Related

Remove certificate from old server and install on new server

We host a website in our company.
A certificate was issued to www.ourdomainname.com from the company IT department.
Now we want to move the website to azure and install the certificate there.
I already exported the certificate with private key exported set to true from the server.
1.) What will happen when the certificate is installed on azure when it is also installed on our company server?
2.) What will happen when the website on our server is stopped in the server and the certificate is then imported to the azure website?
3.) How can I guarantee a soft transition time without any break?
The aim is:
Website on the company server going to be deleted and the website on azure is used instead.
What will happen when the certificate is installed on azure when it is also installed on our company server?
web site will be available via SSL in Azure too.
What will happen when the website on our server is stopped in the server and the certificate is then imported to the azure website?
web site on your server will be inaccessble.
How can I guarantee a soft transition time without any break?
it is more about DNS management. There is no much work with SSL. You just install SSL on both internal and Azure servers, so clients can access both. Test if web site on Azure works the same way as on your internal server. Then point all clients (via DNS) to a web site on Azure. When all clients move and there are no references to internal server, you can safely shutdown it.
The SSL Certificate which was exported from the current server has to be imported in Azure. The format of the certificate has to be PFX.
Now, in the DNS Management , you need to edit the A record for the URL and point it to the IP address of Azure. This will make sure that any request made will be handled by Azure .

Swisscom Cloud SSL certificate

We're rolling out some simple static web sites onto the Swisscom CloudFoundry cloud, and want to enable SSL for the sites.
Our product manager is not happy with the scapp.io or applicationweb.io names, and we want to be able to add SSL certificates for our domain, e.g "www.swisscom.io".
How do achieve this, given the fact that we're users and not administrators and don't have access to the "Operations Manager" tool? This question is specifically about the Certificate: The setting up of the domain and DNS is clear.
SSL certificates from Let’s Encrypt are now available on the Swisscom Application Cloud: SSL Secure Routes
The cloud guys can probably help you out more here, but one option would be to use: https://www.cloudflare.com/
I was able to use the cloudflare SSL certificate to secure the traffic to and from my application without having to upload a certificate or use the "Operations Manager" tool.
Cheers,
Allan.
I'm currently using an existing VM on https://www.digitalocean.com to serve as a reverse proxy (see https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension#enabling-ssl-reverse-proxy-support, e.g.). It works, but it's not very elegant.

Certificates being renewed yearly - how to reliably find them in the cert store?

I've been tasked to add security by means of certificates to an external web service we call from our ASP.NET 4.0 Webforms application.
I've been able to play around with the certificate and get the code to work properly, but there are still a lot of questions unanswered when it comes to deployment of that solution. I'm pretty new to actually using (and dealing with) certificates - I understand the basic theory behind them, just never used them much myself.
The service is an external REST webservice provided by a company which also issues the certificates - and those will expire on a yearly basis and need to be renewed yearly. So "baking" them into the ASP.NET app as an internal resource doesn't seem like a good idea.
I'm leaning towards putting them into the certificate store on the Windows 2008 Server. That works fine, but what I'm not sure about: how do I FIND the appropriate certificate from code? I know about the X509Certificate2 and X509Store classes - but what criteria should I search for?
What item (Serial number? Thumbprint?) would remain the same if that cert has to be renewed every year? Or do I have to update my config and store a new serial number or thumbprint every time the cert has been renewed?
If I understand correctly you need to ensure that you are communicating with correct web service.
You are using https to connect to the REST service. Is it a WCF service or Web API? Either way the web server will handle the SSL part (hmm, only if hosted on a web server and not self hosted). So if we make it easy then the web service is hosted on a web server. The web server will handle establishing SSL connection and will send you server certificate.
Then you need to check if you are communicating with correct web server. Your options are:
manually update config file with thumbprint that will change every time the certificate of web server will be renewed. Also serial number will change when they renew the certificate.
check for common name in the subject or better if the is correct DNS name (of the web server) in Subject alternative name (SAN = extension in the certificate) or in CN (when SAN is not in the certificate)
build a certificate chain (using X509Chain.Build method) from web server's certificate and check if it contains a CA certificate that you have embedded in ASP.NET application or if it matches given thumbprint of CA from you config.
1) - will work but you have to ensure to update config file every year
2) - will work nice until they change DNS name of the web server, but it would result in change of your web.config so ... it will work. One thing to note is that extracting any extension from X509Certificate2 class using standard .NET framework is not easy. You would need to either go to ASN.1 level or use some crypto library that can extract the SAN in a friendly way.
3) - will work nicely. You can use Root CA certificate or dedicated intermediate CA certificate. You have to ensure that web server certificate is trusted for certificate chain to be built but that applies generally to all solutions. It will work pretty long time because CA certificates are issued to i.e. 20-30 years.

Installing Wildcard SSL Certificate on Azure VM

I'm developing an application on Azure VM and would like to secure it by using the wildcard SSL certificate that I'm already using with my main domain. The SSL cert works with any *.mydomain.com and the application on Azure VM is accessible through myapplication.cloudapp.net
Based on the research that I've done, CNAME should be the best option to do that (I can't use A record since we need to shutdown the VMs every week and turn them back on the next week and will lose the ip addresses).
My two questions are:
How can I have myapplication.cloudapp.net be shown as subdomain.mydomain.com?
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?
How can I have myapplication.cloudapp.net be shown as
subdomain.mydomain.com?
Yes - this is just the CNAME forwarding and ensuring that the appropriate SSL certificate is installed on the server.
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?
Well as you're already exposing the Application through the VM - this should happen seemlessly.
Just a word of caution, you mention that you're using the certificate on the main domain, but haven't mentioned where you're using this. Be aware that, out-of-the-box, you can only assign one SSL per HTTPS endpoint. You can enable multiple SSL certificates on an Endpoint for Azure / IIS using Server Name Identification and can be enabled directly or automatically. If you do take this route, remember to configure your SNI bindings first, then apply the default binding - it kinda screws up otherwise.

SSL Cert on Seperate Email Server and Web Hosting Server?

I am working with a client who needs SSL on their Email and Web Site.
We have their site hosted on a Rackspace Cloud Site (Wordpress so Apache and all that jazz).
From what I can tell their Email is on an ISS server of their own.
They want to apply this SSL Cert they bought through GoDaddy and apply it to this email server and to the site on our hosting server. Now I am only a Web Developer with enough server knowledge to get sites launched and running, But I don't think you can apply the same SSL Cert on two different types of servers.
What would the solution be for this?
Would you purchase a second ssl? Is that even possible?
Sorry if this is a all completely wrong I am trying to use my limited knowledge of SSL to describe the situation.
I'm pretty sure you can use the same certificate if it's going on two servers as long as they are both using the same domain. You don't need to purchase a second ssl. The tricky part might be if the two servers require different certificate file formats.
Also, just do the CSR part on ONE of the servers (use the one you trust the most). On the other server just install the certificate bypassing the CSR part.