Installing Wildcard SSL Certificate on Azure VM - redirect

I'm developing an application on Azure VM and would like to secure it by using the wildcard SSL certificate that I'm already using with my main domain. The SSL cert works with any *.mydomain.com and the application on Azure VM is accessible through myapplication.cloudapp.net
Based on the research that I've done, CNAME should be the best option to do that (I can't use A record since we need to shutdown the VMs every week and turn them back on the next week and will lose the ip addresses).
My two questions are:
How can I have myapplication.cloudapp.net be shown as subdomain.mydomain.com?
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?

How can I have myapplication.cloudapp.net be shown as
subdomain.mydomain.com?
Yes - this is just the CNAME forwarding and ensuring that the appropriate SSL certificate is installed on the server.
Will doing that make it possible for wildcard SSL certificate to be used for Azure application too?
Well as you're already exposing the Application through the VM - this should happen seemlessly.
Just a word of caution, you mention that you're using the certificate on the main domain, but haven't mentioned where you're using this. Be aware that, out-of-the-box, you can only assign one SSL per HTTPS endpoint. You can enable multiple SSL certificates on an Endpoint for Azure / IIS using Server Name Identification and can be enabled directly or automatically. If you do take this route, remember to configure your SNI bindings first, then apply the default binding - it kinda screws up otherwise.

Related

Mutiple wildcard domains on same subscription with Plesk Obsidian

I’m using Plesk Obsidian and I need to host an application on it (a website builder).
On this application, users can create websites on subdomains, and the application will determines what website to show itself by checking the subdomain. Multiples main domain are available.
website1.domain1.com
website2.domain2.com
website3.domain3.com
All the main domains (domain1.com, domain2.com and domain3.com) and also all the subdomains must:
Go to the same directory in server
Be secured by a SSL certificate
Also, as users can also have a custom domain, I need to be able to add it and set the same directory in server and get a SSL certificate.
I’ve tried to create a service plan and a subscription and added the first domain (domain1.com) to it.
For the others domains, I’ve added an alias (domain2.com and domain3.com).
The problem is that I can’t add the wildcard for those 2 domains and have a wildcard SSL neither.
So accessing to anything.domain2.com result to a NET::ERR_CERT_COMMON_NAME_INVALID error.
For others domains set as alias, SSL need to be regenerated each time we add a new domain and they're are bonded to the main domain...
If it's not possible through Plesk interface, I'm not against build a custom script launched in command line.
However, I don't know were I can put those custom generated virtualhosts without risking to be erased on Plesk update.
You can set up a wildcard SSL as far as you use a CA that admits wildcards on the SAN (which nowadays are almost all of them).
Concretely, if you want free certificates issued by Let's Encrypt, you just need to follow the following steps:
Log in to Plesk
Install the Plesk extensions SSL It! and Let's Encrypt
Go to Domains > domain1.com > Hosting Settings
Make sure SSL/TLS support is enabled
Go to Domains > domain1.com > SSL/TLS Certificates
Click on Install > More options > Install a free basic certificate provided by Let's Encrypt
Select explicitly Secure the wildcard domain
Click on Get it free
Same for the rest of the domains.

SSL certificate for WebAPI

We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.

HTTPS for local IP address

I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve it's REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward it to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wild-card certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
While this is a pretty old question, it is still nothing that you find out-of-the-box solutions for today.
Just as #Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, that can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On you local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have a HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, A Simple solution would be to proxy all the requests to the device through your web server.this was even self signed certs for the devices wont be a problem. Only problem though is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (chrome) to send the api request to IoT device. but then the dependency on the app/plugin will be clumsy.

Certificates being renewed yearly - how to reliably find them in the cert store?

I've been tasked to add security by means of certificates to an external web service we call from our ASP.NET 4.0 Webforms application.
I've been able to play around with the certificate and get the code to work properly, but there are still a lot of questions unanswered when it comes to deployment of that solution. I'm pretty new to actually using (and dealing with) certificates - I understand the basic theory behind them, just never used them much myself.
The service is an external REST webservice provided by a company which also issues the certificates - and those will expire on a yearly basis and need to be renewed yearly. So "baking" them into the ASP.NET app as an internal resource doesn't seem like a good idea.
I'm leaning towards putting them into the certificate store on the Windows 2008 Server. That works fine, but what I'm not sure about: how do I FIND the appropriate certificate from code? I know about the X509Certificate2 and X509Store classes - but what criteria should I search for?
What item (Serial number? Thumbprint?) would remain the same if that cert has to be renewed every year? Or do I have to update my config and store a new serial number or thumbprint every time the cert has been renewed?
If I understand correctly you need to ensure that you are communicating with correct web service.
You are using https to connect to the REST service. Is it a WCF service or Web API? Either way the web server will handle the SSL part (hmm, only if hosted on a web server and not self hosted). So if we make it easy then the web service is hosted on a web server. The web server will handle establishing SSL connection and will send you server certificate.
Then you need to check if you are communicating with correct web server. Your options are:
manually update config file with thumbprint that will change every time the certificate of web server will be renewed. Also serial number will change when they renew the certificate.
check for common name in the subject or better if the is correct DNS name (of the web server) in Subject alternative name (SAN = extension in the certificate) or in CN (when SAN is not in the certificate)
build a certificate chain (using X509Chain.Build method) from web server's certificate and check if it contains a CA certificate that you have embedded in ASP.NET application or if it matches given thumbprint of CA from you config.
1) - will work but you have to ensure to update config file every year
2) - will work nice until they change DNS name of the web server, but it would result in change of your web.config so ... it will work. One thing to note is that extracting any extension from X509Certificate2 class using standard .NET framework is not easy. You would need to either go to ASN.1 level or use some crypto library that can extract the SAN in a friendly way.
3) - will work nicely. You can use Root CA certificate or dedicated intermediate CA certificate. You have to ensure that web server certificate is trusted for certificate chain to be built but that applies generally to all solutions. It will work pretty long time because CA certificates are issued to i.e. 20-30 years.

Are/can SSL certificates be specific to the service (e.g. server uses different certificate for HTTPS than for SMTP/TLS)

I can't work out a definitive answer on this, but from searching I find two links which seem to indicate to me that a server (in this case it's MS Exchange as per the links) can have different certificates in place for https than for secure smtp/TLS.
http://technet.microsoft.com/en-GB/library/bb851505(v=exchg.80).aspx
https://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
I have an issue which no-one has been able to help with here and this question is a follow on, in that I am coming to the suspicion that my first problem is that my machine trusts the https certificate, but not the one being used for smtp/TLS. But what I'm asking now, is that even possible?
Going through the diagnostic steps here shows me that the certificates in use when I access my mail server's web interface through https are fully trusted. However when I look at the debug of my c# process it is stating a completely different certificate issued by one of our servers to it's self (the server on which exchange is installed).
So... any one know if it's possible that I am thinking along the right lines... is it possible that when I do an https connection I get one certificate and when I use the .net SMTP client I get a completely different certificate (from exactly the same address, but I assume a different port)?
Is it possible that when I do an https connection I get one certificate and when I use the .net SMTP client I get a completely different certificate (from exactly the same address, but I assume a different port)?
Yes, you can have a different certificate for each listening socket on the machine, that is SMTP and HTTPS can use different certificates. On a machine with multiple hostnames you could even have multiple different certificates on a single socket, which get distinguished by the hostname (using SNI).