Applied Secure Socket Layer in .NET: Part 2 Installation and Testing

[Volume 2: Installation and Testing]

Before reading this article, I highly recommend reading the previous part:

1. Secure Socket Layer in .NET
   

The first volume of this series has described the Secure Socket Layer (SSL) in the context of .NET based websites. We have obtained a thorough understanding of SSL internals as such and how it works, what the role of digital certificates are and the advantages of SSL implementation upon ASP.NET websites. Now, this article is resuming the voyage by covering the applied aspect of SSL in .NET websites via IIS webserver along with the creation of digital certificates.

Abstract

Secure The Socket Layer (SSL) is specially designed to protect the data transmitted from a server to a client and vice versa, by enabling digital certificates on IIS websites that encode the communication and preventing others from observing sensitive information. SSL employs public key cryptography to establish a secure connection between the client browser and the server that literally concluding that anything encrypted with a public key can only be decrypted with the private key and vice versa.

Essentials

The process of SSL certificate configuration on a web server is considered to be very complicated. It typically requires subsequent software and utilities and a deep understanding of IIS web server internals.

• Visual Studio 2010 with SP1
• IIS Web Server 7.0
• Selfssl.exe
• Browser (IE, Chrome)

SSL (HTTPS) Implementation Life Cycle

Making ASP.NET secure by implementing a Secure Socket Layer (SSL) is considered to be a tedious task because diverse technology specialists become involved at 2 lifecycle stages during implementation. It is always recommended to attach a digital certificate issued by a trustable CA authority rather than self-signed so that users easily trust our website. This task in fact requires the involvement of a couple of financial and system admin representatives. We shall describe the SSL implementation via self-signed certificate over an ASP.NET website that is typically authenticating users during login and the user's logon information is validated by a custom web service. Hence, we shall use the following procedure:

1. Creating SSL certificate (self-signed)
2. Install Server Certificates on IIS Web Server
3. Create a Web Service to authenticate login credentials
4. Configure the Web Service Virtual Directory to Require SSL
5. Test the Web Service Using a Browser (optional)
6. Install the Certificate Authority's Certificate on the Client Computer
7. Develop a ASP.NET application to Call the web service
8. Test the website using Https://
9. Add self-signed certificate to trustable zone.

Getting Started

This section describes the IIS web server, secure ASP.NET application, digital certificate creation and the configuration in a step-by-step format. Hence, it is suggested that the aspirant should have all the prerequisites and do the configuration properly.

IIS Web Server Testing

Every website is hosted on a webserver to populate its resources on the internet. Since this tutorial is related to ASP.NET websites, Internet Information Services (IIS) servers must be configured on the developer machine because SSL setting is done at the web server where the web site is hosted, not at the programming site. IIS is typically provided as a builtin package in the latest versions of the Windows OS family but disabled by default. Generally we can check whether IIS services is either enabled or disabled by entering http://127.0.0.1 into the URL. If it is not configured then go to Windows Features and enable the following check boxes:



This process generally takes some time to install or activate IIS services on the client machine. We can also enable subsidary services such as FTP from here.

Configuring Website in IIS (Virtual Directory)

Once IIS is installed, open the template by issuing inetmgr.exe as a command from Run. During creation of the new website in ASP.NET, they are all bound to the default web site in IIS. But in this scenario, we shall create a new website virtual directory pointing to the %system-drive%\inetpub\wwwroot directory where our website's resources are located. Here, the newly configured website runs as www.sslTesting.com in the web browser.



The www.sslTesting.com is configured but it won't populate on the internet or locally because the DNS server settings are not attached to it so far. There is no point in running this website on the internet but in order to run it locally, we shall need to bind it with the local system IP address through the HOST file (located at %system-root/drivers/etc/) as in the following:

We are now able to run this website locally as if we are running a live website on the internet as in the following. But it is running particularly, on the HTTP protocol so far and just populating the server machine default page indeed.



Web Service Development for User Authentication

The front-end of this website displays a login page and a login authentication web service is employed at the back-end to validate the correct user name and password. The user sensitive information is typically stored in a database but in this exercise we are storing them in a XML file.

This XML file contains an entry for username and password for a single user identity as in the following:
Creating Self-Signed Digital Certificate

There are two options to create a digital certificate. First, buy a digital certificate from a trustable CA but it is not free and will cost some amount to issue a certificate that ensures the valid identity of our website. Second, in case we want to run the website on the intranet, then a self-signed digital certificate is the perfect option. Although the process of configuring both certificated on a web server is the same.

So, select the system machine name from the left-panel in IIS manager and click over Server Certificates as in the following:



Now, choose the "Create Self-Signed Certificate..." command from the very right pane in the IIS manager as in the following:



Here, specify any name of the self-signed certificate. For example, www.sslTesting.com as in the following:



The self-signed certificate is created and located in the Server Certificates list with other information such as issued To, By and Date as in the following:



Binding Certificate to website

It is not necessary that only a single website is hosted in the IIS web server. The list could be multiple and we need to bind the created self-signed certificate to our website www.sslTesting.com as in the following:



Up until now, the website www.sslTesting.com was running on the HTTP protocol under port 80. In binding, we shall allow our website to run with port 443 and the HTTPS protocol as well as attaching the digital certificate as in the following:



Then we can observe the www.sslTesting.com website has also been configured to allow secure traffic on port 443 with the HTTPS protocol as in the following:



ASP.NET Web Application (with Https)

First of all, open Visual Studio 2010 with Administrative Privileges and then choose "File" -> "New" -> "Website..." to create a new ASP.NET website. Moreover, choose HTTP as Website Location and select Default Web Site from local IIS and be sure to check the "Use Secure Sockets Layer" option as in the following:



Moreover, design a typical login form prototype by placing two text boxes and two buttons in the default.aspx file. Finally the design turns out to be in the form as in the following:


It is not necessary that every user is a computer geek and he must have the difference HTTP and HTTPS protocols. Some users type the name of the website in directly, without even using the Https:// prefix. Hence the following code to check whether or not the URL entered contains https. If not, then it is automatically prefixed with "https://".
In this exercise, we are validating users on behalf of the correct user name and password information that resides in a XML file in spite of locating it in a typical database. The following code extracts the login information from the XML file and validates the user credentials.
The coding for Login form implementation is completed. Now, compile the website. As decided, the web page will be run by the https:// protocol this time because we enabled the SSL option earlier. But, the URL produces an error cross mark regarding unrecognized digital certificate. So no one is willing to open our website until that cross mark doesn't appear.



Testing on Custom Website (Host name)

We have configured a local website by making an entry into the system host files, so that it gives us an impression of a real HTTPS website. But as usual, it produces a digital certificate error. Although all browsers provide an option to proceed even if the digital certification expiry alert is flashing.



We can even go forward and run the login page but the IE address bar repeatedly shows the Certification error as in the following:



This is not an issue especially with the IE browser. If we consume this website in another prominent browser such as Google Chrome then the result would be the same as earlier.



Such a digital certificate related error always makes a bad impression or especially if a user neglects our website because we don't ensure them that there sensitive data is safe at our website, they won't surf to it and in this case only a valid digital certificate can ensure our website entity.

Adding a Self-Signed Certificate to Trustable CA

So, our website is ready to use, every configuration is placed properly but we have failed to handle the digital certificate related alert message. It is obvious that we will get that error when we use a self-signed certificate in our local website. But we can eradicate this error by adding a manual entry of our self-signed certificate into the system's trustable CA. Hence, open IIS and note down the ID of our current www.sslTesting.com website; it is of course, 4.



Open a command prompt with Admin rights and run the selfssl.exe with the following parameters. Here, the /v switch determines the validity of the certificate in terms of days and the /S switch specifies the ID of our current website.



Then, open MMC and add the Certificates templates from the Add or Remove snap-ins.



Allow the certificates snap-in to manage the local computers. Once it is installed, we can have multiple folders related to the certificates managed in the root. The Personal folder specifies the repository of locally created self-signed certificates as we can observe in the following. Hence, this is the hack, until we won't move it into the Trusted Root Certificate, our browser always shows an alert related to the SSL certificate.



Hence, copy the recently created self-signed certificate “www.ssltesting.com” and paste it into the Trusted Root Certificate sub-folder Certificate as in the following:



Now, run the IE browser and locate the website with HTTPS. This time the browser does not show an error because the self-signed certificates has been added to the IE trust zone.



IE won't give any SSL alert because it is a Microsoft product itself but it is not guaranteed that other browsers also won't produce an alert. The Google Chrome browser still shows the cross mark in https as in the following figure.

We can fix this problem in the Chrome browser by clicking the Certificate Information from the cross in the https.



In the details tab, we can get all the information related to this self-singed certificate “www.sslTesting.com” such as validity, issuers and so on. But the Chrome browser is still unable to recognize them because they are not exported to the Chrome trusted zone so far.



However, click on the Copy to File Tab and export these details in an ad-hoc file as crmCert.cer that is stored somewhere in the memory.



Now, go to the Chrome browser advanced settings and go to Manage Certificates in the HTTPS/ SSL. Thereafter, switch into the Trusted Root Certificated authorities that list all the valid digital certificates.



Now, import the crmCert.cer file here and the moment it is added, the Chrome browser trusted zone will also have the self-signed certificated information.



It is important to place the details from the ad-hoc file into the Trusted Root Certificated authorities as in the following:



Finally, test the URL with https:// in the Chrome browser, it is running perfectly this time as in the following:



After showing the digital certificates, in the browser via https, we can ensure the user that his login information such user name and password are completely safe and intact when transmitted across the network.

Final Note

This paper showcased the complete life cycle behind SSL implementation in the form of a digital certificate over a typical ASP.NET website. We have seen how to drive our website to be populated by the https protocol so that all the communication happens in encrypted form back and forth. The purpose of configuring a self-signed digital certificate for our website is so that the user manipulates his sensitive data through our website fearlessly.