Internet Information Server (IIS)
Fun testing SSL and HTTPS
In order to build the payment gateway to Protx, I need to be able to run a page over HTTPS. This, as you may know, stands for Hypertext Transfer Protocol (Secure). It makes use of SSL (Secure Sockets Layer) on top of the TCP/IP transport layer, and allows encrypted data, such as credit card numbers, to travel across the internet with little chance of being read by third parties. My objective was to find or create a free test certificate in order to run a page in https mode on my server (IIS on XP Professional). After successful testing, the page would be sent to the public website, and a proper certificate would be purchased.
(Note that this discussion involves Microsoft IIS - Unix/Apache users may prefer to search for OpenSSL as a possible starting point. Although certificates are programming-language neutral, we tend to lean on suppliers that specialise in our favoured spheres.)
First we need a certificate. By the way, a 'certificate' is a text file containing a unique public key, which acts as the key used to encrypt text sent across the internet. Normally they are 'certified' by a trusted certificate supplier. Certificates can be purchased from Verisign or Thawte, for a couple of hundred dollars upwards. Cheaper certificates are available at GoDaddy and other places. Some of the money you pay is spent by them checking on your activities, to ensure you do nothing underhand - otherwise they can decide to let your certificate lapse. But all I want to do is test a page and the payment gateway, running from my PC's IIS server (XP Professional), before I upload it to live. So there's no need to buy a certificate yet.
Obtaining a certificate with makecert.exe
Microsoft has two utilities available for free download. One is the makecert.exe tool, supplied in the .NET SDK (to download it, go to www.msdn.com). I found this difficult to use, and had to read a couple of articles on it. I then found that my version differed in behaviour from the one in the article (this might be because I have the ASP.NET 1.1 version - the link above is for the 2.0 version). The all-important option -pe (to allow self certification) decided not to work. See these links for help on this tool (and maybe you'll have better luck than me):
http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx
http://msdn2.microsoft.com/en-us/library/ms751408.aspx
Obtaining a certificate with SelfSSL.exe
So I gave up on that line of enquiry and tried SelfSSL, which is also available from MSDN at www.msdn.com.
Once the tool is downloaded, run it this way.
(If you need help, go here.)
start > all programs > IIS resources > SelfSSL
then enter SelfSSL /T and answer 'y' to the question about overwriting the certificate settings for site 1.
This creates a self-signed certificate, adds it to your trusted certificates list, and automatically attaches it to the default website in your IIS settings. (So much easier than makecert!) There is some good documentation on the menu mentioned above, giving a full list of options and switches, but /T is the most important one for my test purposes.
The MMC tool for maintaining certificates
There's a good way of monitoring which certificates you have: run the MMC tool. Go to Start > Run > mmc > File > New > Add/Remove Snap-in > Add > choose 'Certificates' > Computer account > Next > Local computer > Finish > Close > OK. Expand the first node and you will see the certificate listed under 'Personal'. By the way, you can save this useful console via File > Save As. To get it back, run mmc as before, then File > Open, and it should be listed there. The default name is console1.
While you are here, it is a good idea to restrict the certificate to a specific use, because you will start getting unexpected problems with database access etc. if you do not limit it. To modify its use, highlight the certificate, then right-click to display the properties. Using the radio and check boxes there, limit the use of the certificate. For my purposes, all I enabled was Server Authentication. SQL Server runs alongside this without needing connections with encryption enabled. Remember, the more you encrypt over IP, the slower the perceived connection. Don't encrypt everything.
Another way of checking that something happened when SelfSSL ran is to open Internet Explorer (or your favourite browser) and look in the list of trusted CAs (Certification Authorities). In IE7 this is found via Tools (the gear wheel icon) > Internet Options > Content > Certificates > Trusted Root CAs. Your PC name should appear in this list as a trusted CA. If so, it means that when you browse to a page that has this certificate attached, it should open after a caution screen. (By the way, has anyone found out where the 'About' option in IE7 has disappeared to?)
Using the Certificate
So now you have a certificate. Next stage is to apply this certificate to your website, or directory, or file. In my case I just need the one page that requires encryption.
First ensure that SelfSSL has updated the default website. Go to My Computer > Manage (you must have XP Professional or better). Then in the MMC tool expand until you get to Default Website. Go to Properties > Directory Security. Here you can see the certificate (View Certificate). If the certificate was added correctly without a hitch, and it's trusted, there will be a small certificate icon in this window. If you see a red cross, something's wrong: it's not trusted and won't be any good for testing.
Now the point of all this: binding a file to the certificate. Go to the IIS MMC tool again and expand the website you are developing. This causes the individual .aspx and .html files to appear in the right-hand pane. Right-click the relevant file and select Properties. Choose 'File Security', select 'Use SSL' and tick the box for 128-bit security (i.e. SSL 2.0). Press OK and it's done!
Before running Internet Explorer it may be wise to restart the IIS service. (To do this, right-click My Computer > Manage, then expand the bottom node so you see 'Services'. In Services, highlight IIS in the right-hand pane, press the Restart hyperlink and click 'Yes' to the question.)
Now browse to the page modified above with https instead of http, for example:
https://localhost/mywebsite/mypage.aspx
There should be a caution that the certificate is for a different website, but it should allow you to continue.
Pitfalls
There have been plenty of nasties that I have encountered. These are the ones I remember clearly.
When I look at the certificate in IIS Default Website, there's a red cross through it! This means the certificate is not trusted. In other words, the certifying authority is not listed in the trusted CA list. If you have used SelfSSL to create the certificate, you have not used the /T option, which automatically adds your computer to the list of trusted CAs.
My ASP.NET connection to the SQL database isn't working! Yes, the certificate has done this, but it's a question of tuning. Here is why. If a server certificate exists on the computer with its usage set to <all>, the SQL connection expects all connections to use encryption. If this has not been specified (using Encrypt=Yes), the first job it tries to execute after getting a connection will fail. The way around this is to use the certificate only for specific purposes. To amend a certificate so it only affects specific jobs, go into the MMC tool for certificates (see above) and amend one or more certificates: highlight a certificate, go to Properties, then select the relevant use. Alternatively you can disable a certificate completely, so that it is ignored by all services on the server/PC. After doing this, restart your MSSQL service(s).
But my ASP.NET SQL connection worked yesterday. What's going on? The SQL service has most probably been restarted since yesterday. On restart, it found the certificate and henceforth decided that any connection to it via the internet should use encryption.
Using Internet Explorer, I can't run the page I have set up with https. It says the page uses a certificate that was set up for another website. It doesn't allow me to continue to the website when I click the relevant link. This is because the 'website' you are testing most probably does not have the same name as the PC (the NetBIOS name is what SelfSSL uses). There are two ways round this one. First, I just used Mozilla Firefox to continue testing! Secondly, if you want to use Internet Explorer, lower the security level in your Internet Options so you are allowed to continue.
How do I test all this in the website? I did a very simple test. Create two HTML pages, secure.html and non_secure.html, and link each to the other with absolute URLs. Remember that https can only work with fully qualified URLs. Of course the secure.html page has its file security enhanced by the steps mentioned above.
Pages using https still don't appear, and I have done everything above. Make sure the HTTP SSL service is running. Mine was set to Stopped, which means no browser would see a secure item. Set it to running in the Services MMC (via My Computer > Manage).
I get an annoying message saying the page contains secure and non-secure items. To fix this, all graphics files (and all other files referenced by this URL) have to be referenced via relative URLs. Alternatively, secure the images directory (but remember: if these are referenced by non-secure pages using http, they won't show). If an image is referenced with an absolute URL that links to a non-secure location, you get the message. See this useful link. Basically, if you have any 'http://' referenced anywhere in the source, it needs to be either removed, changed to a relative URL, or changed to 'https://' - which is a rather unexpected featurette. The ones that tripped me up were the IntelliSense http reference in the HEAD portion of the page, and the BASE element referencing the root page. Commenting out one and changing the other to https sorted my problems out.
I have done everything above but I'm still getting problems running a test https session. Have a look at the following link. It has some rather extreme solutions, like reinstalling the whole of IIS, but other comments are useful. http://www.duxcw.com/faq/win/xp/secure.htm
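To find those references before hand-editing the source, here is a small scanner added as an illustration of the rule above (my own example, not code from the original article): it lists every attribute carrying an absolute http:// URL and proposes the fix the text describes (a relative URL for your own site, https for anything else). The sample page, site root and file names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class InsecureRefScanner(HTMLParser):
    """Record every tag attribute whose value is an absolute http:// URL."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line number, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # The rule is "any 'http://' anywhere in the source", so every
            # attribute is checked, not just src/href (BASE and xmlns included).
            if value and urlsplit(value.strip()).scheme.lower() == "http":
                line, _offset = self.getpos()
                self.findings.append((line, tag, name, value.strip()))


def find_insecure_refs(html_text):
    """Return the (line, tag, attribute, url) list for one page's source."""
    scanner = InsecureRefScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def suggest_fix(url, site_root):
    """Same host as our site: make it root-relative; elsewhere: switch to https."""
    target, root = urlsplit(url), urlsplit(site_root)
    if target.netloc.lower() == root.netloc.lower():
        return target.path or "/"
    return target._replace(scheme="https").geturl()


# Constructed sample page with the two mistakes described in the text:
# an absolute BASE element and an image referenced with http://.
SAMPLE_PAGE = """<html>
<head>
<base href="http://myserver/mywebsite/">
<link rel="stylesheet" href="styles/site.css">
</head>
<body>
<img src="http://myserver/mywebsite/images/logo.gif">
<img src="images/cart.gif">
<a href="https://localhost/mywebsite/mypage.aspx">Secure page</a>
</body>
</html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url} -> {suggest_fix(url, 'http://myserver/mywebsite/')}")
```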
Other useful links:
http://www.somacon.com/p41.php - Useful if you want to use OpenSSL to create a certificate rather than makecert.exe or SelfSSL.
http://support.microsoft.com/kb/324069/ - How to set up an https service in IIS.
http://www.codeproject.com/useritems/Certificate_Setup__HTTPS_.asp - more info about OpenSSL.