Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSLStream example - how do I get certificates that work?

I'm using the SSLStream example from msdn here. The client code "seems" to work fine, as I can connect to google and it at least gets past authentication, but the server doesn't.

From the comments from the msdn page, I used the procedure on this page to generate my own private key, but it just doesn't work. I get an exception of System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. So I'm pretty sure whatever I'm doing is wrong.

So my question is simple: how do I get/generate keys that will work for my own little example program from msdn? It can be self-signed, whatever, but I'm too new to SSL to even know what exactly I need. All I want to do is to run the example as-given, except for specifying my own certificates for my local server. And it'd be great to know what I'd have to install on my 2nd machine if I just want to communicate between the two of them too (so it's not a 100% localhost example).

Personally I see this as a flaw in the example document. It should say "to run this, you need to do A, B, C, etc," but it doesn't.

like image 708
Kevin Anderson Avatar asked Apr 02 '12 19:04

Kevin Anderson


People also ask

How do I install a certificate in my system?

To install the certificates from a browserOn the browser, click Settings > Manage Certificates. On the Trusted Root Certification Authorities tab, click Import. After installation, click Close.

How can I get certificate from https server?

To obtain an HTTPS certificate, perform the following steps: Create a private and public key pair, and prepare a Certificate Signing Request (CSR), including information about the organization and the public key. Contact a certification authority and request an HTTPS certificate, based on the CSR.

How do I create a Web API certificate?

Generate a client certificate using the API Gateway consoleOpen the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the main navigation pane, choose Client Certificates. From the Client Certificates pane, choose Generate Client Certificate.


2 Answers

You can get the example to work even with self-signed certificates. I've extracted the commands from the makecert tutorial that you're using with minor modifications:

makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv  TempCert.pvk -pe -sky exchange TempCert.cer cert2spc TempCert.cer TempCert.spc pvkimprt -pfx TempCert.spc TempCert.pvk 

makecert and cert2psc can be found in your Microsoft SDKs\Window\v7.0A\Bin folder. The pvkImport.exe installer can be downloaded here (Provided by @Jospeph and VirusTotal verified). This used to be downloadable from the Microsoft Site, but they have since taken it down. Alternatively, @Dweeberly pointed us to a new Microsoft-provided replacement, pvk2pfx.

For this next step make sure that you select to EXPORT the private key when the dialog from pvkimprt comes up:

pvkimprt -pfx TempCert.spc TempCert.pvk 

enter image description here

pvkimprt will prompt you for a password when you elect to include the private key. You will need to provide this password later when you import the generated .pfx file into the personal store of your server machine

enter image description here

Next, import RootCATest.cer into your Computer store's Trusted Root Certification Authorities (on both the server and client). Notice that the certificate is issued to FakeServerName. This must match the server name that the SslTcpClient expects: sslStream.AuthenticateAsClient(serverName), where serverName is the value of the second argument passed to SslTcpClient.exe.

When your client connects, the server presents a certificate that tells the client "I'm FakeServerName". The client will accept this claim if the client machine trusts the CA that issued the certificate, which is achieved by importing RootCATest.cer into the client's Trusted Root Certification Authorities.

Finally, you need to import the private key that the server is going to use into the server machine's Personal store. This step is important because it addresses The server mode SSL must use a certificate with the associated private key.. This is achieved by importing the .pfx file that you generated earlier. Make sure that you change the file type filter to "all files" so that you can see the .pfx file that you generated:

enter image description here

The sample code provided by MSDN uses port 443 (which is the standard ssl port). Since I created console applications, I changed the port used by the sample classes to 8080:

SslTcpServer:

TcpListener listener = new TcpListener(IPAddress.Any, 8080); 

SslTcpClient:

TcpClient client = new TcpClient(machineName, 8080); 

Here's the output:

enter image description here

you would launch your server like this:

SslTcpServer.exe TempCert.cer  

from the client, you would connect like this:

SslTcpClient.exe <ip to your server> FakeServerName 
like image 122
Tung Avatar answered Sep 21 '22 03:09

Tung


generate your certificate using this command:

makecert -r -pe -n "CN=localhost" -m 12 -sky CertSubject -ss my serverCert.cer 

and then from client connect to the server like this (assuming we are using MSDN example you mentioned):

SslTcpClient.RunClient ("localhost", "CertSubject"); 

you will get validation errors in ValidateServerCertificate() call - but that's expected - you are using self-signed certificate. Just return true there.

UPDATE:

I disagree with Tung's suggestion of adding self-signed certificate into the client's Trusted Root Certification Authorities. I think it can cause issues later on if you plan to distribute/support your software. For example, client might reinstall windows, or move his profile to another PC, or whatever - and understanding WHY your software suddenly stopped working will be a pain (again, i'm talking long-term - a year or two from now, when you completely forget this little "trick").

Instead i would rather suggest to "hardcode" your certificate (by comparing subject and thumbprint) into client's logic, something like this:

X509Certificate2 certificate = (X509Certificate2)cert; if (certificate.Subject.StartsWith("CN=FAKE_SERVER_WHATEVER") &&     !string.IsNullOrEmpty(certificate.Thumbprint) &&     certificate.Thumbprint.ToLower() == "11c4446c572a9918ced3618728b91b3a07982787") {      return true; } return false; 
like image 27
avs099 Avatar answered Sep 24 '22 03:09

avs099