Tips and tricks in C# .NET
February 8, 2016 4 Comments
Introduction
In the previous post we added a couple of components necessary to add client certificate authentication into the OWIN middleware chain. We haven’t yet put the elements to work though. That is the main topic of this post which will finish this series. We’ll also run a couple of tests.
Have the demo application open in Visual Studio in administrator mode.
February 4, 2016 6 Comments
Introduction
In the previous post we started adding the necessary OWIN-related libraries to our Web API project: a couple of NuGet libraries and the Startup class. We publish our application to the local IIS and it doesn’t allow us to break the code within Startup.cs. We’ll soon see that we can still debug the OWIN components further down the call stack.
In this post we’ll add the necessary elements to a client certificate based authentication in .NET MVC with OWIN.
February 1, 2016 Leave a comment
Introduction
In the previous post we accomplished a couple of things. First we secured our demo Web API website with a client certificate. Second we enabled client certificates for it so that IIS doesn’t just ignore them. Finally we saw that the client certificate is also picked up in the customers controller when sent in code in a web request.
In this post we’ll start discussing how to add client certificate handling as an OWIN middleware component.
Make sure you open the demo Web API project in Visual Studio as an administrator.
January 28, 2016 10 Comments
Introduction
In the previous post we investigated how to attach a client certificate to the web request and how to extract it in a controller. We faced an issue that by default client certificates are ignored by IIS so we couldn’t actually read the certificate.
We’ll solve that problem in this post.
January 25, 2016 9 Comments
Introduction
In the previous post we looked at a couple pf examples on how to work with digital certificates in C# code. In particular we saw how to load certificates from a certificate store, how to search for and how to validate one.
In this post we’ll go through how to attach a client certificate to a web request and how to extract it in a .NET Web API 2 project.
January 21, 2016 1 Comment
Introduction
In the previous post we discussed how to install certificates into the certificate store. We looked at the tool mmc.exe and its certificate handler snap-in. We also inspected the imported certificates visually and verified that the client certificate is valid.
In this post we’ll see a couple of examples how to work with client certificates in code.
January 18, 2016 9 Comments
Introduction
In the previous post we looked at two tools that help you create self-signed certificates: makecert.exe and pvk2pfx. Makecert performs the bulk of the certificate creation process and pvk2pfx is a packaging tool to build pfx files. Pfx files are easy to import into the certificate store. We also created a root certificate and derived a client certificated from that root. We therefore applied the idea of the chain of trust: if we trust the root then we also trust all its derived certificates.
In this post we’ll import the client certificate into the certificate store.
This process is very similar to importing the server side (SSL) certificate. We saw that process in this post.
certmgr and MMC snap in
The c:\windows\system32 folder includes two GUI tools for certificate management: certmgr.msc and mmc.exe. MMC.exe is a more general tool where you can import so-called snap-ins. Certificates have their own snap-in.
Run mmc.exe as an administrator. The following empty window will open:
January 14, 2016 Leave a comment
Introduction
In the previous post we went through a short introduction on client side certificates. We said that client certificates are used by web clients to strongly authenticate themselves. Client certificates can provide an extra step in the authentication process to tighten security.
In this post we’ll see how to create self-signed client certificates for testing using a tool called makecert.exe.
The process of creating client certificates on your local machine is almost identical to how we generated server side certificates in the series in this series.
January 11, 2016 1 Comment
Introduction
Digital certificates play a crucial role in web security. If you work as a web developer then you’ve probably come across at least some security related project where you had to deal with certificates in code.
Certificates come in a couple of different versions depending on their function, the most pervasive of which probably being server side ones for SSL connections. We’ve gone through server side certificates in some detail before on this blog starting here. In this series we’ll concentrate on client certificates and see what role they can play in web security. Most of the material on server side certificates, especially the first 2 posts are also relevant for this discussion.
It’s important to note already now that you can combine a number of security levels and solutions in your projects:
…and there are probably many more options not listed here. The point is that these techniques can be combined, you are not restricted to just using one of them.
September 18, 2015 21 Comments
Say you have a .NET MVC or Web API project and you’d like to run it on SSL. In other words you’d like to start up the project on a URL similar to https://localhost:xxxx.
The first step is easy. You just select the MVC/Web API project name in the solution and locate the property called “SSL Enabled” in properties window:
A directory of wonderful thoughts
Web development
Various tidbits
WEB APPLICATION DEVELOPMENT TUTORIALS WITH OPEN-SOURCE PROJECTS
Bite-size insight on Cyber Security for the not too technical.
Exercises in .NET with Andras Nemes 