Trusted root certificate on azure app services - asp.net-mvc

I have an asp.net mvc app that needs to access a backend api and several services that is using self signed certs. Have no control over forcing client to use proper certs.
On my development environment, i am installing the self signed certs on Trusted Root Certificates to have it work.
However, I am facing SSL certification error when connecting to those services after publishing the asp.net mvc app to azure app services but I am unable to find a way to overcome this.
Is there any way that I can overcome this challenge like installing self sign cert on azure app services? I would not like to ignore ssl error in code level if possible as this would require changes on multiple part in code.
Limitation:
Production Backend API and other services provided by client is using self signed cert
The asp.net mvc app must be hosted on azure app services provided by client

Answering based on your requirements that you only need to connect to a private endpoint that has a private cert (your app service can have a public endpoint).
Try to follow the guide outlined here to first upload the private certificate chain: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#upload-a-private-certificate (make sure to include the whole chain).
Once you upload the private cert, follow this guide to access it from your code: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
From there you should be able to use the certificate as needed within your code.

Related

what is the best way to code sign(digitally sign) exe on client system more securely (with certificate safety)?

I have a windows service and part of business logic it generates a desktop file setup. Now, I want to code sign that desktop file setup Programmatically so that Windows will not warn the end user about an application from an "unknown publisher".
I also know its very straight forward process as I can do it by Microsoft signtool by taking certificate from local system and also can use Azure signtool by taking certificate from azure Key Vault for sign setup.
now, I have following doubts:
Now my problem is certificate security as windows service installed on client system and signing process will go on client system so, Its possible to misuse certificate by anyone.
currently using AzureSigntool which takes certificate from azure Key Vault directly but we doing it programmatically so we need to pass some sensitive info. like client Id, key vault Url, and secret Key with windows service code to access certificate during signing process. another point is that we doing signing by AzureSigntool on client system. does anyone can make forgery of my certificate from Azuresigntool during signing process?
If do not hesitate to suggest any other best possible approach also.

Which SSL-certificate can insure a secure TCP-connection between C# listener on Amazon Lightsail instance and iOS app?

I created a simple .NET Core Console application on C# which uses TcpListener to accept connections on a specific port and return an answer.
I bought an AWS Lightsail instance and deploy my server application manually via RDP. The instance has a static IP-address and a domain name like ec2-<IP>.eu-central-1.compute.amazonaws.com (as I discovered via reverse DNS lookup). The client is an iOS application and it needs a secure TCP connection to transfer data to server and vice versa. iOS app is not working with my self-signed certificate - it needs to use certificate from trusted CA, so the question is: where I can get the trusted SSL-certificate for Amazon Lightsail instance mentioned above?
I created a package to help with sockets and iOS using Obj-C. Also included is a very good resource for creating a certificate that will work. You will actually probably need to create a certificate authority, and intermediate certificate authority, and server/client certificates, check out the link:
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master

Getting client certificates in Azure Web App using OWIN

If you are using Azure Web Apps to host your web application (let it be an ASP.NET MVC web app) you do not have the possibility to set up the IIS behind the Azure Web App to accept client certificates through an HTTPS connection. My application has some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate. So in my case the only way is to accept client certificates.
I am not sure about that, but if I know well I can still get the client certificate by using OWIN while the SSL Settings in IIS is set to Ignore. If I use OWIN and go through the OWIN environment I can see a key called ssl.LoadClientCertAsync.
I am implementing endpoints that a third-party service will call, so I have no control over the content of the request. I know that there is a ssl.ClientCertificate key, with type X509Certificate, but in my case this key doesn't exist.
I have found some C# solution about using this ssl.LoadClientCertAsync key to get the certificate like in the CheckClientCertificate method of Katana or the solution in this C# Corner article. In every solution that I can find in the net, the author gets this type as a Func<Task> and then calls this task, by for example using the await operator.
var certLoader = context.Get<Func<Task>>("ssl.LoadClientCertAsync");
if (certLoader != null)
{
await certLoader();
...
After that they retrieves the certificate by using the ssl.ClientCertificate key.
var asyncCert = context.Get<X509Certificate>("ssl.ClientCertificate");
In this example, my asyncCert variable is always null. There weren't any ssl.ClientCertificate key in the OWIN context. I have tried to use the X509Certificate2 instead of X509Certificate, but I still got null.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN? If yes, why can't I get the certificate using the ssl.LoadClientCertAsync key?
According to your description, I have created my ASP.NET MVC web application for working with client certificate in OWIN to check this issue. The following code could work on my local side:
if (Request.GetOwinContext().Environment.Keys.Contains(_owinClientCertKey))
{
X509Certificate2 clientCert = Request.GetOwinContext().Get<X509Certificate2>(_owinClientCertKey);
return Json(new { Thumbprint = clientCert.Thumbprint, Issuer = clientCert.Issuer }, JsonRequestBehavior.AllowGet);
}
else
return Content("There's no client certificate attached to the request.");
For SSL Settings set to Accept, I could select a certificate or cancel the popup window for selecting a certificate.
AFAIK, we could enable the client certificate authentication by setting clientCertEnabled to true and this setting is equivalent to SSL Settings Require option in IIS.
As How To Configure TLS Mutual Authentication for Web App states about accessing the Client Certificate From Your Web App:
If you are using ASP.NET and configure your app to use client certificate authentication, the certificate will be available through the HttpRequest.ClientCertificate property. For other application stacks, the client cert will be available in your app through a base64 encoded value in the X-ARR-ClientCert request header.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN?
AFAIK, the current SSL Settings for client certificates only supports Ignore and Require for now. When hosting your web application on azure web app, for the client users who access your azure web app with client certificate authentication, they could specify the certificate to a base64 encoded value as your custom request header when sending request to your azure web app, then your could try to retrieve the header and verify the cert if the cert custom request header exists. Details, you could follow this sample.
Additionally, you could use Azure VM or Azure Cloud Service instead of azure web app, at this point you could fully control the SSL Settings in IIS.

Rails: Automatically Create & Provision SSL Certificate via API

I'm building a Rails-based website builder as an experiment and am wondering if there's an API for purchasing and provisioning an SSL certificate automatically for a new website via an API. I believe I have a way to set up the domain and unique IP (although still working through that), but not seeing a great way to set up the SSL certificate.
I found some sort of SSL API -- anyone used it? http://doc.rpc.gandi.net/cert/usage.html

ios generate application specific key

I'm working on an ios application without authentication. Now I would like to protect my server API from calls other then my ios application. A possible solution would be to have the application generate a unique key (based on the appname and the signing), which is not stored on the device since this is the main problem. I could think off an application logic that does some protection combined with some file encryption but the problem is that somewhere something is stored (ex public key can be stored in keychain but still not safe for my API-hackers).
Anyone any tips/advice on how I can handle this ?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application, if the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

Resources