Which certificates does the IIS https binding 'SSL certificate' dropdown show? - binding

It seems to only show certificates that are in the LocalMachine\Personal store?

There are two place to install certificates: local computer and current user.
IIS also can show certificates that are in local computer.

Related

Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID

I am facing strange issue on chrome while debugging local ASP.NET application on chrome. I am not able to open localhost without https. With Https it's giving error: Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID.
It was working on chrome till last update & is working on firefox & IE.
There is also no option in advanced setting to skip error & visit site.
Please help.
Finally banging head on desk for two days I found this setting in chrome://flags/ to Allow invalid certificates for resources loaded from localhost.
finally no disable all certificate error, only for localhost. Adding answer for someone struggling with same issue.
We have found that the best (and only) way to override Chrome is to type the phrase thisisunsafe at the Chrome generated webpage that blocks you. Just type the text directly to the page; there will be no text entry box.
We have servers on an internal network which use SSL but which are not externally signed and this is the only way to get to them.
Just when the page loads, don't click on page and type: thisisunsafe.
Page will automatically refresh and will load the content.
You can copy this tag and add to Google Chrome shortcut to bypass this warning permanently.
--ignore-certificate-errors
Updated - March 2020: Adding the above tag to Google Chrome shortcut does not work anymore. In order to temporarily turn off or bypass this annoying warning from Google Chrome, to go chrome://flags and search for this following entry:
Allow invalid certificates for resources loaded from localhost
After that, enable the option and restart your Google Chrome browser. By doing so, you can bypass the alert as long as you want until you turn off the option.
Source: Fix Your Connection Is Not Private Error In Your Browser
There is a short explanation over at serverfault as to what changed in the RFC spec to cause this. One of the suggestions is to use or add the IP address (presumably 127.0.0.1) to the name 'localhost' for the DNS property of the self-signed cert.
If you use the dotnet core tool: dotnet dev-certs https --trust (or run the export per instructions in devcontainer.json) the localhost certificate generated will use only the name 'localhost'.
But there are other options for generating self-signed certs including Powershell. But...rather than follow the older syntax, use Example #9 as found on the New-SelfSignedCertificate docs:
New-SelfSignedCertificate -Subject "localhost" -TextExtension #("2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1&IPAddress=::1")
This appears to resolve the cert error in Chrome (96.0.4664.45). It's necessary to close and re-open Chrome after generating the new cert and incorporating it into your web project or container.
I ran into this error and my problem turned out to be Charles (it's a web debugging proxying app). I needed to install a SSL Proxy Certificate for Charles.
Go to Help menu
SSL Proxying -> Install Charles Root Certificate
Open Keychain Access and enable/allow it
If you don't use Charles then obviously this answer doesn't help you at all.
I had similar problem when I tried to use my self signed certificate and run my xhtml app in browser under https and with tomcat. What I did:
in java's RE dir (usually Program Files\Java\jre1.8.0_202\bin) there is keytool and in command line I used this:
keytool -genkey -alias example -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -keystore "C:\yourdir\yourkeystore.jks" -ext san=dns:localhost,dns:yourdesktophostname,ip:127.0.0.1,ip:::1
Answer questions to create certificate which is created for 10 years, SHA-2 and what Chrome needs more: san(SubjectAlternateName).
I added below lines to tomcat's server.xml (usually Program Files\Apacha Software...\conf:
<Connector port="yourportnumber" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
compression="on" scheme="https" secure="true"
keystoreFile="conf/yourkeystore.jks"
keystorePass="yourpassword"
SSLVerifyClient="none" SSLProtocol="TLSv1.2"/>
Restart Tomcat.
Open the localhost address in Chrome browser (https:\localhost:yourport). It will tell "Not secure" at left side of address line and https crossed out Click on it and in that window press on certificate (invalid). It opens the certificate window and press on Details tab and press on copy to file button. Create crt file as instructed.
Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates. Select Trusted Roots tab and import the crt file here. Edit this certificate and mark all check boxes.
Restart Chrome
It's 2022 now and web everywhere is using https protocol. Sooner or later the hacks and workarounds in this post will become more and more annoying or not work anymore. If you are developing web applications, even for testing, you will need to either get a free SSL certificate or issue your own certificate for in-house uses.
For free certificates, there are three popular web sites providing this service:
https://www.sslforfree.com/
https://letsencrypt.org/
https://zerossl.com/
If you're developing a local web application for your company intranet, you should generate your own SSL certificate using OpenSSL with the information below.
If you would like to generate your own certificates for different purposes, using the latest OpenSSL tool (version 3.0 series) becomes very convenient and relatively easy, too. Just follow the steps listed on this SocketTools page.
https://sockettools.com/kb/creating-certificate-using-openssl/
I have just completed and make our internal web server and application free of security warnings on any browsers. Once you've got familiar with the simple commands and you will be able to expand the OpenSSL uses to other web application projects.
I was trying to run my first .net Core web app in chrome and had same error. Using Version 84.0.4147.135 of Chrome.
To Resolve (quick fix),
When you run the application you will see two options 'Advanced' and 'Back to safety' on page, shown by chrome browser.
Click Advanced button, it will show you 'Proceed to localhost(unsafe)'. Click that and your application should work.
(I know above one is not a actual fix. The actual resolution is about adding localhost certificate as trusted root certificate.)
If you want to install certificate - When you will see error and if you click on error - 'NET::ERR_CERT_AUTHORITY_INVALID' it will show you certificate. Copy that and install into trusted root. I tried that however it didn't resolved my issue. I will update it if get resolution to this.
Just figured out how to solve this! Click on the Debug tab in the top menu and click on Debug Properties (right below Options), then scroll down and uncheck Enable SSL. Now try debugging your application again and it should work! It may take a minute to load but it definitely solves the problem...
I also had the same problem. By default Chrome uses google.com which didn't work for me but google.com.bd worked for me(I live in Bangladesh). So if u live in for example in the UK, google.com.uk might work.
Go to this link it will help,
https://superuser.com/questions/169014/chrome-set-search-bar-to-google-co-uk-not-google-com
For angular apps using ng serve, you might have something like this in your package.json file:
"start:windows": "ng serve --port 44470 --ssl --ssl-cert %APPDATA%\\ASP.NET\\https\\%npm_package_name%.pem --ssl-key %APPDATA%\\ASP.NET\\https\\%npm_package_name%.key",
Go to that folder, e.g. C:\Users\{username}\AppData\Roaming\ASP.NET\https, and delete the .key and .pem files for your project. Next time you run it should regenerate them correctly.

Certificate error while setting SSL enabled for my Asp.Net MVC project

When I run the project with SSL I get a warning in the browser, in every browser: firefox, IE, edge, chrome. When I launch the project it doesn't show me the warning dialog and I don't know if I have any certificate installed.
How to check if I have the certificate installed and if not, how to install it?
You probably need to add your certificate to CA Root.
High level plan:
Export SSL certificate from IIS.
Import that SSL certificate into CA Root.
Here is a blog post that explains everything in detail and with screenshots.
If you use Google Chrome, you might need to close and re-open it after installing a new SSL certificate due to browser's caching.
You can use online SSL checker tool to diagnoses issues regarding SSL certificate installation.
You should check that you are using a self-signed certificate or a CA signed certificate. If it’s a self-signed certificate then your users will experience warning message when they browse your site because browsers don't recognize it.
If you have a CA signed certificate, then you received a certificate via email from trusted third-party certificate authority, which contains the root, intermediate and primary certificates. You should install all three files on your server.
You should update your all browser. Modern browsers have already implemented root certificate, so you need to configure only intermediate and primary certificate on the server.
Follow below link which may help you to add CA Root certificate in the Trusted Root Certification Authorities store. https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

Visual Studio remotebuild for iOS fails with Error: self signed certificate in certificate chain

I have a Mac mini configured as the remotebuild server. Remote building my cordova app to the Mac was working ok in secure mode for a while but I was suddenly greeted with a Error: self signed certificate in certificate chain.
I've followed several suggestions of running the commands,
remotebuild certificates reset
remotebuild certificates generate
then updating the pin accordingly in Visual Studio to no avail. I can build successfully when running in non-secure mode.
remotebuild --secure-mode false
I've also tried cleaning my solution in VS2015, nuking the certs folder on the Mac and re-installing remotebuild. It may be worth noting that something in the build process was constantly corrupting the remote_ios.json file so I was having to keep removing that file to build every other time as explained here.
Any ideas on how to get around this error or why it would suddenly be a point of failure?
This "self signed certificate in certificate chain" error can happen if remotebuild generates a certificate under one identity (hostname / ip address) and is accessed via another one. The client will look at the certificate and find that it doesn't match what it expected, and so it does not trust the server. My guess is that it began failing for you due to a change in your network architecture.
If you know the identity that other machines will attempt to use, for example if they will use some.buildserver.local, then you can instruct remotebuild to generate a certificate using that identity via remotebuild --hostname="some.buildserver.local" --secure=true saveconfig && remotebuild certificates reset && remotebuild certificates generate.
Once you have created new certificates that should match client expectations, if you reconfigure them then they should accept the server's certificate.
Also apart from those I did restart my client computer as well.

iOS app SSL handshake failed

I am making an app to login to an aspx website over HTTPS by passing login credentials in a post method. When checking the response using Charles Proxy I can see a SSL Handshake failed error from seal.verisign.com, I am then taken back to the login page. I am not sure what I need to do to solve this issue.
I am testing this in the iPhone simulator.
I do not have access to the server implementation.
Any ideas?
Thank you!
On iOS >= 10.3, after installing the Charles Proxy certificate (as per #ashish-verma's excellent answer), you also need to enable it through Settings -> General -> About -> Certificate Trust Settings:
Full setup here: http://www.devsbedevin.net/debugging-ios-ssl-traffic/
If installing the certificate still doesn't help you, then it may be due to SSL Pinning.
From charlesproxy.com:
SSL Pinning
Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.
Perhaps testing on an actual device will give more insight?
To do that in Charles:
Goto Proxy: Proxy Settings...
Proxies tab: Enter "8888" in the HTTP Proxy port: field
SSL Tab: make sure the "Enable SSL Proxying" is on
On your dev machine:
Goto System Preferences: Network: Wifi: Advanced: TCP/IP Tab: Make note of the IPV4 Address: (i.e. 10.0.1.101)
On your iDevice:
Goto http://charlesproxy.com/charles.crt from your device and download Charles SSL certificate
Okay the certificate as trusted (be sure to disable or remove it once you're done)
Goto the Settings App: Wifi: Select the detailed disclosure button (round blue button with the white arrow) for your network
Under HTTP Proxy, select "Manual"
Enter in the address from step (dev machine 1.) into the Server field, and the port number from step (charles 2.)
Finally:
Restart Charles
Run Safari on your iDevice to test. This should prompt Charles to display a dialog box to allow or deny SSL proxying. Obviously allow and you should be good to go.
More Info at Charles's site: http://www.charlesproxy.com/documentation/proxying/ssl-proxying/
Also, are you getting a response to the connection:(NSURLConnection*)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge*)challenge method?
You need to install SSL certificate to resolve this issue.
Follow these steps
Open Safari browser on iOS Simulator
Type "www.charlesproxy.com/getssl" in address bar
Install the SSL certificate
Restart Charles Proxy
It is possible that the server doesn't have a valid certificate for the url you are using.
Did you check that?
If you try the url using a browser, does it give you a warning?
You have to install SSL certificate on mobile device.
Search online for how to install SSL certificate for Charles Proxy.
Remove all old user credentials, then Re-Install new ssl certificate.
If running on the simulator, just restart both Charles Proxy and the simulator, making sure Charles Proxy starts first

MDM: ssl issue for server url

I want to manage the iOS devices using Lion Server,I have purchased the Lion Server and installed in Mac system which has Lion OS 10.7.
I want to manage the devices with in our own network, I have not taken domain specific for MDM.
While creating cofig profile for MDM in IPCU,it needs the server url must begin with "https://".
So I am not able to install the MDM config profile in the iOS device, due to "htts".I tried to get ssl certificate for trial , but that is not available for private networks.
Is there any solution to resolve the issue with out purchasing ssl certificate or public domain.
Please correct me if I am doing something wrong and suggest the correct approach.
Self-signed ssl will work and while generating self-signed ssl certificate in server side,generate identity.p12 certificate and this certificate you need to use in identity section of IPCU.
And go through this also.
If you visit a page on the MDM web server with Safari and get the pop-up dialog warning about the identity of the server then you will need to install the SSL certificate on the device to allow the certificate to be trusted. This can be achieved by using iPCU or allowing the certificate from a web server.

Resources