Hosting .NET RESTful Engine on Azure Virtual Machine (HTTPS)
In order to run any website/service with HTTPS the website/service must have an SSL/TLS certificate installed on the hosting machine. An SSL/TLS certificate is used to guarantee the client is communicating with the correct server and that the data is communicated in a secure format (encrypted by client and can only be decrypted by the receiving server).
There are two main types of SSL/TLS certificates:
- Trusted
- Created by a Root Certificate Authority such as DigiCert, Entrust, GoDaddy etc.
- Costs money (usually between $100 and $700)
- Automatically trusted by operating systems and browsers
- Usually used in production or internet scenarios
- Self-Signed
- Created by you using a tool like IIS or openSSL
- Free
- Must be imported into all client's wanting to access your website/service as a trusted certificate
- Usually used in development or intranet scenarios
NOTE: TLS 1.3 is the current and most secure protocol
Steps
- Follow all instructions for Windard .NET RESTful Engine hosting on AWS with EC2 (HTTP)
- Determine the type of Certificate needed. If you do not have access to every possible client machine calling the RESTful web service and/or do not have the ability to install to the trusted certificate store of each client machine, you need to get a trusted certificate.
- Create the SSL/TLS certificate
- Install the SSL/TLS certificate for the web server
Obtaining an SSL/TLS Certificate From a Certificate Authority
Visit the Certificate Provider of your choice and follow their instructions. Some examples of Certificate Providers are:
- Verisign
- GeoTrust
- Comodo
- DigiCert
- Thawte
- GoDaddy
- Network Solutions
Self Signed Certificates
You should only be using a Self Signed Certificate in non-production scenarios and when the client machines calling your web server can be updated with your Self Signed Certificate as a Trusted Root Certificate.
Creating Self Signed Certificate with IIS
- Start Internet Information Services (IIS) Manager
- Click on the Server Name in the Connections Treeview on the left
- Double-Click on Server Certificates icon in the Listview pane
- Click on Create Self-Signed Certificate in the Actions pane
- When prompted, specify a name for the certificate
- You should now see a Certificate in the Server Certificate list with the name you specified.
Now that the Certificate has been created you will need to export it in order to deliver to client machines for importing of the certificate.
- Select the Certificate in the Server Certificates list that you want to export
- Select Export... from the Actions pane and a dialog will appear
- Specify the file location to Export to
- Specify a password and confirm the password
Associating A Certificate With Your VM
Obtain a certificate from a Certificate Provider or create a self signed certificate. Here are some helpful links:
Importing Self Signed Certificate into Client A Machine’s Certificate Store
- Browse to the endpoint in Internet Explorer which should use your self-signed SSL certificate. You should be greeted by an error message saying your certificate is not trustworthy.
- Click “Continue to this website”.
- Click on “Certificate error” in the address bar, and then click “View certificates”.
- Export the certificate
- Right click the windows icon, choose "Control Panel"
- Network and Internet
- Click "Internet Options" under All Control Panel Items
- Choose "Content" tab
- Click "Certificates" button
- Browse - select Trusted root
- Click “Place all certificates in the following store”, and then click “Browse”. Do not rely on the preselected option to automatically select the certificate store as this will not work!
- Inside the dialog box, click “Trusted Root Certification Authorities”, and then click “OK”.
- Finish the dialog.
- On Advanced tab uncheck Warn about certificate address mismatch
- Restart computer and navigate to .NET RESTful engine url again with https