Configuring an ASPNET project for development with SSL

In a modern web solution, if your site has a login, or protected resources, or anything that a user could consider remotely sensitive, you should provide SSL for that site. I even think https should be enabled for almost any site by default. It is always a bit of a hassle to set up during development and even more so for production. But that is no excuse for not providing it and it is not that hard really. In this post I’ll describe how to do this.

First, you will have to select a DNS alias address for development. This should be a fully qualified address that you (and other developers on the team) will use to access the site on your local development computers. In theory, you could use “localhost” for this, but some OAuth/login providers do not accept a localhost address for testing, so it is better to use an address that could actually be valid on the internet. For my Cloud Auction project and for this post, I will use “auction.local.net” as my development address. I will use the default ports (80 and 443) for http and https, the same ports the live site will have, to make it easier to test redirections from http to https.

Then, we need to make the address an alias for our local machine by adding it to the hosts file. This file is protected, so run an elevated instance of notepad (or Visual Studio) and open “C:\Windows\System32\Drivers\etc\hosts”. This is just a text file. Add a line for the alias:

127.0.0.1 auction.local.net

Save the hosts file (it has no extension). Test it by typing “ping auction.local.net” in a cmd window.

Next, create the certificate. In an elevated command prompt, from the solution folder, run:

C:\Projects\CloudAuction2\> MakeCert.exe -r -pe -n "CN=auction.local.net" -ss my -len 2048 auction.local.net.cer

This creates a self-signed (-r) certificate for our chosen host name, and puts the certificate with its public key in the file auction.local.net.cer. The private key is placed in the current user's personal certificate store (-ss my). It is exportable (-pe), so we can export it to a .pfx file and share this development certificate with others. To configure the certificate for use, I start mmc.exe and add the Certificates Snap-In two times: for the current user and for the local computer.


We then export the certificate, including the private key, to a .pfx file.


Name the file auction.local.net.pfx.

I usually add the development .cer and .pfx files to source control.

C:\Projects\CloudAuction2\> git add -f auction.local.net.*
C:\Projects\CloudAuction2\> git commit -m "development certificates"

The default .gitignore configuration excludes .pfx files, so I am using -f to force it. Make sure you do not put your production certificates there.

Now, we need to import the key that we just exported to the “My” store of the local computer account. We browse to the “local computer” Certificates node in mmc, then do import.


Then we select the .pfx file we just created, enter the password again, and import the certificate in the local computer account.

Because the certificate is self-signed, we also need to trust it as a certificate authority. For that, we do not need the private key, but we do need the public certificate to be present as a trusted Certificate Authority. Right-click the Trusted Root Certification Authorities node, and select Import from the menu. Then browse to the auction.local.net.cer file that we created earlier (this file contains only the public key and is not password protected), and import it as a root certificate authority. Repeat this process for the Current User.

Now, we have to get Visual Studio and IIS Express to use and accept this certificate.

Make sure you start Visual Studio as Administrator, if you have not already done so. Select the web project, right-click properties and select the settings under “Web”. Set it up to use IIS Express, and set the address to the development url (auction.local.net in my case).


Save and close the project settings. You will probably see an error now: “Unable to create the Virtual Directory. Cannot create the website. You must specify 'localhost' for the server”.

Don’t worry, this is not true. Go to your “My Documents” folder, go into the IISExpress\config folder and open applicationhost.config in notepad or Visual Studio. Find the section for the development site by searching for the previous setting from Visual Studio (probably “localhost”). Then edit the bindings to use the DNS address, like this:

<site name="Auction.Web" id="4">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="C:\Projects\CloudAuction2\Auction.Web" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:80:auction.local.net" />
    <binding protocol="https" bindingInformation="*:443:auction.local.net" />
  </bindings>
</site>

Save the config file. Then go back to the Visual Studio project web settings, and try to change it again. Now you should be able to save the settings. The project should now work on the new address over plain http://.
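The same binding change can be scripted instead of edited by hand. The PowerShell below is an added example, not code from the original post; it assumes the site name Auction.Web and host name auction.local.net used in the text, and the default IIS Express config location under My Documents.

```powershell
# Added example: rewrite the IIS Express bindings of a site to a development host name.
# Site name, host name and config path are taken from the post; adjust the parameters as needed.
param(
    [string]$SiteName   = 'Auction.Web',
    [string]$HostName   = 'auction.local.net',
    [string]$ConfigPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'IISExpress\config\applicationhost.config')
)

# Keep a backup so a broken edit can be rolled back.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$site = $config.configuration.'system.applicationHost'.sites.site |
    Where-Object { $_.name -eq $SiteName }
if (-not $site) { throw "Site '$SiteName' not found in $ConfigPath" }

# Replace whatever bindings Visual Studio generated (usually localhost on a random port)
# with http and https on the default ports, both restricted to the chosen host name.
$bindings = $site.SelectSingleNode('bindings')
if (-not $bindings) { $bindings = $site.AppendChild($config.CreateElement('bindings')) }
$bindings.RemoveAll()
foreach ($entry in @(@{ protocol = 'http'; port = 80 }, @{ protocol = 'https'; port = 443 })) {
    $b = $config.CreateElement('binding')
    $b.SetAttribute('protocol', $entry.protocol)
    # A host-restricted binding: the site answers only for this name, not for every address on the port.
    $b.SetAttribute('bindingInformation', ('*:{0}:{1}' -f $entry.port, $HostName))
    [void]$bindings.AppendChild($b)
}
$config.Save($ConfigPath)

# Print the resulting bindings for verification.
$bindings.binding | ForEach-Object { '{0} {1}' -f $_.protocol, $_.bindingInformation }
```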

Now we’ll configure SSL. Select the project again, but this time go to the properties area, and set SSL Enabled to True.


This will enable SSL and select a nonstandard port for it; by default Visual Studio starts from port 44300 and goes up from there. I want to use the default SSL port 443, and to configure that we need to edit the project file. Unload the project, edit the project file, and change the SSL port to 443.

Save and reload the project. If all went well, you now have configured the Visual Studio project to use the dns alias with http and https.

We are not done yet. We still need to hook up the certificate with the SSL port in Windows. You might also have to open the firewall for that port if you used a nonstandard port. I use a batch file with the following commands in it:

netsh firewall add portopening TCP 80 IISExpressWeb enable ALL
netsh firewall add portopening TCP 443 IISExpressWeb enable ALL
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 appid={314124ce-d05c-4309-9af9-9caa44b2b74b} certhash=ec5ee8a125494b1035f407de3f5d3cb5b8d49dbf

For the appid you can generate a random GUID; the certhash has to match the thumbprint of the certificate. To get it, open the auction.local.net.cer file by double-clicking it, right-click the Thumbprint line, copy it and paste it into your batch file. Remove the spaces, and also remove the invisible Unicode character (a left-to-right mark) that is copied at the start of the thumbprint, or netsh will give the unhelpful error “The parameter is incorrect”.
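Cleaning the pasted thumbprint and checking the certificate before calling netsh avoids that unhelpful error. The following PowerShell is an added example, not the post's batch file; it assumes the thumbprint is passed in as pasted from the certificate dialog and that the .pfx was imported into LocalMachine\My as described above.

```powershell
# Added example: bind the development certificate to 0.0.0.0:443 with netsh,
# after normalising the thumbprint copied from the certificate dialog.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                                  # as pasted: may contain spaces and U+200E
    [string]$AppId = ('{{{0}}}' -f [guid]::NewGuid())     # any GUID works for an IIS Express binding
)

function Get-CleanThumbprint {
    param([string]$Raw)
    # The dialog copies the thumbprint with spaces and an invisible left-to-right mark (U+200E)
    # in front; netsh rejects both with "The parameter is incorrect". Keep hex digits only.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters"
    }
    return $clean
}

$hash = Get-CleanThumbprint $Thumbprint

# HTTP.sys can only serve a certificate whose private key is in the local computer's My store,
# so fail early if the .pfx import was skipped or only the .cer was imported.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) { throw "No certificate with thumbprint $hash in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key; import the .pfx, not the .cer" }

# Replace any previous binding on the port, then add the new one and show the result.
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid=$AppId
netsh http show sslcert ipport=0.0.0.0:443
```

Run it from an elevated PowerShell prompt, since both the certificate store query and the netsh binding require administrator rights.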


After all that, we have a working SSL development environment. We should now be able to do F5 build-start debugging and immediately run with the DNS address. You can specify an https:// start address for debugging, so that you immediately test under SSL.

If you get an error that the port is in use you might have the real IIS running; you can do “net stop w3svc” on the command line to stop it. From now on, you will also have to run Visual Studio as Administrator for this project, or it won’t be able to run it.

In Chrome and IE, you should not get a certificate warning on the development machine if you registered the certificate as a certificate authority correctly. Firefox does not use the Windows Certificate Store; you will have to add an exception manually for Firefox.


The end result: self-signed https with no security warnings!

[This post is part of the series Development of a mobile website with apps and social features]