
Creating a Developer Certificate for IIS, and having it trusted by the computer, not just you.

 

There are a few different ways to do this, but for me, with a Blazor Server application and a backend API, this approach worked best.

Step 1 - Create Certificate 


It's fairly well documented, but there are a few things to note:
- Change -Subject and -DnsName to your preferred name
- Note the certificate store location: the certificate is created in your personal (CurrentUser\My) store
- Note the hard-coded password YourSecurePassword
- I don't know what the TextExtension field does; I need to research that
- Note that the created .cer file is deleted in the last step

However, this process didn't leave me with the server itself trusting the certificate, which is what I needed for Blazor; see Step 2 below.

# setup certificate properties including the commonName (DNSName) property for Chrome 58+
# The TextExtension sets OID 2.5.29.37 (Enhanced Key Usage) to 1.3.6.1.5.5.7.3.1 (Server Authentication),
# which browsers require for a TLS server certificate.
$certificate = New-SelfSignedCertificate `
    -Subject localhost `
    -DnsName localhost `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -FriendlyName "Localhost Certificate for .NET Core" `
    -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
$certificatePath = 'Cert:\CurrentUser\My\' + ($certificate.Thumbprint)

# create temporary certificate path
$tmpPath = "C:\tmp"
if (!(Test-Path $tmpPath)) {
    New-Item -ItemType Directory -Force -Path $tmpPath
}

# set certificate password here
$pfxPassword = ConvertTo-SecureString -String "YourSecurePassword" -Force -AsPlainText
$pfxFilePath = "c:\tmp\localhost.pfx"
$cerFilePath = "c:\tmp\localhost.cer"

# create the pfx (with private key) and the cer (public certificate only)
Export-PfxCertificate -Cert $certificatePath -FilePath $pfxFilePath -Password $pfxPassword
Export-Certificate -Cert $certificatePath -FilePath $cerFilePath

# import the pfx certificate (with its private key) into the machine's Personal store so IIS can bind to it
Import-PfxCertificate -FilePath $pfxFilePath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# trust the certificate by importing the public .cer file into YOUR trusted root store.
# This is per-user trust only; IIS runs under a different account and checks the machine store, hence Step 2.
Import-Certificate -FilePath $cerFilePath -CertStoreLocation Cert:\CurrentUser\Root

# optionally delete the physical certificates (don't delete the pfx file as you need to copy this to your app directory)
# Remove-Item $pfxFilePath
Remove-Item $cerFilePath

Step 2 - Get the Server to trust the certificate 

To get the server to trust the certificate, I used information from Robert McMurray - How to trust the IIS Express Self-Signed Certificate, namely the part under "Resolution Number #2 - Configure your computer to trust the IIS Express Certificate".

Using the steps below may also open up other options for creating the certificate in Step 1.

Steps are:

  • Open the computer's Certificates MMC. There are a number of different ways to get there; Control Panel > Administrative Tools, or searching for "Manage Computer Certificates", works.
  • The trick here is that you're going to the computer account, i.e. the local computer's certificates, not the user's.
  • Export the certificate created in Step 1; depending on how you did it, it may be in Personal or Web Hosting.
    • You only need to export the public key; no private key export is needed.
    • Export as DER encoded binary X.509 (.CER).
  • Once exported, import it back in under "Trusted Root Certification Authorities".

That's it, you should be good.
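The same machine-level trust from Step 2 can be done in PowerShell instead of the MMC. This is an added example, not part of the original post; it assumes the Step 1 certificate is already in Cert:\LocalMachine\My with subject CN=localhost, and $dnsName and the temp file path are assumptions you can change.

```powershell
# Added example: PowerShell equivalent of Step 2 (export public cert, import into the
# computer account's Trusted Root store) plus a verification that the chain now builds.
# Assumptions: certificate subject is CN=localhost and it lives in Cert:\LocalMachine\My.
$dnsName = 'localhost'
$tmpCer  = Join-Path $env:TEMP 'localhost-trust.cer'

# Writing to the machine's Trusted Root store requires an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Find the Step 1 certificate in the machine's Personal store (newest first if several exist).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$dnsName in Cert:\LocalMachine\My" }

# Only add it to the machine's root store if it is not already there (match by thumbprint,
# so re-running the script never creates duplicate root entries).
$alreadyTrusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $alreadyTrusted) {
    # Export the public part only (DER-encoded X.509, the same format as the MMC export)
    # and import it into Trusted Root Certification Authorities for the computer account.
    Export-Certificate -Cert $cert -FilePath $tmpCer -Type CERT | Out-Null
    Import-Certificate -FilePath $tmpCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item $tmpCer
}

# Verify against the machine stores (no -User switch) that the chain is trusted, the
# certificate carries the Server Authentication EKU, and the name matches.
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName -ErrorAction SilentlyContinue
if ($trusted) {
    "Trusted by the machine: $($cert.Subject) ($($cert.Thumbprint))"
} else {
    "Still NOT trusted by the machine store for $dnsName; check Cert:\LocalMachine\Root"
}
```

If Test-Certificate reports false after the import, the usual cause is that the certificate in LocalMachine\My is a different copy (different thumbprint) from the one you exported in Step 1.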
