How to Configure a TCP Port with an SSL Certificate

Scenario: You have a WCF service that uses the basicHttpBinding binding and you would like to configure the basicHttpBinding with an SSL certificate.

This post will walk you through using IIS Manager and a Command Prompt for creating, configuring, and installing the SSL certificate.

Create a Self-Signed Certificate

Under production scenarios you will not use a self-signed certificate, but to get a good idea of how to configure a TCP port with an SSL cert, a self-signed cert is sufficient.

Open IIS Manager, then open “Server Certificates”

In the Server Certificates window, click the “Create Self-Signed Certificate” link, give the cert a name, then click “OK”.

We will eventually need the Thumbprint of the certificate. So, double-click the certificate that you just created and copy the “Thumbprint” value to the clipboard.

Configure a TCP Port with the SSL Certificate

Copy the Thumbprint of the SSL cert

Open a command prompt and enter:

netsh http add sslcert ipport=0.0.0.0:8080 certhash=bb14d78228ff2c8965de040c2cc1a1fff3132d76 appid={B8CA0613-6250-4DDB-A693-74B8678C2DF6}

The certhash is the certificate’s thumbprint (note that you must remove the spaces that may exist in the thumbprint!). The appid is an arbitrary GUID (note: you can easily create a GUID using Visual Studio’s “Create Guid” tool; just make sure that you choose the “Registry Format” option when creating the GUID).
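The same binding step, as an added PowerShell example that is not part of the original post: it normalizes the thumbprint copied from IIS Manager (drops the spaces), confirms the certificate and its private key actually exist in the LocalMachine\My store that netsh reads from, generates the appid with [guid]::NewGuid() in registry (braced) format instead of Visual Studio’s tool, and refuses to overwrite a port that already has a binding. The port 8080 and the thumbprint you pass in are placeholders; an elevated prompt is assumed.

```powershell
# Added example (not from the original post): bind a certificate from the
# LocalMachine\My store to a TCP port with netsh, checking the inputs first.
# Assumptions: run from an elevated PowerShell prompt; the default port and
# the thumbprint you pass are placeholders, not values from the post.

param(
    [Parameter(Mandatory)][string]$Thumbprint,   # as copied from IIS Manager, spaces allowed
    [int]$Port = 8080,
    [string]$IPAddress = '0.0.0.0'
)

# Normalize the thumbprint: IIS Manager shows it with spaces, netsh rejects them.
$hash = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLowerInvariant()
if ($hash.Length -ne 40) {
    throw "Expected a 40-hex-character SHA-1 thumbprint, got '$hash'."
}

# netsh looks the hash up in the LocalMachine\My (Personal) store, so confirm the
# certificate is really there and carries a private key before binding it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) {
    throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $hash has no private key; HTTP.SYS cannot use it for TLS."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $hash expired on $($cert.NotAfter)."
}

# The appid is arbitrary but must be a GUID in registry format (wrapped in braces).
# The 'B' format string of System.Guid produces exactly that.
$appId = [guid]::NewGuid().ToString('B')

$ipport = "${IPAddress}:${Port}"

# Do not silently replace an existing binding; the post's delete command is the
# deliberate way to remove one first.
$existing = netsh http show sslcert ipport=$ipport
if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
    throw "Port $ipport already has an SSL binding; remove it with 'netsh http delete sslcert ipport=$ipport' first."
}

netsh http add sslcert ipport=$ipport certhash=$hash appid=$appId certstorename=MY
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}
Write-Host "Bound $($cert.Subject) ($hash) to $ipport with appid $appId."
```

Save it as, say, Bind-SslPort.ps1 and run `.\Bind-SslPort.ps1 -Thumbprint "<thumbprint from IIS Manager>" -Port 8080`. Passing certstorename=MY explicitly records the store in the binding, so `netsh http show sslcert` later reports the store name instead of (null).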

If you are running a WCF service and fail to assign a certificate with the port that your service is running on, you may receive any one of the following exceptions:

An error occurred while making the HTTP request to https://localhost:8080/CustomersService. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

If you receive any one of the exceptions above, you may resolve the exception by creating a new self-signed cert and assigning it to your service’s port.

How To Delete an SSL Certificate From a Port Number

Open a command prompt and use Netsh.

Netsh http delete sslcert ipport=0.0.0.0:8005

Where :8005 is the port number that was associated with the SSL cert.

If everything went well, the netsh command will respond with “SSL Certificate successfully installed.”

Print All SSL Certificate Bindings

If you would like to view the existing SSL Certificate Bindings (or list of ports that are assigned to an SSL Certificate), run the following netsh command:

netsh http show sslcert

The netsh command above will return a list of binding info that looks something like this:

C:\Windows\system32>netsh http show sslcert

SSL Certificate bindings:
-------------------------

IP:port : 0.0.0.0:443
Certificate Hash : 77e20073484988523a67fe6ea3e43e569e4ded37
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

IP:port : 0.0.0.0:56789
Certificate Hash : bff283154709a0e0ff5c3fc8d8b4567e1a5d9999
Application ID : {38afa4c0-5eba-427a-aff7-e612ed8fc4f0}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
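An added example that is not part of the original post: a small PowerShell script that parses the text above into objects and checks each binding against the LocalMachine\My store, so that stale bindings (hash no longer in the store, expired certificate, certificate without a private key) stand out instead of being read off the listing by eye. The embedded sample is the listing above, trimmed to a few fields per binding; run with -Live to read the real output of `netsh http show sslcert` on the machine instead.

```powershell
# Added example (not from the original post): parse 'netsh http show sslcert'
# output into objects and audit each binding against Cert:\LocalMachine\My.
# Assumptions: the sample below is the post's own listing, trimmed to a few
# fields; -Live replaces it with the output of netsh on this machine.

param([switch]$Live)

# Trimmed copy of the listing in the post; the parser does not depend on the
# exact set of fields, only on the "Name : Value" layout netsh prints.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 77e20073484988523a67fe6ea3e43e569e4ded37
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
    Usage Check             : Enabled

    IP:port                 : 0.0.0.0:56789
    Certificate Hash        : bff283154709a0e0ff5c3fc8d8b4567e1a5d9999
    Application ID          : {38afa4c0-5eba-427a-aff7-e612ed8fc4f0}
    Certificate Store Name  : (null)
    Usage Check             : Enabled
'@

function ConvertFrom-SslCertBinding {
    param([Parameter(Mandatory)][string[]]$Lines)
    $bindings = [System.Collections.Generic.List[object]]::new()
    $current  = $null
    foreach ($line in $Lines) {
        # Split on the first " : " surrounded by whitespace, so that "IP:port"
        # and "0.0.0.0:443" keep their own colons.
        if ($line -match '^\s*(\S.*?)\s+:\s+(.*)$') {
            $key   = $Matches[1]
            $value = $Matches[2].Trim()
            if ($value -eq '(null)') { $value = $null }
            if ($key -eq 'IP:port') {
                # Every IP:port line starts a new binding record.
                $current = [ordered]@{}
                $bindings.Add($current)
            }
            if ($current) { $current[$key] = $value }
        }
    }
    foreach ($b in $bindings) { [pscustomobject]$b }
}

function Test-SslCertBinding {
    param([Parameter(Mandatory)][object[]]$Bindings)
    # HTTP.SYS defaults to the MY store when no store name was recorded.
    $store = Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction SilentlyContinue
    foreach ($b in $Bindings) {
        $issues = @()
        $storeName = $b.'Certificate Store Name'
        if ($storeName -and $storeName -ne 'MY') {
            $issues += "store '$storeName' not checked (only MY is inspected here)"
        } else {
            $cert = $store | Where-Object { $_.Thumbprint -eq $b.'Certificate Hash' }
            if (-not $cert) {
                $issues += 'no certificate with this hash in Cert:\LocalMachine\My'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $issues += "certificate expired $($cert.NotAfter.ToString('u'))"
            } elseif (-not $cert.HasPrivateKey) {
                $issues += 'certificate has no private key'
            }
        }
        [pscustomobject]@{
            IPPort = $b.'IP:port'
            Hash   = $b.'Certificate Hash'
            AppId  = $b.'Application ID'
            Issues = ($issues -join '; ')
        }
    }
}

$text = if ($Live) { netsh http show sslcert } else { $sample -split "`r?`n" }
$parsed = ConvertFrom-SslCertBinding -Lines $text
Test-SslCertBinding -Bindings $parsed | Format-Table -AutoSize
```

Without -Live both sample bindings are reported as missing from the store, which is the expected result for hashes that belong to another machine; with -Live on the server itself, an empty Issues column means the binding points at a usable certificate.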

Security

In some cases you may get an exception error that states:

Keyset does not exist.

Typically, this exception is thrown when your certificate is being used by IIS (I’ve experienced this error when I was running a WCF service hosted by IIS) and IIS does not have rights to perform a signature. To give IIS rights to the cert:

  1. Open C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  2. Open the Security settings for the key in question – You can usually guess which key is the one you want to configure by looking at the “Date Modified” value.
  3. Add the “Network Service” user name to the list of users and grant the Network Service user “Full control”.
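The three steps above, as an added PowerShell example that is not part of the original post. Rather than guessing the key file in MachineKeys by its “Date Modified”, it asks the certificate for the unique name of its key container and resolves that to the file, then shows the current ACL and grants access. Two deliberate differences from the steps above: it grants Read rather than Full control, since reading the key file is all the worker process needs to sign with the key, and it takes the account as a parameter, defaulting to the Network Service account named in the post (pass the application pool identity, e.g. 'IIS AppPool\DefaultAppPool', where the pool does not run as Network Service). It assumes Windows Vista or later, where the directory from step 1 lives under %ProgramData%\Microsoft\Crypto (the path in step 1 is the pre-Vista location), and an elevated prompt.

```powershell
# Added example (not from the original post): locate the private-key file that
# backs a certificate and grant an IIS identity Read access to it.
# Assumptions: elevated PowerShell; the thumbprint you pass is a placeholder;
# key files live under $env:ProgramData\Microsoft\Crypto (Vista and later).

param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

$hash = $Thumbprint -replace '[^0-9a-fA-F]', ''
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) { throw "No certificate $hash in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key to grant access to." }

# Ask the key for its unique container name. Legacy CAPI keys (what IIS
# Manager's self-signed certificate uses) report it via CspKeyContainerInfo,
# CNG keys via CngKey.UniqueName; in both cases it is the file name on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $uniqueName) { throw "Could not read the key container name for $hash." }

# CAPI keys sit in Crypto\RSA\MachineKeys (the directory from step 1),
# CNG keys in Crypto\Keys; take whichever file exists.
$keyFile = @('Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') |
    ForEach-Object { Join-Path $env:ProgramData "$_\$uniqueName" } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "No key file named $uniqueName under $env:ProgramData\Microsoft\Crypto." }

Write-Host "Private key file: $keyFile"
Write-Host 'Current access:'
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant Read only: enough to load the key for TLS, nothing more.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Identity."
```

Run it as `.\Grant-KeyAccess.ps1 -Thumbprint "<thumbprint>"` after the certificate has been bound to the port; re-run `netsh http show sslcert` and restart the site afterwards to confirm the “Keyset does not exist” error is gone.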

For more netsh commands, check out TechNet.
