Monday, August 28

Setting up SSL in ASP.Net 2.0

Today I was given the task of setting up SSL support for an ASP.Net website.
Here are the steps I had to take:

1. Install the IIS 6.0 Resource Kit, which contains "SelfSSL.exe":
http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en

SelfSSL (SelfSSL.exe) can help you generate and install a self-signed SSL certificate. Because the SelfSSL tool generates a self-signed certificate that does not originate from a trusted source, use the SelfSSL tool only in the following scenarios:
- When you have to create a security-enhanced private channel between your server and a limited, known group of users
- When you have to troubleshoot third-party certificate problems


2. Create a certificate, similar to this:
selfssl.exe /N:CN=testMachine /K:1024 /V:7 /S:1 /P:443
where
/K:key size        Specifies the key length. Default is 1024.
/V:validity days   Specifies the validity of the certificate. Default is 7 days.
/S:site id         Specifies the id of the site. Default is 1 (Default Site).
/P:port            Specifies the SSL port. Default is 443.

3. In the IIS MMC, go to "Default Website" and right-click for "Properties". Go to the "Directory Security" tab and, under "Secure Communication", assign the recently created certificate as the server certificate. Now all websites under the "Default Website" will have this server certificate.

4. Browse to your virtual directory under the "Default Website" and right-click for "Properties". Go to the "Directory Security" tab and, under "Secure Communication", click "Edit".
Then check the "Require Secure Channel" checkbox.

Now the entire site is under SSL, and its URLs must use "https" and not "http".

But we also need to take care of redirecting to the start page by default if someone uses "http" instead of "https". If this feature is not implemented, the user will see a 403;4 page and will have to manually change "http" to "https".

The following steps are needed to enable default redirection to the secure start page.
Please refer to http://weblogs.asp.net/pwilson/archive/2004/12/23/331455.aspx for details.

1. In your project, create a basic HTML page "Redirect.htm" with the following code:

<html>
<head>
<script type="text/javascript">
// Send the visitor to the secure sign-on page.
function Redirect()
{
    window.location = "https://testMachine/SllTest/SignOn.aspx";
}
</script>
</head>
<!-- Runs as soon as the 403;4 error page has loaded -->
<body onload="Redirect()">
</body>
</html>

2. Browse to your virtual directory under the "Default Website" and right-click for "Properties". Click the "Custom Errors" tab and select the "403;4" error. Then click "Edit Properties" and set the error page to "Redirect.htm" in your project directory.

3. Browse to your virtual directory under the "Default Website" and right-click on "Redirect.htm". In the "Directory Security" tab, click "Edit" and turn off "Require Secure Channel" for this page.

So now our Redirect.htm is the only page that is unsecured and all it does is to redirect the user to the sign in page.
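
An added example, not part of the original post: a variant of the Redirect() script that sends the visitor to the HTTPS form of the URL they originally requested instead of a hard-coded sign-on page. It assumes IIS serves Redirect.htm as the 403;4 body while the address bar still holds the original http:// URL; toHttpsUrl and SSL_PORT are names introduced here.

```javascript
// Added example (not from the original post).
// Assumption: IIS returns Redirect.htm as the 403;4 error body, so
// window.location.href is still the http:// URL the visitor asked for.
var SSL_PORT = "443"; // the /P: value given to selfssl.exe

// Returns the https:// equivalent of href, or null if href should not be followed.
function toHttpsUrl(href, sslPort) {
  sslPort = sslPort || SSL_PORT;
  var url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // malformed address: do nothing
  }
  if (url.protocol === "https:") {
    return url.href; // already on the secure channel
  }
  if (url.protocol !== "http:") {
    return null; // file:, javascript:, ftp: and so on are never rewritten
  }
  url.port = "";           // drop the HTTP port (for example 8080) first
  url.username = "";       // never carry user:password@ into the new URL
  url.password = "";
  url.protocol = "https:"; // same host, path, query string and fragment
  if (sslPort !== "443") {
    url.port = sslPort;    // only needed when SSL runs on a non-default port
  }
  return url.href;
}

// Called from <body onload="Redirect()"> in Redirect.htm.
function Redirect() {
  var target = toHttpsUrl(window.location.href);
  if (target && target !== window.location.href) {
    // replace() keeps the insecure URL out of the back-button history
    window.location.replace(target);
  }
}
```

Because the target is derived only from the page's own address and never from a query-string parameter, the page cannot be used to bounce visitors to another host.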

Happy SSLing. ;)
