Posted on 12/21/2020 9:39:09 AM by Admin

Working with SSL in Web API

Secure Sockets Layer (SSL) is the most widely deployed cryptographic protocol for securing communication over the internet. SSL provides a secure channel between two machines or devices operating over the internet or an internal network. One common example is SSL securing the communication between a web browser and a web server; this turns a website's address from HTTP to HTTPS, the 'S' standing for 'secure'. (What servers and browsers actually negotiate today is SSL's successor, TLS; the name SSL has stuck for the certificates and server settings involved.)

Several common authentication schemes are not secure over plain HTTP. In particular, Basic authentication and forms authentication send unencrypted credentials. To be secure, these authentication schemes must use SSL. In addition, SSL client certificates can be used to authenticate clients.

In production we need to buy an SSL certificate from an authorized provider (a certificate authority), but for local testing you can enable SSL in IIS Express from Visual Studio. In this article we will learn both:
  • How to enable SSL on the deployment server (IIS 10) after hosting.
  • How to enable SSL on the development server (IIS Express) for local testing.

Enabling SSL in IIS Express for Local Testing

To enable SSL in Visual Studio 2013/2015/2017, follow these steps:

1. In the Solution Explorer, click on your Web API project and press the F4 key. This launches the Project Properties window.
2. In the Properties window, set the SSL Enabled property to true. As soon as you do this, Visual Studio assigns an SSL URL, as you can see in the figure shown below.

(Figure: Enable SSL)
3. At this point, when you try to navigate to https://localhost:44302/api/test in the browser, you will see the following browser security page. The certificate IIS Express presents is self-signed, so the browser cannot chain it to any root it trusts.
(Figure: Not Secure)
(Figure: Invalid Certificate)
4. To resolve this problem we have to place the certificate that Visual Studio has issued in the Trusted Root Certificates folder:
   1. In the Run window, type mmc.exe and click OK.
   (Figure: Run window)
   2. In the window that appears, click "File" - "Add/Remove Snap-in".
   (Figure: Add/Remove Snap-in)
   3. From the "Available snap-ins" list, select "Certificates" and click "Add".
   (Figure: Add Certificates snap-in)
   4. On the next screen, select the "Computer account" radio button.
   (Figure: Computer Account)
   5. On the next screen, select the "Local computer" radio button, click "Finish" and then "OK".
   (Figure: Local Computer radio button)
   6. Expand Console Root - Certificates (Local Computer) - Personal - Certificates. In this folder you will find a certificate that is Issued To localhost and Issued By localhost.
   (Figure: localhost certificate)
   7. Right-click the localhost certificate, and select "All Tasks" and then "Export".
   (Figure: Export localhost certificate)
   8. Click "Next" on the subsequent screen.
   9. Select the "DER encoded binary X.509 (.CER)" radio button, and then click "Next".
   (Figure: DER radio button)
   10. On the next screen, provide a file name for the certificate you are exporting and click "Next". In my case I placed the certificate at c:\Certificates\localhost.
   (Figure: Path to store certificate)
   11. Click "Finish" on the next screen.
   (Figure: Exported successfully)
   12. Expand Console Root - Certificates (Local Computer) - Trusted Root Certification Authorities - Certificates.
   (Figure: Trusted Root)
   13. Right-click "Certificates", and select "All Tasks" and then "Import".
   (Figure: Import)
   14. Click "Next" on the subsequent screen.
   15. Enter the complete path where you exported the certificate and click "Next". In my case the certificate is at c:\Certificates\localhost.cer.
   (Figure: Specify path)
   16. On the next screen, select the "Place all certificates in the following store" radio button and click "Next".
   17. Finally, click "Finish".
At this point, close all instances of the browser. Open a new browser instance and navigate to https://localhost:44330/api/employees. Notice that you no longer get a certificate error. At the moment we can access our Web API service using both HTTP and HTTPS.
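The result of the procedure above can be checked without a browser. The following C# console program is an added example (it is not part of the original article): it looks up the IIS Express certificate in the Local Computer Personal store by its subject name "localhost", checks whether the same certificate (matched by thumbprint) is present in Trusted Root Certification Authorities, and then builds an X509Chain, which is the same decision the browser makes before showing or suppressing the "Not Secure" page. It assumes Windows with the stores as set up in the steps above and .NET Framework 4.6 or later (or .NET Core), where X509Store and X509Chain are disposable.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

namespace DevCertCheck
{
    public static class Program
    {
        // Returns true when a certificate with the given thumbprint is present in the given store.
        public static bool IsInStore(string thumbprint, StoreName storeName, StoreLocation location)
        {
            using (var store = new X509Store(storeName, location))
            {
                store.Open(OpenFlags.ReadOnly);
                // validOnly must be false: a self-signed certificate would otherwise be filtered
                // out of the result before we get a chance to inspect it.
                return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
            }
        }

        // Builds a trust chain for the certificate and prints every status flag the chain engine raised.
        // For a certificate that is not in Trusted Root this reports UntrustedRoot and returns false.
        public static bool ChainBuilds(X509Certificate2 cert)
        {
            using (var chain = new X509Chain())
            {
                // A self-signed development certificate has no CRL/OCSP endpoint, so revocation cannot be
                // checked. For a production certificate keep the default (Online) so revoked certificates fail.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                bool ok = chain.Build(cert);
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    Console.WriteLine("  chain status: {0} ({1})", status.Status, status.StatusInformation.Trim());
                }
                return ok;
            }
        }

        public static void Main()
        {
            using (var personal = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                personal.Open(OpenFlags.ReadOnly);
                // Subject name "localhost" is what the IIS Express certificate in the article carries.
                X509Certificate2Collection found =
                    personal.Certificates.Find(X509FindType.FindBySubjectName, "localhost", false);

                if (found.Count == 0)
                {
                    Console.WriteLine("No certificate with subject 'localhost' in LocalMachine\\Personal.");
                    return;
                }

                foreach (X509Certificate2 cert in found)
                {
                    Console.WriteLine("Subject:    {0}", cert.Subject);
                    Console.WriteLine("Issuer:     {0}", cert.Issuer);
                    Console.WriteLine("Expires:    {0:u}", cert.NotAfter);
                    Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);

                    bool inRoot = IsInStore(cert.Thumbprint, StoreName.Root, StoreLocation.LocalMachine);
                    Console.WriteLine("Present in Trusted Root Certification Authorities: {0}", inRoot);
                    Console.WriteLine("Chain builds (what the browser checks): {0}", ChainBuilds(cert));
                    Console.WriteLine();
                }
            }
        }
    }
}
```

Run it once before the import (expect UntrustedRoot and false) and once after (expect no status flags and true). Because the trust decision is per machine, the exported .cer only needs to be imported on the developer PC that runs the tests; the private key stays in the Personal store and is never exported.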

How to automatically redirect HTTP to HTTPS

After HTTPS is enabled, if a request is issued over HTTP we want it to be automatically redirected to HTTPS. Follow these two simple steps to enforce HTTPS for an ASP.NET Web API service.

Step 1: Right-click the ASP.NET Web API project and add a class file. Name it RequireHttpsAttribute. Copy and paste the following code.


   using System;
   using System.Net;
   using System.Net.Http;
   using System.Text;
   using System.Web.Http.Controllers;
   using System.Web.Http.Filters;

   namespace EmployeeService
   {
       // Authorization filter that runs before the action: plain-HTTP requests are answered
       // with a redirect to the equivalent HTTPS URL instead of reaching the action.
       public class RequireHttpsAttribute : AuthorizationFilterAttribute
       {
           public override void OnAuthorization(HttpActionContext actionContext)
           {
               if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
               {
                   // 302 Found with a Location header pointing at the HTTPS address.
                   actionContext.Response = actionContext.Request
                       .CreateResponse(HttpStatusCode.Found);
                   actionContext.Response.Content = new StringContent(
                       "Use https instead of http", Encoding.UTF8, "text/html");

                   // Rebuild the requested URL with the https scheme and the IIS Express SSL port.
                   UriBuilder uriBuilder = new UriBuilder(actionContext.Request.RequestUri);
                   uriBuilder.Scheme = Uri.UriSchemeHttps;
                   uriBuilder.Port = 44337;
                   actionContext.Response.Headers.Location = uriBuilder.Uri;
               }
               else
               {
                   base.OnAuthorization(actionContext);
               }
           }
       }
   }

Step 2: Include the following line of code in the Register() method of the WebApiConfig class in WebApiConfig.cs under the App_Start folder. This adds RequireHttpsAttribute to the global filters collection. Now, if a request is issued using HTTP, it will be automatically redirected to HTTPS.


    config.Filters.Add(new RequireHttpsAttribute());

Please note: If you don't want to enforce HTTPS for the entire application, don't add RequireHttpsAttribute to the filters collection on the config object in the Register() method. Instead, decorate only the controller classes or action methods for which you want HTTPS with the RequireHttpsAttribute. HTTPS will not be enforced for the remaining controllers and action methods.
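Two details of the filter above deserve attention once the service leaves IIS Express: the HTTPS port 44337 is hard-coded (production listens on 443), and a redirect is issued for every HTTP request, although a POST body that has already travelled over HTTP cannot be protected after the fact and is dropped by the client when it follows the redirect. The following variant is an added example (not code from the original article): the port is a constructor argument, GET and HEAD requests get a 301 so clients remember the HTTPS location, and all other methods are refused with 403. The controller at the end shows the per-controller usage the note above describes. Names such as RequireHttpsStrictAttribute and EmployeesController are assumptions made for this example.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace EmployeeService.Security
{
    // Added example: a variant of the article's filter with a configurable HTTPS port
    // that only redirects safe (GET/HEAD) requests and refuses everything else over HTTP.
    public sealed class RequireHttpsStrictAttribute : AuthorizationFilterAttribute
    {
        private readonly int _httpsPort;

        // httpsPort: where clients are sent. 443 is the production default;
        // IIS Express uses the SSL port Visual Studio assigned (44337 in the article).
        public RequireHttpsStrictAttribute(int httpsPort = 443)
        {
            _httpsPort = httpsPort;
        }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            HttpRequestMessage request = actionContext.Request;

            if (request.RequestUri.Scheme == Uri.UriSchemeHttps)
            {
                // Already on HTTPS: let the request through to the action.
                base.OnAuthorization(actionContext);
                return;
            }

            if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head)
            {
                // Safe, idempotent request: redirect permanently so the client caches the HTTPS location.
                HttpResponseMessage response = request.CreateResponse(HttpStatusCode.MovedPermanently);
                response.Headers.Location = ToHttps(request.RequestUri, _httpsPort);
                actionContext.Response = response;
                return;
            }

            // A POST/PUT/DELETE body (and any credentials in it) has already crossed the wire in
            // clear text; a redirect cannot undo that, and the body would be lost on the retry,
            // so refuse the request and let the client resend it correctly over HTTPS.
            actionContext.Response = request.CreateResponse(
                HttpStatusCode.Forbidden, "This resource must be requested over HTTPS.");
        }

        // Rebuilds the URL with the https scheme; Port = -1 tells UriBuilder to omit the default port.
        public static Uri ToHttps(Uri original, int httpsPort)
        {
            var builder = new UriBuilder(original)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = httpsPort == 443 ? -1 : httpsPort
            };
            return builder.Uri;
        }
    }

    // Per-controller use, as in the note above, instead of config.Filters.Add(...) for the whole API.
    // The port argument is the IIS Express SSL port from the article; drop it on the production build.
    [RequireHttpsStrict(44337)]
    public class EmployeesController : ApiController
    {
        [HttpGet]
        public IHttpActionResult Get()
        {
            return Ok(new[] { "employee list goes here" });
        }
    }
}
```

With the argument omitted the attribute targets port 443, so `[RequireHttpsStrict]` is the form to ship; `ToHttps` is public so the URL rewriting can be unit-tested without a running host.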

Enabling SSL on Production Server (IIS 10)

In order to understand how to enable SSL on a production server, that is, on IIS 10, you first need to understand what a CSR is.

What is a CSR?

A CSR, or Certificate Signing Request, is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time when you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate provider will use this CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

How to create a CSR in IIS 10

Follow these steps to create a CSR:
1. Start IIS Manager.

Start IIS Manager. One quick way to do this is by opening the Run command, then typing inetmgr and clicking the OK button.

(Figure: Open IIS)
2. Select server.

Select the server in the Connections pane, on the left side of the window.

(Figure: Select Server)
3. Open Server Certificates.

Double-click the Server Certificates icon, located under IIS in the center pane of the window.

(Figure: Server Certificates)
4. Click “Create Certificate Request.”

Click the Create Certificate Request link, in the Actions pane on the right side of the window.

(Figure: Request Certificate)
5. Enter Distinguished Name Properties.

The Request Certificate wizard will open. Fill out the Distinguished Name Properties form with the following information:

• Common Name: The hostname that will use the certificate. This is usually a fully-qualified domain name, like www.domainname.com, or store.mydomain.com. You can also use a wildcard, like *.mydomain.com.
• Organization: The legal name of your company or organization.
• Organizational Unit: The departmental or division name for your group.
• City/locality: The city where your company is located.
• State/province: The state where your company is located.
• Country/region: Use the two-character abbreviation for your country.
When you are finished filling out the form, click the Next button.
(Figure: Distinguished Name Properties)
6. Set Cryptographic Service Provider Properties.
Next, set the Cryptographic Service Provider Properties. Use the drop-down menus to select Microsoft RSA SChannel Cryptographic Provider as the cryptographic service provider, and a bit length of 2048 (unless you have a reason to set these to other values). When you are finished, click the Next button.
(Figure: Cryptographic Service Provider Properties)
7. Create a file name for your CSR, then click the Finish button.
(Figure: File Name)
8. The next step is to submit this CSR to an authorized SSL provider and download the issued SSL certificate.
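The wizard above is the IIS front end for the PKCS #10 request described in the CSR section. As an added example (not part of the original article, and not what IIS itself runs internally), the following C# program produces the same kind of request with the .NET CertificateRequest API: a 2048-bit RSA key pair, the Distinguished Name fields from step 5, and a Subject Alternative Name extension, which browsers require today because they validate the host name against SAN rather than the Common Name. It targets .NET Core 3.0 / .NET 5 or later (needed for ExportRSAPrivateKey); the host name, organization and location values are constructed placeholders, and writing the key to a file is shown only to make the key pair visible.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace CsrExample
{
    public static class Program
    {
        // Wraps DER bytes in the PEM armour that certificate providers accept for upload or paste.
        public static string ToPem(string label, byte[] der)
        {
            var sb = new StringBuilder();
            sb.AppendLine("-----BEGIN " + label + "-----");
            sb.AppendLine(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks));
            sb.AppendLine("-----END " + label + "-----");
            return sb.ToString();
        }

        // Builds a PKCS #10 request and returns it DER-encoded. The RSA object passed in holds the
        // private key; only the public half and the subject information go into the CSR.
        public static byte[] BuildCsr(RSA key, string commonName, string[] dnsNames,
                                      string organization, string unit, string locality,
                                      string state, string country)
        {
            // Same fields as the IIS "Distinguished Name Properties" form.
            var subject = new X500DistinguishedName(
                $"CN={commonName}, O={organization}, OU={unit}, L={locality}, ST={state}, C={country}");

            var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Every host name the server answers for goes into SAN; CN alone is not trusted by browsers.
            var san = new SubjectAlternativeNameBuilder();
            foreach (string name in dnsNames)
            {
                san.AddDnsName(name);
            }
            request.CertificateExtensions.Add(san.Build());

            // Key usage suitable for a TLS server certificate (signing the handshake, key exchange)
            // plus the serverAuth extended key usage OID.
            request.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
            request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, critical: false));

            return request.CreateSigningRequest();
        }

        public static void Main()
        {
            // Constructed placeholder values; replace them with your real host names and organization.
            const string host = "www.example.com";
            using (RSA key = RSA.Create(2048))   // 2048 bits, the wizard's default key length
            {
                byte[] csrDer = BuildCsr(key, host, new[] { host, "example.com" },
                                         "Example Ltd", "IT", "Example City", "Example State", "IN");

                // The CSR is what you send to the provider. The private key never leaves this machine;
                // IIS keeps it in the Windows key store, and a key file like this one needs the same
                // protection (restricted ACLs, backup, no copies on shared drives).
                File.WriteAllText("request.csr", ToPem("CERTIFICATE REQUEST", csrDer));
                File.WriteAllText("request.key", ToPem("RSA PRIVATE KEY", key.ExportRSAPrivateKey()));

                Console.WriteLine(ToPem("CERTIFICATE REQUEST", csrDer));
                Console.WriteLine("Private key written to request.key; keep it secret.");
            }
        }
    }
}
```

The certificate the provider returns only matches the key in request.key, which is the point made earlier: lose the key and the certificate is useless. When the CSR is generated through IIS instead, the same rule applies to the key IIS stored for that pending request, which is why the "Complete Certificate Request" step has to be done on the same server that created the CSR.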

How to add SSL certificate in IIS 10

• Start IIS Manager.
Start IIS Manager. One quick way to do this is by opening the Run command, then typing inetmgr and clicking the OK button.
(Figure: Open IIS)
• Select server.
Select the server in the Connections pane, on the left side of the window.
(Figure: Select Server)
• Open Server Certificates.
Double-click the Server Certificates icon, located under IIS in the center pane of the window.
(Figure: Server Certificates)
• Click “Complete Certificate Request”.
Click Complete Certificate Request, in the Actions pane, on the right side of the window.
(Figure: Complete Certificate Request)
• Click the … button.
The Complete Certificate Request wizard will appear. First, click the button labeled “…” to open the file open dialog box.
(Figure: Complete Certificate Request wizard)
• Navigate to certificate file.

Navigate to the file you downloaded from the provider. Note that you will have to change the drop-down menu to the right of the File name field from *.cer to *.* to see the file.

• Open file.

Click the Open button.

• Create a friendly name.

Next, enter a memorable name for the certificate in the Friendly name field.

• Click OK.

Click the OK button.

• Finished!

The certificate is installed! The next step is to bind the certificate to a particular website, port, and/or IP address.

How to bind SSL certificate to a particular website on IIS 10

Binding a certificate to a website in IIS means that you are activating the installed digital certificate and associating it with a particular website, port, and/or IP Address. Binding in IIS can be performed by following these simple steps. (These instructions assume that you have already installed your certificate in IIS.)


1. Start IIS Manager.
Start IIS Manager. One quick way to do this is by opening the Run command, then typing inetmgr and clicking the OK button.
(Figure: Open IIS)
2. Select website.
In the Connections pane on the left side of the window, navigate to the Server and Site you wish to bind the certificate to.
(Figure: Choose website (API))
3. Open bindings.
In the Actions pane on the right, click Bindings.
(Figure: Bindings)
4. Click Add.
Click the Add… button.
(Figure: Bindings 2)
5. Select binding type.

The Add Site Binding window will open. For Type, select https.

6. Select IP address.

For IP address, select All Unassigned, or the site’s IP address.

7. Enter port.

For Port, enter 443.

8. Select certificate.

Select the desired certificate from the SSL certificate drop-down menu.

9. View certificate details.

You can use the View… button to get details about the selected certificate.

10. Require Server Name Indication (SNI) if necessary.

If you are serving more than one domain name from the same IP address, enter the site's host name in the Host name field and check the Require Server Name Indication box. If not, you can safely leave these blank.

11. Close the “Add Site Binding” window.

Click the OK button to close the window.

12. Close the “Site Bindings” window.

Verify that the binding has been added, then close the Site Bindings window by clicking the Close button.

13. Edit an existing binding (if necessary).

You may also edit an existing binding. To do this, simply select the item and click Edit. You can change the port, the IP address, the host name, and the certificate to use.