Use SSL with Self hosted WebAPI on client side

Question

I have to do a peer-to-peer application on local network, basically a service which publishes files and another app on the local network consumes it.

My idea is to use WebAPI in the service and want to use SSL. Users will be installing both the apps locally. Is this a feasible solution? If so, I found this article but not sure how to get the certhash.

Answer 1

Yes - it's a feasible solution.

Here's a quick overview of what's going on behind the scenes when you've got SSL (or TLS) in the mix: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Specifically, you'll get two benefits from using HTTPS: - Encryption - Trust (as in, IF you've got certificates that identify each end-point, then you'll be able to be 'sure' that your client apps are connecting to each other and not, presumably, some 'sneak' on a laptop in the lobby/etc.)

The problem, then, is just finding some decent docs on how to get this all set up (and determining WHERE you're going to get your certs from (if they're self-signed (i.e., without your own/corporate signing authority or without a trusted 3rd party authority), then you can LOSE the trust benefit listed above).

In terms of docs, the following resource seem to be quite decent (though I've only GLANCED at it):

• http://woloski.com/2012/08/04/securing-aspnet-webapi-with-clientcerts/

And, it appears that Matias has even created a Nuget package that should make this all tons easier to set up: http://nuget.org/packages/Auth10.AspNet.WebApi.ClientCert/

(I need to check that out myself - as I've only glanced at it.)

Answer 2

I'm putting this here for reference; specific answer to your certhash question included below:

(This) article describes, in relatively good detail, how to set up HTTPS on a client / self-hosted .net application.

I was able to skip step 1 with a variant of a self-host project I was working on that ran under a Windows Service, but it is definitely required if you use a console or other app that runs under a user.

If you're working in VB.NET, your MyHttpsSelfHostConfiguration class will look like the below:

Imports System.ServiceModel.Channels
Imports System.Web.Http.SelfHost
Imports System.Web.Http.SelfHost.Channels

Public Class MyHttpsSelfHostConfiguration
    Inherits HttpSelfHostConfiguration
    Public Sub New(baseAddress As String)
        MyBase.New(baseAddress)
    End Sub
    Public Sub New(baseAddress As Uri)
        MyBase.New(baseAddress)
    End Sub
    Protected Overrides Function OnConfigureBinding(httpBinding As HttpBinding) As BindingParameterCollection
        httpBinding.Security.Mode = HttpBindingSecurityMode.Transport
        Return MyBase.OnConfigureBinding(httpBinding)
    End Function

End Class

Additionally, if you choose to run this under a windows service as opposed to a standard application (putting here for reference), you'll need to dim your 'server As New HttpSelfHostServer(config)' , instead of having a Using clause, as the windows service would dispose of the Using immediately (Or so i've read elsewhere).

If your rest client (for testing) of choice does not connect, try pointing to your service method in a browser, if possible, as the browser will tell you if there's a problem with the installed certificate when it tries to communicate over https.

I also struggled in getting the certhash.

You can do so via the following steps:

1. Open 'MMC'
2. File > Add Snapin > Certificates (Computer Account / Local Computer) > OK
3. Open Certificates snapin > Personal > Certificates, and locate a certificate with Intended Purpose of Server Authentication (in intended purposes column)
4. Double Click on this certificate.
5. Go to the Details tab, and find the Thumbprint key
6. Copy the value of this key. Paste it into notepad++.
7. Go to the encoding menu, and select convert to ANSI. This will show a hidden character '?' at the start that you must remove. Clear spaces from this number and you may then use it for your cert hash.

If you do not have a certificate in the list of certificates mentioned above, you may create one (self-signed) easily with the following steps:

1. Open IIS Manager
2. Open your server in IIS manager
3. Open the 'Server Certificates' page
4. On the right, under 'Actions', select 'Create Self-Signed Certificate'