Enabling https with NancyFx Owin Self-host

Question

I'm selfhosting a NancyFx service with Owin (on intranet from a Windows 8 machine) and it works fine. Trying to switch to HTTPS but have run into problems.

I have:

• Created self-signed root CA
• Created exchange-cert using above CA (CN=mycomputer)
• Exported public key of CA and installed on client-machine
• Used netsh to add urlacl to https://+:5001
• Used netsh to add sslcert with thumb-hash etc.

The service-host looks to start allright on my address, https://mycomputer:5001, but when I try to access this address I first get the warning about unsecure connection (which I shouldn't if I have installed the public key CA-cert right?) and when continuing anyway I get a "service not available"-respons.

Any hints to what could be wrong?

Do I have to config Nancy/Owin to use the certificate somehow or is it enough to have it attached to the endpoint with netsh?

Answer 1

I've got it working. I've found it useful to have a number of checks in the process.

CHECK1 - Cert import ok: - After you install the cert on the machine run certutil -store MY - You shoudle see the cert details there (sha/user created/name etc) - If not STOP. You probably imported into the user store (or the cert is invalid). You MUST start with empty mmc and import certificates for the MACHINE.

CHECK2 - url is added to urlacl list in netsh - After you add the uri to acl run netsh http show urlacl - If your uri / port is not listed STOP. The url isn't added correctly.

CHECK3 - ssl is bound to urlacl - After running the add sslcert command run netsh http show sslcert - If your port/sha combination is not listed then check the sha has no spaces / appid is unique / app id + braces surrounded by quotes (if executing from PS)

Hope it helps. I created the above after 6 hours of head banging. It now works!