ssl

certificate validation overriding#

csharp
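using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
// Register once at startup; the callback applies process-wide.
ServicePointManager.ServerCertificateValidationCallback +=
    new RemoteCertificateValidationCallback(ValidateCertificate);
// Returns true for every certificate, so server certificates are not validated at all.
public static bool ValidateCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}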
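
A narrower alternative to the accept-all callback above, as an added example (not code from the original page): it keeps the platform's verdict and tolerates chain errors only for a certificate whose SHA-256 fingerprint is pinned. The class name, the pin list and the placeholder fingerprint are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificateValidation // hypothetical class name
{
    // Assumed pin list: SHA-256 over the DER-encoded certificate, as hex.
    // The entry is a placeholder; replace it with your dev certificate's fingerprint.
    private static readonly HashSet<string> PinnedSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<sha256-fingerprint-of-dev-certificate>"
        };

    public static void Install()
    {
        // Assign with '=' so this is the only handler: on a multicast delegate
        // with a return value, the last handler added decides the result.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Chain, host name and validity period already verified by the platform.
        if (sslPolicyErrors == SslPolicyErrors.None) return true;

        // Tolerate chain errors only (untrusted root, but also expiry or
        // revocation failures). A name mismatch or a missing certificate is
        // rejected even when the certificate is pinned.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false;

        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            string fingerprint = BitConverter.ToString(hash).Replace("-", "");
            return PinnedSha256.Contains(fingerprint);
        }
    }
}
```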

persistkeyset#

Installed certificates expiring? Use X509KeyStorageFlags.PersistKeySet - What is the impact of PersistKeySet

ssl certificate binding#

bind a certificate#

console
netsh http add sslcert ipport=<ipAddress>:<port> ^
  certhash={<certificateThumbprint>} appid={<someGuid>}

check current bindings#

console
# all
netsh http show sslcert
# single ip/port
netsh http show sslcert ipport=<ipAddress>:<port>

remove binding#

console
netsh http delete sslcert ipport=<ipAddress>:<port>

errors#

When attempting to bind, the following error might occur:

A specified logon session does not exist. It may already have been terminated.

This means a private key needs to be attached to the certificate prior to binding.

http.sys#

windows certificate store#

Add certificate authority#

Via administrator session

powershell
certutil -addstore "CA" .\SomeCertAuthority.pem

Add -f to force replace if the cert already exists

serve https locally#

Create a certificate

bash
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout ~/git/key.pem -out ~/git/cert.pem

Current directory:

bash
npx http-server -S --cors -C ~/git/cert.pem -K ~/git/key.pem -o --port 3001

A specific directory:

bash
npx http-server my-directory -S --cors -C ~/git/cert.pem -K ~/git/key.pem -o --port 3001

install certificate authority on iOS#

  1. Download the certificate authority certificate: myCA.pem
  2. Tap install
  3. Settings > General > Device Management > Install the cert
  4. Settings > General > About > Certificate Trust Settings > Enable the cert


open ssl helpers#

Display the subjectAltName of a certificate:

bash
openssl x509 -noout -ext subjectAltName -in ./keys/cert.pem

Convert to pfx:

bash
openssl pkcs12 -export -out ./keys/myCA.pfx -inkey ./keys/myCA.key -in ./keys/myCA.pem

Create a CA signed certificate:

bash
openssl genrsa -out linkninja.key
openssl req -new -key linkninja.key -out linkninja.csr -config linkninja.cnf
openssl x509 -req -in linkninja.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out linkninja.pem -sha256 -extfile linkninja.cnf -extensions req_ext

install certificate authority on android#

  1. Download the certificate authority certificate: myCA.pem
  2. Settings > Security > Encryption and credentials > Install a certificate > CA certificate

mac keychain#

Add certificate authority#

bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/myCA.pem