HTTP Support

(originally taken from http://www.towersoft.com/sdk/doku.php?id=ice:setting_up_an_ice_server_to_use_ssl)

Introduction

For added security, the ICE Server supports the Secure Sockets Layer (SSL) protocol, or in current implementations its successor, TLS. This encrypts all traffic between the client and the ICE server and lets the client check that it is talking to the genuine server, so that sensitive data is protected from both eavesdropping and tampering. If your ICE server is reachable over the internet, encrypting its traffic is strongly recommended. (SSL 2.0 and 3.0 themselves are broken and deprecated; whatever the setting is called, make sure the server actually negotiates TLS.)

This article describes how to use ICE with SSL. It also discusses how to use the OpenSSL toolkit or Microsoft Makecert to generate a self-signed certificate for testing the ICE functionality.

About SSL Certificates

The certificates used by C# WebServer to encrypt traffic need to be valid PKCS#12 files, with the extension "pfx" or "p12". A PKCS#12 file bundles the server certificate, its private key and optionally the issuing CA chain, protected by a password; a bare certificate file (.cer/.crt) contains no private key and cannot be used by the server. You can obtain the certificate from a certificate authority (CA) such as Verisign, or you can generate one yourself using the open-source OpenSSL toolkit.

C# WebServer uses X.509 certificates to provide a secure interface between the client and the server. There are two basic types. Self-signed certificates (including, as in the procedures below, certificates signed by a CA you created yourself) are simple to produce, but no client has any reason to trust them: the encryption is just as strong, but the client cannot verify that it is talking to your server rather than to a man-in-the-middle presenting an equally untrusted certificate, so browsers warn or refuse the connection. They should only be used during testing, or with the test CA certificate installed in every client's trust store. A certificate signed by a CA that the clients already trust gives the client that assurance and is what a production server should use.

Generate Self-signed Certificate with OpenSSL

To generate a certificate for ICE with OpenSSL, follow the steps below; they are the ones used when testing SSL. They create a private test CA and sign the server certificate with it, so the result is a test certificate that browsers and other clients will not trust until the CA certificate is imported. It is not a production certificate.

Note:

Perl must be installed to run the CA.pl script that ships with OpenSSL. Win32 users can download ActivePerl at http://www.activestate.com/
If you haven't got OpenSSL, you can download a Win32 installer at http://www.slproweb.com/products/Win32OpenSSL.html
The transcripts below come from a 2006 OpenSSL build that generated 1024-bit RSA keys with SHA-1 signatures. Current OpenSSL defaults to 2048-bit keys and SHA-256, and nothing smaller than 2048 bits should be used, even for testing.

Set up the Certificate Authority (CA):

(Note: If the following command returns immediately, it has probably found an existing demoCA directory. Delete the folder demoCA under C:\OpenSSL\bin\ and run it again.)

C:\openSSL\bin>CA.pl -newca

     Enter PEM pass phrase:
     Verifying - Enter PEM pass phrase:
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     Country Name (2 letter code) [AU]:AU
     State or Province Name (full name) [Some-State]:ACT
     Locality Name (eg, city) []:Canberra
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:ELEPHANT Software
     Organizational Unit Name (eg, section) []:R&D
     Common Name (eg, YOUR name) []:ICE
     Email Address []:john@elephant.com.au 
     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:elephant
     An optional company name []:
     Using configuration from C:\OpenSSL\bin\openssl.cnf
     Loading 'screen' into random state - done
      Enter pass phrase for ./demoCA/private/cakey.pem:
      Check that the request matches the signature
      Signature ok
      Certificate Details:
      Serial Number:
          bc:2e:d2:f7:40:e5:33:13
      Validity
          Not Before: Aug 16 01:20:38 2006 GMT
          Not After : Aug 15 01:20:38 2009 GMT
      Subject:
          countryName               = AU
          stateOrProvinceName       = ACT
          organizationName          = ELEPHANT Software
          organizationalUnitName    = R&D
          commonName                = ICE
          emailAddress              = john@elephant.com.au
      X509v3 extensions:
          X509v3 Subject Key Identifier:
              19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73
          X509v3 Authority Key Identifier:
              keyid:19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73
              DirName:/C=AU/ST=ACT/O=ELEPHANT Software/OU=R&D/CN=ICE/emailAddress=john@elephant.com.au
              serial:BC:2E:D2:F7:40:E5:33:13
          X509v3 Basic Constraints:              CA:TRUE
      Certificate is to be certified until Aug 15 01:20:38 2009 GMT (1095 days)
      Write out database with 1 new entries
      Data Base Updated 


c:\openSSL\bin\>CA.pl -newreq

      Loading 'screen' into random state - done 
      Generating a 1024 bit RSA private key
      .........++++++
      ...++++++
      writing new private key to 'newkey.pem'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      Country Name (2 letter code) [AU]:AU
      State or Province Name (full name) [Some-State]:ACT
      Locality Name (eg, city) []:Canberra
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:ELEPHANT Software
      Organizational Unit Name (eg, section) []:R&D
      Common Name (eg, YOUR name) []:ICE
      Email Address []:john@elephant.com.au 
      Please enter the following 'extra' attributes to be sent with your certificate request
      A challenge password []:elephant
      An optional company name []:
      Request is in newreq.pem, private key is in newkey.pem 


c:\openSSL\bin\>CA.pl -signreq

      Using configuration from C:\OpenSSL\bin\openssl.cnf
      Loading 'screen' into random state - done
      Enter pass phrase for ./demoCA/private/cakey.pem:
      Check that the request matches the signature
      Signature ok
      Certificate Details:
      Serial Number:
        bc:2e:d2:f7:40:e5:33:14
      Validity
          Not Before: Aug 16 01:23:10 2006 GMT
          Not After : Aug 16 01:23:10 2007 GMT
      Subject:
          countryName               = AU
          stateOrProvinceName       = ACT
          localityName              = Canberra
          organizationName          = ELEPHANT Software
          organizationalUnitName    = R&D
          commonName                = ICE
          emailAddress              = john@elephant.com.au
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              04:7F:C7:5F:AB:F7:72:16:78:03:95:BC:0A:37:9E:91:A3:A0:DD:D5
          X509v3 Authority Key Identifier:
              keyid:19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73 
      Certificate is to be certified until Aug 16 01:23:10 2007 GMT (365 days)
      Sign the certificate? [y/n]:y
      1 out of 1 certificate requests certified, commit? [y/n]y
      Write out database with 1 new entries
      Data Base Updated
      Signed certificate is in newcert.pem

c:\openSSL\bin\>CA.pl -pkcs12 "ICE Test Certificate"

      Loading 'screen' into random state - done
      Enter pass phrase for newkey.pem:
      Enter Export Password:
      Verifying - Enter Export Password:
      PKCS #12 file is in newcert.p12

You now have newcert.p12, which bundles the server certificate (signed by your test CA, whose certificate is demoCA\cacert.pem) together with its private key, protected by the export password you entered. That password is needed whenever the file is loaded, and the file must be kept as secret as the private key itself. The certificate is only for testing: clients will not trust it unless demoCA\cacert.pem is imported into their trust store, and because it was issued with Common Name "ICE" rather than the server's hostname, clients that check the name will reject it even then. For anything beyond a local test, issue the certificate for the real hostname and have it signed by a CA the clients trust.
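The CA.pl session above is interactive and reflects 2006 defaults. The following script is an added example, not code from the original page or from ICE/C# WebServer: it performs the same three steps non-interactively with current OpenSSL (create a test CA, sign a server certificate with it, bundle certificate, key and CA into a PKCS#12 file) and then runs the checks a practitioner would want before handing the file to the server. The CA name "ICE Test CA", the hostname ice.example.test, the password "changeit" and the 30-day validity are assumptions chosen for illustration; it needs openssl 1.1.1 or later on the PATH and is written for a POSIX shell, so on Windows run it from Git Bash or WSL.

```sh
#!/bin/sh
# Added example, not code from the original page or from ICE / C# WebServer.
# Assumptions (hypothetical): CA name "ICE Test CA", hostname ice.example.test,
# password "changeit", 30-day validity. Needs openssl 1.1.1 or newer on PATH.
set -eu

# Build a throw-away test CA, a server certificate signed by it, and a PKCS#12
# bundle (server cert + private key + CA cert) that the server can load.
#   $1 = working directory   $2 = server hostname   $3 = PKCS#12 export password
make_test_pkcs12() {
    dir=$1; host=$2; pw=$3

    # CA request config. prompt=no takes the DN from [dn]; the CA certificate
    # gets CA:TRUE and may only sign leaf certificates (pathlen:0).
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = ICE Test CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key and CSR. The config only has to provide a DN section; -subj
    # supplies the real subject (CN only; the name clients check goes in the SAN).
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' \
        > "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # Leaf extensions: CA:FALSE, the Server Authentication EKU (OID
    # 1.3.6.1.5.5.7.3.1, the same one the Makecert section passes as -eku) and a
    # subjectAltName carrying the hostname, which is what clients match against.
    cat > "$dir/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # The bundle: leaf certificate, its private key and the issuing CA, under
    # the export password (what CA.pl -pkcs12 produces as newcert.p12).
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -name "ICE Test Certificate" \
        -passout "pass:$pw" -out "$dir/server.p12"
    echo "$dir/server.p12"
}

# Chain check with the test CA as the only trust anchor: succeeds.
verify_chain() {              # $1 = dir
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
# The same certificate with no trust anchor at all: fails with "unable to get
# local issuer certificate", which is what a client that has not imported the
# test CA will report. This is why a self-signed setup is for testing only.
verify_without_ca() {         # $1 = dir
    openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
}
# Hostname check: even a trusted chain is rejected if the SAN does not cover
# the name the client connected to (the page's CN=ICE certificate fails here).
verify_hostname() {           # $1 = dir   $2 = hostname the client used
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
# Inspect the bundle: number of certificates (2 = server + CA) and key presence.
p12_cert_count() {            # $1 = p12 file   $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
p12_has_key() {               # $1 = p12 file   $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

main() {
    work=$(mktemp -d)
    p12=$(make_test_pkcs12 "$work" ice.example.test changeit)
    echo "bundle written to $p12"
    verify_chain "$work"                       && echo "chain, test CA trusted:   OK"
    verify_without_ca "$work"                  || echo "chain, no trust anchor:   rejected"
    verify_hostname "$work" ice.example.test   && echo "name ice.example.test:    OK"
    verify_hostname "$work" other.example.test || echo "name other.example.test:  rejected"
    echo "certificates in bundle: $(p12_cert_count "$p12" changeit)"
    p12_has_key "$p12" changeit && echo "private key in bundle:  yes"
    rm -rf "$work"
}
main
```

Two points the transcript above does not show: the server certificate carries a subjectAltName with the hostname, because current clients match the name they connected to against the SAN and ignore the Common Name, which is why a certificate issued with CN=ICE fails a hostname check; and the checks separate "the chain is valid" from "the client trusts it", since without the CA certificate in the client's store the same file is rejected. If the bundle is to be imported on an older Windows release, note that OpenSSL 3 encodes PKCS#12 with AES-256 and PBKDF2 by default, which such releases cannot read; its -legacy option (with the legacy provider loaded) restores the older 3DES/RC2 encoding.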

Generate Self-signed Certificate With Microsoft Makecert

You can either download OpenSSL and follow the instructions above, or generate your self-signed certificate with the Microsoft makecert utility. Either way gets your ICE server up and secured with SSL.

Get Makecert.exe
Download the makecert program from Microsoft.

If you have Visual Studio installed, it should be in “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin”, or get it here:

http://download.microsoft.com/download/platformsdk/update/5.131.3617.0/nt45xp/en-us/makecert.exe

Read article.
There’s a good article explaining how to generate a self-signed certificate with makecert.exe: http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx

Or you can paste the following commands at the Windows command prompt (make sure makecert.exe is available in the current working directory):

 makecert -pe -n "CN=Test And Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"
 makecert -pe -n "CN=yourhostname.yourdomainname" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 yourhostname.cer

The first command creates a self-signed (-r) root certificate with a signing key and stores it, private key included, in the Local Computer Personal store (-ss my -sr LocalMachine). The second issues a certificate for your server's name, signed by that root (-in, -is and -ir name the issuer and where it is stored), with the Server Authentication enhanced key usage (-eku 1.3.6.1.5.5.7.3.1) and an exchange key created through the Microsoft RSA SChannel provider (-sp, -sy 12) so that SSL can use it; -pe marks the private keys exportable. Replace yourhostname.yourdomainname with the exact name clients will use to reach the server, since that is the name they check the certificate against. The -a sha1 option dates these commands: current clients reject SHA-1 signed certificates, and newer makecert builds accept -a sha256.

You will either have to add “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin” to the system path or run the above commands in the same directory where makecert.exe resides.

Note: The .cer files are written to the directory you run makecert.exe from. They contain only the public certificates; the private keys stay in the certificate store.

You now have a self-signed root and a server certificate issued by it. Because C# WebServer loads PKCS#12 files, export the server certificate from the Local Computer Personal store (for example with the Certificates MMC snap-in, choosing to export the private key, which -pe made possible) to a .pfx file, and import "Test and Dev Root Authority.cer" into the Trusted Root Certification Authorities store of any client that should accept the server without warnings. As with the OpenSSL certificate, this is for testing only.

Last edited Dec 23, 2008 at 11:29 AM by jgauffin, version 1

Comments

devvvy Jan 27, 2013 at 1:52 AM 
OK, this article tells you how to generate the certificate, but how can you make our Codeplex Webserver point at this certificate? Thanks

jrezuke Jul 3, 2010 at 1:52 PM 
The towersoft link is no longer active