This article explains SSL and how to implement SSL in an ASP.NET web application.

Difference between HTTP and HTTPS

The HTTPS protocol is more secure than the HTTP protocol because it includes the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. It is a more secure way to send a request from a client to the server, and the communication is encrypted, which means no one can understand what you are looking for. This kind of communication is used for accessing websites where security is required. Banking websites, payment gateways, email (Gmail offers HTTPS by default in the Chrome browser) and corporate sector websites are some examples where the HTTPS protocol is used.

For an HTTPS connection, the server requires a public key certificate that is trusted and signed.

Example of HTTPS site

In Facebook and Gmail, messages are transferred in encrypted form because we do not want anybody else to see our messages, so HTTPS is used for security. The key indicator that lets users know they are currently protected by an SSL encrypted session is the lock icon in the lower right-hand corner. Clicking on the lock icon displays the SSL Certificate and the details about it.

What is SSL

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

For an SSL connection, a web server requires an SSL certificate. Your web server creates two cryptographic keys, a Private Key and a Public Key.

The Public Key does not need to be secret and is placed in a Certificate Signing Request (CSR), a data file that also contains your details, such as your domain name, your company name, your address, your city, your state and your country.
It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. This information is submitted to the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.

Implementation of SSL in Web Application

Before implementing SSL it is important to understand self-signed certificates.

Self-signed certificates

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. There are various ways to create a self-signed certificate, but the following two are the easier options available:
1. Using IIS
2. Using MakeCert.exe

The other way to create a certificate is using MakeCert.exe. It is run from a Visual Studio command prompt with this command:

makecert.exe -r -pe -n "CN= localhost" -b 01/01/2012 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

r: Creates a self-signed certificate.
pe: This allows the private key to be included in the certificate.
n: Specifies the subject's certificate name.
b: Specifies the start of the validity period. Defaults to the current date.
e: Specifies the end of the validity period.
eku: Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate.
ss: Specifies the subject's certificate store name that stores the output certificate.
sr: Specifies the subject's certificate store location. The location can be either currentuser (the default) or localmachine.
sky: Specifies the subject's key type, which must be one of the following: signature (which indicates that the key is used for a digital signature), exchange (which indicates that the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.
sp: Specifies the subject's CryptoAPI provider name.
sy: Specifies the subject's CryptoAPI provider type, that must be defined in the registry subkey.
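
The makecert.exe flags above map onto the built-in New-SelfSignedCertificate PowerShell cmdlet, shown here with a check of the resulting certificate. This is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later and an elevated PowerShell session, uses a one-year lifetime instead of the article's dates, and the helper name Test-DevServerCertificate is hypothetical.

```powershell
# Added example. Each parameter is annotated with the makecert flag it corresponds to.
$params = @{
    Subject           = 'CN=localhost'               # -n
    DnsName           = 'localhost'                  # adds a Subject Alternative Name entry
    CertStoreLocation = 'Cert:\LocalMachine\My'      # -sr localMachine -ss my
    KeyExportPolicy   = 'Exportable'                 # -pe
    KeySpec           = 'KeyExchange'                # -sky exchange
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'   # -sp / -sy 12
    NotBefore         = (Get-Date)                   # -b
    NotAfter          = (Get-Date).AddYears(1)       # -e (one year is this example's choice)
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')  # -eku: Server Authentication
}
$cert = New-SelfSignedCertificate @params

# Hypothetical helper: report the properties that matter for a development HTTPS binding.
function Test-DevServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        # Name comparison only: subject equals issuer. It does not verify the signature.
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
        # The web server cannot use the certificate without its private key.
        HasPrivateKey = $Certificate.HasPrivateKey
        ServerAuthEku = ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
        DaysRemaining = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    }
}

Test-DevServerCertificate -Certificate $cert
```

Because the certificate is self-signed, browsers will warn about it until it is added to the client's trusted root store, so it is suitable for development and testing rather than for a public site.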
After pressing Enter at the command prompt, the two self-signed certificates have been created.

Integrate with Web Application

I have created one application and now I am running my application on the HTTP protocol. This runs successfully. Now, I am trying to run on the HTTPS protocol and it will issue an error. The error occurs because this is not configured with SSL, so now go to configure with SSL: