What is SSL and How to Implement It in an ASP.Net Web Application

This article explains SSL and how to implement SSL in an ASP.Net web application.

Difference between HTTP and HTTPS

The HTTPS protocol is more secure than the HTTP protocol because it includes the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. It is a more secure way for a client to send a request to the server, and the communication is encrypted, which means no one else can understand what you are looking for. This kind of communication is used for websites where security is required. Banking websites, payment gateways, email (Gmail offers HTTPS by default in the Chrome browser) and corporate websites are some examples where HTTPS is used.

For an HTTPS connection, the server requires a public key certificate that is trusted and signed.

Example of HTTPS site

Facebook and Gmail transfer messages in encrypted form because we do not want anybody else to see our messages, so HTTPS is used for security.

The key indicator that lets users know they are currently protected by an SSL-encrypted session is the lock icon in the lower right-hand corner. Clicking on the lock icon displays the SSL Certificate and the details about it.

What is SSL

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

For an SSL connection, a web server requires an SSL certificate. Your web server creates two cryptographic keys, a Private Key and a Public Key.

The Public Key does not need to be secret and is placed in a Certificate Signing Request (CSR), a data file that also contains your details such as your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. This information is submitted to the Certification Authority as the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.

Implementation of SSL in Web Application

Before implementing SSL it is important to understand self-signed certificates.

Self-signed certificates

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. There are various ways to create a self-signed certificate; the following are the 2 easier options:

  1. Using IIS
  2. Using MakeCert.exe

1. Using IIS

  • Step 1: Open the IIS Server, either directly or by typing "inetmgr" in the Run dialog.

  • Step 2: Select the server name and click on Server Certificates.

  • Step 3: Click on the Create Self-Signed Certificate link under Actions. Provide the friendly name of the certificate (here, our PC name) and click OK. The certificate has been created.

2. Using MakeCert.exe

The other way to create a certificate is with MakeCert.exe. It is run from a Visual Studio command prompt with this command:

makecert.exe -r -pe -n "CN= localhost" -b 01/01/2012 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

    r: Creates a self-signed certificate.

    pe: Marks the generated private key as exportable. This allows the private key to be included in the certificate.

    n: Specifies the subject's certificate name.

    b: Specifies the start of the validity period. Defaults to the current date.

    e: Specifies the end of the validity period.

    eku: Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate.

    ss: Specifies the subject's certificate store name that stores the output certificate.

    sr: Specifies the subject's certificate store location. The location can be either currentuser (the default) or localmachine.

    sky: Specifies the subject's key type, that must be one of the following: signature (that indicates that the key is used for a digital signature), exchange (that indicates that the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.

    sp: Specifies the subject's CryptoAPI provider name.

    sy: Specifies the subject's CryptoAPI provider type, that must be defined in the registry subkey.

After pressing Enter at the command prompt, the two self-signed certificates have been created.

Integrate with Web Application

I have created one application and I am now running it over the HTTP protocol. It runs successfully.

Now I am trying to run it over the HTTPS protocol, and it issues an error.

The error occurs because the site is not configured for SSL, so the next step is to configure it:

  • Step 1: Go to the IIS Server, select Default Web Site and click on Bindings. Add a new binding for the HTTPS protocol.

  • Step 2: Now we have 2 bindings, one for HTTP and the other for HTTPS.

    Now the application will run successfully over the HTTPS protocol.

Only implement HTTPS protocol

There are the following 2 ways to implement it.
  1. Remove HTTP from the bindings.

    If we use this method, the HTTP binding is removed for all the web applications, so the second method is used instead.

  2. For a single application only, we always prefer this method: go to SSL Settings in IIS and check Require SSL.

Import and Export the SSL file
  1. Export File

    Go to Server Certificates, click on the Export link, provide the name of the file and a password, and click OK. The file will be saved in the "C:\Windows\System32" path.

  2. Import File

    Go to Server Certificates, click on the Import link and open the file.

    If you want the imported certificate to be exportable again later, check the checkbox.
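
The steps above (create the self-signed certificate, add the HTTPS binding, require SSL for one application, export the certificate) can also be scripted. The following PowerShell is an added example, not code from the original article; it uses New-SelfSignedCertificate, which Microsoft recommends in place of the deprecated MakeCert.exe, and the application path and the PFX path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumes Windows 10 / Server 2016 or later
# with IIS and the WebAdministration module installed.
Import-Module WebAdministration

$siteName = 'Default Web Site'            # site used in the article
$appPath  = 'Default Web Site/MyApp'      # hypothetical application under the site
$pfxPath  = 'C:\certs\localhost-dev.pfx'  # hypothetical path; the folder must exist

# 1. Self-signed certificate in LocalMachine\My, restricted to the server
#    authentication EKU (1.3.6.1.5.5.7.3.1) as in the makecert command.
$cert = New-SelfSignedCertificate -DnsName 'localhost' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'localhost dev certificate' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Self-signed: the subject and the issuer are the same entity.
if ($cert.Subject -ne $cert.Issuer) { throw 'Certificate is not self-signed.' }

# 2. Add the HTTPS binding if it is missing, then attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL for the single application only; the site's HTTP binding stays.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Export the certificate with its private key to a password-protected PFX.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Show which certificate IIS now serves on each SSL binding.
Get-ChildItem IIS:\SslBindings
```

The exported PFX contains the private key, so keep it outside the web root and restrict who can read it.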