如何使用Powershell通过https将自签名证书发送给客户端

Question

I am creating a REST api in PowerShell work over https protocol for testing purpose. My aim is to create a pseudo https API and use that to test a functionality of our application (the app needs to call my test https api). I am able to create a self signed certificate using the following code.

$hostIP = Get-NetIPAddress | where{ ($_.InterfaceAlias -in @('Mgmt', 'Ethernet', 'management')) -and ($_.AddressFamily -eq 'IPv4')}
$win_path= 'c:\my_temp\'

$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -   dnsname $hostIP.IPAddress -NotAfter (Get-Date).AddYears(2)
$Certname = $hostIP.IPAddress.Replace('.','_')
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath 
$win_path\$Certname.pfx  -Force -Password $pw

The REST api I am writing looks something like this

$listener = New-Object System.Net.HttpListener
$httpUrl = "http://" + $givenArgs.HostName + ":" + $givenArgs.Port + "/"
Write-Output $httpUrl
$listener.Prefixes.Add($httpUrl) 
$httpsUrl = "https://" + $givenArgs.HostName + ":" + 443 + "/"
Write-Output $httpsUrl
$listener.Prefixes.Add($httpsUrl)
$listener.Start()

The question I have is, if I install the certificate that I have created in my machine manually, I am able to send queries to my REST api successfully but only from my machine.

I would like to send the certificate (send a copy of the certificate for clients on intial request without using any CA) to clients so that when a client queries the server for the first time, it gets a copy of the certificate and can save it for further communication.

I have tried looking this up online but I could only find solutions leading to 1.Ignoring the certificate or 2. Importing the certificate manually which donot serve my need.

Appreciate your time for looking into this and your help. Thanks in advance.

Answer 1

You don't have to explicitly send the certificate. Every time the client visits the https site, the public key certificate is always returned with the request. The issue you have is that after that, the client then has to decide what to do with the certificate.

The client will first look at the certificate, and look to see if it is trusted. If it is a trusted certificate (ie you purchase a Verisign Certificate), then the connection is accepted. For self signed certificates, since they are not trusted, there are only 2 options that the client has:

1. Ignore the certificate origin and blindly connect
2. Accept that the origin can be trusted and Import the certificate

You can't get around this fundamental fact. Self signed certificates are like delivering a bomb shaped object to a client with a sticker on it saying "Not a Bomb - Trust me, I'm @user3543477", they can either ignore the sticker, or accept that I can Trust @user3543477. You can't shove the package through the front door without their explicit consent. If the sticker said "Not a Bomb - Trust me, I've been verified by Bomb Experts", since the client trusts Bomb Experts, the client will accept the package without question.

Self signed certificates are only used for Development purposes. I continually say to people to don't even try to make them work because you can't.

The right way to do certificates is to get a proper trusted certificate from the likes of Verisign or, what I now recommend, which is especially tailored for API's, is to get a free certificate from Let's Encrypt . That way you get a proper trusted certificate, and you don't deal with self signed certificates.

Answer 2

When a certificate is used, a certification path has to be established. root CA certificates are self signed. Point is, they are trusted beforehand.

On your local machine where your self signed certificate has been generated the certificate is trusted. Other machines won't have that certificate: to make them trust your certificate

• the certificate has to be added (your option number 2.) usually to the Trusted Root Certificate store where the self signed certificates of public CA have been added by your operating system logics OR
• the certification path has to be trusted even in presence of a untrusted root (your option 1.)

So basically your options are the ones you summarized.