自签名证书的 C# HttpListener (netsh) 问题

Question

I have some trouble with my HttpListener. I already searched and read some dicussions. For example: Httplistener with HTTPS support

Firstly I try to describe my scenario: I want to create a HTTP-Listener with SSL/HTTPS Support. Thats the main target. I used OpenSSL to create my own CA and I created my own server cert. Now I have:

• myCa.key
• myCa.pem
• myCa.srl
• myServer.key
• myServer.csr
• myServer.crt

I installed the myCa.pem and the myServer.crt certificate to my local computer. I moved the CA in the trusted store and the server certificate in "own certificates"

Then I took the fingerprint (certHash) of my server certificate. I created the netsh entry with admin-rights

netsh http add sslcert ipport=0.0.0.0:9649 appid= '{0a5ce-569a-4dc6-8ed7-9ef91241dec3}' certhash=4F556BDC3F97B31D555266DA74F573777FCCAA55

My C# implementation is relativly simple:

    this.Listener = new HttpListener();
    this.Listener.Prefixes.Add("https://*:9649");
    this.Listener.Start();
    this.Listener.BeginGetContext(new AsyncCallback(ProcessClient), this.Listener);

   //Process an incoming connection
   private void ProcessClient(IAsyncResult result)
   {
      var listener = (HttpListener)result.AsyncState;
      var clientContext = listener.EndGetContext(result);
   }

When I implemented SSL in my TcpStack I used a SSL-Stream and there I can validate a certificate with a ValidationCallback. Im not sure if this is possible here. I tried ServicePointManager.ServerCertificateValidationCallback += ValidateCert; But I never hit my breakpoint there.

Now to the problems:

When I try to connect with my own HttpClient (.NET HttpClient Class) I get always a RemoteNameMismatch Error on the SSL-Layer. I dont hit the breakpoint in the ProcessClient method. I tried without specific certificate (auto detection) and I tried also to advise the same certificate (with the same hash) to the client. In both cases I got the same error. I dont understand why I get any erros when I use the same certificate on the client and the server side. I always thought the netsh will compare the certhashes.

When I try a connect with Postman I hit the ProcessClient function. But Postman gets an error that he cant check the certificate. But I think the problem is that my certificate isnt a official certifcate. But the data exchange is working.

Another point is: I want to roll out my app also in containers with a unix os. .NET60 is designed for crossplatform. But whats the unix pendant to netsh? Is it possible to run my listener with https on unix? How works the mapping here between app and certificate? Maybe I have to change my technology? Alternative to HttpListener ? Mainly I dont want to use thridparty stuff.

UPDATE Solution: Like the guys said in the in comments. The FDQN was the problem. In easy words: I created my own CA and then I created a server cert signing request against the CA. Inside the server cert the CN is matching to my DNS of my personal computer. The connection with my HTTP-Listener is working now. Thank you for your help!

Thanks for reading and for help.

Greetings

Answer 1

I use this post to mark the question as solved. I dont find any other possibilites. The solution is in the updated question.