
How to send a self signed certificate to clients over https with powershell

I am creating a REST API in PowerShell that works over the https protocol for testing purposes. My aim is to create a pseudo https API and use that to test a functionality of our application (the app needs to call my test https API). I am able to create a self signed certificate using the following code.

# Pick the IPv4 address of the interface the test API will listen on.
# Note: if several interfaces match, $hostIP.IPAddress is an array.
$hostIP = Get-NetIPAddress | Where-Object { ($_.InterfaceAlias -in @('Mgmt', 'Ethernet', 'management')) -and ($_.AddressFamily -eq 'IPv4') }
$win_path = 'c:\my_temp\'

# Create a self signed certificate in the LocalMachine\My store, valid for two years.
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $hostIP.IPAddress -NotAfter (Get-Date).AddYears(2)
$Certname = $hostIP.IPAddress.Replace('.', '_')
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint

# Export certificate plus private key as a password protected PFX file.
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath (Join-Path $win_path "$Certname.pfx") -Force -Password $pw

The REST API I am writing looks something like this

# $givenArgs (HostName, Port) is supplied by the caller of the script.
$listener = New-Object System.Net.HttpListener
$httpUrl = "http://" + $givenArgs.HostName + ":" + $givenArgs.Port + "/"
Write-Output $httpUrl
$listener.Prefixes.Add($httpUrl)
# For the https prefix, HTTP.sys must also have the certificate bound to port 443
# (netsh http add sslcert) before HttpListener will serve TLS on it.
$httpsUrl = "https://" + $givenArgs.HostName + ":" + 443 + "/"
Write-Output $httpsUrl
$listener.Prefixes.Add($httpsUrl)
$listener.Start()

The question I have is: if I install the certificate that I have created on my machine manually, I am able to send queries to my REST API successfully, but only from my machine.

I would like to send the certificate (send a copy of the certificate to clients on the initial request, without using any CA) to clients so that when a client queries the server for the first time, it gets a copy of the certificate and can save it for further communication.

I have tried looking this up online but I could only find solutions leading to 1. ignoring the certificate or 2. importing the certificate manually, which do not serve my need.

Appreciate your time for looking into this and your help. Thanks in advance.

You don't have to explicitly send the certificate. Every time the client visits the https site, the public key certificate is always returned with the request. The issue you have is that after that, the client then has to decide what to do with the certificate.

The client will first look at the certificate, and look to see if it is trusted. If it is a trusted certificate (i.e. you purchase a Verisign certificate), then the connection is accepted. For self signed certificates, since they are not trusted, there are only 2 options that the client has:

  1. Ignore the certificate origin and blindly connect
  2. Accept that the origin can be trusted and Import the certificate

You can't get around this fundamental fact. Self signed certificates are like delivering a bomb shaped object to a client with a sticker on it saying "Not a Bomb - Trust me, I'm @user3543477", they can either ignore the sticker, or accept that I can Trust @user3543477. You can't shove the package through the front door without their explicit consent. If the sticker said "Not a Bomb - Trust me, I've been verified by Bomb Experts", since the client trusts Bomb Experts, the client will accept the package without question.

Self signed certificates are only used for development purposes. I continually tell people not to even try to make them work, because you can't.

The right way to do certificates is to get a proper trusted certificate from the likes of Verisign or, what I now recommend, which is especially tailored for APIs, is to get a free certificate from Let's Encrypt. That way you get a proper trusted certificate, and you don't deal with self signed certificates.

When a certificate is used, a certification path has to be established. Root CA certificates are self signed. Point is, they are trusted beforehand.

On your local machine where your self signed certificate has been generated the certificate is trusted. Other machines won't have that certificate: to make them trust your certificate

  • the certificate has to be added (your option number 2.), usually to the Trusted Root Certificate store, where the self signed certificates of public CAs have been added by your operating system's logic, OR
  • the certification path has to be trusted even in the presence of an untrusted root (your option 1.)

So basically your options are the ones you summarized.
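As an added example (not code from the question or either answer), this is what the client side of "option 2" above looks like in PowerShell: fetch the certificate the server presents on first contact, compare its thumbprint with a value obtained out-of-band (for instance read off the server with Get-ChildItem Cert:\LocalMachine\My), and only on a match add it to the current user's Trusted Root store. The function names, the sample address and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original post. $ServerHost is a constructed
# TEST-NET address and $ExpectedThumbprint a placeholder to be replaced with the
# thumbprint the server administrator hands out separately.
param(
    [string]$ServerHost = '192.0.2.10',
    [int]$Port = 443,
    [string]$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_SERVER_ADMIN'
)

function Get-RemoteCertificate {
    # Performs a TLS handshake and returns the certificate the server sent.
    # The callback accepts anything so the handshake completes; nothing is
    # trusted at this point, the certificate is only being inspected.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspectOnly)
        $ssl.AuthenticateAsClient($HostName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $presented
    } finally {
        $tcp.Dispose()
    }
}

function Add-TrustedServerCertificate {
    # Explicit trust decision: import only if the presented certificate is the
    # one whose thumbprint was communicated out-of-band.
    param([string]$HostName, [int]$Port, [string]$Thumbprint)
    $cert = Get-RemoteCertificate -HostName $HostName -Port $Port
    Write-Output ("Server presented {0} with thumbprint {1}" -f $cert.Subject, $cert.Thumbprint)
    if ($cert.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: refusing to trust the presented certificate."
    }
    # CurrentUser\Root keeps the decision scoped to this account. Windows normally
    # shows a confirmation dialog when a root certificate is added here; that
    # prompt is the explicit consent the answers above refer to.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

Add-TrustedServerCertificate -HostName $ServerHost -Port $Port -Thumbprint $ExpectedThumbprint
```

After the import, a normal Invoke-WebRequest against https://$ServerHost/ from that user account validates the chain without any bypass, which is exactly what option 1 would have skipped.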
