Showing posts with label TLS. Show all posts

January 29, 2021

Call WCF - Set SecurityProtocol & ServerCertificateValidationCallback

Applications built on the .NET Framework use the ServicePointManager.SecurityProtocol property to specify which versions of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol may be negotiated for new connections; existing connections aren't changed.

Microsoft recommends that you do not set this property yourself and leave it at its default value, which is derived from the machine configuration. Still, in some scenarios you may need to define the SecurityProtocol explicitly when calling a WCF service over an HTTPS endpoint. In that case you can enable the required protocols like this:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
                   | SecurityProtocolType.Tls11
                   | SecurityProtocolType.Tls12
                   | SecurityProtocolType.Ssl3;

Since these are flags, you can combine several protocols with the bitwise OR (|) operator if a connection requires more than one. Treat the combination above only as an illustration of the flag syntax: SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated and should not be re-enabled, so a setting you add today should allow TLS 1.2 (and TLS 1.3 where the framework and operating system support it) and nothing older.

Another property is ServerCertificateValidationCallback, which lets the client perform custom validation of the server certificate. The sender parameter passed to the RemoteCertificateValidationCallback can be a host name string or an object derived from WebRequest (HttpWebRequest, for example), depending on the CertificatePolicy property.

If you want no validation at all, for example against a throwaway test server, you can simply return true from the callback. Be clear about what that does: the callback then accepts every certificate, including one presented by a man-in-the-middle on the network path, so it must never ship in production code. A production callback inspects the sslPolicyErrors argument and returns true only when it is SslPolicyErrors.None (or, if you deliberately pin a self-signed certificate, only when the presented certificate's thumbprint matches the pinned value), and returns false in every other case.

ServicePointManager.ServerCertificateValidationCallback =
             new RemoteCertificateValidationCallback(IgnoreCertificateErrorHandler);

Here is the definition of IgnoreCertificateErrorHandler, which always returns true and therefore, as its name says, ignores every certificate error:

private static bool IgnoreCertificateErrorHandler(object sender,
   X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
	return true;
}

You can also replace the callback method above with the short-hand anonymous delegate syntax (note that += appends to any callback that is already registered, whereas = replaces it):

ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };


January 23, 2021

When to set ServicePointManager.SecurityProtocol Property

When communicating with external services over TLS/SSL through APIs such as HttpClient, HttpWebRequest, FtpWebRequest, SmtpClient or SslStream, a .NET Framework application uses the ServicePointManager.SecurityProtocol property to decide which Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol versions may be negotiated for new connections; existing connections aren't changed.

Summary points

  • No default value is documented for this property for .NET Framework versions prior to 4.6.2.
  • Default protocols and protection levels change over time in order to avoid known weaknesses, so the effective default depends on the individual machine configuration, installed software, and applied patches.
  • When developing applications, avoid assuming that a given security level is used by default. Only if you are sure that a particular connection requires a specific protocol version should you explicitly specify that version in code. Otherwise leave the property alone and manage TLS defaults at the machine level; on .NET Framework 4.6 and later the SchUseStrongCrypto and SystemDefaultTlsVersions registry values under HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (and the WOW6432Node equivalent for 32-bit processes) control this.

Review the following points for TLS support in the different .NET Framework versions.

  • Starting with .NET Framework 4.7, the default value of this property is SecurityProtocolType.SystemDefault, which means that the .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) inherit the default security protocols from the operating system (or from any custom configuration performed by a system administrator).
  • .NET Framework 4.6 and above: includes a new security feature that blocks insecure cipher and hashing algorithms for connections. TLS 1.2 is enabled by default.
  • .NET Framework 4.5: TLS 1.2 is supported but is not enabled by default, so you need to set it manually. The following line makes TLS 1.2 the only allowed protocol; make sure it executes before the first connection to the secured resource is opened:
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    
  • .NET Framework 4.0: TLS 1.2 is not supported by the 4.0 libraries, but if .NET Framework 4.5 (or above) is installed on the system, the runtime that actually executes your 4.0 application can still negotiate TLS 1.2. The only problem is that SecurityProtocolType in .NET 4.0 has no entry for TLS 1.2, so you have to use the numeric value and cast it to the enum:
        ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
    
  • .NET Framework 3.5 or below: TLS 1.2 is not supported out of the box. Upgrade your application to a more recent version of the framework.


October 31, 2020

OpenSSL - Creating CSR with -subj switch

If you are creating a CSR from an existing private key, you can use this command:

	openssl req -new -key mycertificate.key -out mycertificate.csr

You will be asked a series of questions after entering the above command:

  • Country Name (2 letter code)
  • State or Province Name (full name)
  • Locality Name (e.g., city)
  • Organization Name (e.g., company)
  • Organizational Unit Name (e.g., section)
  • Common Name (e.g., server FQDN)
  • Email Address
  • A challenge password
  • An optional company name

Using the -subj Switch

-subj lets you provide the whole subject within the command itself. openssl then does not prompt for any of the questions above, so the CSR can be generated non-interactively, which is what you want in scripts. Each subject component is written as /Key=Value; an email address can be added the same way with /emailAddress=<address>, and the whole value must be quoted if it contains spaces. The command below is split over two lines with a trailing backslash for a POSIX shell; on cmd.exe type it on one line.

	openssl req -new -key mycertificate.key -out mycertificate.csr \
		-subj "/C=SA/ST=Riyadh/L=Riyadh/O=MyCompanyLtd/OU=IT/CN=mycompany"


OpenSSL - Check and display a certificate request (CSR)

In this OpenSSL series we have seen how to create a private key and CSR, generate a certificate, and sign a child certificate with a self-signed root CA. The CSR is the file a certificate is generated from: it carries the public key and the identifying information (the subject) of the company the certificate is being issued to, signed with the matching private key.

Once a CSR is created, it is hard to see what it contains because it is a Base64-encoded DER structure. Since certificate authorities build the certificate from the information in the CSR, decode it and make sure the information is accurate before you submit it. Note also the Attributes section in the output below: the challenge password is stored in clear text inside the CSR, so never put a real password there.

To check the CSR content, use this command (here mycertificate.csr is the file whose content we want to view):

openssl req -noout -text -in mycertificate.csr

You will receive the output similar to this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=SA, ST=Riyadh, L=Riyadh, O=BCB, OU=IT, CN=mycompany/emailAddress=idrees@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d3:16:4c:b0:57:35:99:c9:a7:88:9e:04:24:e0:
                    61:59:3b:0e:46:4e:44:50:08:c6:de:58:40:12:2e:
                    fd:1a:f1:fa:49:be:25:49:f8:e2:93:d1:68:fa:a2:
                    ca:a7:95:93:ba:16:b9:1a:75:4a:04:70:59:87:39:
                    ff:75:d0:0b:5a:68:4f:7d:e0:32:c8:3f:16:17:bf:
                    1f:11:15:59:17:3d:ef:24:f6:3c:77:e2:4f:b7:f6:
                    10:70:29:cb:c4:e4:db:f7:4c:56:ed:b3:94:f6:37:
                    2f:bc:3e:f9:b6:69:e1:95:0a:61:af:7e:dd:64:03:
                    d8:0d:24:60:74:4d:31:22:f5:d3:10:c1:44:4f:b3:
                    e3:dc:ce:ca:5c:ac:82:5e:d3:45:eb:86:64:e9:aa:
                    37:48:55:52:09:e2:58:b1:14:59:d4:e6:08:fb:b2:
                    71:5e:af:a3:de:68:16:f8:88:a9:86:b1:6a:c1:cf:
                    be:0e:f6:2f:f2:f8:80:7f:bd:b2:77:9b:6a:76:28:
                    ad:44:13:29:46:46:e3:74:33:c4:03:29:20:63:76:
                    94:d2:09:e4:16:5f:f5:c9:ac:ba:46:12:22:f0:d3:
                    2d:26:d9:08:89:65:4b:1c:0a:fe:a3:f7:ed:73:ec:
                    57:a0:14:eb:2e:48:12:5c:9e:fd:17:8d:4d:e8:97:
                    ed:a8:8c:62:8e:a5:00:e4:20:85:69:30:39:87:b8:
                    18:be:df:40:18:97:ac:89:bf:3f:ab:ed:a1:ed:16:
                    0a:92:d6:c9:23:d6:60:cb:44:58:2b:bc:05:8d:41:
                    16:26:1f:65:04:bf:e1:71:51:54:f3:83:82:87:33:
                    dc:d9:d0:b3:6a:fc:15:88:ad:1a:c0:ed:c9:a7:f6:
                    dc:ef:9f:00:b3:43:db:32:34:a4:9c:ec:2b:7c:25:
                    74:72:59:25:ef:1d:66:80:e5:78:25:5d:39:81:8e:
                    6a:fa:65:2a:b8:14:af:f3:e7:20:b6:bd:bc:4e:b1:
                    de:07:31:64:22:9e:73:54:0b:7a:45:80:2e:d3:71:
                    98:08:5a:0f:58:d8:f0:4f:a8:4c:63:fb:80:f6:aa:
                    a4:a3:3e:3a:b2:c5:b7:43:c8:09:bd:7d:f9:40:9e:
                    2d:c9:e1:c1:40:9a:01:25:38:c0:04:0f:2a:13:56:
                    30:f8:fa:6d:86:16:5b:df:5e:31:0e:39:69:06:8e:
                    a0:6d:e3:d6:b6:ba:0e:d3:6d:ec:78:8a:2f:e7:fb:
                    71:4c:51:c1:d6:b2:1d:63:be:ef:0c:ef:59:34:db:
                    1f:5c:0e:1c:93:51:51:7c:de:19:fa:74:a0:8b:a6:
                    ae:2a:29:25:d6:d8:25:2f:3e:b2:ff:9a:d9:cb:2b:
                    aa:4a:1b
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :mypassword
            unstructuredName         :My Optional Company Name
    Signature Algorithm: sha256WithRSAEncryption
         14:fd:eb:04:ce:57:cc:ef:c2:ac:4c:c3:34:30:b5:25:e0:e2:
         ca:04:34:6c:d4:d1:ad:c7:b6:3a:c7:2a:86:6f:9a:2a:0d:f4:
         48:90:75:2b:a6:d3:30:be:c7:10:c2:f3:76:3f:67:6a:4e:58:
         a7:33:39:78:9a:2b:04:c8:83:8b:da:cb:c9:6f:39:c0:5f:b6:
         2d:61:33:1d:e7:89:cd:c6:03:c9:ae:e9:9d:5a:20:01:0a:42:
         a1:1e:ca:03:36:b3:27:5b:aa:e3:8e:ee:ca:59:7b:0b:75:e1:
         e2:fb:a4:c1:a9:07:65:42:7d:c6:24:da:47:fa:68:86:81:b1:
         5e:b9:bd:f9:88:1a:01:d2:33:cb:30:9a:77:67:bc:b2:07:e2:
         3c:9b:10:1d:15:bb:78:29:3b:b5:28:a0:55:31:c2:04:bd:07:
         59:88:96:e5:92:9e:9e:a2:38:26:b2:a5:d4:68:b5:75:2d:26:
         6d:cd:df:01:a0:d8:a6:2c:c4:2e:2c:d9:4d:b3:a3:d2:cd:21:
         30:00:90:df:67:6f:fc:3b:3b:ba:c2:a8:13:86:ab:ac:06:97:
         56:d0:2d:19:e1:14:2f:28:66:ea:79:33:24:c3:59:fc:d9:93:
         b1:33:34:d4:40:85:c7:02:e7:1d:f0:73:76:97:f1:2e:b5:0a:
         f2:cf:28:c7:15:cb:ce:77:2f:c5:0f:33:d5:69:aa:c8:e6:b4:
         5f:0f:84:4c:a1:10:a5:71:b1:05:5d:2a:6f:ca:8f:9e:24:cc:
         4a:49:72:ce:07:b1:e6:74:01:d3:d1:28:29:a9:36:18:45:f2:
         6c:45:44:b0:2c:ca:e5:e2:fd:d2:1b:6a:f8:be:52:20:21:10:
         da:6f:e5:83:28:7d:22:25:38:62:88:6c:8e:bc:24:ee:7e:ba:
         7b:1c:a8:d0:eb:bf:59:03:f1:97:9e:ba:37:a3:32:9d:2a:62:
         0a:cf:22:e2:96:1c:29:48:1c:e6:f9:23:a4:5c:63:8d:5f:76:
         35:c7:b1:32:0d:69:48:d7:2f:6d:a3:0f:e2:8a:6d:a0:ca:16:
         26:eb:32:d6:19:b5:a1:52:1c:21:f8:9e:62:fc:b6:3e:b4:12:
         96:74:e9:ca:d0:33:98:68:77:cb:71:1e:ed:ef:e6:9a:bf:17:
         db:8e:3a:09:f3:6b:28:3a:16:a4:31:54:10:58:a4:f7:46:da:
         45:30:ea:e4:cc:99:a6:a4:ce:95:69:31:f9:b3:c7:ca:83:82:
         14:69:8e:fa:7c:2f:96:2c:fd:d5:2c:98:b6:dd:f1:bc:29:63:
         fb:f7:6b:28:86:b7:f4:d8:83:64:ce:7d:7d:81:91:e6:01:3e:
         93:11:80:04:69:84:01:51

If you also want to verify the CSR's signature, i.e. that it was signed with the private key matching the embedded public key, add the -verify option to the same command.

openssl req -noout -text -verify -in mycertificate.csr

If the signature checks out, the message verify OK is printed along with the previous output (OpenSSL 3 words it as "Certificate request self-signature verify OK").

verify OK
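Putting the -subj post and this one together, here is an added example that is not part of the original posts: it generates a CSR non-interactively, adds a subjectAltName with -addext (OpenSSL 1.1.1 or later; modern TLS clients match the host name against the SAN and ignore the CN), then decodes and verifies the CSR and checks that the subject and SAN are what was requested. The host names, subject values and file names are made up for the example.

```shell
#!/bin/sh
# Added example, not the post's own commands: build a CSR without prompts,
# then decode and verify it. Needs OpenSSL 1.1.1+ for -addext.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }
WORK=$(mktemp -d)            # scratch directory for the constructed files
trap 'rm -rf "$WORK"' EXIT

# Subject and SAN values are made up for the example.
SUBJ="/C=SA/ST=Riyadh/L=Riyadh/O=MyCompanyLtd/OU=IT/CN=mycompany.example/emailAddress=admin@mycompany.example"
SAN="DNS:mycompany.example,DNS:www.mycompany.example"

# Key + CSR. emailAddress is given as a subject component; the challenge
# password and optional company name are CSR attributes, which -subj simply
# leaves out (nothing is prompted for).
make_csr() {
    openssl genrsa -out "$WORK/mycertificate.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/mycertificate.key" \
        -subj "$SUBJ" -addext "subjectAltName=$SAN" \
        -out "$WORK/mycertificate.csr"
}

# Decode the CSR (-text), check its self-signature (-verify) and make sure
# the CN and the SAN entries are present. Returns non-zero on any mismatch.
check_csr() {
    text=$(openssl req -noout -text -verify -in "$WORK/mycertificate.csr" 2>&1) || return 1
    echo "$text" | grep -q 'verify OK'                  || { echo "bad CSR signature" >&2; return 1; }
    echo "$text" | grep -Eq 'CN ?= ?mycompany\.example'  || { echo "CN missing" >&2; return 1; }
    echo "$text" | grep -q 'DNS:www\.mycompany\.example' || { echo "SAN missing" >&2; return 1; }
    return 0
}

make_csr
check_csr
openssl req -noout -subject -in "$WORK/mycertificate.csr"
```

The grep for the CN accepts both the "CN = value" spacing printed by OpenSSL 1.1.x/3.x and the older "CN=value" form, so the check works across versions.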


October 17, 2020

OpenSSL - extfile parameter to pass custom config file

In this post you will see how to pass an external/custom config file to openssl while signing a child certificate with the Root CA. The -extfile parameter is used for this.

-extfile filename

file containing certificate extensions to use. If not specified then no extensions are added to the certificate.

In the following command we use this parameter to add the extensions listed in our own file my-openssl-client-auth.cnf. Note what the man page says: without -extfile, x509 -req adds no extensions at all, and it never copies extensions from the CSR. The file therefore has to list every extension the certificate should carry, not just the ones you want to change. The command is split with a trailing backslash for a POSIX shell; on cmd.exe type it on one line.

openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt \
		-CAkey mycertificate.key -set_serial 01 -out childcertificate.crt \
		-extfile C:\Test\Openssl\my-openssl-client-auth.cnf

In this example, the extension file (my-openssl-client-auth.cnf) contains a single line, so the resulting certificate carries exactly one extension, extendedKeyUsage:

extendedKeyUsage = clientAuth

clientAuth restricts the certificate to TLS client authentication: a verifier that checks purposes (openssl verify -purpose sslclient, or a server doing mutual TLS) accepts it as a client certificate and rejects it as a server certificate. A real client certificate would normally also carry basicConstraints = CA:FALSE, keyUsage = digitalSignature and a subjectAltName identifying the client, all of which can go in the same file.


OpenSSL - Sign Child Certificate with Self-Signed Root CA

In the last post we learned how to generate a private key, a CSR and a self-signed certificate. In this post we go one step further: create a child certificate and sign it with the root authority (which in this case is mycertificate.crt, created in the last post). One caveat: a root produced with a bare x509 -req -signkey carries no extensions, so it does not declare itself a CA with basicConstraints CA:TRUE. It works here only because OpenSSL tolerates v1 self-signed roots; stricter verifiers (and OpenSSL itself when the root is a v3 certificate) reject an issuer that does not declare itself a CA, so give a real root CA that extension via -extfile.

Let's start by creating the child certificate and then signing it with the self-signed Root CA.

Generate a private key.

Run this command to generate private key:

openssl genrsa -out childcertificate.key 4096

Create a certificate signing request (CSR)

The CSR contains the common name and some other information. Here is the command you need to create CSR.

openssl req -sha256 -new -key childcertificate.key -out childcertificate.csr

After entering this command, you will be asked a series of questions.

Here is a short description of the questions.

  • Country Name (2 letter code): The two-letter country code where the company is legally located.
  • State or Province Name (full name): The state/province where the company is located.
  • Locality Name (e.g., city): The city where the company is located.
  • Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
  • Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank; simply press Enter.)
  • Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
  • Email Address: Your email address. (To leave it blank; simply press Enter.)
  • A challenge password: Your password (stored in clear text in the CSR; to leave it blank, simply press Enter).
  • An optional company name: Optional Company Name (To leave it blank; simply press Enter).

Your answers to these questions will be embedded in the CSR.

The command above stores the CSR in the childcertificate.csr file.

Generate a child certificate (crt file) and sign it with the Root CA.

Run this command to create the certificate (.crt) file from the CSR and sign it with the Root CA, providing the root certificate's crt and key files:

openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt \
        -CAkey mycertificate.key -set_serial 01 -out childcertificate.crt

In this command:

  • mycertificate.crt and mycertificate.key are the Root CA certificate and private key used to sign the child certificate.
  • childcertificate.crt is the target file generated from childcertificate.csr.
  • -set_serial 01 sets the certificate's serial number. Every certificate issued by the same CA must have a distinct serial, so increment it for each further certificate, or use -CAcreateserial and let openssl track the next serial in a .srl file next to the CA certificate.

Extract Public Key

If you want to extract the public key from the private key, you can use this command:

openssl rsa -in childcertificate.key -pubout > childcertificate.pub

It will generate the public key in childcertificate.pub file.

Generate a PFX (or PKCS#12) file for the certificate.

The PFX or PKCS#12 format is a binary container that stores a certificate and its private key in a single password-protected file. PFX files usually have the .pfx or .p12 extension. The input certificate here is the childcertificate.crt generated above; add -certfile mycertificate.crt to bundle the issuing root as well, so that whoever imports the file receives the complete chain.

openssl pkcs12 -export -out childcertificate.pfx -inkey childcertificate.key \
        -in childcertificate.crt


September 27, 2020

OpenSSL - WARNING: can't open config file: C:/OpenSSL/openssl.cnf

After installing OpenSSL on Windows, we have to tell it where its config file is. Otherwise it keeps printing a warning for every command we run. For example, when you run this command to generate a private key:

openssl genrsa -out mycertificate.key 4096

It will give you following warning message:

WARNING: can't open config file: C:/OpenSSL/openssl.cnf
Generating RSA private key, 4096 bit long modulus
......................++
.....................................................++
unable to write 'random state'
e is 65537 (0x10001)

To fix this, we have to tell openssl where to find its .cnf file.

We can do this in one of the following ways.

  • Before creating private keys or CSRs from the command prompt, run this command to set the config file path for that session:
    set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf
    You can find the .cnf file inside the bin folder under the path where you installed openssl.
  • Set the same variable, OPENSSL_CONF, in the Windows environment variables with the path to the config file on your system; this makes the setting permanent.
  • Use the -config parameter to pass the config file path with each openssl command you run, i.e.
    openssl ....................  -config C:\OpenSSL\bin\openssl.cnf
  • If you are using PowerShell, set the environment variable like this:
    $env:OPENSSL_CONF = "C:\OpenSSL\bin\openssl.cnf"

September 26, 2020

OpenSSL - Generate Private Key, CSR and Certificate

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is an open-source command-line tool that is commonly used to:

  • Generate private keys
  • Create CSRs
  • Install your SSL/TLS certificate
  • Identify certificate information.

In this post we will see how to generate a private key, a CSR and a certificate.

If you do not have openssl already installed, you can download it from https://www.openssl.org/source/

Let's start by creating the CSR and then the self-signed certificate.

Generate a private key.

Run this command to generate private key:

openssl genrsa -out mycertificate.key 4096

Create a certificate signing request (CSR)

This .csr file is what you would normally send to a Certificate Authority (CA) (e.g., DigiCert) to request a public SSL certificate. Since we are generating a self-signed certificate, we will not send the CSR to a CA but will create our own certificate (.cer) file with openssl.

The CSR contains the common name and some other information. Here is the command you need to create CSR.

openssl req -sha256 -new -key mycertificate.key -out mycertificate.csr

After entering this command, you will be asked a series of questions.

Here is a short description of the questions.

  • Country Name (2 letter code): The two-letter country code where the company is legally located.
  • State or Province Name (full name): The state/province where the company is located.
  • Locality Name (e.g., city): The city where the company is located.
  • Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
  • Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank; simply press Enter.)
  • Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
  • Email Address: Your email address. (To leave it blank; simply press Enter.)
  • A challenge password: Your password (stored in clear text in the CSR; to leave it blank, simply press Enter).
  • An optional company name: Optional Company Name (To leave it blank; simply press Enter).

Your answers to these questions will be embedded in the CSR.

The command above stores the CSR in the mycertificate.csr file.

Generate a certificate (cer file) from the CSR.

Run this command to create the certificate (.cer) file from the CSR:

openssl x509 -req -sha256 -days 365 -in mycertificate.csr \
       -signkey mycertificate.key -out mycertificate.cer

Using our previously generated key and CSR, this generates a self-signed certificate (.cer) file valid for 365 days. Note that without an -extfile the certificate carries no extensions at all, so in particular it does not declare itself a CA (basicConstraints CA:TRUE). That is fine for a single test certificate, but if it is going to sign other certificates, as in the child-certificate post, give it the CA extensions through -extfile.

Convert .cer file to .crt file.

Both .cer and .crt are only file extensions here; the certificate above is already PEM, so the following command simply writes the same certificate out again under the .crt name (the child-certificate post refers to it as mycertificate.crt). If you actually need the binary DER encoding, add -outform DER.

openssl x509 -inform PEM -in mycertificate.cer -out mycertificate.crt

Extract Public Key

If you want to extract the public key from the private key, you can use this command:

openssl rsa -in mycertificate.key -pubout > mycertificate.pub

It will generate the public key in mycertificate.pub file.

Generate a PFX (or PKCS#12) file for the certificate.

The PFX or PKCS#12 format is a binary container that stores a certificate and its private key in a single password-protected file. PFX files usually have the .pfx or .p12 extension. openssl prompts for the export password; choose a strong one, since the file contains the private key.

openssl pkcs12 -export -out mycertificate.pfx -inkey mycertificate.key \
        -in mycertificate.cer
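As an added example that is not from the posts, here is the whole series run end to end in a POSIX shell, with the extensions that make the resulting chain actually verify: the root gets basicConstraints CA:TRUE and keyCertSign through its own extension file (root.cnf, a name made up here; the posts' bare x509 -req -signkey root has no extensions), the child is scoped to clientAuth through my-openssl-client-auth.cnf as in the extfile post, and openssl verify then confirms the chain and shows that the child passes the sslclient purpose and fails sslserver. The final PKCS#12 export bundles the root and uses AES-256 with a SHA-256 MAC instead of the legacy defaults of OpenSSL 1.1.x. Subjects, file names and the password "changeit" are made up for the example, and 2048-bit keys are used to keep it quick.

```shell
#!/bin/sh
# Added example, not the posts' own commands: key -> CSR -> self-signed root
# -> child signed with -extfile -> chain/purpose verification -> PKCS#12.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }
WORK=$(mktemp -d)            # scratch directory for the constructed files
trap 'rm -rf "$WORK"' EXIT

# Extension files written inline so the script is self-contained.
# The root must declare itself a CA and be allowed to sign certificates.
cat > "$WORK/root.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# The child is an end-entity cert usable only for TLS client authentication.
cat > "$WORK/my-openssl-client-auth.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Root CA: key, CSR (non-interactive via -subj), self-signed cert with CA extensions.
make_root_ca() {
    openssl genrsa -out "$WORK/mycertificate.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/mycertificate.key" \
        -subj "/C=SA/ST=Riyadh/L=Riyadh/O=MyCompanyLtd/OU=IT/CN=MyCompany Root CA" \
        -out "$WORK/mycertificate.csr"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/mycertificate.csr" \
        -signkey "$WORK/mycertificate.key" -extfile "$WORK/root.cnf" \
        -out "$WORK/mycertificate.crt"
}

# Child certificate: key, CSR, then signed by the root with the clientAuth extensions.
make_client_cert() {
    openssl genrsa -out "$WORK/childcertificate.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/childcertificate.key" \
        -subj "/C=SA/O=MyCompanyLtd/OU=IT/CN=client1" \
        -out "$WORK/childcertificate.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORK/childcertificate.csr" \
        -CA "$WORK/mycertificate.crt" -CAkey "$WORK/mycertificate.key" \
        -set_serial 1000 -extfile "$WORK/my-openssl-client-auth.cnf" \
        -out "$WORK/childcertificate.crt"
}

# Chain check: returns 0 when the child chains to the root.
verify_chain() {
    openssl verify -CAfile "$WORK/mycertificate.crt" "$WORK/childcertificate.crt" >/dev/null 2>&1
}

# Purpose check (sslclient / sslserver): returns 0 when the child is acceptable
# for that purpose. With extendedKeyUsage = clientAuth only sslclient passes.
verify_purpose() {
    openssl verify -purpose "$1" -CAfile "$WORK/mycertificate.crt" \
        "$WORK/childcertificate.crt" >/dev/null 2>&1
}

# PKCS#12 bundle with the issuing root included; AES-256 and a SHA-256 MAC
# rather than the RC2/3DES and SHA-1 defaults of OpenSSL 1.1.x.
export_pfx() {
    openssl pkcs12 -export -out "$WORK/childcertificate.pfx" \
        -inkey "$WORK/childcertificate.key" -in "$WORK/childcertificate.crt" \
        -certfile "$WORK/mycertificate.crt" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout pass:changeit
}

make_root_ca
make_client_cert
verify_chain && echo "chain OK"
verify_purpose sslclient && echo "sslclient purpose OK"
verify_purpose sslserver || echo "sslserver purpose rejected (expected)"
export_pfx
```

Run it as-is; the only output beyond openssl's own "subject=" lines is the three status messages. Dropping root.cnf from make_root_ca reproduces the posts' bare root, which OpenSSL still accepts as a v1 self-signed anchor, but any root you intend to distribute should carry the CA extensions shown.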
