
IT:AD:IIS Express:HowTo:Configure SSL

Summary

One advantage of IT:AD:IIS Express over Cassini is that it supports developing against SSL.

Although one sometimes runs into issues.

To configure an ASP.NET project (ASP.NET MVC or Web API) to use SSL:

  • within Visual Studio
  • within the Solution Explorer
  • select the Project
  • view its Properties
  • set Use SSL = true
  • A random five-digit port number starting with 443 (443xx) is assigned to the application.
  • Restart IIS Express (from the tray icon, choose Exit) or Visual Studio.

The above changes are persisted as follows:

In the *.csproj, Project/PropertyGroup/IISExpressSSLPort is set to the assigned port (e.g. IISExpressSSLPort = 443378).

The changes are also persisted in IIS Express' local or shared config file.

Which config file IIS Express uses depends on the UseGlobalApplicationHostFile setting in the *.csproj file. It will be one of:

  • $(solutionDir)\.vs\config\applicationhost.config
  • %userprofile%\Documents\IISExpress\Config\ApplicationHost.config

The values added to the config file will be something like:

    <site name="MyApp" id="16">
        <application path="/" applicationPool="Clr4IntegratedAppPool">
            <virtualDirectory path="/" physicalPath="D:\Blah\MyApp.AppHost" />
        </application>
        <bindings>
            <!-- the same port cannot be used for both http and https. In IIS (full), for
                 example, it's usually the defaults of 80 and 443. Here, I'd recommend
                 using 600xx for http and 443xx for https -->
            <binding protocol="http" bindingInformation="*:60011:localhost" />
            <binding protocol="https" bindingInformation="*:44311:localhost" />
        </bindings>
    </site>
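The following PowerShell is an added example and is not code from the original page or from IIS Express. It resolves the config file location using the two rules above (the UseGlobalApplicationHostFile setting decides between the solution's .vs folder and the user profile), then checks a config's site bindings for the port mistakes the comment in the snippet warns about: a port bound for both http and https, an https binding outside the 443xx range, and an http binding sitting on a 443xx port. The project path, the assumption that the solution directory is the parent of the project directory, and the sample config are mine.

```powershell
# Added example (not from the original page): locate the IIS Express config file for a
# project and audit its <bindings> for port mix-ups.

function Get-IisExpressConfigPath {
    param([Parameter(Mandatory)][string]$CsprojPath)

    [xml]$proj = Get-Content -LiteralPath $CsprojPath -Raw
    # <UseGlobalApplicationHostFile> lives in one of the <PropertyGroup> elements, if at all.
    $useGlobal = @($proj.Project.PropertyGroup) |
        ForEach-Object { $_.UseGlobalApplicationHostFile } |
        Where-Object { $_ } |
        Select-Object -First 1

    if ("$useGlobal" -eq 'true') {
        return Join-Path $env:USERPROFILE 'Documents\IISExpress\Config\applicationhost.config'
    }
    # Assumption: the solution directory is the parent of the project's directory.
    $solutionDir = Split-Path -Parent (Split-Path -Parent $CsprojPath)
    return Join-Path $solutionDir '.vs\config\applicationhost.config'
}

function Test-IisExpressBindings {
    # Emits one object per binding; Issue is $null when the binding looks sane.
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($site in @($Config.configuration.'system.applicationHost'.sites.site)) {
        $protocolByPort = @{}   # port -> protocol, to spot a port reused across protocols
        foreach ($binding in @($site.bindings.binding)) {
            # bindingInformation is "ip:port:hostname", e.g. "*:44311:localhost"
            $parts    = $binding.bindingInformation -split ':'
            $port     = [int]$parts[1]
            $protocol = $binding.protocol
            $issue    = $null

            if ($protocol -eq 'https' -and ($port -lt 44300 -or $port -gt 44399)) {
                $issue = 'https binding outside the 443xx range Visual Studio assigns'
            }
            elseif ($protocol -eq 'http' -and $port -ge 44300 -and $port -le 44399) {
                $issue = 'http binding on a port that looks like an SSL port'
            }
            if ($protocolByPort.ContainsKey($port) -and $protocolByPort[$port] -ne $protocol) {
                $issue = "port $port is bound for both http and https"
            }
            $protocolByPort[$port] = $protocol

            [pscustomobject]@{ Site = $site.name; Protocol = $protocol; Port = $port; Issue = $issue }
        }
    }
}

# Constructed sample config (modelled on the page's snippet) with a deliberate collision
# on 44311, so the audit has something to report when run offline.
$sample = [xml]@"
<configuration>
  <system.applicationHost>
    <sites>
      <site name="MyApp" id="16">
        <bindings>
          <binding protocol="http"  bindingInformation="*:60011:localhost" />
          <binding protocol="https" bindingInformation="*:44311:localhost" />
          <binding protocol="http"  bindingInformation="*:44311:localhost" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"@
Test-IisExpressBindings -Config $sample | Format-Table -AutoSize

# Against a real project (path is a placeholder):
#   $configPath = Get-IisExpressConfigPath 'D:\Blah\MyApp\MyApp.csproj'
#   Test-IisExpressBindings -Config ([xml](Get-Content -LiteralPath $configPath -Raw))
```

Dot-notation on the `[xml]` object ignores the MSBuild namespace on older-style .csproj files, which is why no namespace manager is needed when reading the property group.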

But there's also something else that happens: IIS Express associates the dev cert with the port defined above, in a way similar to the following (PowerShell, elevated prompt):

# assuming the thumbprint of the IIS Express cert is c9cd18a22115d5266ed2cad570de8263b541c64f
# and assuming the appid IIS Express uses is always {214124cd-d05b-4309-9af9-9caa44b2b74a}
# assuming the port number is 44311
# remember to escape the curly brackets with backticks in PowerShell, or it will fail with `The parameter is incorrect.`:

netsh http add sslcert ipport=0.0.0.0:44311 certhash=C9CD18A22115D5266ED2CAD570DE8263B541C64F appid=`{214124cd-d05b-4309-9af9-9caa44b2b74a`}

# if you get an error `Cannot create a file when that file already exists.` then delete the binding and try again.
netsh http delete sslcert ipport=0.0.0.0:44311

But there are times where the above doesn't work.

For one, Google Chrome has stopped accepting certificates of the quality that IIS Express makes by default, and recommends that you make a new self-signed cert (see Create) and install it by hand.

It is useful to know that IIS Express appears to always use an AppId of 214124cd-d05b-4309-9af9-9caa44b2b74a (you can see this by running netsh http show sslcert).

For example, to replace the cert IIS Express gave me (thumbprint: c9cd18a22115d5266ed2cad570de8263b541c64f) with a newly generated cert (thumbprint: 284669368c2b55d0e422e2cba0a3c9aaa8a50337), I can do it in one of the following two ways:

# do *one* port only:

# always the same appId:
$appId = "`{214124cd-d05b-4309-9af9-9caa44b2b74a`}"
# use mmc.exe to get the thumbprint and notepad.exe to remove the spaces:
$localhostThumbprint = "284669368c2b55d0e422e2cba0a3c9aaa8a50337"
$port = 44311
netsh http delete sslcert ipport=0.0.0.0:$port
netsh http add sslcert ipport=0.0.0.0:$port certhash=$localhostThumbprint appid=$appId

# do *every* IIS Express port in one go:

# always the same appId:
$appId = "`{214124cd-d05b-4309-9af9-9caa44b2b74a`}"
# use mmc.exe to get the thumbprint and notepad.exe to remove the spaces:
$localhostThumbprint = "284669368c2b55d0e422e2cba0a3c9aaa8a50337"
For ($port = 44300; $port -le 44399; $port++) { netsh http delete sslcert ipport=0.0.0.0:$port }
For ($port = 44300; $port -le 44399; $port++) { netsh http add sslcert ipport=0.0.0.0:$port certhash=$localhostThumbprint appid=$appId }
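An added example (not from the original page, nor IIS Express' own tooling) that wraps the netsh calls above in a check-before-bind routine: it confirms the certificate is in the machine store with a private key and not expired, reads the current binding back with netsh http show sslcert, and only deletes and re-adds when the thumbprint differs. The AppId and the 443xx port range are as stated on the page; the thumbprint in the usage line is the page's sample value and stands in for your own. Run it from an elevated PowerShell prompt, since netsh http add/delete sslcert needs administrator rights.

```powershell
# Added example, not code from the original page or from IIS Express.
# Binds an IIS Express SSL port to a certificate only after checking the certificate
# is usable, and only when the port is not already bound to that thumbprint.

# IIS Express always registers its bindings under this AppId (as stated on the page).
$IisExpressAppId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'

function Get-SslCertBinding {
    # Returns the thumbprint currently bound to 0.0.0.0:<port>, or $null if there is none.
    param([Parameter(Mandatory)][int]$Port)

    # netsh prints "Certificate Hash : <40 hex chars>" for an existing binding and an
    # error message (non-zero exit code) when the port has no binding.
    $output = & netsh http show sslcert ipport=0.0.0.0:$Port 2>&1 | Out-String
    if ($output -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        return $Matches[1].ToLower()
    }
    return $null
}

function Set-IisExpressSslBinding {
    [CmdletBinding()]
    param(
        # Visual Studio assigns SSL ports in the 443xx range.
        [Parameter(Mandatory)][ValidateRange(44300, 44399)][int]$Port,
        # 40 hex digits, with the spaces mmc.exe shows already removed.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{40}$')][string]$Thumbprint
    )
    $Thumbprint = $Thumbprint.ToLower()

    # netsh http add sslcert looks the certificate up in the local machine's My store by
    # default; a certificate that only exists under CurrentUser\My will not bind.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -ieq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

    $current = Get-SslCertBinding -Port $Port
    if ($current -eq $Thumbprint) {
        Write-Verbose "Port $Port is already bound to $Thumbprint"
        return
    }
    if ($current) {
        # A stale binding is what makes "add" fail with
        # "Cannot create a file when that file already exists."
        & netsh http delete sslcert ipport=0.0.0.0:$Port | Out-Null
    }
    # The braces are inside a quoted string variable, so no backtick escaping is needed here.
    & netsh http add sslcert ipport=0.0.0.0:$Port certhash=$Thumbprint appid=$IisExpressAppId
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for port $Port" }

    # Read the binding back rather than trusting the exit code alone.
    if ((Get-SslCertBinding -Port $Port) -ne $Thumbprint) {
        throw "Port $Port is not bound to $Thumbprint after add"
    }
}

# Usage, from an elevated prompt; the thumbprint is the page's sample value (placeholder):
#   Set-IisExpressSslBinding -Port 44311 -Thumbprint '284669368c2b55d0e422e2cba0a3c9aaa8a50337' -Verbose
```

Reading the binding back after the add is the cheap check that catches the two silent failures the page describes: a stale binding that made the add fail, and a thumbprint that netsh accepted but that points at a certificate the browser will not trust anyway.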

Chrome can still remain difficult.

Open the following flag in a new tab, enable it, and restart Chrome:

chrome://flags/#allow-insecure-localhost

Last modified: 2023/11/04 02:48