.NET Core secure Web API intranet hosting

  • Question

  • User891563438 posted

    We have a Web API with Azure AD authentication ready.

    Now we need to publish that HTTPS-secured API as intranet APIs (the IT team has done the DNS mapping for the sites: test (https://test.abc.com) and prod (https://abc.com)).

    When we access the test site, it gives the standard warning (the certificate isn't valid, maybe because the issuer could not be verified); currently we select "I understand the risk" and proceed to the site.

    Queries

    1. What are the steps I need to take, or need to ask the IT team about, regarding SSL for the API?
    2. Should we buy domain names and certificates for both test and prod? If it is intranet only, can we avoid that?
    3. Will generating a certificate from the internal DNS server solve the problem? If yes, how do I do that?

    Wednesday, January 29, 2020 8:43 AM

All replies

  • User475983607 posted

    The host name you put in the certificate request must match the actual URL the certificate is securing. Otherwise, you'll get the certificate error described above. Purchase a new certificate for the new domain. I use a wildcard certificate, *.mydomain.com, so I only have to manage one certificate for the dev.mydomain.com, test.mydomain.com, and www.mydomain.com sites.

    Anyway, this question is out of scope for this Web API forum. However, your IT or security team should be able to provide assistance.

    Wednesday, January 29, 2020 11:48 AM
  • User-474980206 posted

    DNS servers do not generate certificates, so they are not involved.

    You can buy a certificate and have it installed, or use self-signed certificates. If your company is using self-signed certificates, then a group policy needs to be set to trust your self-signed certificate authority.

    This is really an issue your network team should support.

    Wednesday, January 29, 2020 5:12 PM
  • User753101303 posted

    Hi,

    As already said, we can't really help much here, but if you click on the certificate area in the browser and then ask for the certificate details, most if not all browsers should show exactly why it is not valid.

    Most likely this is a "self-signed" certificate, or it doesn't match the actual host name for which you bought it.

    Edit: found an interesting site at https://badssl.com/ that lets you see what happens for various bad/good cases and what the browser shows; you can then use the browser UI to inspect the bad certificate: https://www.clickssl.net/blog/how-to-view-ssl-certificate-details-in-every-browser

    With that you should know what is wrong, and hopefully those in charge will know what to do next...

    Wednesday, January 29, 2020 5:36 PM
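The browser's certificate dialog shows the reason for the warning; the same checks can be scripted. The following is an added example, not code from the thread or from any of the posters. It opens a TLS connection from PowerShell (.NET's SslStream), records which policy errors the default validation would raise (name mismatch versus untrusted chain), and prints the Subject Alternative Names and the chain status against the local machine's trust store. The host name test.abc.com is the placeholder from the question, and any machine running this needs network access to it.

```powershell
# Added example: report why a TLS endpoint's certificate would be rejected,
# without clicking through the browser warning. Host name is a placeholder.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # The callback accepts every certificate so the handshake completes; we only
    # record what the default validation would have complained about. A hashtable
    # captured by closure is used because delegate callbacks don't see the
    # function's local variables directly.
    $state = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Sending the host name (SNI) makes an IIS box with several bindings
        # present the certificate for this site, the same as a browser does.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Browsers match the URL host against the Subject Alternative Name (OID
    # 2.5.29.17); a certificate with only a Subject CN fails the name check.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Build the chain against this machine's store: reveals UntrustedRoot
    # (self-signed / unknown internal CA), NotTimeValid (expired), and so on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $chainStatus) { $chainStatus = 'NoError' }

    [pscustomobject]@{
        Host            = $HostName
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        NotAfter        = $cert.NotAfter
        SubjectAltNames = $san
        # None | RemoteCertificateNameMismatch | RemoteCertificateChainErrors
        PolicyErrors    = $state.PolicyErrors
        ChainStatus     = $chainStatus
    }
}

# Usage with the placeholder host from the question:
Test-ServerCertificate -HostName 'test.abc.com' | Format-List
```

If PolicyErrors reports RemoteCertificateNameMismatch, the fix is a certificate whose SAN lists the host name (or a wildcard covering it); if it reports RemoteCertificateChainErrors with ChainStatus UntrustedRoot, the issuer is not in the client's Trusted Root store, which is the self-signed or internal-CA case discussed in the replies.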
  • User891563438 posted

    Thanks Bruce,

    Can I avoid buying a domain and certificate as it is intranet only? If a self-signed certificate can be used for the Web API and the Angular site (both hosted on IIS), what should be done to apply a group policy, or is there another way? Could you share the steps or an MS docs URL?

    Thursday, January 30, 2020 6:14 AM
  • User891563438 posted

    Thanks Patrice, those are useful links.

    Well, this is a very normal case, but I am a bit new to hosting and certificates. Can you give more details, like:

    What is the best way you would go for an intranet site with SSL? The Web API and front end are both HTTPS.

    Thursday, January 30, 2020 6:21 AM
  • User753101303 posted

    And so the problem is that the CA is not trusted? Usually certificates are issued by a trusted third-party CA so that you can't pretend to be some known bank or corporation and start to fool people...

    AFAIK self-signed certificates are used for testing. If it is for internal use only, you could install them "by hand" on a couple of machines or, with some admin work, use your own internal CA.

    As soon as an external third party is involved, neither is realistic and you should get a certificate from a known CA. Note also that it needs some attention (for example, your app will stop working when the certificate expires).

    Edit: forgot about https://letsencrypt.org/, which might be an option (never tried; from a quick look it seems you need to do something on the domain name to prove you have control over the domain for which you asked for a certificate). Are you using a public domain?

    Thursday, January 30, 2020 4:25 PM
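The two replies above that recommend an internal CA (one trusted by group policy rather than individual self-signed server certificates) describe a procedure without showing it. The following is an added example, not code from the thread or any poster, that carries it out on a Windows/IIS host: create an internal root CA certificate, issue a server certificate signed by it whose SAN covers both host names from the question, export only the CA's public certificate, and trust it either on one machine or domain-wide. The CA name "ABC Internal Root CA", the path C:\pki, the IIS site name "Default Web Site" and the host names abc.com / test.abc.com are placeholders; the -Signer parameter of New-SelfSignedCertificate needs Windows 10 / Windows Server 2016 or later, and the script must run as Administrator.

```powershell
# Added example: minimal internal CA for intranet HTTPS. All names are placeholders.
New-Item -ItemType Directory -Path 'C:\pki' -Force | Out-Null

# 1. Internal root CA. Its private key stays on this host (or, better, on an
#    offline machine or a real AD CS server); only the public .cer is distributed.
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=ABC Internal Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')  # basicConstraints: CA

# 2. Server certificate signed by that CA. -DnsName populates the Subject
#    Alternative Name, which is what browsers match against the URL host; one
#    certificate can cover both the test and prod names.
$server = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -Subject 'CN=abc.com' `
    -DnsName 'abc.com', 'test.abc.com' `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export ONLY the CA's public certificate (DER, no private key) for clients.
Export-Certificate -Cert $ca -FilePath 'C:\pki\abc-internal-root.cer' | Out-Null

# 4a. Trust it on a single machine "by hand" (the Trusted Root store):
Import-Certificate -FilePath 'C:\pki\abc-internal-root.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4b. Trust it domain-wide: publish it to Active Directory so Group Policy
#     pushes it into every domain-joined machine's Trusted Root store.
#     Run once on a domain controller or with Enterprise Admin rights:
#       certutil -dspublish -f C:\pki\abc-internal-root.cer RootCA
#     Alternatively, import the .cer into a GPO under
#       Computer Configuration > Policies > Windows Settings > Security Settings
#       > Public Key Policies > Trusted Root Certification Authorities

# 5. Bind the server certificate to the IIS site (WebAdministration module).
#    SslFlags 1 enables SNI so several host names can share port 443.
Import-Module WebAdministration
$siteName   = 'Default Web Site'
$hostHeader = 'test.abc.com'
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostHeader -SslFlags 1
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader
$binding.AddSslCertificate($server.Thumbprint, 'my')

# 6. The reply above is right that expiry needs attention: the API and the
#    Angular front end both stop working the day the server cert lapses.
Write-Host "Server certificate $($server.Thumbprint) expires $($server.NotAfter); rotate before then."
```

Two points a practitioner will want to note: never distribute the CA's .pfx or private key, only the .cer, because anyone holding the CA key can mint a certificate for any intranet name that every domain machine will trust; and put a reminder on the server certificate's NotAfter date, since an internal CA gives no expiry e-mail the way a commercial CA does.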