SSL(Secure Socket Layer) in .net

Part A- Iss implementing SSL different thing than SSL certificate or does it mean i must have a SSL certificate to implement SSL on my website?

Part B- Is it necessary to buy SSL certificate to put Https:// instead of Http:// on a webpage

in my project?

Part C- if yes, from where do i buy that certificate and how do i implement it in my asp.net application?

a) no.. same thing

b) buy? no… you can generate your own even, but it wont be “trusted” and the user will get a popup telling them that, its not a biggie if you are using it for your own needs but for a public interface you will want to get one from a trusted source.

c) lots of places… verisign is the biggest though. There is nothing to impliment really.. just an IIS config change and then enforcing an https:// on your urls.

Secure Socket Layer(SSL) is used for secured communication

over the internet. Banking services, e-commerce etc.

websites implement SSL so that they can be accessible

through Https protocol for secured communication. If you

wish, you can configure only a section of your website

should be accessible through https and rest of the website

can be accessed through http protocol. Like in the online

shopping website only the payment section of the website

can be configured to be access through https protocol.

 

In order to make website SSL enabled, we need a

certificate. There are many different web sites that

provide certificates for use on IIS like www.verisighn.com.

Although, windows comes pre-installed with some

certificates of trusted companies. These certificates can

be viewed by running certmgr.msc from the comsole window.

For any certificate in the list of trusted certificates

your program(IE), will not give you warning when you access

their website with SSL enabled.

 

To show how to setup an SSL website we will use a trial

certificate that Verisign provides to anyone. Before that

create the certificate request.

 

Follow these steps:

 

1. Open the IIS manager window.

2. Right click on the website/virtual directory and choose

property window.

3. In the Property window choose Directory Security tab and

click on server certificate button.

4. Certificate Wizard window will open, click on next and

choose Create a new certificate option. Now follow the

wizard steps.

5. The web server certificate wizard will create a

certificate request and it will ask you where you want to

save it to. Save it somewhere where you can easily access

it because you will need to open up the file and submit it

to Verisign in order for a certificate response to be sent

back to you.

6.Open the text file that contains certificate request and

copy its content.

7. Now open http://www.verisign.com/ in IE. Once the page

has loaded up find the link "SSL Trial ID" and click on it.

8. The Verisign web site will now take you though the

process of obtaining a certificate.

9. In this process on the step "Submit CSR" enter in the

certificate request that you copied earlier and click on

continue.

10. After the process steps complete, your certificate

response will be e-mailed to you.

11. Now check your mail account for the certificate

response,At the bottom of the e-mail Verisign sent you is

the certificate that you need. Copy this text from the

BEGIN CERTIFICATE to the END CERTIFICATE include those

lines.

12. Open notepad, paste the text into it and save the file

as response.txt.

13. Go back to your web site's Properties dialog and click

on the Directory Security tab. Click on the Server

Certificate button. Click "Next" until you come to the

screen shown. Make sure the "Process the pending request

and install the certificate" option is selected. Click Next.

14.In the next screen click on browse to browse the

response.txt file, click on next and complete the rest of

the steps.

15. Click on the "Edit" button located in the Directory

Security tab of the web site's Properties dialog.

16. Check the "Require secure channel (SSL)" checkbox and

click on OK.

 

Now Our site have become SSL enabled.To access your SSL

enabled website use https instead of http.

 

 

To configure a perticular web page inntead of whole site to

be accessed using https protocol, right click on that

perticular web page in the IIS manager and open its

property window.Click on the "Edit" button located in the

Directory Security tab of the web site's Properties dialog

and Check the "Require secure channel (SSL)"

What is Secure Sockets Layer (SSL)?

 

SSL is a protocol for transmitting private documents via the Internet. Web sites use the SSL to obtain confidential user information, such as credit card numbers. SSL uses a cryptographic system that uses two keys to encrypt data - a public key known to everyone and a private or secret key known only to the recipient of the message. SSL protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transactions.
Getting and using a digital secure certificate
In order to get SSL certificate, you need to submit Certificate Signing Request (CSR) - a data file containing your details to Certification Authority (CA). During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.

To create a Certificate Signing Request (CSR), right click on your IIS Server's Default Web Site, and choose Directory Security Tab, Click on Server Certificate. As shown in following diagram



IIS Certificate wizard will be opened. Select 'Create a new certificate' option and click next.



Follow the all the steps. In the end you will get 'certreq.txt' file as shown below



Now to https://www.thawte.com and go to trial section of certificate and follow the instruction to get the certificate. You need the paste contents of CSR in Textbox, provided for getting certificate. Paste all the contents including '-----BEGIN NEW CERTIFICATE REQUEST-----' and '-----END NEW CERTIFICATE REQUEST-----'. In the end you will get the certificate out in textbox, Copy it from textbox and make a .txt file, output should be like following image



Now click on 'IIS default Web Site' and choose Directory Security Tab, Click on Server Certificate. You will get the 'IIS Certificate Wizard'. Select 'Process the pending Request and install the certificate'. Follow the step to install the certificate (.txt) file created in last step.



Now certificates are installed on IIS.

C#/.aspx code to use SSL

 In order to use SSL in asp.net, you need to redirect request through https instead of http. Make a new aspx website and add two pages (Welcome.aspx, Login.aspx) in your website. You can see in the Page_Load() event of Welcome.aspx following code, how to redirect the request to https.

Welcome.aspx.cs

public class WelCome : System.Web.UI.Page

{

private void Page_Load(object sender, System.EventArgs e)

{

String url = https://athakur/AnandTestCert/Login.aspx;

Response.Redirect(url);

}

override protected void OnInit(EventArgs e)

{

//

// CODEGEN: This call is required by the ASP.NET Web Form Designer.

//

InitializeComponent();

base.OnInit(e);

}

/// <summary>

/// Required method for Designer support - do not modify

/// the contents of this method with the code editor.

/// </summary>

private void InitializeComponent()

{

this.Load += new System.EventHandler(this.Page_Load);

}
}

Login.aspx

 

<%@ Page language="c#" Codebehind="Login.aspx.cs" AutoEventWireup="false" Inherits="AnandTestCert.Login" %>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<HTML>

<HEAD>

<title>Login</title>

<meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">

<meta name="CODE_LANGUAGE" Content="C#">

<meta name="vs_defaultClientScript" content="JavaScript">

<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">

</HEAD>

<body MS_POSITIONING="GridLayout">

<form id="Form1" method="post" runat="server">

<DIV style="DISPLAY: inline; FONT-SIZE: large; Z-INDEX: 101; LEFT: 28px; WIDTH: 300px; COLOR:

navy; FONT-FAMILY: Verdana, 'Trebuchet MS'; POSITION: absolute; TOP: 44px; HEIGHT: 38px;

BACKGROUND-COLOR: white" ms_positioning="FlowLayout">This web page uses SSL</DIV>

<DIV style="DISPLAY: inline; FONT-SIZE: xx-small; Z-INDEX: 103; LEFT: 80px; WIDTH: 52px; COLOR:

navy; FONT-FAMILY: Verdana, 'Trebuchet MS'; POSITION: absolute; TOP: 120px; HEIGHT: 20px;

BACKGROUND-COLOR: white" ms_positioning="FlowLayout">Password</DIV>

<DIV style="DISPLAY: inline; FONT-SIZE: xx-small; Z-INDEX: 102; LEFT: 68px; WIDTH: 64px; COLOR:

navy; FONT-FAMILY: Verdana, 'Trebuchet MS'; POSITION: absolute; TOP: 96px; HEIGHT: 20px;

BACKGROUND-COLOR: white" ms_positioning="FlowLayout">User Name</DIV>

&nbsp;

<asp:TextBox id="TextBox1" style="Z-INDEX: 104; LEFT: 152px; POSITION: absolute; TOP: 92px"

runat="server"></asp:TextBox>

<asp:TextBox id="TextBox2" style="Z-INDEX: 105; LEFT: 152px; POSITION: absolute; TOP: 120px"

runat="server"></asp:TextBox>

<asp:Button id="Button1" style="Z-INDEX: 106; LEFT: 80px; POSITION: absolute; TOP: 152px"

runat="server" Text="Submit" OnClick="Button1_Click"></asp:Button>

<asp:Button id="Button2" style="Z-INDEX: 107; LEFT: 152px; POSITION: absolute; TOP: 152px"

runat="server" Text="Cancel"></asp:Button>

</form>

</body>
</HTML>

Make Welcome.aspx start page and run the application. You may get following message, which indicates that your application is using certificates.



See the URL it is redetected to https.



Now on the status bar you can see the lock symbol. Double Click on lock.



It will display the certificate details like issued to, issued by and valid date etc.


SSL encrypts any date the user submits to your site. It’s a must if you are taking any sensitive data from the user like bank details and its advised even if your taken non-sensitive data like address.
If you’re not using SSL and you’re taking the users data you’re putting them and you at risk. If the payment details are taken by a third party like Paypal/Google you shouldn’t have anything to worry about.
If you are accepting credit card payments, or other sensitive customer data from your web site, then it is essential to have some form of data encryption between the web browser and your customer when they fill in their details.
The strongest data encryption publicly available is 128 bit Secure Socket Layer data encryption. We have two choices for providing this on your web site. A shared 128 bit SSL certificate, or your own dedicated 128 bit SSL certificate