Configuring IIS7 and ELB for HTTPS using wildcard common name

I have recently been asked to add HTTPS support to one of our web applications. With little to no experience in this kind of operation, my first thought was: oh, it shouldn’t be too hard, take the certificate, plug it into the web server and let’s go for a drink… not really what happened. I’ll try to give as many details as I can, with references, to help anyone going through this process.

Let’s start with the environment I am running:

  • A couple of IIS7 web servers
  • Amazon Elastic Load Balancer (ELB)
  • DigiCert Certificate (any trusted provider should work)
  • Wildcard domain (*.mydomain.com)

To create your certificate you will need to send a CSR to your provider.

For IIS 7, follow the instructions below:

  1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  2. Click on the server name.
  3. From the center menu, double-click the “Server Certificates” button in the “Security” section (it is near the bottom of the menu).
  4. Next, from the “Actions” menu (on the right), click on “Create Certificate Request.” This will open the Request Certificate wizard.
  5. In the “Distinguished Name Properties” window, enter the information as follows:
    Common Name – The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com; for a wildcard certificate such as the one used here, the wildcard name itself, *.mydomain.com).
    Organization – The legally registered name of your organization/company.
    Organizational unit – The name of your department within the organization (frequently this entry will be listed as “IT,” “Web Security,” or is simply left blank).
    City/locality – The city in which your organization is located.
    State/province – The state in which your organization is located.
    Country/region – If needed, you can find your two-digit country code at http://www.digicert.com/ssl-certificate-country-codes.htm.
  6. Click Next.
  7. In the “Cryptographic Service Provider Properties” window, leave both settings at their defaults (Microsoft RSA SChannel and 2048) and then click Next.
  8. Enter a filename for your CSR file.
    Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.

The full tutorial with screenshots and video is located at http://www.digicert.com/csr-creation-microsoft-iis-7.htm

Your provider should then generate the SSL certificate, and you should be able to download it in a format appropriate for IIS. I would recommend the individual .crt files in zipped format. You will find a bunch of files; the one of interest is star_mydomain_com.crt. You can now complete your request in IIS by following steps 1 to 3 of the CSR instructions; the fourth step is to use “Complete Certificate Request” from the Actions pane.

Complete Certificate Request

One important thing to note here: if you have a wildcard domain, the Friendly Name used to complete the certificate request should be exactly the same as your common name, *.mydomain.com (this might not seem very important, but you will see why afterwards). If you have already imported the certificate, you can use the Certificates MMC snap-in to change its friendly name; find more on this page: http://technet.microsoft.com/en-us/library/cc753195%28v=ws.10%29.aspx

Once done, you can duplicate your certificate for use on your other IIS boxes, if any, and repeat the same steps.

Let’s move on to configuring our Elastic Load Balancer (Amazon ELB) to support HTTPS and import our certificate there. There are several ways to do that; I will use the one that has been working in my case.

Find the basic reference on Amazon Web services ELB documentation http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenarios.html

Amazon Elastic Load Balancer HTTPS Setup

You will need to fill in the following fields:

Certificate Name:* – Any meaningful name to recognize your certificate afterwards

Private Key:* – RSA PRIVATE KEY

Public Key Certificate:* – Public key

This is where it becomes a bit tricky: neither your CSR nor the certificate gives you this information in the form ELB expects, so you need to use OpenSSL to produce it.

First you need to export your SSL certificate together with its private key; try these steps:

  1. Start the Microsoft Management Console  > Run mmc.exe
  2. Click the ‘Console’ menu and then click ‘Add/Remove Snap-in’.
  3. Click the ‘Add’ button and then choose the ‘certificates’ snap-in and click on ‘Add’.
  4. Select ‘Certificates’ and click ‘Add’.
  5. Select ‘Computer Account’ then click ‘Next’.
  6. Select ‘Local Computer’ and then click ‘OK’.
  7. Click ‘Close’ and then click ‘OK’.
  8. Expand the menu for ‘Certificates’ and click on the ‘Personal’ folder.
  9. Right click on the certificate that you want to export and select ‘All tasks’ > ‘Export’.
  10. A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.

You can find the illustrated tutorial on this page: http://nl.globalsign.com/en/support/ssl+certificates/microsoft/all+windows+servers/export+private+key+or+certificate/
You need to have OpenSSL on your machine for the next step: http://www.openssl.org/

Export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the passphrase from the private key

openssl rsa -in key.pem -out server.key

Use the contents of the server.key file for the Private Key:* field required by ELB. You will then need to download a PEM version of your SSL certificate from your provider, which contains more than one certificate block (your own certificate followed by the chain). Take the first block, from
-----BEGIN CERTIFICATE-----
Lots of fancy HEX here!!!
-----END CERTIFICATE-----

and paste it into Public Key Certificate:*; Amazon ELB should then accept your certificate.
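As an added example (not code from the original post), here is a small Python helper that pulls the two values the ELB form needs out of the files produced above: the first certificate block of the provider’s PEM bundle, and the single unencrypted key block from server.key, refusing a key that still carries a passphrase. The PEM contents below are constructed placeholders, not real key material.

```python
import re

# Constructed sample input (not real certificates): a provider PEM bundle with the
# server certificate first, then one intermediate, plus two key files as OpenSSL
# emits them before and after "openssl rsa -in key.pem -out server.key".
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
LEAFCERTBASE64PLACEHOLDER==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEBASE64PLACEHOLDER==
-----END CERTIFICATE-----
"""
SAMPLE_ENCRYPTED_KEY = """Bag Attributes
    friendlyName: *.mydomain.com
-----BEGIN ENCRYPTED PRIVATE KEY-----
ENCRYPTEDKEYPLACEHOLDER==
-----END ENCRYPTED PRIVATE KEY-----
"""
SAMPLE_SERVER_KEY = """-----BEGIN RSA PRIVATE KEY-----
PLAINKEYPLACEHOLDER==
-----END RSA PRIVATE KEY-----
"""

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def split_pem(text):
    """Return (label, block) for every well-formed PEM block, ignoring Bag Attributes noise."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def elb_public_key_certificate(bundle):
    """Split the provider bundle into the server certificate (ELB's Public Key
    Certificate field) and the remaining chain certificates."""
    certs = [block for label, block in split_pem(bundle) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in bundle")
    return certs[0], certs[1:]

def elb_private_key(key_text):
    """Return the single unencrypted key block for ELB's Private Key field, or raise."""
    if "ENCRYPTED" in key_text:  # PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED'
        raise ValueError("key still has a passphrase; run: openssl rsa -in key.pem -out server.key")
    keys = [block for label, block in split_pem(key_text)
            if label in ("RSA PRIVATE KEY", "PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    return keys[0]
```

Run it against your real cert.pem bundle and server.key to get exactly the text to paste into the two ELB fields; the chain blocks it returns are the ones ELB does not need in the Public Key Certificate field.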

Update #1 for configuration of ELB:

There is one more option that avoids certificate configuration on the ELB: create a TCP listener on port 443 that forwards to TCP port 443 on the instances, and your web server will act as the SSL termination point. This should work straightforwardly.

Using windows hosts file

The Windows hosts file, located under “[SystemDriveLetter]:\Windows\System32\drivers\etc”, is very useful when you have to test web applications hosted either locally or on a remote server and you do not wish to map them in your DNS.

Let’s take an example where you have a website named http://www.my-simple-web-application.com. You will most likely have 3-4 versions of the application: dev, preprod, test, live (where live would be http://www.my-simple-web-application.com).

To facilitate testing, you could come up with a standard way of addressing these environments:

http://dev.my-simple-web-application.com
http://preprod.my-simple-web-application.com
http://test.my-simple-web-application.com

Each of these sub-domains might point to the same or different servers. This is where the hosts file comes in handy; you can configure something like:

127.0.0.1 dev.my-simple-web-application.com
127.0.0.1 preprod.my-simple-web-application.com
127.0.0.1 test.my-simple-web-application.com

In this example all IP addresses are local; change them as needed. Beware that this configuration must be placed on each desktop (development and test) from which you want to use these sub-domains.

On another note, this configuration can also be achieved network-wide if you have a configurable router where you can add global hosts.

There are a number of other situations where the hosts file can be helpful:
1) You are migrating your website to a new server: in this case you can specify your existing domain name in the hosts file and point it to the IP of the new server.
2) You have multiple web servers hosting the same application and one of them is not working properly: you can target the misbehaving server by changing your hosts file to point only at that server.

backup and share files using MozyHome and Dropbox

If you are wondering what choices you have to share and back up your files, you will easily find hundreds of alternatives on the web today, each one with its own features and technologies.

I came across 2 free tools that I use for my backups and file sharing:

MozyHome Remote Backup

MozyHome is a small application that runs in the background and backs up any folder you configure it to. It encrypts and then uploads your files to your 2 GB of free space. You have several tools that let you restore any lost files. Nice for uploading documents and project files. There is also a paid version with unlimited space.

Dropbox

Dropbox is a new tool that just went public last week. It’s similar to MozyHome, with 2 GB of free space and the possibility of backing up your files, with some extra features such as file sharing and automatic sync. Personally I use it to share files only, since your files need to be in the Dropbox folder (a similar concept to the Live Messenger sharing folder) to be shareable.

It also allows sharing of files and gives you a nice public URL that you can easily send to the person you want to share your files with. The only lacking feature I see is that you can’t share an entire folder with the files inside, i.e. when you want to share several photos you can’t directly get a link to the folder; you must share it with someone who already has Dropbox. A feature providing a link to a zipped version of an entire folder would be nice.

Yahoo! Search BOSS

Yahoo has just opened its search engine to us developer folks; we can now mingle and meddle with it to improve the search results on our own websites. The codename for this open API is BOSS (Build your Own Search Service). As described in a ZDNet article, this is a way for Yahoo to try to gain some market share in the search industry against GOOG.

Here is an extract from the Yahoo! Search BOSS page on YDN:

BOSS (Build your Own Search Service) is Yahoo!’s open search web services platform. The goal of BOSS is simple: to foster innovation in the search industry. Developers, start-ups, and large Internet companies can use BOSS to build and launch web-scale search products that utilize the entire Yahoo! Search index. BOSS gives you access to Yahoo!’s investments in crawling and indexing, ranking and relevancy algorithms, and powerful infrastructure. By combining your unique assets and ideas with our search technology assets, BOSS is a platform for the next generation of search innovation, serving hundreds of millions of users across the Web.

Yahoo! Search BOSS

I’ll try to experiment a bit with it, to see if I can integrate the search on this blog for a small…

Freelancing, Online jobs for professionals

Nowadays many professionals in different activity sectors offer their services and expertise through freelance portals. These portals are websites where you can post job offerings, or register as a freelancer to take job offerings. In terms of business, you can bargain and get the work done at an affordable price with expert professionals.

So where is the catch? Why doesn’t everyone go online and work as a freelancer?

It’s quite simple: getting a job online can take quite a while. You must register on several websites, either paid or non-paid, then apply for job positions that fit your expertise, wait for an answer and, if you are accepted, start working. When working as a freelancer you are often not bound by any long-term contract: you get to work on a module for 1 month and, when the job is done, you simply have to go through the entire process again, which can sometimes take several weeks before you get another job. So being a freelancer is a tedious and long process, but it is quite a remunerative one, since you get to work on different projects and gain much more experience.

Since I have expertise in web technology and programming, here are some websites that I am registered on.

Guru.com

Guru.com was launched in August 2000 (as A2Zmoonlighter.com).
Its mission: to provide the most efficient platform to connect and perform transactions with freelance professionals locally, nationally, and globally.

Odesk.com

Odesk.com was created in 2003.
Its mission: build the world’s best network of technology service providers through screening, testing, and feedback, and offer the platform that lets buyers successfully hire, manage, and pay service providers from around the world.

thecodingmachine.com

thecodingmachine.com was launched in late 2006.
Its mission: to offer you IT services. Thanks to a new approach, your projects can be delivered quicker and at lower cost. It has created a web platform and linked together coders from all over the world.

There are many more websites offering job postings and freelance work, but these are the ones I have experience with, and I find them pretty good tools when you are searching for a job online to share your expertise.

Leave a comment about other sites that might be good; I’ll review them and update this post.

Goodbye Netscape Navigator

10 years have now gone by since the first appearance of Netscape Navigator, and now it is time to say goodbye to this browser. As announced by AOL, Netscape browser support will end on the 1st of February 2008.

I still remember that during my first days using the internet I played around with Navigator 3 or 4, I think. It was kind of impressive the first time, I may say, but afterwards I switched to Internet Explorer, and now I am using both Internet Explorer and Firefox.

Netscape Navigator 9

Lenovo 3000 N100

I bought a Lenovo 3000 N100 6 months ago. Now it’s time for a review of this piece of hardware.

The hardware specification is as follows:

Model: N100 0768-FFG
CPU: Core 2 Duo T5600 1.83 Ghz
Memory: 1Gb DDR2 PC5300
Hard Drive: 120 GB HDD (Fujitsu) SATA
Screen: 15.4″ WSXGA+ 1680×1050 Glossy
Optical Drive: DVD-RW Matshima
GPU: NVIDIA 7300 Go 128 MB (dedicated)
Network/Wireless: Intel Wireless 3945A/B/G, Realtek 10/100 Ethernet Card, Modem and Bluetooth
Inputs: 84 Key Keyboard with Two Button Touchpad with Scroll Bar
Buttons: Power, Lenovo Care, Power Up and Down, Mute, and WiFi/Bluetooth On/Off Switch.
Ports:

  • Four USB 2.0
  • Four-Pin Firewire
  • 4-in-1 Card Reader
  • Ethernet
  • Modem
  • VGA Out
  • S-Video Out
  • Microphone
  • Headphone
  • Security Lock
  • Power Connector

Integrated Camera (1.3 MegaPixel)
Fingerprint reader
6c Li-Ion

It was delivered with Windows Vista Business Edition, and some other software that makes it run slower than it should. So after the 1st month with Vista on it, I decided to downgrade back to Windows XP SP2 Pro, and this is just fine. Beware: before doing this operation, make sure that you download any drivers that are needed, since the set is not delivered with a driver CD. I found all the drivers on the Lenovo website.

Here are some stats and tests that I did.

Using CPUz (http://www.cpuid.com/cpuz.php): screenshots of the CPU, Cache, SPD and Mainboard tabs.

Super Pi Calculation (http://www.overclock.net/downloads/28044-definitive-super-pi-thread.html)

Will be coming soon… let me get some time.

Copy custom object in C#

There are several ways to clone a custom object in .NET:

  • Using reflection to get information about each field and property of the custom class, create a new instance and assign the proper values.
  • Manually implementing a clone method that copies each field and then returns the new object.
  • Using serialization and deserialization.

I have tried the third method (the code can be found here); it seems to be working fine for the time being, but more tests need to be done on the performance overhead.

Web Stress Tool

Today I have been trying to stress test my development website using ACT from Microsoft. I am using Visual Studio 2005 Professional, and while looking for this precious tool, which was readily available in the previous version, VS.NET 2003, I couldn’t find it (uh!!! did I forget to install it????). I checked, but nothing; then I checked on the web and reached a forum post which said: Application Test Center is no longer available in VS.NET 2005; you can buy a new licence of VS.NET Team Tester to be able to use some stress tool. OK, how nice 🙂 marketing strategy…

Anyway, I have been wandering around the web to find a proper web stress/load tool to test my web developments. The results have been pretty disappointing… I could not find a proper tool for testing ASP.NET websites. After some time I came across this tool on SourceForge: WEBLOAD (open source performance testing), which is the open source version of the recognised RadView WebLOAD.

I’ll now be trying this tool and will give some feedback soon after.