Using SSL on Windows
To enable SSL, set the bool `ssl` to `true` in the constructor.

```csharp
Server s = new Server("127.0.0.1", 8080, true, DefaultRoute);
s.Start();
```
Alternatively, set the `Enable` parameter of `Ssl` to `true` before calling `Start()`.

```csharp
s.Settings.Ssl.Enable = true;
s.Start();
```
Using SSL with Watson on Windows requires that the certificate be installed in the Windows Certificate Manager MMC snap-in. It is easiest to use IIS to generate your CSR, and then once you have your certificate and private key, import the certificate and private key into the Computer Account certificate store.
Once the certificate has been imported, double click the certificate (from within MMC) and go to the 'Details' tab to retrieve the certificate thumbprint.
Copy this value and paste it into Notepad.
You MUST use certificates installed in the Computer account and not the User account.
When copying from the Certificate Manager window into Notepad, a special character, hidden from view, is often pasted along with the thumbprint and will cause you trouble. As a result, I like to manually type in the first two characters and the last two characters, paste in the rest (after copying from the Thumbprint field in the properties window), and then remove all whitespace.
Next, you will need to use the `netsh` command to associate the certificate with the port upon which Watson is listening.

```
C:\> netsh http add sslcert ipport="0.0.0.0:443" certhash="[thumbprint]" appid="{00000000-0000-0000-0000-000000000000}" certstore=My
```

If you supply `0.0.0.0`, it will allow the request to come in on any IP address. Replace `0.0.0.0:443` with the IP and port you are using if necessary. Replace `[thumbprint]` with the actual certificate thumbprint. The appid value is arbitrary and any GUID will do.
From the Command Prompt, type `netsh http show sslcert` to verify that your certificate is installed. The output will appear as follows:

```
C:\Users\Administrator>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : d0013e91aab93f437a4443b13e6d18bd60f0279c
    Application ID               : {00112233-4455-6677-8899-aabbccddeeff}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
```
If a binding exists for the port which you wish to use, you must first delete it. Check your existing bindings using:

```
C:\Users\Administrator>netsh http show urlacl

URL Reservations:
-----------------

    Reserved URL            : https://host.domain.com:443/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
```
To delete a pre-existing binding, use:

```
C:\Users\Administrator> netsh http delete urlacl url=https://host.domain.com:443/
```

Now add the binding. It is generally best to use a specific hostname in the URL rather than `+`.

```
C:\Users\Administrator> netsh http add urlacl url=https://host.domain.com:443/ user=everyone listen=yes
```
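The whole procedure above (clean the thumbprint, confirm the certificate is in the Computer account's store, bind it to the port, then reserve the URL) as one added PowerShell script. This is an added example, not code from the Watson project. It assumes an elevated PowerShell session, and the thumbprint, hostname, port and application GUID at the top are placeholders you replace with your own values. Stripping every non-hex character from the thumbprint removes both whitespace and the hidden character that MMC copies into the clipboard, and the private-key check catches a certificate that was imported without its key, which `netsh` would happily bind but which cannot complete a TLS handshake.

```powershell
# Added example: bind a Computer-account certificate to the Watson listener
# port with netsh. Run from an elevated PowerShell prompt.
param(
    # Placeholder values; replace with your own.
    [string]$Thumbprint = "d0013e91aab93f437a4443b13e6d18bd60f0279c",
    [string]$HostName   = "host.domain.com",
    [int]$Port          = 443,
    # netsh accepts any GUID here.
    [string]$AppId      = "{00000000-0000-0000-0000-000000000000}"
)

# 1. Normalise the thumbprint: remove whitespace and any non-hex character
#    (the invisible left-to-right mark that MMC copies is the usual culprit),
#    then require exactly 40 hex digits (a SHA-1 thumbprint).
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
if ($clean.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after cleaning; got $($clean.Length)"
}

# 2. The certificate must live in the Computer account's Personal store
#    (Cert:\LocalMachine\My), not the User store, and must carry a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $clean }
if (-not $cert) {
    throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $clean has no private key; TLS handshakes would fail"
}

# 3. Replace any existing sslcert binding on the port, then add ours.
$ipport = "0.0.0.0:$Port"
if ((netsh http show sslcert ipport=$ipport) -match 'Certificate Hash') {
    netsh http delete sslcert ipport=$ipport | Out-Null
}
netsh http add sslcert ipport=$ipport certhash=$clean appid=$AppId certstore=My
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed" }

# 4. Reserve the URL for the listener, using a specific hostname rather than '+'.
$url = "https://$($HostName):$($Port)/"
if ((netsh http show urlacl url=$url) -match 'Reserved URL') {
    netsh http delete urlacl url=$url | Out-Null
}
netsh http add urlacl url=$url user=Everyone listen=yes
if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed" }

# 5. Print the resulting bindings so they can be checked against the
#    expected output shown above.
netsh http show sslcert ipport=$ipport
netsh http show urlacl url=$url
```

The hostname in the reservation has to match what you pass to Watson when it starts; if the two differ, the listener never receives the request and you will see the 503 behaviour described in the links that follow.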
A helpful article on Stack Overflow related to this process can be found here: https://stackoverflow.com/questions/779228/the-parameter-is-incorrect-error-using-netsh-http-add-sslcert

If you see 503 errors:

- https://stackoverflow.com/questions/26412602/httplistener-server-returns-an-error-503-server-unavailable
- https://stackoverflow.com/questions/8142396/what-causes-a-httplistener-http-503-error

Also be sure to set your listener hostname when starting Watson to either the exact hostname used above, or `+`.