3

I have a certificate from GoDaddy, which I've previously used for an IIS hosted website. I've now converted the site over to an OWIN self-hosted WebAPI project and would like to use the same certificate for the new site on a brand new machine.

Do I need to install IIS just to import the certificate or is there a way to import it directly into the certificate store like you can with self-signed certificates?

Or does this need to be handled directly in the new OWIN project somehow?

jww
jt000

3 Answers

4

You don't need IIS to import a certificate; you use certmgr (Certificate Manager). You should be able to import the certificate directly with the Windows certificate manager and then use netsh to register it for OWIN using its thumbprint.

SignalR with Self-Signed SSL and Self-Host

Just ignore the part where they import into Root Certification Authorities, GoDaddy is already a trusted CA (although you can download the cert chain/bundle and manually import that as well).

You can create a certificate manager snap-in by running MMC (start->run->MMC), then Add-Remove Snap-ins, choose Certificates. Save to Desktop.

Community
codenheim
  • Hmmm... That's what I had originally thought, but netsh seemed to have difficulty linking to it. netsh http>add sslcert ipport=0.0.0.0:443 certhash=<> appid={ac05b3ed-946d-4eb4-b344-ab871420beba} outputs: SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated. I'll have to keep playing to see if I can find more details. – jt000 Jul 11 '14 at 19:29
  • Which cert store did you import it into? – codenheim Jul 11 '14 at 19:29
  • Certificates (Local Computer)/Personal/ – jt000 Jul 11 '14 at 19:39
  • Hmmm... My certificate doesn't have a private key. Should it have one? – jt000 Jul 11 '14 at 19:46
  • You already have the private key. You received a .crt or .cer file from GoDaddy, so you probably need to use openssl to combine cert + private key into a combined pfx file, then import the pfx file. – codenheim Jul 11 '14 at 20:32
3

Figured out my problem (though, I don't know if it will help anyone else if they encounter this). Turns out GoDaddy's "Download Certificate" page only downloads certificates without the private key. I had to export the certificate previously imported by IIS, then import it into my Personal store. I assume there's a way to get the private key w/o importing into IIS, but I personally don't know what it is (maybe I just missed a step somewhere this time around).

jt000
  • Yes, GoDaddy never received your private key. Your original signing request only contains the public key. The only way you can create pfx is on your own. +1 for your answer since it should work. – codenheim Jul 11 '14 at 20:43
2

Yes, the certificate must be installed with its private key for it to work with OWIN. I had to go through the same pain, as most (all?) CAs issue certificates without private keys. However, you must have received the private key beforehand. You must have your certificate in .crt format. This does not include the private key. So you need to create a certificate in .pfx format with the private key in it.

If your private key is in plain text, then create a .key file with that plain text as its content. Note that your .key file should have the standard first and last lines of a private key, or else it'll complain about an invalid key.

-----BEGIN PRIVATE KEY-----
<key-content>
-----END PRIVATE KEY-----

Now create a .pfx certificate using the OpenSSL tool.

openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt

To import this certificate, just double-click on the .pfx file. In the import wizard choose 'Local Computer - Personal' as the certificate store. After a successful import you'd also notice a small (lock) key icon appearing on top of the installed certificate icon.

Assuming you have bound the server port to your OWIN application using netsh http add sslcert, it should start working!

Rajiv
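An added example, not part of any answer above: a shell wrapper around the openssl pkcs12 -export step that first checks the private key really belongs to the certificate, then re-opens the resulting .pfx to confirm the key is inside (a certificate imported without its key is what the thread traced the netsh failure to). The function names and the PFX_PASS environment variable are assumptions made for this example, and the sample key pair is a throwaway self-signed one constructed for the demo.

```shell
#!/bin/sh
# Added example: function names and PFX_PASS are hypothetical, not from the page.

# Print the public key carried by a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# Succeeds only when the private key belongs to the certificate.
key_matches_cert() {   # usage: key_matches_cert servername.key servername.crt
    k=$(key_pubkey "$1" 2>/dev/null) || return 2    # unreadable or invalid key
    c=$(cert_pubkey "$2" 2>/dev/null) || return 2   # unreadable or invalid cert
    [ "$k" = "$c" ]
}

# Bundle key + cert into a PFX, refusing a mismatched pair, then re-open the
# PFX and confirm the private key inside still matches the certificate.
# The export password is read from $PFX_PASS so it never appears in argv.
build_pfx() {          # usage: build_pfx servername.key servername.crt out.pfx
    key_matches_cert "$1" "$2" ||
        { echo "key unreadable or does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        -passout env:PFX_PASS || return 1
    inner=$(openssl pkcs12 -in "$3" -nocerts -nodes -passin env:PFX_PASS \
                2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ "$inner" = "$(cert_pubkey "$2")" ]
}

# Constructed sample input: a throwaway self-signed pair plus an unrelated key.
make_sample() {        # usage: make_sample dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/servername.key" -out "$1/servername.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" || exit 1
    export PFX_PASS=constructed-demo-pass
    build_pfx "$d/servername.key" "$d/servername.crt" "$d/servername.pfx" &&
        echo "pfx ok: private key present and matches"
    build_pfx "$d/other.key" "$d/servername.crt" "$d/bad.pfx" ||
        echo "mismatched key rejected"
    rm -rf "$d"
fi
```

Run it with --demo to see both outcomes on the constructed pair; with real files, set PFX_PASS and call build_pfx with your own .key and .crt before importing the .pfx into the Local Computer Personal store.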