Last post Jan 30, 2020 04:25 PM by PatriceSc
Jan 29, 2020 08:43 AM|praveen49|LINK
We have WebAPI with Azure AD Authentication ready.
Now need to publish that https secure api as Intranet APIs (IT team have done DNS mapping the sites, test (https://test.abc.com) and prod (https://abc.com)
When we access the Test site, it gives standard warning (certificate isn't valid may be due to Issuer could not be verified), currently we select I understand the risk and procced to the site.
Jan 29, 2020 11:48 AM|mgebhard|LINK
The certificate URL, when you made the certificate request, must match the actual URL the certificate securing. Otherwise, you'll get the certificate error described above. Purchase a new certificate for the new domain. I use a wild cart certificate,
*.mydomain.com so I only have to manage a one certificate for dev.mydomain.com, test.mydomain.com, and www.mydomain.com sites.
Anyway, this question is out of scope for this Web API forum. However, you IT or Security Team should be able to provide assistance.
Jan 29, 2020 05:12 PM|bruce (sqlwork.com)|LINK
DNS servers do not generate certificates, so they are not involved.
you can buy a certificate and have installed, or use self signed certificates. if you company is using self signed, then a group policy needs to be set to trust your self signed cert authority.
this is really an issue your network team should support.
Jan 29, 2020 05:36 PM|PatriceSc|LINK
As told already we can't really help but if you click on the certificate area in the browser and then ask for certificate details most if not all browsers should show exactly why it is not valid.
More likely this is a "self signed" certificate or it doesn't match the actual host name for which you bought it.
Edit: found an interesting site at https://badssl.com/ that allows to see what happens for various bad/good cases, what the browser shows, and then you can use the browser UI to inspect the bad certificate: https://www.clickssl.net/blog/how-to-view-ssl-certificate-details-in-every-browser
With that you should know what is wrong and hopefully those in charge should know what to do next...
Jan 30, 2020 06:14 AM|praveen49|LINK
Can I avoid buying domain and certificate as it is Intranet? If the Self signed certificate can be used for WebAPI and angular site (both
hosted on IIS) - so what should be done to apply some group policy or any other way (share steps or MS docs url?
Jan 30, 2020 06:21 AM|praveen49|LINK
Thanks Patrice, those are useful links,
well this is very normal case, but I am bit new to hosting and certificates, can you give more details like
Best way you would go for intranet site with SSL? WebAPI + front-end both are https
Jan 30, 2020 04:25 PM|PatriceSc|LINK
And so the problem is that the CA is not trusted ? Usually certificates are issued by a trusted 3rd party CA so that you can't pretend to be some known bank or corporation and start to fool people...
AFAIK self signed certificate are used for testing. If internal use only you could install them "by hand" on a couple of machines or with some admin work, use your own internal CA.
As soon as an external 3rd party is involved neither is realistic and you should get a certificate from a known CA. Note also it needs some attention (for example your app will stop working when the certificate expires).
Edit: forgot about https://letsencrypt.org/ which might be an option (never tried, from a quick look it seems you need to do something on the domain name to proove you have control over the domain for which you asked
a certificate). You are using a public domain ?