[object Object]

Hosting ASP.NET apps on AWS Part 12 - SSL certificates in IIS

How-to written and screenshots taken on 2020 January 31

1. Certify SSL Manager

To enable https connections to our websites we need an SSL certificate. You can buy certificates through specialized companies: Certificate Authorities. Getting a fully validated business wildcard certificate will set you back hundreds or thousands of dollars.

We're running on the cheap, and without a load balancer we cannot get a free SSL certificate through AWS.

"Public SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application." https://aws.amazon.com/certificate-manager/pricing

That leaves us with the option to generate them manually through Let's Encrypt. I found an application that does make creating certificates really easy by providing a GUI.

  1. Go to https://certifytheweb.com/ and download the Certify SSL Manager.

  2. Run the installer and install.

  3. When you first open the program you're asked to fill in some basic information, like your name and contact information.

  4. Click the New Certificate button in the top left corner of the screen. Give you certificate a name. We'll take *.jodibooks.nl for this example. The asterisk shows us it's a wildcard certificate.
    In the Add domains to certificate box type jodibooks.nl and add domains, followed by *.jodibooks.nl and add domains. The program will show a notification we have to use DNS to verify the domain, OK. Lastly choose your preferred domain to show on the certificate.

    add jodibooks.nl wildcard certificate

  5. Go to the IAM console in AWS. Go to users and Add user. Add the user name ACME-DNS with Access type Programmatic access.

    add acme-dns iam user

  6. In the next step click Attach existing policies directly and search for Route53FullAccess. Select it and click Next.

    add route53 policy

  7. Press Next again after adding optional tags and clikc Create user.

    create acme-dns iam user

  8. Save the credentials and leave the browser tab open for a moment.

  9. Go back to Certify and go to Authorization on the right. Change the Challenge Type to dns-01 and the DNS Update Method to Amazon Route 53 DNS API.

    add domain authorization settings
    I already had a IAM user `ACME-DNS`. See next step how to add a new user.

  10. Now add new credentials and enter the Credential name ACME-DNS-EXAMPLE or just ACME-DNS and the credentials you just made.

    enter route53 credentials

  11. Click the 3 dots ... and choose the hosted zone. In my case jodibooks.nl.

  12. Click the Test button in the top-right of the window. Certify will start testing if it can add the necessary DNS records in Route 53.

    route53 dns test successful

  13. Close the Test Progress_and go to Other Options in the right menu. I increased the _CSR Signing Algorithm to ECDSA P-256. The higher the more secure, but probably also more CPU intensive. Press the Request Certificate button.

    increase signing algorithm strenght

  14. Certify goes to work. It can take a while, as the DNS records need to be propagated. Just be patience and a few minutes later you have a wildcard certificate. Note that it will expire in 89 days, but that auto renewal is enabled.

    automated requesting certificate process

2. HSTS in IIS

Certify will have automatically created https-bindings to all your website in IIS with the *.jodibooks.nl domain. What IIS doesn't do yet is redirect users from http to a secured https connection. To do that we have to configure HSTS in IIS.

  1. Open IIS Manager and select your website. Now all the way on the right, near the bottom there is a link to HSTS... Scan for the Configure heading to find it.

    find the HSTS link in IIS

  2. Enable it obviously, set a Max-Age to at least 10368000 seconds (120 days) and ideally to 31536000 (one year). Now also enable the other options: IncludeSubDomains, Preload and Redirect Http to Https. Repeat for all your websites.

    Source for HSTS Max-Age on Qualys security labs blog: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server

    edit hsts settings

3. Next: WordPress

With that our ASP.NET websites are running. In the next part a bonus feature: a WordPress blog on a super fast Ubuntu LEMP stack.