9

I'm currently trying to create a chat based on the SslStream class. I was going through that msdn link: click here

I realized that I need to get an X509Certificate to accomplish that task. But I really don't know how I can get one. I know that there are ones that cost money, but aren't there free ones available?

P.S.: I came here after doing some searching on Google about that subject but haven't found any helpful information.

So my question is: Where can I get an x509 certificate?

Thank you.

idish
  • You could use a self-signed cert. However, this will possibly prompt the end user to accept the cert. – zybroxz Jul 13 '12 at 19:42

4 Answers

7

You can create certificates with the makecert tool.

Or, if you're only interested in encrypting the traffic, without signing it, and you control the client and the server, just use a CryptoStream.

Jordão
  • If I'm using that, and succeed in creating one, will the data transferred between the client and the server be encrypted? – idish Jul 13 '12 at 19:43
  • If you use an `SslStream`, then yes. But be aware that for a certificate to be trusted by your client, he _must_ trust the certificate issuer. For production use, you should really get one from a trusted certificate authority. – Jordão Jul 13 '12 at 19:44
  • Aha, so you're saying that if I'm creating my own certificate, the client will be prompted and will have to accept the certificate to continue? Will he have to do it once or every time he connects to the server? – idish Jul 13 '12 at 19:48
  • That depends on the client and how it's configured. If you're writing the client yourself, and you want _only_ encrypted traffic, another option could be to use a [`CryptoStream`](http://msdn.microsoft.com/library/system.security.cryptography.cryptostream.aspx). – Jordão Jul 13 '12 at 19:59
  • Yes, I am programming the client. I just want the communication to be encrypted between the server and the client, as I said. I don't really understand the security subject; what do you suggest I use for that kind of task, CryptoStream or SslStream? – idish Jul 13 '12 at 20:05
  • Well then, go for the CryptoStream... It's simpler for what you want to achieve: it will encrypt the traffic, but not sign it, and you won't need a certificate. – Jordão Jul 13 '12 at 20:07
  • Really? No certificate? So it's better for my needs, right? It is going to be a big project, so I'm sorry for digging, but I must be sure about that. – idish Jul 13 '12 at 20:11
5

You can generate your own and sign it yourself using openssl, though keep in mind that if the client tries to verify it (and by client I usually mean the browser, since this is their most common use, though not the only one), they won't be able to.

> I know that there are ones who cost money, but there aren't free ones available?

Basically, what you are paying for is for a CA (certificate authority) to sign it, so that when clients go and verify who you are with the CA, it'll pass.

openssl: http://www.openssl.org/

This is the command I usually use:

```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
```

server.pem is your certificate and server.key is your private key.

Given that you probably already have the .NET SDK installed, maybe makecert is a better/easier approach, since you would need to build openssl.

Still, I went to their docs and I couldn't find how to set the key size, though apparently the default is 1028 and I think using RSA, but I did find this: `makecert -pe -ss MY -$ individual -n "CN=your name here" -len 2048 -r`

from "MakeCert - Is it possible to change the key size?" to http://www.mazecomputer.com/sxs/help/shared.htm

openssl supports many types not just RSA but maybe you don't need them.

Samy Vilar
  • I see, but as you're saying that the client needs to verify the certificate, I don't think it's a problem, because it is a chat program, not a browser; I just want the data passed between the server and the client to be encrypted for all the messages they send to each other. – idish Jul 13 '12 at 19:46
  • Then you're good to go; sorry, I wasn't sure if you meant a web-based or desktop-based chat system. openssl gives you full control over how you want to create the certificate. – Samy Vilar Jul 13 '12 at 19:49
  • Really? I should use openssl instead of makecert, as explained in one of the answers above? – idish Jul 13 '12 at 19:51
  • @idish updated the answer, though you can come up with your own encryption scheme; it all depends how secure you want it. – Samy Vilar Jul 13 '12 at 20:07
  • @idish, whether it's a browser or another client (chat or otherwise) doesn't really matter. If you want the connection to be protected against MITM attacks, the client has to be able to verify it one way or another (either via a CA it knows or explicitly if it knows the (self-signed) certificate directly). – Bruno Jul 13 '12 at 20:14
  • @Bruno OK, so you suggest I explicitly let the client know about my certificate so it won't cause any problems? Could you please give me a link or anything that explains how I can do that? (the client to know my self-signed certificate) Please! – idish Jul 13 '12 at 20:25
  • Yep, Bruno's right, though hardcoding or storing a hash of the certificate may be a bit of a pain... especially when you need to update it. Maybe we can store multiple and simply choose one from a set during the initial communication; this way we can simply red-flag those certs that we no longer need or want to use, and this way we can have certs of different strengths and types. – Samy Vilar Jul 13 '12 at 20:27
  • I see, could you please supply me a link or something that would help me start working on that? – idish Jul 13 '12 at 20:38
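Putting the two halves of this thread together (a self-signed server certificate, and a client that explicitly knows that one certificate rather than trusting a CA, as Bruno describes), here is an added C# example that is not from the question or any answer. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ for `CertificateRequest`; the class name `ChatTls` and the pin value are hypothetical, and the pin must be the SHA-256 fingerprint of your own server certificate.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChatTls   // hypothetical helper class, not from the page
{
    // Server side: build a self-signed certificate in code (needs .NET Framework 4.7.2+
    // or .NET Core 2.0+), instead of shelling out to makecert/openssl.
    public static X509Certificate2 CreateSelfSignedServerCert(string hostName)
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + hostName, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(hostName);
            req.CertificateExtensions.Add(san.Build());
            X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
            // Round-trip through PFX so SslStream can use the private key on Windows.
            return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null,
                X509KeyStorageFlags.Exportable);
        }
    }

    // SHA-256 over the DER bytes of the certificate: this is the value the client pins.
    public static string Sha256Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }

    // Client side: accept exactly the pinned certificate and nothing else. Chain errors
    // are expected for a self-signed cert, so the pin alone decides; a wrong or missing
    // certificate makes the handshake fail (SslStream throws AuthenticationException).
    public static RemoteCertificateValidationCallback PinnedTo(string expectedSha256Hex)
    {
        return (sender, certificate, chain, errors) =>
            certificate != null &&
            string.Equals(Sha256Fingerprint(certificate), expectedSha256Hex,
                          StringComparison.OrdinalIgnoreCase);
    }
}
```

On the client, pass `PinnedTo(pin)` as the validation-callback argument of the `SslStream` constructor before calling `AuthenticateAsClient`; on the server, hand the certificate from `CreateSelfSignedServerCert` to `AuthenticateAsServer`. Rotating the certificate means shipping a new pin, which is the maintenance cost Samy Vilar's comment refers to.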
4

These guys http://www.cacert.org/ have been giving away free certificates for years.

Vlad
  • Will their certificate make my application pass Windows 10 security scrutiny so it won't pop up the dialog asking for permission every time my application is launched? – Wayne Lo Nov 03 '18 at 17:04
  • I think the PEM chain shows that the top most signing authority here is called `CA Cert Signing Authority`, but that is not a recognized root CA from my browser or OS. So I think these won't be widely accepted. – Orun Apr 19 '23 at 22:51
1

Read through this for clarity. You can sign your public key using Symantec's Verisign service. It is definitely not cheap. For testing, you can make your own certificate using a dummy CA.

user845279