Someone recently asked me at the last Silverlight UK User Group whether communication between Silverlight and a web service can be secured. Silverlight is a plug-in that runs in the context of the browser, so it only supports the HTTP protocol, but this does include HTTPS too.
So first off, we’ll need to add a service binding. If you have an HTTPS service already set up, adding a service reference will do all the hard work for you; otherwise you’ll need to specify:
<bindings>
  <basicHttpBinding>
    <binding name="MySecuredService">
      <security mode="Transport" />
    </binding>
  </basicHttpBinding>
</bindings>

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
The line of interest is <domain uri="http://*"/> which allows access to an HTTPS service from an HTTP application (normally this is omitted).
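As an added example (not from the original post), this Python sketch audits a clientaccesspolicy.xml body for the broad grants in the policy above and compares it with a constructed narrower variant. The origin http://app.example.test, the /Services/ path and the SOAPAction-only header list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The policy shown on this page (XML declaration omitted for brevity).
PAGE_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*">
    <domain uri="*"/>
    <domain uri="http://*"/>
  </allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# Constructed narrower variant: one named HTTP caller (hypothetical host),
# one request header, one service path (hypothetical).
TIGHT_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction">
    <domain uri="http://app.example.test"/>
  </allow-from>
  <grant-to><resource path="/Services/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def audit_policy(xml_text):
    """Return a sorted list of finding codes for a clientaccesspolicy.xml body."""
    findings = set()
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for allow in policy.iter("allow-from"):
            # "*" lets callers send any request header to the service.
            if allow.get("http-request-headers", "").strip() == "*":
                findings.add("ANY_REQUEST_HEADER")
            for domain in allow.iter("domain"):
                uri = domain.get("uri", "").strip().lower()
                if uri == "*" or uri.endswith("://*"):
                    findings.add("WILDCARD_ORIGIN")
                # The calling application itself is loaded over plain HTTP.
                if uri.startswith("http://"):
                    findings.add("PLAIN_HTTP_ORIGIN")
        for res in policy.iter("resource"):
            whole = res.get("include-subpaths", "").lower() == "true"
            if res.get("path") == "/" and whole:
                findings.add("WHOLE_SITE_GRANTED")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_policy(text))
```

The narrower variant still reports PLAIN_HTTP_ORIGIN, because the HTTP-to-HTTPS case this post describes requires naming an http:// caller.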


Now, take note of the new website’s ID; you can find this out by clicking on the Sites node in IIS Manager. The reason I point it out is that you may have many other websites running and the SSL certificate can only be set against one of these sites.
Open up a command prompt (as an administrator if you’ve got UAC turned on) and run the SelfSSL command:
SelfSSL /N:CN=<your domain name> /V:<number of days till expiry> /S:<site id>
Thus, continuing my example:
SelfSSL /N:CN=www.mytest.com /V:365 /S:2
The command prompt will just state that a certificate was successfully assigned, but we can check this by looking at the Server Certificates panel in IIS Manager (click the Root node and then Server Certificates in the IIS section). Note that this is different to creating a self-signed certificate in the IIS7 Manager which creates a certificate issued by your computer’s name instead.
Although we have a self-signed certificate, it is still not trusted and we’ll get the following certificate error, which can be overridden by the user when browsing to the site. However, we’re now in good stead, since we’ve a certificate issued by a domain name that can be configured to be trusted.
So, going back to the Server Certificates panel, select the certificate just generated and click Export in the actions pane.
An export certificate dialog will appear; fill in the destination for the certificate and a password (make it really secure if you want to use this for a live website). Note: give the destination file a pfx extension so that Windows recognises this as an exported certificate file.
Now, if this was a shared web server, you can pass the certificate to all those users that want to access the HTTPS services from the specified domain name. Open a command prompt (as an administrator if you have UAC enabled) and execute the pfx file. This will activate an install certificate wizard.
First step is just an introduction, the second specifies the certificate file we are importing:
The third step requires you to type in the password that was set for this certificate file; accept the defaults for the other options (as shown):
The fourth step is important. Normally, the “Automatically select” option is selected, but to enable this trust across both web pages and web services exposed by our secured server we need to change it. If we did allow Windows to automatically select the certificate store, it would pick a location for which only browsers can utilise the connection – not services. Thus, select the second option – “Place all certificates in the following store” and then click Browse.
Be patient, the wizard may take a little while to open up the certificate stores. Tick the “Show physical stores” option and then select “Trusted Root Certification Authorities”, and then “Local Computer”. Click OK.
Note: if you don’t see “Local Computer” you did not run the wizard as an administrator!
The final step of the wizard is a confirmation for which clicking OK will add the certificate into the certificate store for this computer.
Wow, look at that. Navigating to my default page did not ask me for a certificate, and you’ll find the same for any web service calls: no more untrusted certificate warnings.
Additionally, looking in the IE Options panel, on the Content tab, click Certificates:
Cycle through the tabs till you find the Trusted Root Certification Authorities tab and somewhere in the list should be the certificate we imported.
This process of creating and installing a trusted self-signed certificate does not just apply to Silverlight testing, but is the normal process for adding a certificate for any HTTPS website or web service testing.
Enjoy!
This is a cross post from my EMC blog, mainly for backup duplicity and to aggregate some of my past postings. My EMC blog used to be under the Conchango brand but was acquired by EMC, so I’ve also retrospectively refreshed some of the old links and maybe tweaked a bit of content too.