Secure WebSocket access as well as HTTPS access

Hello,

I have 2 things to secure with a valid public SSL certificate:

  • A web site (HTTPS)
  • A WebSocket access on the same server (other port)

I expect to be able to issue a certificate for my HTTPS access fairly easily with “Certify the web”.
Will I be able to get the same certificate to protect the WebSocket access?
Did someone do that already and have some advice for me?

Thx for your help

Cheers
Christophe

I haven’t used the technology directly, yet… but my understanding is that the negotiation of a websocket first happens over HTTP. Once the negotiation is complete, it becomes a websocket. Just as HTTP can be secured with SSL/TLS to make it HTTPS, WS when negotiated over HTTPS is WSS.

So a server would presumably use the exact same certificate since web traffic and websocket data both happen through the same negotiation. WSS would typically happen on port 443… but just with HTTPS, you can tell the server to use other ports and thus you could have two different servers on different ports, one for web traffic and one for websocket connections.

You’d need to explain what type of server you’re using to say much more on the subject.

Interesting question! I’m assuming your web socket service is using the built-in WebSocket protocol extension for IIS?

jijtr = you are right, it could be, but my websocket server is not hosted through IIS or another http server

I am using the “websocketsharp” tool that has a server object that I host in a standalone Windows service.
At startup the class needs a certificate file = as another web server would when it starts with HTTPS.

So I guess that my question is =
How can I automatically extract the SSL certificate from the store and serialize it in a file to be used by my websocket service?

or

How do I have “certifytheweb” generate my certificate in a file that I can use with my websocket service and have it automatically imported in the Windows cert store so my web site uses it also?

thx for your answers

Cheers
Christophe

I can’t verify that websocket-sharp uses HTTP.SYS to share web ports… but I assume you know already what name/port your components use.

You still haven’t mentioned what webserver you’re using… just that you have one that isn’t related to the websocket-sharp Windows service.

Anyways, if your webserver uses HTTP.SYS (such as IIS), Certify can share that domain name on port 80 if it is already in-use and generate your certificate. If your webserver is not using HTTP.SYS and is also using port 80, the best Certify can do is place folder/files where you claim your webroot is.

Depending on what you tell Certify to do, it will put a copy of the certificate in the store and it also saves the PFX to a filestore (C:\ProgramData\Certify\certes\assets\pfx\). You’ll have to use a powershell script to grab it as the filename changes every issuance.

yes it's IIS

I managed to have the certificate generated and registered in the Windows store,
then I exported it in PKCS12 format (PFX),
and then had it loaded in the websocket-sharp server
=> seems to be working

now to automate the process, I have to find where the file created by certifytheweb is stored and move it where I need it = I will have a look tomorrow in the folder you said

Thx
Christophe

You can use a post-request script like the following:

param($result)   # Certify passes the renewal result object to the post-request script

$destFile = "C:\path\to\your\service\cert name.pfx"   # set this destination
$svcName = "yourservicename"                          # set this service name

Write-Output "Name: $($result.ManagedItem.Name)"
if ($result.IsSuccess)
{
    Write-Output "Message:  $($result.Message)"
    Write-Output "CertPath: $($result.ManagedItem.CertificatePath)"
    Write-Output "Thumb:    $($result.ManagedItem.CertificateThumbprintHash)"
    # Copy the freshly issued PFX (its filename changes every issuance) to a fixed path
    Copy-Item $result.ManagedItem.CertificatePath $destFile
    # Restart the service so it reloads the new certificate
    net stop $svcName
    net start $svcName
}
else
{
    Write-Output 'Failed...'
    Write-Output $result.Message
}

For general scripting info, please also see https://docs.certifytheweb.com/docs/script-hooks

To work with the current PFX file without exporting it manually, look at Show Advanced Options > Other Options, that shows the path to the current PFX file.

But yes, a script like the one above would be the simplest way to just copy it (or convert it) to the file you need and optionally restart the service if required.
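A more defensive variant of the post-request script, added here as an example (not code from the original thread or from the Certify the Web project). It uses the same $result fields the script above relies on (IsSuccess, Message, ManagedItem.CertificatePath, ManagedItem.CertificateThumbprintHash), but before deploying it checks that the PFX on disk really carries the thumbprint Certify reports and a private key, copies it via a temporary name so the service never reads a half-written file, and tightens the file ACL because the PFX contains the private key. The destination path, service name, service account and the assumption that Certify's stored PFX has an empty password are placeholders/assumptions to adjust for your environment.

```powershell
param($result)   # renewal result object passed in by Certify

# Assumed values: adjust to your environment.
$destFile    = 'C:\path\to\your\service\websocket.pfx'  # where websocket-sharp expects the PFX
$svcName     = 'yourservicename'                         # Windows service hosting the WebSocket server
$svcAccount  = "NT SERVICE\$svcName"                     # assumption: service runs as a virtual account
$pfxPassword = ''                                        # assumption: Certify's stored PFX has no password

if (-not $result.IsSuccess) {
    Write-Output "Renewal failed: $($result.Message)"
    exit 1
}

$srcFile       = $result.ManagedItem.CertificatePath
$expectedThumb = $result.ManagedItem.CertificateThumbprintHash

# Load the PFX and confirm it is the certificate Certify says it just issued.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($srcFile, $pfxPassword)
if ($cert.Thumbprint -ne $expectedThumb) {
    Write-Output "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expectedThumb"
    exit 1
}
if (-not $cert.HasPrivateKey) {
    Write-Output 'PFX has no private key; refusing to deploy it'
    exit 1
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Output "Certificate already expired on $($cert.NotAfter); refusing to deploy it"
    exit 1
}

# Write to a temporary name, then swap it into place, so the service never sees a partial file.
$tmpFile = "$destFile.tmp"
Copy-Item -Path $srcFile -Destination $tmpFile -Force
Move-Item -Path $tmpFile -Destination $destFile -Force

# The PFX holds the private key: drop inherited ACEs and grant only SYSTEM, Administrators
# and the service account (read-only for the service).
$acl = Get-Acl -Path $destFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Id = $svcAccount;               Rights = 'Read' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $destFile -AclObject $acl

# Restart the service so websocket-sharp reloads the new certificate.
Restart-Service -Name $svcName -Force
Write-Output "Deployed $expectedThumb to $destFile and restarted $svcName"
```

The thumbprint check guards against copying a stale or wrong file if the CertificatePath ever points somewhere unexpected, and the ACL step matters because the Certify assets folder is readable by administrators only while your service directory may not be; after the first run, confirm with `Get-Acl` that only the intended identities can read the PFX.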

Thx a lot

I had my WebSocket server working with the PFX I extracted.
I am definitely going to use your advice to create a post-generation script.

Many thanks
Christophe