How to Configure OWIN Self-hosted Web Application with SSL

An SSL certificate is required to allow a web application to serve HTTPS traffic. Usually, a self-signed SSL certificate is enough to implement HTTPS.

Modern browsers present an error, pointing out to the user that the SSL certificate is not trusted (because it is not in the set of trusted root certificates on the machine).

The user (who is most likely a developer) can add an exception to the browser and continue on to the web application via HTTPS.

A problem arises when accessing such a web application secured by a self-signed SSL certificate programmatically. Some web request libraries do not surface the certificate security error, thereby causing problems.

The method in this article adds the self-signed SSL certificate to the trusted certificates store on Windows. Afterwards, the self-signed SSL certificate will be fully trusted on the machine. It should be noted that this self-signed SSL certificate will only be trusted on this machine, and not be trusted in general, because, of course, real SSL certificates are issued by actual Certificate Authorities.

I recently had to create a self-hosted web application using OWIN, and had to configure it to serve HTTPS traffic.

Here's how I did it.

Create a self-signed certificate using IIS

Start IIS Manager and select the top-level node representing the machine itself.

Go into Server Certificates section.

Click on Create Self-Signed Certificate... on the right-side panel.

Specify a friendly-name for the certificate that you are creating.

Install self-signed certificate into Trusted Root Certification Authorities

Ensure that the newly created self-signed certificate is present in the Trusted Root Certification Authorities certificate store.

Configure the machine to serve SSL

Copy the Thumbprint value of the certificate and remove all spaces from it (you can use Notepad for that).

Copy the Application ID from the data output by the following command:

netsh http show sslcert

NB: Some of the output has been clipped to reduce the size.

IP:port                 :
Certificate Hash        : 9aabf51a7686248ec48a4997f95e89bc9e9e366d
Application ID          : {214124cd-d05b-4309-9af9-9caa44b2b74a}
Certificate Store Name  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

Issue the following commands in a Command Prompt with elevated privileges (you get that by using the Run As Administrator option).

C:\> netsh http add urlacl url=https://+:443/ user=Everyone

C:\> netsh http add sslcert ipport= certhash=1324fab6c9d0501d9e7ada935c7066ac13821acd appid={214124cd-d05b-4309-9af9-9caa44b2b74a}

That should be it.

Thanks for reading!