When using SSL and you want to restrict which client certificates are accepted, you set up a Certificate Trust List (CTL) for the listener port. In the CTL you define which issuers to trust. CTLs are very low level and are used during the initial SSL handshake: if the incoming certificate does not chain to one of the listed issuers, the connection is refused at the protocol level, before any application code ever sees it.
The whole process is straightforward if you are hosting in IIS: simply edit the “Secure Communication” settings for the site. Since SSL (and thus the CTL) is bound to the IP address and TCP port rather than to a URL, you can only edit these settings at the site level; the CTL applies to the whole endpoint, not to individual virtual directories.
When self-hosting, you have to do the following:
- Define the CTL. In the SDK you can find a tool called MakeCTL.exe which helps you with that. At the end of the wizard, MakeCTL lets you store the CTL in the Windows certificate store. You will get a GUID as the identifier for the stored CTL.
- Use httpcfg.exe or netsh.exe (on Vista/Server 2008 and later) to assign the CTL from the store to the SSL endpoint. You need that GUID here again, together with the name of the store you saved the CTL to, to make the link.
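As an added example (not code from the original post), the following PowerShell script performs the second step with netsh on Vista/Server 2008 and later. It assumes the CTL has already been created with MakeCTL.exe and saved to the machine's "Trust" store under the identifier in `$CtlId`; the thumbprint, application GUID, CTL identifier and store name are placeholders that you must replace with your own values.

```powershell
# Added example, not part of the original post: bind an existing CTL to a
# self-hosted HTTPS endpoint with netsh and verify the binding afterwards.
# All values below are placeholders (assumptions), replace them with yours:
#   $CertHash - SHA-1 thumbprint of the server certificate in LocalMachine\My
#   $AppId    - any GUID that identifies your application to HTTP.SYS
#   $CtlId    - the list identifier (GUID) MakeCTL assigned to the CTL
#   $CtlStore - the certificate store MakeCTL wrote the CTL into
param(
    [string]$IpPort   = '0.0.0.0:443',
    [string]$CertHash = '0000000000000000000000000000000000000000',
    [string]$AppId    = '{00000000-0000-0000-0000-000000000001}',
    [string]$CtlId    = '{00000000-0000-0000-0000-000000000002}',
    [string]$CtlStore = 'Trust'
)

# Fail early if the server certificate is not in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertHash }
if (-not $cert) {
    throw "No certificate with thumbprint $CertHash in LocalMachine\My"
}

# netsh refuses to add a second binding for the same ip:port, so drop an
# existing one first (errors are ignored when there is none).
netsh http delete sslcert ipport=$IpPort 2>&1 | Out-Null

# Create the binding. clientcertnegotiation=enable makes HTTP.SYS ask for a
# client certificate during the handshake; sslctlidentifier/sslctlstorename
# point it at the CTL, so only certificates chaining to an issuer in that
# list get past the handshake at all.
netsh http add sslcert ipport=$IpPort certhash=$CertHash appid=$AppId `
    certstorename=MY clientcertnegotiation=enable `
    sslctlidentifier=$CtlId sslctlstorename=$CtlStore
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed for $IpPort"
}

# Show the binding; the output should list the CTL identifier and store name
# next to the certificate hash and application ID.
netsh http show sslcert ipport=$IpPort
```

Run the script from an elevated prompt, since changing HTTP.SYS SSL bindings requires administrator rights. Because the binding is per IP:port, every self-hosted service listening on that endpoint gets the same CTL; keep that in mind when several services share a port.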
While this is the “right” way of restricting trust with transport security, it costs you some additional deployment steps. In the next post I show you a way that is security mode independent, but also slightly less efficient.