SSL/TLS certificate pinning


I've been researching how to do SSL pinning for our UWP/WPF - MSIX app to secure the server communication.
Can somebody help me understand how MSIX plays into this? I have configured the packaging project with

<Extension Category="windows.certificates">
    <Certificates>
        <Certificate StoreName="root" Content="trustid-x3-root.cer"/>
        <Certificate StoreName="root" Content="isrgrootx1.cer"/>
        <TrustFlags ExclusiveTrust="true"/>
    </Certificates>
</Extension>

From my reading of the documentation, this should/could replace the machine trusted certificate store with only the two certificates that I have provided?
This does not seem to work, neither for my packaged WPF app nor for the packaged UWP app.
Any advice? Am I doing it wrong, or is this not something MSIX can help me with?
1 Reply

Hi @marvin_r,
Can you provide more details on what's not working, are you still able to connect to servers without those certs or are you getting an error when trying to connect?
Just some quick checks:

  • Make sure the public keys of the certs you're referencing are available in your package.
  • Make sure the server you're connecting to has the certs you specify in the trust chain.

Have a look at these docs for more guidance (the first link also includes using code checks as an option):

  • https://docs.microsoft.com/en-us/previous-versions/windows/apps/hh465031(v=win.10)
  • https://docs.microsoft.com/en-us/previous-versions/windows/apps/hh465019(v=win.10)

Cheers,

Tanaka
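The "code checks" option the reply mentions, as an added C# example that is not part of the original thread: the app still lets the platform validate the chain, then additionally requires that one certificate in that chain carries a pinned public key. It assumes .NET 5 or later (for ExportSubjectPublicKeyInfo) and System.Net.Http; the pin values are placeholders to be replaced with hashes computed from your own CA certificates.

```csharp
// Added example, not from the original post. Assumes .NET 5+ and System.Net.Http.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttp
{
    // Base64 SHA-256 hashes of the SubjectPublicKeyInfo of the CA certificates we
    // accept in the chain. PLACEHOLDER values: compute real ones with SpkiHash().
    private static readonly HashSet<string> PinnedSpkiHashes = new HashSet<string>
    {
        "PLACEHOLDER_BASE64_SPKI_HASH_OF_PRIMARY_ROOT",
        "PLACEHOLDER_BASE64_SPKI_HASH_OF_BACKUP_CA",
    };

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo. Pinning the key rather
    // than the whole certificate survives renewals that keep the same key pair.
    public static string SpkiHash(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(spki));
    }

    // True only if the platform already validated the chain (no policy errors)
    // AND at least one certificate in that chain matches a pinned key. A chain
    // that is valid but anchored at an unexpected CA is refused.
    public static bool ChainIsPinned(X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || chain == null) return false;
        foreach (X509ChainElement element in chain.ChainElements)
            if (PinnedSpkiHashes.Contains(SpkiHash(element.Certificate))) return true;
        return false;
    }

    // HttpClient whose connections fail unless ChainIsPinned accepts the server.
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => ChainIsPinned(chain, errors);
        return new HttpClient(handler);
    }
}
```

Keep at least one backup pin for a CA you do not currently use, so a CA change on the server side can be rolled out without locking out installed app versions.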