Enabling HTTPS with self-hosted ASP.NET Web API

In a previous post, I showed how to  self-host ASP.NET Web API. This post shows how to change that example in order to enable HTTPS support.

  1. On an elevated console (“Run as administrator”), execute “netsh http add urlacl url=https://+:4443/ user=<your user name>”, to allow the running user to listen on port 4443 using HTTPS (note the use of ‘https’ instead of ‘http’ in the above command).
  2. Also on an elevated console, register the server certificate by running

    netsh http add sslcert ipport= certhash=thumbprint appid={app-guid} where

    • port is the listening port (e.g. 4443); the special IP address matches any IP address for the local machine;
    • thumbprint is the certificate’s SHA-1 hash, represented in hexadecimal;
    • app-guid is any GUID (e.g. {00000000-0000-0000-0000-000000000000}) , used to identity the owning application.
  3. In the previous post’s Main method, replace the HttpSelfHostConfiguration class with the new MyHttpsSelfHostConfiguration class, containing the following code.
  4. class MyHttpsSelfHostConfiguration : HttpSelfHostConfiguration
        public MyHttpsSelfHostConfiguration(string baseAddress) : base(baseAddress){}
        public MyHttpsSelfHostConfiguration(Uri baseAddress) : base(baseAddress){}
        protected override BindingParameterCollection OnConfigureBinding(HttpBinding httpBinding)
            httpBinding.Security.Mode = HttpBindingSecurityMode.Transport;
            return base.OnConfigureBinding(httpBinding);
  5. Change the base address passed to the MyHttpsSelfHostConfiguration constructor: var config = new MyHttpsSelfHostConfiguration(“https://localhost:4443&#8221;);
  6. Run the program, open a browser and access https://localhost:4443/helloimage

That’s it: you now have a self-hosted ASP.NET Web API server, using the secure HTTPS protocol.

18 thoughts on “Enabling HTTPS with self-hosted ASP.NET Web API

  1. ray2k

    Thank you for posting this and being so clear. It allowed me to not only get self-hosted webapi working under ssl but also nancy and servicestack endpoints (which use HttpListener).

  2. RichM

    Thanks for the article. Works like a champ!

    Any reason in your example you chose to bind to port 4443 instead of 443, which I thought was the standard port for the HTTPS protocol?

    1. pedrofelix Post author

      Yes, 443 is the standard HTTPS, which is typically in usage by IIS on my dev. machine. This why I chose 4443 for the self host demo.
      Glad you liked.

  3. chuck

    Does that then mean that when you deploy your app you need to
    A. Programmatically execute (or part of an MSI install ) the netsh http add sslcert …
    B. the user running this ( or installing the msi ) needs to have administrative rights on the box?

  4. Pingback: Use SSL with Self hosted WebAPI on client side | BlogoSfera

  5. Sandeep Kakumanu

    This does not seems to work on Visual Studion 2012 using .Net 4.5. I am getting an error:

    The type or namespace name ‘BindingParameterCollection’ could not be found (are you missing a using directive or an assembly reference?)

    It looks like the BindingParameterCollection is some internal class that cannot be accessed.

    1. Sandeep Kakumanu

      I did add a reference for System.ServiceModel.Channels and the corresponding using statement. It still throws the same error.

      1. Sandeep Kakumanu

        I got it to work! Actually, we do not need the MyHttpsSelfHostConfiguration override. It turns out that HttpsSelfHostConfiguration automatically enables SSL if we use https://localhost:443 … in the initialization step (var config = new HttpSelfHostConfiguration(“https://localhost:443”);)

  6. Pingback: IIS HTTPS configuration for Team development | Software Engineering

  7. Xiaonan Dong

    I use one self host (as what you config), then send request to the self host , but I could get the certificate from the request . do you know why?

  8. James Reategui

    Is there an update to this? Using the latest nugets get an exception when trying to startup now, doesn’t seem to like the 4.0 version of the system.web.http or something like that. COM Interop error.

  9. david

    the browser complain about the self signed certificate when i try https request. How would we solve that problem?

    1. pedrofelix Post author

      You need to obtain a certificate and private key from a “trusted CA”, such as https://letsencrypt.org. Alternatively, for a dev environment, you can add your CA certificate to the list of Window’s trusted certificates.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s