By giuseppe on Jan 22, 2010
Since I rarely need to create self-signed certificates, I typically forget the necessary steps. So perhaps this entry is more for my own use, but it may be useful to somebody else out there.
In order to set up IIS with a self-signed certificate to be used by your .NET application, the following steps are needed:
- Download Prerequisite Software
- Create the Self-Signed Certificate
- Assemble the Personal Information Exchange File
- Import into the Key Store
- Set the Permissions
- Test it out
Before I get into the details, you should download this required software:
- makecert.exe, the utility that generates your self-signed certificate. It is found in the Windows SDK.
- pvk2pfx.exe, a second utility that copies your public key and private key information into a .pfx file (Personal Information Exchange) for use with signing. It is also found in the Windows SDK.
- winhttpcertcfg.exe, required for Windows 2003 users to set the private key permissions correctly.
From the command line help for makecert:
| Option | Description |
|---|---|
| -r | Create a self signed certificate |
| -a <algorithm> | The signature algorithm. <md5\|sha1> (Default to 'md5') |
| -pe | Mark generated private key as exportable |
| -n <X509name> | Certificate subject X500 name (eg: CN=Fred Dews) |
| -sky <keytype> | Subject key type <signature\|exchange\|<integer>>. |
| -sv <pvkFile> | Subject's PVK file; To be created if not present |
Note that the default signature algorithm is md5, which is broken for signatures, so always pass -a explicitly (sha1 here; later SDK versions also accept sha256). Given the above, here's an example of how I created a certificate:
makecert -r -a sha1 -pe -n "CN=Fedlet" -sky exchange -sv fedlet.pvk fedlet.cer
Hmmm... can you see where I'm going with this in the near future? :)
From the command line help for pvk2pfx:
| Option | Description |
|---|---|
| -pvk <pvk-file> | input PVK file name. |
| -spc <spc-file> | input SPC file name. |
| -pfx <pfx-file> | output PFX file name. |
Using the above, let's continue with our example:
pvk2pfx -pvk fedlet.pvk -spc fedlet.cer -pfx fedlet.pfx
At this point, we have the .pfx file we need to import into our key store. pvk2pfx will prompt for the password you gave the .pvk file when makecert created it (or pass it with -pi); unless you set a separate one with -po, the .pfx is protected with that same password, so keep it somewhere safe, since the file now contains the private key.
The Microsoft Management Console (mmc.exe) has a snap-in called "Certificates" which we'll use to import the public/private key pair into the appropriate key store.
- Start MMC
- Add the Certificates snap-in. Be sure to specify Computer account for managing certificates; a User account store is invisible to the IIS worker process.
- Navigate to Certificates (Local Computer) > Personal.
- Within the menu, choose Action > All Tasks > Import...
- Specify your .pfx file (for example, fedlet.pfx), enter its password, and click Finish.
- Provide a friendly name for this certificate by viewing its properties and entering a value (for example, Fedlet). This is the alias the application will use to look the certificate up.
Once your public/private key pair is in the local machine's Personal store, you have to ensure that Internet Information Services (IIS), or more precisely the account the application pool runs as, can read the private key.
For Windows Vista and 2008:
- Within MMC, select the certificate and choose Action > All Tasks > Manage Private Keys...
- Add the NETWORK SERVICE user account and allow Read permission only; Full Control is not needed. If your application pool runs under a different identity (for example, IIS AppPool\<poolname> on IIS 7.5), grant that account instead.
For Windows 2003:
- Run the command line utility winhttpcertcfg.exe mentioned earlier: -g grants access, -c names the store, -s matches the certificate's subject name and -a names the account.
For our example, we would run it as follows:
winhttpcertcfg -g -c LOCAL_MACHINE\MY -s Fedlet -a "Network Service"
Now that you've done all that, how do you know it works? The latest nightly builds of the .NET Fedlet include an export metadata feature that outputs your metadata; if the extended metadata specifies the friendly name you just set as the signing certificate alias, the export will also include the public key and sign the XML.
To try it out:
At this point, you should see metadata similar to what is defined in sp.xml, but now with the additional signing key information and the XML signed, confirming that your self-signed certificate is good to go for testing.
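As an added example (not part of the original post, and not Fedlet project code), here is the whole procedure above scripted in PowerShell, with a final check that does not depend on the Fedlet: it looks the certificate up by friendly name the way an application would, confirms the private key came along, grants the worker account Read on the key container file (which is what "Manage Private Keys..." and winhttpcertcfg -g do under the hood), and signs and verifies a test message. It assumes makecert.exe and pvk2pfx.exe from the Windows SDK are on PATH, an elevated prompt, that the pool runs as NETWORK SERVICE, and the passwords and the "Fedlet" alias used below are placeholders.

```powershell
# Added example, not from the original post. Assumes makecert.exe and
# pvk2pfx.exe (Windows SDK) are on PATH and that this runs elevated.
# Passwords, file names and the 'Fedlet' alias are assumptions.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security

$friendlyName = 'Fedlet'                        # alias the application looks up
$pvkPassword  = 'ChangeMe-PvkPass'              # makecert asks for it in a dialog
$pfxPassword  = 'ChangeMe-PfxPass'
$principal    = 'NT AUTHORITY\NETWORK SERVICE'  # application pool identity (assumed)

# 1. Self-signed certificate plus private key. -a sha1 overrides the md5
#    default and -len 2048 the 1024-bit RSA default. makecert pops a dialog
#    for the new .pvk password: type $pvkPassword there so step 2 can open it.
& makecert -r -a sha1 -len 2048 -pe -n 'CN=Fedlet' -sky exchange -sv fedlet.pvk fedlet.cer

# 2. Combine the public certificate and the private key into a protected PFX.
& pvk2pfx -pvk fedlet.pvk -pi $pvkPassword -spc fedlet.cer -pfx fedlet.pfx -po $pfxPassword -f

# 3. Import into LocalMachine\Personal. MachineKeySet keeps the key in the
#    machine key store instead of the importing user's profile.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet -bor $ksf::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList (Resolve-Path fedlet.pfx).Path, $pfxPassword, $flags
$cert.FriendlyName = $friendlyName
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 4. Grant the worker account Read (not Full Control) on the key container
#    file. CommonApplicationData is ProgramData on Vista+ and
#    "All Users\Application Data" on Windows 2003.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 5. Test it out: find the certificate by friendly name, make sure the private
#    key is attached, then sign and verify a constructed message.
$store.Open('ReadOnly')
$found = $store.Certificates | Where-Object { $_.FriendlyName -eq $friendlyName } | Select-Object -First 1
$store.Close()
if (-not $found)                { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }
if (-not $found.HasPrivateKey)  { throw 'Certificate was imported without its private key' }

$data = [System.Text.Encoding]::UTF8.GetBytes('constructed test message')
$sig  = $found.PrivateKey.SignData($data, 'SHA1')
$pub  = [System.Security.Cryptography.RSACryptoServiceProvider]$found.PublicKey.Key
$ok   = $pub.VerifyData($data, 'SHA1', $sig)
"Signature verifies: $ok; $principal now has Read on $keyFile"
```

Step 5 only proves the key is present and usable from the elevated session; to be sure the pool identity itself can read it, run the same lookup and SignData call from inside the application (or temporarily start a PowerShell process as that account) after the ACL change.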