Certifiable

Since I rarely need to create self-signed certificates, I typically forget the necessary steps. So perhaps this entry is more for my own use, but it may be useful to somebody else out there.

General Overview

In order to set up IIS with a self-signed certificate to be used by your .NET application, the following steps are needed:

  1. Download Pre-requisite Software
  2. Create the Self-Signed Certificate
  3. Assemble the Personal Information Exchange File
  4. Import into the Key Store
  5. Set the Permissions
  6. Test it out

Pre-requisite Software

Before I get into the details, you should download the following required software:

makecert
Utility that generates the self-signed certificate. Found in the Windows SDK.
pvk2pfx
Utility that combines the public certificate and the private key into a .pfx (Personal Information Exchange) file, which is what the key store imports. Also found in the Windows SDK.
winhttpcertcfg
Utility needed on Windows Server 2003 to grant the IIS worker process access to the private key. It ships with the Windows Server 2003 Resource Kit Tools.

Create Self-Signed Certificate

From the command line help for makecert:

-r Create a self signed certificate
-a <algorithm> The signature algorithm. <md5|sha1> (Default to 'md5')
-pe Mark generated private key as exportable
-n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
-sky <keytype> Subject key type <signature|exchange|<integer>>.
-sv <pvkFile> Subject's PVK file; To be created if not present

Given the above, here's an example of how I created a certificate:

makecert -r -a sha1 -pe -n "CN=Fedlet" -sky exchange -sv fedlet.pvk fedlet.cer

Two notes on the switches. -pe marks the private key exportable, which is what lets pvk2pfx bundle it in the next step. The -a choices this version of makecert offers, md5 and sha1, are both considered weak signature algorithms today; the makecert in a current Windows SDK also accepts -a sha256, and -len 2048 sets a more sensible key size than the default, so prefer those where available. makecert will prompt for a password on the .pvk file; for a test certificate you can decline, but remember whether you set one.

Hmmm... can you see where I'm going with this in the near future? :)

Assemble Personal Information Exchange File

From the command line help for pvk2pfx:

-pvk <pvk-file> input PVK file name.
-spc <spc-file> input SPC file name.
-pfx <pfx-file> output PFX file name.

Using the above, let's continue with our example:

pvk2pfx -pvk fedlet.pvk -spc fedlet.cer -pfx fedlet.pfx

If you set a password on the .pvk when makecert asked for one, pass it with -pi; -po sets a password on the resulting .pfx, which is worth doing because that file now contains the private key. At this point we have the file to import into our key store. Once the import is done, delete the .pvk and .pfx so no copy of the private key is left lying around outside the store.

Import into the Key Store

The Microsoft Management Console (mmc.exe) has a snap-in called "Certificates" which we'll use to import the public/private key pair into the appropriate key store.

  1. Start MMC
  2. Add the Certificates snap-in. Be sure to select Computer account (Local computer), so the certificate lands in the machine store that IIS reads rather than in your own user's store.
  3. Navigate to Certificates (Local Computer) > Personal.
  4. From the menu, choose Action > All Tasks > Import...
  5. Specify your .pfx file (for example, fedlet.pfx), enter its password if you set one, and click Finish.
  6. Provide a friendly name for this certificate by opening its properties and entering a value. This is the name the application will look the certificate up by, so note it exactly.

Setting the Permissions

Once you have your public/private key pair in the local machine's Personal store, you have to ensure Internet Information Services (IIS) can read the private key. Grant only the identity the application pool actually runs under, and grant only Read: the worker process needs to sign with the key, not manage or re-export it.

For Windows Vista and 2008:

  • Within MMC, select the certificate and choose Action > All Tasks > Manage Private Keys...
  • Add the NETWORK SERVICE account (or the application pool's identity, if you changed it from the default) and allow Read permission only

For Windows 2003:

  • Run the command line utility winhttpcertcfg.exe mentioned earlier. Note that -s matches on the certificate subject (the CN you gave makecert), not on the friendly name. For our example, we would run it as follows:

    winhttpcertcfg -g -c LOCAL_MACHINE\My -s Fedlet -a "Network Service"

    The same tool's -l switch, with the same -c and -s arguments, lists the accounts that have access to the key, which is a quick way to confirm the grant took.
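Here, as an added example that is not from the original post or from the Fedlet project, is the same procedure (steps 2 through 5 above) as one PowerShell script: it calls makecert and pvk2pfx as described, imports the .pfx into the Local Computer Personal store with the friendly name set, and grants the application pool identity Read on the private key container, which is what Manage Private Keys (or winhttpcertcfg on 2003) edits under the hood. The subject, file names, PFX password and account name are illustrative assumptions; the script expects makecert and pvk2pfx on PATH and an elevated prompt.

```powershell
# Added example (not the original post's or Fedlet's code): create, bundle, import
# and ACL a self-signed certificate for IIS in one go. Run from an elevated
# PowerShell prompt with the Windows SDK tools (makecert, pvk2pfx) on PATH.
$ErrorActionPreference = 'Stop'

$Subject        = 'CN=Fedlet'                      # assumption: same subject as the post
$BaseName       = 'fedlet'                         # fedlet.pvk / fedlet.cer / fedlet.pfx
$FriendlyName   = 'Fedlet'                         # what the application looks the cert up by
$PfxPassword    = 'change-me'                      # protects the .pfx on disk only
$AppPoolAccount = 'NT AUTHORITY\NETWORK SERVICE'   # use 'IIS AppPool\<name>' for IIS 7.5+ pools

# 1. Self-signed certificate with an exportable private key (-pe is what lets pvk2pfx
#    bundle the key). md5/sha1 are weak; newer makecert accepts -a sha256 and -len 2048.
#    -sy 24 places the key in the AES-capable CSP so it can also produce SHA-256 signatures.
#    makecert pops up a dialog asking for a .pvk password; "None" is fine for a test cert.
& makecert -r -a sha256 -len 2048 -pe -n $Subject -sky exchange -sy 24 `
    -sv "$BaseName.pvk" "$BaseName.cer"

# 2. Public certificate + private key -> PFX. Add -pi <pwd> if you did set a .pvk password.
& pvk2pfx -pvk "$BaseName.pvk" -spc "$BaseName.cer" -pfx "$BaseName.pfx" -po $PfxPassword

# 3. Import into LocalMachine\My (the Personal folder under "Computer account" in MMC).
#    MachineKeySet puts the key in the machine key store; PersistKeySet keeps it after import.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
             (Resolve-Path "$BaseName.pfx").Path, $PfxPassword, $flags)
$cert.FriendlyName = $FriendlyName
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 4. Grant the app pool identity Read on the private key. A CAPI machine key is a file
#    under the machine key store, so this is an ordinary file ACL.
$store.Open('ReadOnly')
$stored = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Select-Object -First 1
$store.Close()
$container = $stored.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                       "Microsoft\Crypto\RSA\MachineKeys\$container"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Check: the account should now appear with Read and nothing broader.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppPoolAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# The .pvk and .pfx hold a copy of the private key outside the store; remove them.
Remove-Item "$BaseName.pvk", "$BaseName.pfx"
```

The ACL step is the one people skip and then chase as a "Keyset does not exist" error at runtime; if you later move the site to a dedicated application pool identity, re-run step 4 with that account rather than widening the grant to Everyone.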

Test it out

Now that you've done all that, how do you know it works? In the latest nightly builds of the .NET Fedlet, you can try the export metadata feature: it outputs your metadata, and if the extended metadata specifies the signing certificate's friendly name as the alias, it also embeds the public key and signs the XML.

To try it out:

  • Download the nightly build of OpenSSO
  • Extract the Fedlet-unconfigured.zip and deploy the Sample App as described in the README
  • Specify the friendly name as the value for signCertAlias in the sp-extended.xml found in the Sample App's App_Data/ folder.
  • Restart the Application Pool associated with your Sample App.
  • From your browser, access the exportmetadata.aspx page within your Sample App. For example:

    http://sp.example.com/exportmetadata.aspx?sign=true

  • At this point, you should see metadata similar to what is defined in sp.xml, but now with the signing key information added and the XML signed, confirming that your self-signed certificate is good to go for testing.
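As an added example, not code from OpenSSO or the Fedlet, the following PowerShell does in miniature what the export-metadata page does, so you can test the certificate before deploying the Sample App: it looks the certificate up by friendly name in LocalMachine\My, confirms the private key is reachable (the step that fails when the permission step was skipped), signs a small constructed metadata document with an enveloped XML signature that carries the certificate in KeyInfo, and verifies the result. Run it under the account the application pool uses (a tool such as psexec can start a prompt as NETWORK SERVICE) to exercise the ACL, or as an administrator just to check the store. The friendly name and the sample entityID are assumptions.

```powershell
# Added example (not OpenSSO/Fedlet code): load the certificate by friendly name from
# the machine store, sign a constructed metadata document, and verify the signature.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security          # SignedXml lives in System.Security.dll

$FriendlyName = 'Fedlet'                        # assumption: the name given in the MMC step

# 1. Look the certificate up the way a server-side app does: by friendly name in LocalMachine\My.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$FriendlyName' has no private key attached" }

# 2. Touching the private key is the real permission check: without Read on the key
#    container this throws (typically CryptographicException: Keyset does not exist).
$signingKey = $cert.PrivateKey
if (-not $signingKey) { throw "Private key exists but is not accessible to $env:USERNAME" }

# 3. A constructed stand-in for sp.xml (only the entityID matters for this test).
$sampleXml = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp.example.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"@
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.LoadXml($sampleXml)

# 4. Enveloped signature over the whole document (Uri ""), with the certificate embedded
#    in KeyInfo/X509Data so consumers receive the public key along with the metadata.
#    SignedXml picks the signature method for the key (RSA-SHA1 on older .NET Framework,
#    RSA-SHA256 from 4.6.2 on); the latter needs the key in an AES-capable CSP.
$signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
$signed.SigningKey = $signingKey
$ref = New-Object System.Security.Cryptography.Xml.Reference
$ref.Uri = ''
$ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
$ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigExcC14NTransform))
$signed.AddReference($ref)
$keyInfo = New-Object System.Security.Cryptography.Xml.KeyInfo
$keyInfo.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($cert)))
$signed.KeyInfo = $keyInfo
$signed.ComputeSignature()
$null = $doc.DocumentElement.AppendChild($doc.ImportNode($signed.GetXml(), $true))

# 5. Verify against the certificate only. verifySignatureOnly=$true skips chain building,
#    which a self-signed test certificate would otherwise fail.
$verifier = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
$sigNode  = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')[0]
$verifier.LoadXml($sigNode)
if (-not $verifier.CheckSignature($cert, $true)) { throw 'Signature did not verify' }

"Signed with $($cert.Subject) ($($cert.Thumbprint)); signature verifies."
$doc.OuterXml
```

If step 1 finds nothing, the certificate went into the wrong store (usually Current User instead of Local Computer); if step 2 throws, the private key ACL is missing for the account you are running as. Both are far cheaper to catch here than through an application pool restart and a browser.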

    Cheers!

    About

    giuseppe
