IT:AD:Certificates:Client:Creating
Summary
Making certs is painful – not because it’s rocket science – but because we don’t do it day in and day out – and we forget things. Here is a list of what I just did to get a client web app to validate against an STS server.
Note that making certs to certify the invokee/client is different from certifying a server's identity for SSL...
Prerequisites
You'll need the Windows SDK (it is where makecert and pvk2pfx live).
Process
//To make certs that can authenticate themselves to servers...
//Preamble: You'll need the SDK btw, so that you can find makecert and pvk2pfx
//One might be used to using IIS7.0's method for creating a self-signed server authentication cert:
ssldiag /s:1 /selfssl /n:"CN=*.xact-solutions.com" /v:1780
//But one shouldn't for this case...(won't produce a cert that is CA capable, only good for SSL)
//Same for the tool that is built into IIS 7.0...(which I would avoid anyway in favour of the command line tool)
//Make a CA
makecert -n "CN=*.xact-solutions.com.FakeCA" -b "01/01/2011" -e "01/01/2015" -sky exchange -sv xact-solutions.com.FakeCA.pvk -sr LocalMachine -ss Root -r -pe xact-solutions.com.FakeCA.cer
//Once you have both files, you could import the CER into Certificates.mmc, but it would leave behind the private key.
//So combine the two into a Public/Private key package:
pvk2pfx -pvk "xact-solutions.com.FakeCA.pvk" -spc "xact-solutions.com.FakeCA.cer" -pfx "xact-solutions.com.FakeCA.pfx"
//Import that into the Root of the workstation on which you will be generating other certs.
//Note:
//For the local station's Identities to have rights to the private key, the imported cert has to be copied from Root to My folder
//Then right click, give rights to account -- eg: IIS Svc.AP account.
//That done, one can go ahead and create other certs, such as this one to authenticate a client (hence EKU being what it is -- see http://skysigal.xact-solutions.com/Blog/tabid/427/entryid/1211/Make-Love-Make-Certs.aspx)
makecert.exe -n "CN=client.xact-solutions.com" -sky exchange -b "01/01/2011" -e "01/01/2016" -ir LocalMachine -is Root -in "*.xact-solutions.com.FakeCA" -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3 -pe -sr LocalMachine -ss Root -sv "client.xact-solutions.com.pvk" "client.xact-solutions.com.cer"
//For the app to sign, it has to have rights to the pvk.
//That means we have to import not just cer, but pvk, in one go.
//To do that, we have to combine them
pvk2pfx -pvk "client.xact-solutions.com.pvk" -spc "client.xact-solutions.com.cer" -pfx "client.xact-solutions.com.pfx"
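Once the client .pfx is imported, the things that usually go wrong are: the private key did not come along, the EKUs are not the ones passed to makecert, the chain to the FakeCA does not build, or the service account cannot read the key container. The following PowerShell check is an added example, not part of the original page; it assumes the client .pfx was imported into LocalMachine\My, the FakeCA into LocalMachine\Root, and uses a placeholder app pool identity in place of the "IIS Svc.AP account".

```powershell
# Post-import checks for the client cert created above (added example, not from the page).
# Assumptions: client.xact-solutions.com.pfx imported into LocalMachine\My, the FakeCA into
# LocalMachine\Root, and $account is a placeholder for the real service account.
$subject      = 'CN=client.xact-solutions.com'
$expectedEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.3')   # Client Authentication, Code Signing
$account      = 'IIS APPPOOL\DefaultAppPool'                  # placeholder account name

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

# 1. The .pfx, not just the .cer, must have been imported, or the app cannot sign.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key: import the .pfx, not the .cer' }

# 2. The EKUs must be exactly the OIDs handed to makecert -eku.
$actualEkus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$missing    = @($expectedEkus | Where-Object { $_ -notin $actualEkus })
if ($missing.Count -gt 0) { throw "Missing EKU(s): $($missing -join ', ')" }

# 3. The cert must chain to the FakeCA in Root; makecert certs carry no CRL, so skip revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain did not build: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Chain OK, root = $($root.Subject)"

# 4. The service account needs Read on the key container (the "give rights to account" step).
#    makecert -sky exchange creates a CAPI key, so the container is a file under MachineKeys.
$keyName  = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath  = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$readBit  = [System.Security.AccessControl.FileSystemRights]::Read
$readAce  = Get-Acl $keyPath | Select-Object -ExpandProperty Access |
            Where-Object { $_.IdentityReference.Value -eq $account -and
                           $_.AccessControlType -eq 'Allow' -and
                           (($_.FileSystemRights -band $readBit) -ne 0) }
if ($readAce) { Write-Host "$account can read the private key ($keyPath)" }
else          { Write-Warning "$account has no Read ACE on $keyPath; grant it via Manage Private Keys" }
```

Run it in an elevated PowerShell on the machine that hosts the app; each failed check names the step above that was skipped.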
Resources
- Src: SS