I want to test SSL connections in an development environment with IIS. For this i need to crate a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.
Doing it with makecert is deprecated now, so I am wondering how to do it with Powershell and the New-SelfSignedCertificate command.
Bonus points if you get the key usage settings right :-)
Note: using the self-signed certificated directly in IIS does not work, since the browser and WCF considers them invalid.
for reference, here is how to do it with makecert:
# create the self signed root certificate
makecert -n "CN=root.lan" -r -sv root.pvk root.cer
# create the certificate for IIS that gets signed with the root certificate
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe
# convert to other formats
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx
The new version of New-SelfSignedCertificate, which included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.
The documentation and the examples could seems still not clear enough for creating two certificates:
one self-signed certificate, which will be used as CA certificate from your example
the second SSL certificate, which signed with the first certificate.
The implementation could be the following (I wrote below the option in multiple lines only to make the text more readable):
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096
-Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE"
-KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10)
-CertStoreLocation "Cert:\CurrentUser\My" -Type Custom
the output will look like
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for usage the certificate for signing. If you forget the value you can find it by CN name
dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"
or by usage certutil.exe -user -store My to display certificates on My store of the current user.
To create SSL certificate and to sign it with respect of previously created certificate one can do for example the following
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org"
-HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048
-KeyUsage KeyEncipherment,DigitalSignature
-CertStoreLocation "cert:\LocalMachine\My"
-Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF
-TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all properties required. It's clear that the values from many from above parameters contains examples only any you have to modify there based on your requirements. I don't describe here some other common steps like importing root certificate in Trusted Root, exporting the certificates and so on. The steps are not the psrt of your main question.
Related
I'm trying to run a react app created with create-react-app template in HTTPS mode:
set SSL_CRT_FILE=.cert/server.pfx&&set HTTPS=true&&npm start
I created this certificate using Power Shell. Although there are lot's of explanations how to run react app with certificate created using OpenSSL, it's not an option for me as I'm not allowed to install OpenSSL on my machine.
Cert creation:
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "localhost" -FriendlyName "MyCert" -NotAfter (Get-Date).AddYears(10)
$pwd = ConvertTo-SecureString -String `my_password' -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\my_react_app\.cert\server.pfx -Password $pwd
Then I imported this certificate to Personal certificates and copied it to Trusted Root Certification Authorities. But when I open the project in browser I'm getting NET::ERR_CERT_AUTHORITY_INVALID
What I'm doing wrong?
p.s.
Exporting as a .cer file also doesn't work:
Export-Certificate -Cert $cert -FilePath C:\my_react_app\.cert\server.cer
The following commands in PowerShell (run as admin) will create a root certificate and its associated trusted certificate:
1. We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
2. We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -FriendlyName "MyCert" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256" -NotAfter (Get-Date).AddYears(10)
3. We copy the thumbprint returned by the last command
4. (If neccesary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002
5. We associate the new certificate with any ip and your port, 3002 for example (the appid value does not matter, is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint
6. Now, you must drag and drop the TestRootCA from the Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.
These commands also resolve the error ERR_CERT_WEAK_SIGNATURE_ALGORITHM returned later by Google Chrome because the certificate is created with SHA256 instead of SHA1
I recently deployed a Dart server application that serves HTTP requests. I wanted to add support for HTTPS so I have been trying to add SSL to the Dart server application.
This answer gives a clear explanation of how to add a self-signing SSL certificate to Dart. However, I want to add an SSL certificate I bought from an SSL provider.
The SSL provider e-mailed my 4 files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - my_domain.crt
I have been trying to figure out how certutil works and how to add these certificates to the certificate database, but I just can't figure it all out.
Anyone with experience enabling a CA SSL certificate in Dart?
SOLVED: Thanks to suggestion in the comments, I solved the issue. This is the gist of my complete setup: https://gist.github.com/stevenroose/e6abde14258971eae982
First of all, you probably have three files generated with openssl for your private key, server certificate and CA certificate. To convert all those into a PKCS12 file, you can use openssl:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CAcert.crt
Then, you can adapt the certutil commands as shown to load you PKCS12 instead of generating new certificates:
certutil -N -d sql:certdb
certutil -A -n mycertnick -i server.crt -t "TCu,Cu,Tuw" -d sql:certdb
certutil -A -n myCA -i CAcert.crt -t "TCu,Cu,Tuw" -d sql:certdb
pk12util -i server.p12 -d sql:certdb
It seems to work with the sample code in the referenced question.
Unfortunately the SSL management in Dart is known to be very lacking.
I reported this many times, with no serious answer from the Dart team.
Star this issue if you want something done about it:
https://code.google.com/p/dart/issues/detail?id=20967
I am trying to make a development certificate chain for myself for some testing for WCF. I'm following the insructions on msdn here: How to: Create Temporary Certificates for Use During Development
Unfortunately the instructions don't work. The private key is not exportable. I have even re-tried it with the "-pe" option to makecert.exe and it still doesn't work. I've tried it while running as an administrator and it doesn't work. In mmc itself when using "export" the first screen where it asks about private keys has the "yes/no" option greyed out, and a message below it that says: "The associated private key is marked as not exportable. Only the certificate can be exported."
Any advice? An updated procedure from MSDN maybe, or another one entirely? All I'm looking for is a cert to use with WCF for some basic testing. This is on Windows 8 Pro, though I doubt that matters.
See this SO answer. I used it for a WCF project a few months ago.
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature).
The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= allow batch command-line to wrap line)
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange).
It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
The issuing certificate is in a file (-ic), as is the key (-iv).
Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
You could always use openssl to create a self-signed certificate, you'd then just import the certificate into the windows certificate store. It's pretty easy to do from the command line:
openssl genrsa -des3 -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
The first line generates the private key and the second line the actual self-signed certificate. There's a Win32 installer available.
For me, it is still to find why option -pe is not working.
Answer given in Make exportable private key with makecert and http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development may help you.
It suggests that to output the private and then generate PFX file using certificate and private key and then import this PFX file.
Try the SSL Diagnostics tool.
You should be able to create your development certificate for IIS without headache:
http://www.softpedia.com/get/Internet/Servers/Server-Tools/SSL-Diagnostics.shtml
And yes, the tool lets you do some diagnostics too.
I read that self-signed certificates suffer from performance issues (for example, here) but which ones exactly? I can guess this can be related to revocation checks or something but not sure.
I disagree with the article about "performance problems" in using of certificates created by MakeCert.exe.
If no revocation information will be included in the created certificate then no performance loss can be because of revocation. Probably the only thing which is specific for using of self-signed certificate is following: you should include the self-signing certificate in the Root certificates store (Trusted Root Certification Authorities) or more better in the AuthRoot certificates store (Third-Party Root Certificate Authorities) on all computers which will use it. After this your self-signing certificate will be not more worth as VeriSign root certificate in the most scenarios. Of cause this way is possible only inside of one company and can be difficult used in the enterprise scenarios with a lot of independent client computers.
By the way it is possible to create a simple PKI with respect of MakeCert.exe utility. For example you can create the self-sign root certificate of your mini CA:
MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 4096 -e 12/31/2020 -r
-n "CN=My Company Root Authority,O=My Company,C=DE" MyCompany.cer
then you can create an additional child certificate
MakeCert.exe -pe -ss MY -a sha1 -len 2048 -e 12/31/2020 -eku 1.3.6.1.5.5.7.3.2
-n "CN=My Name,O=My Company" -sky exchange
-is MY -in "My Company Root Authority"
You can choose different enhanced key usage OIDs in the eku switch depends from the scenarios in which you want use the certificate.
To add the root certificate of your mini CA in the AuthRoot certificate store (Third-Party Root Certificate Authorities) we can use for example CertMgr.exe utility
CertMgr.exe -add -c MyCompany.cer -s -r localMachine AuthRoot
You can also create and use Certificate Revocation List File if it needed for your scenario.
See How to: Create Temporary Certificates for Use During Development and other How to Articles for more examples.
I have a WPF and WCF app that requires to install the certificate (.pfx) on the client side to enable WPF calling the WCF service.
Now how can I prevent the client to export the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?
Generate Certs for WCF
Generate a Certificate Authority Cert
makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer
-r Create a self signed
-pe Mark generated private key as exportable
-ss Subjects certificate store names that stores the output certificate
-sr Subjects certificate store location
The file pops up in the personal certs store of the machine you generate the cert from.
This is the file you will need to import into your server/client as a trusted root authority (rt click on the .cer file you created and install certificate, put it into Trusted root certification authorities)
Generate Server Cert
You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on open mmc, certificates add-on, Personal, click on cert, >> rt click >> all tasks >> export >> select yes, export the private key >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx
Install this cert into the Personal Store of the server machine and use it to host the service.
Create Client Cert
Create server certificate from CA machine. This will generate a cert file with the private key embedded:
makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "TestCA" -is my -ir localMachine TestPublicCert.cer
Take this cer file and install it on the client machine in the Trusted People store
Recap
Create a CA cert (or use the one you already have if you purchased one)
From the CA export a .pfx file that is password protected (Private Cert)
Create a Public Cert from the CA cert (Public Cert)
Then
Install the CA CA.cer into the Trusted Root Cert Authorities store on Client and Server
Install the Private.pfx file into the Personal store of the server
Install the Public.cer into the trusted people store of the client
Ready to go.