I have a WPF and WCF app that requires to install the certificate (.pfx) on the client side to enable WPF calling the WCF service.
Now how can I prevent the client to export the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?
Generate Certs for WCF
Generate a Certificate Authority Cert
makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer
-r Create a self signed
-pe Mark generated private key as exportable
-ss Subjects certificate store names that stores the output certificate
-sr Subjects certificate store location
The file pops up in the personal certs store of the machine you generate the cert from.
This is the file you will need to import into your server/client as a trusted root authority (rt click on the .cer file you created and install certificate, put it into Trusted root certification authorities)
Generate Server Cert
You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on open mmc, certificates add-on, Personal, click on cert, >> rt click >> all tasks >> export >> select yes, export the private key >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx
Install this cert into the Personal Store of the server machine and use it to host the service.
Create Client Cert
Create server certificate from CA machine. This will generate a cert file with the private key embedded:
makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "TestCA" -is my -ir localMachine TestPublicCert.cer
Take this cer file and install it on the client machine in the Trusted People store
Recap
Create a CA cert (or use the one you already have if you purchased one)
From the CA export a .pfx file that is password protected (Private Cert)
Create a Public Cert from the CA cert (Public Cert)
Then
Install the CA CA.cer into the Trusted Root Cert Authorities store on Client and Server
Install the Private.pfx file into the Personal store of the server
Install the Public.cer into the trusted people store of the client
Ready to go.
Related
I want to test SSL connections in an development environment with IIS. For this i need to crate a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.
Doing it with makecert is deprecated now, so I am wondering how to do it with Powershell and the New-SelfSignedCertificate command.
Bonus points if you get the key usage settings right :-)
Note: using the self-signed certificated directly in IIS does not work, since the browser and WCF considers them invalid.
for reference, here is how to do it with makecert:
# create the self signed root certificate
makecert -n "CN=root.lan" -r -sv root.pvk root.cer
# create the certificate for IIS that gets signed with the root certificate
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe
# convert to other formats
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx
The new version of New-SelfSignedCertificate, which included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.
The documentation and the examples could seems still not clear enough for creating two certificates:
one self-signed certificate, which will be used as CA certificate from your example
the second SSL certificate, which signed with the first certificate.
The implementation could be the following (I wrote below the option in multiple lines only to make the text more readable):
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096
-Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE"
-KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10)
-CertStoreLocation "Cert:\CurrentUser\My" -Type Custom
the output will look like
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for usage the certificate for signing. If you forget the value you can find it by CN name
dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"
or by usage certutil.exe -user -store My to display certificates on My store of the current user.
To create SSL certificate and to sign it with respect of previously created certificate one can do for example the following
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org"
-HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048
-KeyUsage KeyEncipherment,DigitalSignature
-CertStoreLocation "cert:\LocalMachine\My"
-Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF
-TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all properties required. It's clear that the values from many from above parameters contains examples only any you have to modify there based on your requirements. I don't describe here some other common steps like importing root certificate in Trusted Root, exporting the certificates and so on. The steps are not the psrt of your main question.
I know the server need a self-signed CA. But how can I generate a CA, and where can I put it to make server's PowerShell 2.0 work? And what is CN matching?
The following is what happens when I run the command winrm quickconfig -transport:https:
WinRM already is set up to receive requests on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not
have an appropriate certificate. To be used for SSL, a certificate
must have a CN matching the hostname, be appropriate for
Server Authentication, and not be expired, revoked, or self-signed.
Unless you want to go to the trouble of setting up a full-fledged single-tier or two-tier PKI infrastructure (which would be a topic for ServerFault rather than StackOverflow) you could make do with makecert.exe to create a self-signed CA certificate and host certificates signed with it.
Create the CA certificate like this:
& makecert.exe -pe -r `
-n "CN=TestCA" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky signature `
"TestCA.cer"
Then create certificate for the host:
$cn = if ($env:USERDNSDOMAIN) {
"$env:COMPUTERNAME.$env:USERDNSDOMAIN"
} else {
$env:COMPUTERNAME
}
& makecert.exe -pe `
-n "CN=$cn" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky exchange `
-eku 1.3.6.1.5.5.7.3.1 `
-in "TestCA" `
-is my `
-ir LocalMachine `
-sp "Microsoft RSA SChannel Cryptographic Provider" `
-sy 12 `
"$cn.cer"
The CN (Common Name) is the subject of your certificate and for host certificates must match the computer's FQDN.
If you want to create host certificates for other hosts than your local computer you need to set $cn to the name/FQDN of the other computer. To get the certificate and private key to the destination computer export both from your certificate store (<serial> is the serial number of the certificate):
& certutil.exe -exportPFX -f -privatekey -p "password" "<serial>" computer.pfx
Copy computer.pfx to the computer for which you generated the certificate and import it like this:
& certutil.exe -importPFX -f -privatekey C:\path\to\computer.pfx
You'll be prompted for the password you specified when exporting the certificate.
On all machines that should use certificates signed by your TestCA you need to import TestCA.cer under Trusted Root Certification Authorities for the computer account.
& certutil.exe -f -addstore ca C:\path\to\TestCA.cer
Note that makecert.exe isn't available as a separate download anymore, but you can get it from the Windows SDK (download the ISO image and run the SDK Tools installer from the subfolder \setup\WinSDKTools).
Note also that using a makeshift CA like that is strongly discouraged for any kind of production environment.
I know its bad to just share a link, but I'm on a mobile and its better than nothing and uses all/mostly PS commands.
https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
I am trying to make a development certificate chain for myself for some testing for WCF. I'm following the insructions on msdn here: How to: Create Temporary Certificates for Use During Development
Unfortunately the instructions don't work. The private key is not exportable. I have even re-tried it with the "-pe" option to makecert.exe and it still doesn't work. I've tried it while running as an administrator and it doesn't work. In mmc itself when using "export" the first screen where it asks about private keys has the "yes/no" option greyed out, and a message below it that says: "The associated private key is marked as not exportable. Only the certificate can be exported."
Any advice? An updated procedure from MSDN maybe, or another one entirely? All I'm looking for is a cert to use with WCF for some basic testing. This is on Windows 8 Pro, though I doubt that matters.
See this SO answer. I used it for a WCF project a few months ago.
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature).
The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= allow batch command-line to wrap line)
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange).
It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
The issuing certificate is in a file (-ic), as is the key (-iv).
Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
You could always use openssl to create a self-signed certificate, you'd then just import the certificate into the windows certificate store. It's pretty easy to do from the command line:
openssl genrsa -des3 -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
The first line generates the private key and the second line the actual self-signed certificate. There's a Win32 installer available.
For me, it is still to find why option -pe is not working.
Answer given in Make exportable private key with makecert and http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development may help you.
It suggests that to output the private and then generate PFX file using certificate and private key and then import this PFX file.
Try the SSL Diagnostics tool.
You should be able to create your development certificate for IIS without headache:
http://www.softpedia.com/get/Internet/Servers/Server-Tools/SSL-Diagnostics.shtml
And yes, the tool lets you do some diagnostics too.
I have been having this issue for about 2 weeks. I have done a lot of research and tried different ways but no joy. I have a development website on my computer (Windows 7 Pro) with sql server 2008 r2 and using IIS 7.5. There is an actual development server running the database and Webserver but because of my location I cannot use the main development site. I issued a self signed Trusted Root Certificate:
makecert -r -pe -n "CN=ROOT AUTHORITY" -ss my -sr CurrentUser -a sha1 -sky signature -cy authority -sv ca.pvk ca.cer
Then I install that into the trusted root on the local computer. After that I created a certificate for IIS to use.
makecert -pe -n "CN=example.website.name.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic ca.cer -iv ca.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv server.pvk server.cer
Then I create the .pfx file for IIS
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
After I do the above. I import the certificate into IIS and then I bind the website to the SSL certificate (server.pfx)
After all that is done, I go on the website https://example.website.name.com and I get 403.7 forbidden.
Can somebody please help me out with this issue?
take a look at some of these pitfalls...
Server Issue #1 - The client cert passed in has 1 or more certification paths that do NOT exist on the server. Open the cert go to certification path (tab) and make sure each of the root authorities are in the SERVERS trusted root certificate authorities. Note, you DO NOT need to install the cert on the server just the root authorities public keys under Certificates (Local Computer) \ Trusted Root Certification Authorities.
Server Issues #2 (previously mentioned solution) - In IIS, for the site, make sure the SSL Settings are set to Accept OR Require (never ignore). The benefit of using Require is that the IIS logs will show you are 403 7 error where as Accept will just get your the IsPresent == false but with a 200 http code.
Client Issue #1 - Same as server issue #1, got to trust those authorities!
Client Issue #2 - You have the trusted root authorites but NOT the private key for the cert itself. Make sure you install the pfx (private key) into the cert store not the public key (.cer). You can also see if you have the private key by double clicking the cert in the cert store and on the general tab you should see a message saying as much.
Client Issue #3 - You put the cert in the wrong place. Probably best to place your cert in Certificates (Local Computer) \ Personal \ Certificates, rather than (current user). This will make the cert available to process accounts that are running your code and actually need access to it.
Client Issue #4 - Right mouse click the cert (in the store not a .cer file) --> All Tasks --> Manage Private Keys... and make sure the process account running your code has "Read" permission. A quick test of this (but not recommended for production use) is to add "Everyone" as read to see if this is your issue
Background: I need to test an https endpoint for a WebRole on Windows Azure. For that I need to upload a self-signed certificate, add the certificate's thumbprint to the WebRole's configuration and finally associate the endpoint with that configured certificate.
I created a self-signed certificate using makecert.exe, which is available through the Visual Studio Command Prompt. I used the following command:
makecert.exe -r -pe -n "CN=test.cloudapp.net" -sky exchange -ss my -len 2048 test.pfx
The command succeeds and I can upload the certificate file to the Windows Azure hosted service. But deployment of the WebRole fails with the following error:
Certificate with thumbprint 6AB... associated with HTTPS input
endpoint Endpoint2 does not contain private key.
I have to export the certificate from the my store, and choose to include the private key and provide a password. If I upload this exported certificate file and use its thumbprint, then deployment succeeds.
I want to create a certificate file that includes the private key, without first saving the certificate to any store and exporting it from the store. Is that possible using makecert.exe?
To create a certificate without saving it to any store you'll need to use pvk2pfx.exe (available through the Visual Studio Command Prompt).
It works like this:
makecert.exe -sv CertKey.pvk -n "CN=My Azure Certificate" CertKey.cer
pvk2pfx.exe -pvk CertKey.pvk -spc CertKey.cer -pfx MyPFX.pfx -po yourPasswordHere
Running makecert.exe will aks you for a password for the private key. You'll need to enter that password for the -po argument of the pvk2pfx.exe command.
Finally you'll have a pfx file (containing private key) named MyPFX.pfx