How To – Create and Install Temporary Certificates in WCF for Transport Security During Development

- J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen

Applies to

  • Microsoft® Windows Communication Foundation (WCF) 3.5
  • Microsoft .NET Framework 3.5
  • Microsoft Visual Studio® 2008

Summary

This How To article shows you how to create, configure, and install temporary certificates that you can use for transport security with WCF during development. First, you use makecert.exe to create a certificate to act as your root certificate authority (CA). You then use your root CA certificate to sign additional certificates for your WCF services.

Contents

  • Objectives
  • Overview
  • Step 1 – Create a Certificate to Act as Your Root Certificate Authority
  • Step 2 – Install Your Root Certificate Authority on the Server and Client Machines
  • Step 3 – Create and Install Your Temporary Service Certificate
  • Step 4 – Configure Your Temporary Service Certificate in IIS to Support SSL
  • Deployment Considerations
  • Additional Resources

Objectives

  • Learn how to create temporary certificates for transport security using makecert.exe utility.
  • Learn how to create a temporary root certificate authority to be used by transport security.
  • Learn where to store temporary certificates to be used by WCF when utilizing transport security.

Overview

During development and test cycles, it is necessary to work with temporary certificates when developing a service that uses X.509 certificates to provide transport security. This is because production-quality certificates are very expensive and might be unavailable. When using transport security, the certificate is validated with chain trust, which requires placing the certificate in the host service in specific store locations. Chain trust will validate the certificate against the issuer of a certificate known as root authority. To emulate this during development and testing cycles, you will need to create a self-signed root certificate authority that will be placed in the Trusted Root Certification Authority store. The certificate used by the service to protect the transport will be created from root CA and will be installed in the personal store of the local machine.

Summary of Steps

  • Step 1 – Create a Certificate to Act as Your Root Certificate Authority
  • Step 2 – Install Your Root Certificate Authority on the Server and Client Machines
  • Step 3 – Create and Install Your Temporary Service Certificate
  • Step 4 – Configure Your Temporary Service Certificate in IIS to Support SSL

Step 1 – Create a Certificate to Act as Your Root Certificate Authority

In this step, you use the makecert tool in the service host machine to create a root CA that will be used to sign your temporary certificate.
  1. Open a Visual Studio command prompt and browse to the location where you want to save the certificate files.
  2. Run the following command to create the root CA

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer

In this command:
  • -n – Specifies the subject name for the root CA. The convention is to prefix the subject name with "CN = " for "Common Name".
  • -r – Specifies that the certificate will be self-signed.
  • -sv – Specifies the file that contains the private key of the certificate.
  • RootCATest.cer – Specifies the name of the file containing the public key of the certificate.
  1. In the Create Private Key Password dialog box, enter a password, confirm the password, and then click OK. Optionally, you can click None without entering the password, but this is not recommended for security reasons.
  2. In the Enter Private Key Password dialog box, enter the password again and then click OK.
This is the password needed to access the private key file RootCATest.pvk in order to generate the file RootCATest.cer containing the public key.

This step creates a certificate named RootCATest.cer and a private key file named RootCATest.pvk.

Note: This step is necessary because the root certificate will be required to be installed in the root certification authority store; otherwise, when the client communicates over the HTTPS, the HTTP layer raises a webexception: “the remote server returned an error (403) forbidden”.

Step 2 – Install Your Root Certificate Authority on the Server and Client Machines

In this step, you install the certificate in the Trusted Root Certification Authorities location on both the server and client machines. All certificates that are signed with this certificate will be trusted by the client machine.

Important: Be sure to delete this certificate from the store after you have finished developing and testing for your application.

Repeat the following steps on both the client and the server machines:
  1. Copy the RootCATest.cer file to the client and server machines.
  2. Click Start and then click Run.
  3. In the command line, type MMC and** then** click OK.
  4. In the Microsoft Management Console (MMC), on the File menu, click Add/Remove Snap-in.
  5. In the Add Remove Snap-in dialog box, click Add.
  6. In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
  7. In the Certificates snap-in dialog box, select the Computer account radio button because the certificate needs to be made available to all users, and then click Next.
  8. In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
  9. In the Add Standalone Snap-in dialog box, click Close.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
  12. Under Trusted Root Certification Authorities, right-click the Certificates subfolder,select All Tasks, and then click Import.
  13. On the Certificate Import Wizard welcome screen, click Next.
  14. On the File to Import screen, click Browse.
  15. Browse to the location of the signed Root Certificate Authority RootCATest.cer file copied in step 1, select the file, and then click Open.
  16. On the File to Import screen, click Next.
  17. On the Certificate Store screen, accept the default choice and then click Next.
  18. On the** Completing the Certificate Import Wizard** screen,** click Finish.
The signed root CA certificate is now installed in the Trusted Root Certification Authorities store. You can expand the Certificates subfolder under Trusted Root Certification Authorities to see the RootCATest certificate installed properly.

Important: If you do not install the self-signed root CA on the client machine, the proxy generation either from the UI or from the command prompt using svcutil will fail with the following error message:

“There was an error downloading 'https://MachineName/servicefolder/Service.svc'.
The underlying connection was closed: Could not establish trust relationship
for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.”

Step 3 – Create and Install Your Temporary Service Certificate

In this step, you create and install the temporary certificate on the server machine from the signed root CA created in the previous step.
  1. Open a Visual Studio command prompt and browse to the location where you have the root CA certificate and private key file installed.
  2. Run the following command for creating a certificate signed by the root CA certificate:

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=<<MachineName>>" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe <<MachineName>>.cer

In this command:
  • -sk – Specifies the key container name for the certificate. This name needs to be unique for each certificate you create.
  • -iv – Specifies the private key file from which the temporary certificate will be created. You need to specify the root certificate privatekeyfile name and make sure that it is available in the current directory.
  • -n – Specifies the key subject name for the temporary certificate. If the name of the certificate does not match the DNS or netbios name, the proxy generation will fail, either by using svcutil.exe or the Visual Studio 2008.
  • -ic – Specifies the file containing the root CA certificate file generated in the previous step.
  • -sr – Specifies the store location where the certificate will be installed. The default location is Currentuser, but since the certificate needs to be available to all users, you should use the localmachine option.
  • -ss – Specifies the store name for the certificate. My is the personal store location of the certificate.
  • -sky – Specifies the key type, which could be either signature or exchange.** Using exchange makes the private key exportable, which is required for message security.
  • -pe – Specifies that the private key is exportable. This is useful if you want to export the key and use it in another machine for development or testing purposes.
  1. In the Enter Private Key Password dialog box, enter the password for the root CA privatekeyfile specified in STEP 2, and then click OK.

Step 4 – Configure Your Temporary Service Certificate in IIS to Support SSL

In this step, you configure the Web site to use the temporary certificate for Secure Sockets Layer (SSL) communication.
  1. Click Start and then click Run.**
  2. In the Run dialog box, type inetmgr and then click OK.
  3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
  4. Right-click Default Web Site and then click Properties.
  5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
  6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
  7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
  8. On the Available Certificates screen, select the certificate you created and installed in previous step, and then click Next.
  9. On the SSL Port screen, keep the default port 443 and then click Next.
  10. Verify the information on the certificate summary screen, and then click Next.
  11. Click Finish to complete the certificate installation.
  12. In the Default Web Site Properties dialog box, click OK.

Deployment Considerations

Temporary certificates should only be used for development and testing purposes. For real-world production environments, use a certificate provided by a CA such as Microsoft Windows Server® 2003 Certificate Server or a third party.

Additional Resources

Contributors and Reviewers

  • External Contributors and Reviewers:
  • Microsoft Consulting Services and PSS Contributors and Reviewers:
  • Test team: Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.
  • Edit team: Dennis Rea.
  • SEO team: Rob Boucher.

Last edited Mar 28, 2008 at 11:30 PM by prashantbansode, version 5

Comments

manishtpatel Jun 8, 2008 at 6:00 AM 
Looks like step4 is targeted for ii6. Could you please add steps for iis7? IIS7 is asking for pfx file when try to import certificate which is also not created in this guide. I could be wrong as i am new to all this.