Secure Communication

Request, Issue and Install a server-side certificate – Windows 2003 server/IIS6

Tuesday, September 6th, 2011

To use client certificates for authentication, you first need to install a server-side certificate. The steps here are what I took to request, issue and install a server-side certificate for certificate authentication with Microsoft Certificate Services and IIS6 in a Windows 2003 environment:

  1. IIS6 -> Websites -> Default Website (at this point, verify that CertSrv is shown as a virtual directory under this site) -> Right-click on the Default Website node and select Properties -> Directory Security -> Server Certificate.
  2. If there is no certificate already installed on the server, click on Create New Certificate; as I already had certificates installed on my local machine, the only options at this point were “Renew the current certificate”, “Remove the current certificate”, “Replace the current certificate”, “Export the current certificate to a .pfx file”, and “Copy or Move the current certificate to a remote server site”.
  3. For this project, I chose “Renew the current certificate” and clicked Next.
  4. Chose “Prepare the request now, but send it later” (the default option) and clicked Next.
  5. Certificate request file name: leave it as the default, c:\certreq.txt.
  6. Opened the c:\certreq.txt file and copied the content to the clipboard. The content is a big chunk of mumble-jumble ASCII letters like these: “-----BEGIN NEW CERTIFICATE REQUEST-----MIIDTDCCArUCAQAwcTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAM
    BgNVBAcTBVRhbXBhMRcwFQYDVQQKEw5CaXNrIEVkdWNhdGlvbjEQMA4GA1UECxMH…
    -----END NEW CERTIFICATE REQUEST-----”
  7. Now I went to http://localhost:8080/CertSrv and a page titled Microsoft Certificate Services came up (I had trouble opening this page from http://localhost/CertSrv initially, but then realized my default website is not at http://localhost; rather, my default website is configured to run from port 8080 instead of the default 80).
  8. Click on Request a certificate and select Submit an advanced certificate request on the next page.
  9. There are two options on the next page: “Create and submit a request to this CA.” and “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” I selected the second one.
  10. Now paste the content from the clipboard into the “Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)” textarea, or use the “Browse for a file to insert” feature. Then click Submit.
  11. If submitted successfully, the next screen says, “Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.”
  12. Now I went to the CA MMC (Start -> Administrative Tools -> Certificate Authority) and saw the request sitting under the “Pending Requests” folder. I right-clicked on the request and issued it (All Tasks -> Issue), and the request moved to the “Issued Certificates” folder.
  13. The next step was to copy the certificate to a .cer file. To do that, I double-clicked on the certificate to view it, clicked on the Details tab and then Copy to File. On “Export File Format” I selected “Base-64 encoded X.509 (.CER)” and saved it to “c:\ServerCertificate.cer”.
  14. Now I went into IIS6 -> Default Website -> Properties -> Directory Security -> Server Certificate -> Next -> selected “Process the pending request and install the certificate” and opened the “c:\ServerCertificate.cer” file from the “Process a Pending Request” screen.
  15. The next screen asks about the “SSL” port; I left it as the default 444 and clicked Next, Next and Finish.

To verify that the server-side certificate was installed successfully, I went back to IIS6, picked a virtual directory, for example “WcfSecure”, opened the “Properties” window -> Directory Security -> Edit (under Secure Communications), checked “Require secure channel (SSL)” and, for client certificates, selected “Accept client certificates” for now. Then I browsed to a .svc file without https, such as http://localhost:8080/WcfSecured/Demo.svc; at this point I got a browser error message asking me to add https to the address, so I changed it to https://localhost:8080/WcfSecured/Demo.svc (it can also be a demo.aspx or demo.ashx page), and as expected, the page now showed correctly. That confirmed that the server-side certificate had been installed correctly. Next is to request and issue a client certificate so we can authenticate the WCF service client.

Created a self-signed certificate for WCF development – Windows 2003

Tuesday, July 12th, 2011

During the development of a WCF app, I needed to issue a self-signed certificate to my local Windows 2003 server in order to test out ways to secure WCF server-client communication. For IIS6 this was a bit trickier than IIS7: I needed to download the IIS6 Resource Kit and then run selfssl.exe to create the certificate, whereas IIS7 can do it right in its GUI. Here are the detailed steps that I went through to create an SSL-enabled hosting environment (via certificate) on my local development machine (credit to this very useful posting here):

  1. Downloaded the IIS6 Resource Kit from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17275 and installed it.
  2. Start -> All Programs -> IIS Resources -> SelfSSL
  3. This launched a command line, where I ran: C:\Program Files\IIS Resources\SelfSSL>selfssl /N:CN=localhost:8088 /K:1024 /V:365 /S:437690215 /T
    Explanations:

    • localhost:8088 – this is where the https site is to be hosted; as port 80 was already taken by another web host, I used 8088 for the new site;
    • /K: the key size – 2048 is recommended (but 1024 worked for my case);
    • /V: days of validity – 365 is recommended (I actually used 730, or 2 years, for development convenience);
    • /S: the numeric identifier of your web site in IIS (437690215 is the site id for Wcfhost; the default website is usually 1; I found it under the root of the website property);
    • /T makes the certificate trusted.
  4. Answered “Y” at the next prompt.
  5. The message: “The self signed certificate was successfully assigned to site 437690215”.
    Go back to IIS6 and now there is a certificate under Directory Security.

For creating a self-signed certificate in IIS7, follow this article on MSDN: http://msdn.microsoft.com/library/ff406125.aspx
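The checks a browser performs during the https verification step described in the first post above (and why a subject such as the selfssl command's CN=localhost:8088 trips them) can be demonstrated offline; this Python example is added here and is not code from the original posts. The certificate dict is constructed to mirror what ssl.SSLSocket.getpeercert() returns after a verified handshake, with illustrative dates; no server is contacted.

```python
import ssl
import time

# Constructed sample (not captured from a real server): the dict layout that
# ssl.SSLSocket.getpeercert() returns, filled in for a certificate like the one
# the selfssl command above produces (subject CN=localhost:8088, no SAN,
# self-signed, valid 365 days). Dates are illustrative.
SELFSSL_CERT = {
    "subject": ((("commonName", "localhost:8088"),),),
    "issuer": ((("commonName", "localhost:8088"),),),
    "version": 3,
    "notBefore": "Jul 12 00:00:00 2011 GMT",
    "notAfter": "Jul 11 23:59:59 2012 GMT",
}

def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries if present, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or one left-most '*' label (never for the TLD)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) > 2
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])

def check_server_cert(cert, hostname, now=None):
    """Return the findings a client would reject (or warn about) the certificate for; [] means OK."""
    now = time.time() if now is None else now
    findings = []
    names = cert_names(cert)
    # A CN that carries a port, such as "localhost:8088", never equals the host
    # the browser connected to, so the client reports a name mismatch.
    if not any(name_matches(n, hostname) for n in names):
        findings.append("name mismatch: %r is not covered by %s" % (hostname, names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid before %s" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired after %s" % cert["notAfter"])
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: trusted only where it was installed as a root (selfssl /T)")
    return findings
```

Running check_server_cert(SELFSSL_CERT, "localhost") reports the name mismatch and the self-signed status even while the certificate is within its validity window; a certificate issued to plain CN=localhost (or with a DNS SAN of localhost) by a separate CA yields no findings.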