
Thread: X.509 Client Cert on IIS5 XP

Last post 03-08-2008 7:21 AM by mark_richman. 3 replies.


  • 03-04-2008, 9:56 PM

    X.509 Client Cert on IIS5 XP

    Hi...I'm looking for a HOWTO on setting up not only a self-signed server cert (for development and QA) but also a client cert to test web service calls. Most of what I've seen involves OpenSSL, so I was wondering if there were a good tutorial out there...between openssl, selfssl, makecert, and winhttpcertconfig it can be a bit confusing, especially when I'm stuck with IIS5 on XP!

    Thanks,
    Mark




     

    http://www.markrichman.com/
  • 03-05-2008, 11:03 AM In reply to

    Re: X.509 Client Cert on IIS5 XP

    I cobbled together this HOWTO and it seems to work for everything except the .NET web service client....do I need to use winhttpcertcfg to get past HTTP 403 on the client???

    1.    Install Win32 OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html. Use C:\OpenSSL as the install directory.

    2.    Create directories to hold your CA keys, your server keys, and your client keys. Name these C:\OpenSSL\ca, C:\OpenSSL\server, and C:\OpenSSL\client.

    3.    Create a private key and certificate request for your own CA in C:\OpenSSL:
    openssl req -new -newkey rsa:1024 -nodes -out ca/my_ca.csr -keyout ca/my_ca.key

    4.    Create your CA's self-signed certificate:
    openssl x509 -trustout -signkey ca/my_ca.key -days 365 -req -in ca/my_ca.csr -out ca/my_ca.pem

    5.    Copy the my_ca.pem file to my_ca.crt and edit the .crt file so that the strings "TRUSTED CERTIFICATE" read "CERTIFICATE". This enables importing of the CA certificate into your trusted root certificates store. To do this, double-click my_ca.crt to open it and click “Install Certificate…”

    6.    Create a certificate request using IIS manager and save it as C:\OpenSSL\server\my_iis.csr.

    7.    Have your CA sign your certificate request:
    openssl x509 -CA ca/my_ca.pem -CAkey ca/my_ca.key -CAcreateserial -req -in server/my_iis.csr -out server/my_server.crt -days 365

    8.    Complete the pending certificate request in IIS using C:\OpenSSL\server\my_server.crt.

    9.    Create a client certificate request:
    openssl req -new -newkey rsa:512 -nodes -out client/my_client.req -keyout client/my_client.key

    10.    Have your CA sign your client certificate:
    openssl x509 -CA ca/my_ca.pem -CAkey ca/my_ca.key -CAserial ca/my_ca.srl -req -in client/my_client.req -out client/my_client.pem -days 365

    11.    Generate a PKCS12 file containing your server key and server certificate:
    openssl pkcs12 -export -clcerts -in client/my_client.pem -inkey client/my_client.key -certfile ca/my_ca.pem -out client/my_client.p12 -name "my_client_certificate"

    12.    Import the client cert client/my_client.p12 into Internet Explorer, marking it as exportable.

    13.    Convert the PKCS#12 client cert to DER format for use with C# web service client code:
    openssl x509 -in client/my_client.pem -inform PEM -out client/my_client.der -outform DER


    Thanks,

    Mark 

     

    http://www.markrichman.com/
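
The CA and client-certificate steps of the HOWTO above as a single POSIX-shell run, added here as an example and not code from the thread: it rebuilds the chain in a temporary directory and reports whether the chain verifies and which output files carry a private key. The subjects, the password, the 2048-bit keys and the basicConstraints/clientAuth extension sections are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Subjects, the password, 2048-bit keys and
# the extension sections are assumptions; file names follow the post.
check_client_cert_files() {
    d=$(mktemp -d) || return 1
    # Minimal config so the run does not depend on a system-wide openssl.cnf.
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_client]
extendedKeyUsage = clientAuth
EOF
    {
    # Steps 3-4 as one command: CA key plus self-signed CA certificate.
    openssl req -config "$d/o.cnf" -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Dev Test CA" -extensions v3_ca \
        -keyout "$d/my_ca.key" -out "$d/my_ca.pem" &&
    # Step 9: client key and certificate request.
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Dev Test Client" \
        -keyout "$d/my_client.key" -out "$d/my_client.req" &&
    # Step 10: the CA signs the client request.
    openssl x509 -req -in "$d/my_client.req" -CA "$d/my_ca.pem" \
        -CAkey "$d/my_ca.key" -CAcreateserial -days 365 \
        -extfile "$d/o.cnf" -extensions v3_client -out "$d/my_client.pem" &&
    # Step 11: client key, client certificate and CA certificate as PKCS#12.
    openssl pkcs12 -export -clcerts -in "$d/my_client.pem" \
        -inkey "$d/my_client.key" -certfile "$d/my_ca.pem" \
        -name my_client_certificate -passout pass:constructed \
        -out "$d/my_client.p12" &&
    # Step 13: the certificate re-encoded as DER.
    openssl x509 -in "$d/my_client.pem" -inform PEM \
        -out "$d/my_client.der" -outform DER
    } >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    chain=fail; der_key=no; p12_key=no
    # Does the client certificate chain to the CA for TLS client use?
    openssl verify -purpose sslclient -CAfile "$d/my_ca.pem" "$d/my_client.pem" >/dev/null 2>&1 && chain=ok
    # Which files can a private key be read from?
    openssl pkey -inform DER -in "$d/my_client.der" -noout >/dev/null 2>&1 && der_key=yes
    openssl pkcs12 -in "$d/my_client.p12" -passin pass:constructed -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY" && p12_key=yes
    rm -rf "$d"
    echo "chain=$chain der_has_key=$der_key p12_has_key=$p12_key"
}
check_client_cert_files
```

The DER file from step 13 holds the certificate alone; the matching private key is only in the .key and .p12 files.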
  • 03-07-2008, 10:00 PM In reply to

    • skok

    Re: X.509 Client Cert on IIS5 XP

    Try to install your own Certification Authority on Windows 2003 

    Read this  First 

    Certificate Services How To...

     

    Set Up a Certification Authority



    HOW TO: Obtain a Test Certificate or a Test Client Authentication Certificate

    Thanks

    Skok
    MCSE MCP
  • 03-08-2008, 7:21 AM In reply to

    Re: X.509 Client Cert on IIS5 XP

     Thanks, but this does not apply to Windows XP, which is where we do our development.

    http://www.markrichman.com/