

Creating Certificates

Hi all,

Certificates are part of the Windows environment and provide for better messaging security. I decided to write a blog about how to create a self-signing certificate because I do this only infrequently and it's a good memory exercise to write something down.  ;p

To quickly review why certificates are a good thing:

  1. you can send and receive data that is trusted
  2. the data that you process is secure
  3. ensure that only authorized parties receive your messages/data
  4. ensure that you receive messages/data only from authorized parties

The first thing you are going to need is a Microsoft SDK. The Visual Studio 2008 SDK can be found here: https://www.microsoft.com/downloads/details.aspx?FamilyID=59ec6ec3-4273-48a3-ba25-dc925a45584d&DisplayLang=en

Once installed you will have to locate the MakeCert.exe application. In my case I found it under the C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin folder. If you start this application from a command prompt you can run MakeCert /? to see which switches are available. There is a complete description to be found here: https://msdn.microsoft.com/en-us/library/aa386968(vs.85).aspx

Typically* you will need to do something similar to the following:

STEP #1. "makecert -r -pe -n CN=NOGICERT -b 01/01/2009 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss My -sr currentuser". This will install a self-signed certificate into the current user's Personal store, with its private key attached (-pe marks the key exportable). You will need to create a password here and don't lose it.

STEP #2. Export the private key. I ended up saving it to C:\projects\NoGi.com.pfx. Don't forget your password!

STEP #3. You can export the public key as well (this you would give to customers and clients). This was C:\projects\NoGi.com.cer for me.

STEP #4. In the MMC go to the Local Computer > Other People store and import the .cer file (the public file that you just exported). When I was setting up a Dev box for doing ESB 2.0 I ran into a problem with developing itineraries. When you try to make an itinerary it demands that there be a certificate. I ended up importing my NoGi.com.cer also into the Current User > Trusted Root Certificates. Once I did this Visual Studio was happy again and I could compile my projects. This kind of information is vital and I wish Microsoft did a better job of documenting it. This issue was a real show stopper and I found it to be quite frustrating sifting through blogs to figure out how to create a self-signing certificate and export etc. etc.

*Remember I set this up for a Dev box to give me self-signing functionality; your setup may be different.
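The same four steps as an added PowerShell example (not code from the original post), using the New-SelfSignedCertificate, Export-PfxCertificate, Export-Certificate and Import-Certificate cmdlets that superseded makecert.exe on current Windows. The subject CN=NOGICERT and the C:\projects paths come from the post; the PFX password is prompted for; Cert:\LocalMachine\AddressBook and Cert:\CurrentUser\Root are the store identifiers behind the MMC folders "Other People" and "Trusted Root Certification Authorities"; the five-year validity is my choice in place of the post's 2009-2036 range.

```powershell
# Added example, not from the original post: STEPs 1-4 with the cmdlets that
# replaced makecert.exe. Subject and paths are taken from the post.
$subject = "CN=NOGICERT"
$pfxPath = "C:\projects\NoGi.com.pfx"   # cert + private key: keep this file secret
$cerPath = "C:\projects\NoGi.com.cer"   # public cert only: safe to hand to partners

# STEP 1: self-signed cert in Current User > Personal (Cert:\CurrentUser\My) with an
# exportable private key and the Server Authentication EKU 1.3.6.1.5.5.7.3.1,
# i.e. makecert -r -pe -eku ... -ss My -sr currentuser. Five years instead of 27.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(5)

# STEP 2: export cert + private key as a password-protected PFX (don't lose it).
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# STEP 3: export the public certificate only (DER-encoded .cer).
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# STEP 4: import the .cer into Local Computer > Other People (store name AddressBook)
# and, for the ESB itinerary designer, into Current User > Trusted Root.
# The LocalMachine import needs an elevated prompt.
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\AddressBook" | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\CurrentUser\Root" | Out-Null

# Check: the private key must live only with the Personal-store copy; the copy in
# Other People must be public-only (only the .cer, never the .pfx, goes there).
$personal = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object Thumbprint -eq $cert.Thumbprint
$other    = Get-ChildItem "Cert:\LocalMachine\AddressBook" | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $personal.HasPrivateKey) { Write-Warning "Personal-store copy has no private key" }
if ($other.HasPrivateKey) { Write-Warning "Other People copy carries a private key; import the .cer, not the .pfx" }
```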

Where you need to install this self-signing certificate is dependent upon what you wish to use it for. BizTalk for example uses 2 Windows certificate stores:
    1) Other People certificate store (Local Computer Folder), the public keys are stored here.
    2) Personal certificate store (Current User Folder), private keys are stored here.

Other People Certificate Store.
Public key certificates are "public" and as their name implies are accessible to anyone with access to the computer on which they are stored. BizTalk for example will retrieve public key certificates from this store to encrypt messages and verify the digital signature of incoming messages. All users can read and use any certificates saved in this store.

Personal Certificate Store.
BizTalk (for example) uses the private key certificates saved in this store to decrypt incoming messages and sign outgoing messages. Windows accounts that are allowed to log on interactively will have a personal certificate store that only they can access. BizTalk Server uses the personal store for the service account of each host instance in order to access the private key certificates belonging to that service account. Therefore every host instance that requires the certificate for decryption or signing of outbound messages must have that certificate saved in its Personal Certificate store.

Certificates can be viewed via the MMC snap-ins > Certificate Console:

Certificate purpose, certificate type and certificate store:

Signing
    Certificate type: Own private key
    Certificate store: Personal store for each service account of a host instance that has a send pipeline with a MIME/SMIME Encoder pipeline component configured to sign messages (Add Signing Cert To Message property set to True).

Verifying signature
    Certificate type: Partner's public key
    Certificate store: Other People store on each computer that has a host instance that has a receive pipeline with a MIME/SMIME Decoder pipeline component.

Decrypting
    Certificate type: Own private key
    Certificate store: Personal store for each service account of a host instance that has a receive pipeline with a MIME/SMIME Decoder pipeline component.

Encrypting
    Certificate type: Partner's public key
    Certificate store: Other People store on each computer that has a host instance that has a send pipeline with a MIME/SMIME Encoder pipeline component configured to encrypt messages (Enable encryption property set to True).

Party resolution
    Certificate type: Partner's public key
    Certificate store: Other People store on the administration computer from which you are configuring party resolution.
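An added PowerShell audit (not from the original post) that checks the two stores against the purpose/store rules above: own private keys belong in Personal, partners' public keys in Other People. It assumes you run it as the host instance's service account so that Cert:\CurrentUser\My is that account's Personal store; Cert:\LocalMachine\AddressBook is the Other People store.

```powershell
# Added example, not from the original post: audit the stores BizTalk reads.
# Run as the host-instance service account so CurrentUser\My is its Personal store.
$ekuNames = @{ "1.3.6.1.5.5.7.3.1" = "Server Authentication"
               "1.3.6.1.5.5.7.3.4" = "Secure Email" }   # the EKU S/MIME signing/encryption uses

function Get-EkuOids($cert) {
    # Returns the EKU OIDs of a certificate, or an empty list if it has no EKU extension.
    $ext = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

$report = foreach ($store in "Cert:\CurrentUser\My", "Cert:\LocalMachine\AddressBook") {
    $isPersonal = $store -like "*\My"
    foreach ($c in Get-ChildItem $store) {
        $issues = @()
        # Table rule: Personal holds own private keys (signing, decrypting);
        # Other People holds partners' public keys only (verifying, encrypting, party resolution).
        if ($isPersonal -and -not $c.HasPrivateKey) { $issues += "no private key: cannot sign or decrypt" }
        if (-not $isPersonal -and $c.HasPrivateKey)  { $issues += "private key in Other People: should be public-only" }
        if ($c.NotAfter -lt (Get-Date))               { $issues += "expired $($c.NotAfter.ToShortDateString())" }
        if ($c.Subject -eq $c.Issuer)                 { $issues += "self-signed (Dev box only)" }
        $eku = (Get-EkuOids $c | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join ", "
        [pscustomobject]@{
            Store      = $store
            Subject    = $c.Subject
            PrivateKey = $c.HasPrivateKey
            Expires    = $c.NotAfter
            EKU        = $eku
            Issues     = ($issues -join "; ")
        }
    }
}
$report | Format-Table -AutoSize
```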