How to: Create and Install Temporary Certificates in WCF for Transport Security During Development

Applies to

• Microsoft Windows Communication Foundation (WCF) 3.5
• Microsoft .NET Framework 3.5
• Microsoft Visual Studio 2008

Summary

This how-to article walks you through the process of creating and installing temporary certificates to be used during the development and testing of WCF services that implement transport security. The article explains the process of creating, configuring, and installing these temporary certificates to work with WCF.

Contents

• Objectives
• Overview
• Step 1: Create a Certificate to Act as Your Root Certificate Authority
• Step 2: Install Your Root Certificate Authority on the Server and Client Machines
• Step 3: Create and Install Your Temporary Service Certificate
• Step 4: Configure Your Temporary Service Certificate in IIS to Support SSL
• Deployment Considerations
• Additional Resources

Objectives

• Learn how to create a temporary root certificate authority (CA) to be used to sign your temporary service certificate.
• Learn how to create temporary certificates for transport security using the makecert.exe utility.
• Learn where to store temporary certificates to be used by WCF when utilizing transport security.

Overview

When developing a WCF service that uses X.509 certificates to provide transport security, it is necessary to work with temporary certificates. This is because production certificates are expensive and may not be readily available. There are two options for specifying trust on a certificate:

• Peer trust validates the certificate directly.
• Chain trust validates the certificate against the issuer of a certificate known as a root authority.

This how-to article discusses the chain trust option because it is the most commonly used approach in Business-to-Business (B2B) scenarios.

To use chain trust validation during development time, you create a self-signed root CA and place it in the Trusted Root Certification Authority store. The certificate used by WCF is then created and signed by the root self-signed certificate and installed in the LocalMachine store.

You will use makecert.exe to create a certificate to act as your root CA. You will then use your root CA certificate to sign additional certificates for your WCF services. Finally, you will configure IIS to use your temporary certificate.

Summary of Steps

• Step 1: Create a Certificate to Act as Your Root Certificate Authority
• Step 2: Install Your Root Certificate Authority on the Server and Client Machines
• Step 3: Create and Install Your Temporary Service Certificate
• Step 4: Configure Your Temporary Service Certificate in IIS to Support SSL

Step 1: Create a Certificate to Act as Your Root Certificate Authority

In this step, you use the makecert tool in the service host machine to create a root CA that will be used to sign your temporary certificate.

1. Open a Visual Studio command prompt and browse to the location where you want to save the certificate files.

2. Run the following command to create the root CA:

   makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
   

   In this command:

   • -n specifies the subject name for the root CA. The convention is to prefix the subject name with "CN = " for "Common Name".
   • -r specifies that the certificate will be self-signed.
   • -sv specifies the file that contains the private key of the certificate.
   • RootCATest.cer specifies the name of the file containing the public key of the certificate.

3. In the Create Private Key Password dialog box, enter a password, confirm the password, and then click OK. Optionally, you can click None without entering the password, but this is not recommended for security reasons.

4. In the Enter Private Key Password dialog box, enter the password again and then click OK.

   This is the password needed to access the private key file RootCATest.pvk in order to generate the file RootCATest.cer containing the public key.

This step creates a certificate named RootCATest.cer and a private key file named RootCATest.pvk.

Step 2: Install Your Root Certificate Authority on the Server and Client Machines

In this step, you install the certificate in the Trusted Root Certification Authorities location on both the client and server machines. All certificates that are signed with this certificate will be trusted by the client and by the server.

Note

Important: Be sure to delete this certificate from the store after you have finished developing and testing for your application.

Repeat the following steps on both the client and the server machines:

1. Copy the RootCATest.cer file to the client and server machines.
2. Click Start and then click Run.
3. In the command line, type MMC and then click OK.
4. In the Microsoft Management Console (MMC), on the File menu, click Add/Remove Snap-in.
5. In the Add Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
7. In the Certificates snap-in dialog box, select the Computer account radio button because the certificate needs to be made available to all users, and then click Next.
8. In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
9. In the Add Standalone Snap-in dialog box, click Close.
10. In the Add/Remove Snap-in dialog box, click OK.
11. In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
12. Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then click Import.
13. On the Certificate Import Wizard welcome screen, click Next.
14. On the File to Import screen, click Browse.
15. Browse to the location of the signed Root Certificate Authority RootCATest.cer file copied in Step 1, select the file, and then click Open.
16. On the File to Import screen, click Next.
17. On the Certificate Store screen, accept the default choice and then click Next.
18. On the Completing the Certificate Import Wizard screen, click Finish.

The signed root CA certificate is now installed in the Trusted Root Certification Authorities store. You can expand the Certificates subfolder under Trusted Root Certification Authorities to see the RootCATest certificate installed properly.

Note

Important: If you do not install the self-signed root CA on the client machine, proxy generation (either from the UI or from the command prompt using svcutil) will fail with the following error message:
“There was an error downloading 'https://MachineName/servicefolder/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.”

Note

Unless the root certificate is present in the certificate authority store, the HTTP layer raises an exception when a client communicates over HTTPS: “the remote server returned an error (403) forbidden”.

Step 3: Create and Install Your Temporary Service Certificate

In this step, you create and install the temporary certificate on the server machine from the signed root CA created in the previous step.

1. Open a Visual Studio command prompt and browse to the location where you have the root CA certificate and private key file installed. The files will be named RootCATest.cer and RootCATest.pvk.

2. Run the following command for creating a certificate signed by the root CA certificate:

   makecert -sk <<UniqueKeyName>> -iv RootCATest.pvk -n "CN=<<MachineName>>" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe 
   

   In this command:

   • -sk specifies the key container name for the certificate. This name needs to be unique for each certificate you create.
   • -iv specifies the private key file from which the temporary certificate will be created. You need to specify the root certificate private key file name and make sure that it is available in the current directory.
   • -n specifies the key subject name for the temporary certificate. If the name of the certificate does not match the DNS or NetBIOS name, later proxy generation will fail.
   • -ic specifies the file containing the root CA certificate file generated in the previous step.
   • -sr specifies the store location where the certificate will be installed. The default location is Currentuser, but since the certificate needs to be available to all users, you should use the localmachine option.
   • -ss specifies the store name for the certificate. Specify My as the personal store location of the certificate.
   • -sky specifies the key type, which could be either signature or exchange. Using exchange makes the private key exportable, which is required for message security.
   • -pe specifies that the private key is exportable. This is useful if you want to export the key and use it in another machine for development or testing purposes.

3. In the Enter Private Key Password dialog box, enter the password for the root CA private key file specified in Step 2, and then click OK.

Note

Important: The subject name and key file name must match the name of the machine on which you are installing this certificate. If the name does not match, you will see a certificate security error when accessing the service.

Step 4: Configure Your Temporary Service Certificate in IIS to Support SSL

In this step, you configure the Web site in IIS to use the temporary certificate for Secure Sockets Layer (SSL) communication. This will enable SSL for the transport communication. These instructions pertain to IIS version 6.0. IIS 7.0 requires different steps.

1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Web Server Certificate Wizard welcome screen, , click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next. If you have a preexisting certificate that you can remove, first remove the certificate by using the Remove the current certificate option, and then proceed with Step 5.
8. On the Available Certificates screen, select the certificate you created and installed in the previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.

Deployment Considerations

Temporary certificates should only be used for development and testing purposes. For real-world production environments, use a certificate provided by a CA such as Microsoft Windows Server 2003 Certificate Services or a third party.

Additional Resources

• For more information on how to work with temporary certificates, see How to: Create Temporary Certificates for Use During Development.
• For more information on how to view certificates by using the MMC snap in, see How to: View Certificates with the MMC Snap-in.
• For more information on differences in certificate validation between Microsoft Internet Explorer and WCF, see Differences Between Service Certificate Validation Done by Internet Explorer and WCF.
• For more information on differences in certificate validation between protocols, see Certificate Validation Differences Between HTTPS, SSL over TCP, and SOAP Security.
• For more information on how to obtain a certificate, see How to: Obtain a Certificate (WCF).
• For more information on Windows Communication Foundation command-line tools, see Windows Communication Foundation Tools.