X.509 Certificates

patterns & practices Developer Center

  • How to: Create a Temporary X.509 Certificate for Transport Security
  • How to: Create a Temporary X.509 Certificate for Message Security
  • How to: Create a Temporary X.509 Certificate for Certificate Authentication

How to: Create a Temporary X.509 Certificate for Transport Security

Perform the following steps to create a temporary X.509 certificate for transport security:

  1. Create a certificate to act as your root Certificate Authority (CA):

    makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
    
  2. Install your root CA on both the server and client machines. Use the Microsoft Management Console (MMC) to install RootCATest.cer on the client and server machines in the Trusted Root Certification Authorities store.

  3. Create and install your temporary service certificate:

    makecert -sk keyName -iv RootCATest.pvk -n "CN=MachineName.domain.com" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe 
    
  4. Use Inetmgr to configure the Web site and virtual directory to use the certificate and to require Secure Sockets Layer (SSL) to secure communication.


How to: Create a Temporary X.509 Certificate for Message Security

Perform the following steps to create a temporary X.509 certificate for message security:

  1. Create a certificate to act as your root Certificate Authority (CA):

    makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
    
  2. Create a Certificate Revocation List (CRL) file from the root certificate:

    makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
    
  3. Install your root CA on both the server and client machines. Use the Microsoft Management Console (MMC) to install RootCATest.cer on the client and server machines in the Trusted Root Certification Authorities store.

  4. Install the CRL file on both the server and client machines. Use MMC to install RootCATest.crl on the client and server machines in the Trusted Root Certification Authorities store.

  5. Create and install your temporary service certificate:

    makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe
    
  6. Give the WCF process identity access to the temporary certificate's private key:

    FindPrivateKey.exe My LocalMachine -n "CN=tempCert"
    cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R
    

    Replace the path "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" with the one that FindPrivateKey.exe returns on your machine.
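
A way to check the result of steps 5 and 6 before starting the service, added here as an example and not part of the original page: it confirms that the certificate is in LocalMachine\My with a private key, that its chain builds, and that the service identity can read the key file. It assumes Windows PowerShell 5.1 in an elevated prompt, the CN=tempCert and CN=RootCATest names used above, and that machine keys are stored under %ProgramData%.

```powershell
# Added verification sketch (not from the original page). Assumes Windows
# PowerShell 5.1, an elevated prompt, and the names used in the steps above.
$subject  = 'CN=tempCert'                      # service certificate from step 5
$issuer   = 'CN=RootCATest'                    # test root CA from step 1
$identity = 'NT AUTHORITY\NETWORK SERVICE'     # identity granted access in step 6

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Build the chain with the default policy (revocation checking on), so a
# missing root or missing CRL shows up as a chain status entry.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# makecert creates a CAPI (CSP) key; its container file name is what
# FindPrivateKey.exe reports. Assumption: machine keys live under %ProgramData%
# on current Windows versions (the path shown on the page is the older layout).
$keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyFile"

# Look for an Allow entry for the service identity that includes Read.
$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$grant = (Get-Acl -Path $keyPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $read) -eq $read)
}

# One summary object: every field should be True / empty status on a good setup.
[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    IssuerMatches   = ($cert.Issuer -eq $issuer)
    ChainBuilds     = $chainOk
    ChainStatus     = $chainStatus
    KeyPath         = $keyPath
    IdentityCanRead = [bool]$grant
}
```

If `ChainBuilds` is False, `ChainStatus` names the cause, for example an untrusted root or an unknown revocation status.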


How to: Create a Temporary X.509 Certificate for Certificate Authentication

Perform the following steps to create a temporary X.509 certificate for certificate authentication:

  1. Create a certificate to act as your root Certificate Authority (CA):

    makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
    
  2. Create a Certificate Revocation List (CRL) file from the root certificate:

    makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
    
  3. Install your root CA on both the server and client machines. Use the Microsoft Management Console (MMC) to install RootCATest.cer on the client and server machines in the Trusted Root Certification Authorities store.

  4. Install the CRL file on both the server and client machines. Use MMC to install RootCATest.crl on the client and server machines in the Trusted Root Certification Authorities store.

  5. Create and install your temporary service certificate:

    makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr currentuser -ss my -sky signature -pe
    
