SSL MakeCert / pvk2pfx & Client & Server Certificate Generation

Hey All,

Hope we’re all well!  Been a while since I blogged anything as life has been pretty hectic.  Anyway, I’m working on a fairly intense little project at the moment centred around building a complete system infrastructure around the AdventureWorks demo database from Microsoft.

The demo system may well end up being another Code Project article as it’s covering a LOT of territory: WPF, PRISM, WCF, WIF and SQL, but mainly focussing on the security aspects of the implementation using the Windows Identity Foundation.

To keep the implementation as close to the real world as possible, the WIF set-up uses SSL certificates for authentication.  Since this is only a development system there is no point buying commercial certificates, so we use the makecert tool that ships with the Windows SDK.

To make a test CA (Certificate Authority) you can use the following command:

makecert -r -pe -n "CN=AdventureWorksTestCA" -sr CurrentUser -a sha1 -sky signature -cy authority -sv AdventureWorksTestCA.pvk AdventureWorksTestCA.cer

To make a test server authentication certificate:

makecert -pe -n "CN=AdventureWorksTestServer" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic AdventureWorksTestCA.cer -iv AdventureWorksTestCA.pvk -sv AdventureWorksTestServer.pvk AdventureWorksTestServer.cer

To make a test client authentication certificate:

makecert -pe -n "CN=AdventureWorksTestClient" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ic AdventureWorksTestCA.cer -iv AdventureWorksTestCA.pvk -sv AdventureWorksTestClient.pvk AdventureWorksTestClient.cer

Then to export the PFX files for both certificates:

pvk2pfx -pvk AdventureWorksTestServer.pvk -spc AdventureWorksTestServer.cer -pfx AdventureWorksTestServer.pfx

pvk2pfx -pvk AdventureWorksTestClient.pvk -spc AdventureWorksTestClient.cer -pfx AdventureWorksTestClient.pfx

Now once you have your certificates created you need to import them into your certificate store.  Start with the CA certificate: double click the .cer file and click on the [Install Certificate] button.  Once the dialog box opens make sure you import this certificate into the “Trusted Root Certification Authorities” store.  This is critical, because it is what lets the other two certificates chain up to a trusted root.

Once this CA is installed you can go through the same process with the client and server certificates and let them import into their default location (don’t manually specify the store during import).  The client/server certs will place themselves in the Current User – Personal certificate store.

Now you should be all set up with CA, server and client certs ready for dev work.
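Before wiring the certificates into WIF it is worth confirming the import actually did what the steps above intend. The following PowerShell check is an added example, not part of the original post; it assumes the subject names used in the makecert commands above, the default stores described in the import steps, and that the PFX (not just the .cer) was imported for the client and server certs.

```powershell
# Added verification script (not from the original post). Assumes the subject
# names from the makecert commands above and the default import locations.
$caSubject    = 'CN=AdventureWorksTestCA'
$leafSubjects = @{ Server = 'CN=AdventureWorksTestServer'; Client = 'CN=AdventureWorksTestClient' }
# Enhanced Key Usage OIDs each cert should carry: serverAuth and clientAuth
$expectedEku  = @{ Server = '1.3.6.1.5.5.7.3.1'; Client = '1.3.6.1.5.5.7.3.2' }

# The test CA must sit in Current User > Trusted Root, or chain building fails
$ca = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -eq $caSubject } | Select-Object -First 1
if (-not $ca) { throw "Test CA '$caSubject' not found in Cert:\CurrentUser\Root" }

foreach ($role in $leafSubjects.Keys) {
    $leaf = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $leafSubjects[$role] } | Select-Object -First 1
    if (-not $leaf) { Write-Warning "$role certificate not found in Cert:\CurrentUser\My"; continue }

    # Build the chain. A self-signed dev CA publishes no CRL, so skip revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($leaf)

    # The last chain element is the root that was actually used; it must be our test CA
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    $chainsToTestCa = ($rootThumb -eq $ca.Thumbprint)

    # Confirm the EKU extension names the purpose this cert is meant for
    $ekuExt = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = $false
    if ($ekuExt) {
        $ekuOk = (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $expectedEku[$role])
    }

    [pscustomobject]@{
        Role           = $role
        Thumbprint     = $leaf.Thumbprint
        HasPrivateKey  = $leaf.HasPrivateKey    # false means only the .cer, not the .pfx, was imported
        ChainBuilds    = $chainOk
        ChainsToTestCA = $chainsToTestCa
        ExpectedEku    = $ekuOk
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}
```

A row showing ChainBuilds = False with ChainStatus = UntrustedRoot means the CA landed in a store other than Trusted Root Certification Authorities, which is the mistake the import steps above warn about.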
