Creating and using development certificates for use with a self-hosted WCF Service.

Friday, November 20, 2009 8:49
Posted in category Web, Windows

This quick how-to shows you how to create and use certificates in a development environment for use with a self-hosted WCF service. This means that the WCF service is not hosted with IIS, but runs, for example, as a Windows Service.

We will use the makecert.exe tool that ships with the Microsoft Windows SDK. The Windows SDK is available as a free download from Microsoft.

First, we create a root certificate that we can use to ‘sign’ our development certificate. To do so, we use makecert.exe. After installing the Windows SDK, makecert.exe should be available in a directory like C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin. (Depending on the version installed.)

Use the following command to create the certificate;

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer


I won’t be using a password in this development environment, but you’re free to do so. I’m clicking ‘None’ here.

You should see this notice;

Succeeded

After the certificate has been created, you can create the certificate revocation list by using this command;

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl

Again, you should see this notice;

Succeeded

Now you have to import the two files you just created, the root certificate and its revocation list, into the certificate store of your computer;

  1. Click Start and then click Run. In the command line, type MMC and then click OK.
  2. In the Microsoft Management Console, on the File menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
  5. In the Certificates snap-in dialog box, select the Computer account radio button because the certificate needs to be made available to all users, and then click Next.
  6. In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
  7. In the Add Standalone Snap-in dialog box, click Close.
  8. In the Add/Remove Snap-in dialog box, click OK.
  9. In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
  10. Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then click Import.
  11. On the Certificate Import Wizard welcome screen, click Next.
  12. On the File to Import screen, click Browse.
  13. Browse to the location of the signed Root Certificate Authority RootCATest.cer file created earlier, select the file, and then click Open.
  14. On the File to Import screen, click Next.
  15. On the Certificate Store screen, accept the default choice and then click Next.
  16. On the Completing the Certificate Import Wizard screen, click Finish.
  17. Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then click Import.
  18. On the Certificate Import Wizard welcome screen, click Next.
  19. On the File to Import screen, click Browse.
  20. In Files of Type, select Certificate Revocation List.
  21. Browse to the location of the signed Root Certificate Authority RootCATest.crl created earlier, select the file, and then click Open.
  22. On the File to Import screen, click Next.
  23. On the Certificate Store screen, accept the default choice and then click Next.
  24. On the Completing the Certificate Import Wizard screen, click Finish.

The root certificate and the revocation list are now installed on your computer. You can now create a ‘normal’ certificate that your WCF service can use;

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

After the certificate is created, you should see “Succeeded”.

Now, locate the thumbprint of this certificate through the MMC you used to import the root certificates. Open Certificates, Personal, Certificates and locate the created certificate on the right side;


Double-click on the certificate to open it and select the tab ‘Details’.

In the Details tab, under ‘Field’ select the ‘Thumbprint’ (at the bottom).


Copy the Thumbprint value to notepad or something and remove all the spaces.

So my “a4 c5 de 1d 2f f4 90 a4 e3 01 51 f2 fb da 0e 0c 6d c5 84 b8” becomes “a4c5de1d2ff490a4e30151f2fbda0e0c6dc584b8”.

Now we can bind the certificate to the port that our service uses. Since my service uses port 8000, I will bind the certificate to port 8000 on all interfaces of my machine by using this command;

netsh http add sslcert ipport=0.0.0.0:8000 certhash=a4c5de1d2ff490a4e30151f2fbda0e0c6dc584b8 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

Replace the certhash value with the Thumbprint value you just extracted. The appid isn’t used in this scenario; leave it as in the example.

Now the certificate has been bound to the port, and you can start using an SSL-encrypted connection to your service.
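As an added example that is not part of the original post, the same thumbprint lookup and netsh binding done from PowerShell: it finds the certificate in the Local Computer\Personal store (where makecert put it), checks that the private key is present, binds it and shows the resulting binding. It assumes the subject CN=tempCert, port 8000 and the appid GUID used in the post.

```powershell
# Added example (not from the original post): locate the development
# certificate in LocalMachine\My, take its thumbprint and bind it to the
# service port with netsh, then verify the binding.
# Assumptions: subject CN=tempCert, port 8000, appid GUID from the post.
$Subject = 'CN=tempCert'
$IpPort  = '0.0.0.0:8000'
$AppId   = '{00112233-4455-6677-8899-AABBCCDDEEFF}'

# makecert -sr localmachine -ss my placed the certificate in LocalMachine\My
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$Subject' found in LocalMachine\My."
}

# netsh can only bind a certificate whose private key lives in this store;
# a certificate imported without its key (a bare .cer) fails at this point.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in LocalMachine\My."
}

# .Thumbprint is the SHA-1 hash as one hex string, so no manual space stripping
$thumb = $cert.Thumbprint
Write-Host "Binding $thumb ($($cert.Subject)), valid until $($cert.NotAfter)"

# Remove any stale binding on this ip:port first, then add the new one.
# The arguments are quoted so PowerShell does not parse the braces in the GUID.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$AppId"

# Verify: the listed Certificate Hash must match $thumb
netsh http show sslcert "ipport=$IpPort"
```

Run it from an elevated PowerShell prompt, since both the LocalMachine store and netsh http require administrator rights.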

You can configure your binding and behavior as such in the app.config of your service; (other stuff omitted)

<baseAddresses>
  <add baseAddress="https://localhost:8000/Service" />
</baseAddresses>

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceCredentials>
        <serviceCertificate findValue="CN=tempCert" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

Good luck.
