How to create a certificate for playing with your STS projects (Security Token Services)
August 27th, 2008
To sign, encrypt, decrypt or verify your security tokens, you will need certificates. Here I will explain how to create a certificate that can be used for this purpose. The command prompt shown below was started from the Visual Studio Command Prompt, as it gives you access to these commands from any working directory. If you don’t have Visual Studio, you can also get these tools from the Windows SDK.
Let's create a self-signed certificate, issued by localhost for itself.
| Switch | Meaning |
| --- | --- |
| -r | Create a self-signed certificate. |
| -sky exchange | The subject key type is intended to be used for exchange. |
| -a sha1 | The algorithm used to sign messages with this certificate will be SHA1. |
| -n CN=localhost | Set the certificate subject name. At least one CN= must be set (several can be set). This should be the same as the network name of the host that will use it. CN means Canonical Name. |
| -sv localhost.pvk | Where we store the private key file. If this file does not exist, a new one will be created. |
| localhost.cer | The name of the output file (our certificate). |
A dialog will appear asking us for a password to protect the private key file. If we don’t want to enter a password, we can simply click ‘None’.
Now we will convert our standard X.509 certificate into an SPC (Software Publisher Certificate). With real certificates, the SPC must be obtained from a valid CA (Certification Authority) such as Verisign. To do this, we call the cert2spc tool.
This SPC file will be used in our next and last step to generate the PFX (Personal Information Exchange) file. The PFX file will contain our certificate and its private key, ready to be imported on our target machine. This is done with the pvk2pfx command as shown below.
Now we are ready to import the certificate (CER file) or the certificate plus its private key (PFX file).
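The three steps above as one script for the Visual Studio or Windows SDK command prompt. This is an added example, not part of the original post: it assumes the certificate is generated with the Windows SDK `makecert` tool (the tool whose switches the table above describes), that `makecert`, `cert2spc` and `pvk2pfx` are on the PATH, and that the host name is given as the first argument (defaulting to localhost). The password value is a placeholder.

```batch
@echo off
REM Added example (not from the original post): create a self-signed certificate,
REM wrap it as an SPC and merge key + certificate into a PFX file.
REM Assumptions: makecert, cert2spc and pvk2pfx are on the PATH (true inside the
REM Visual Studio / Windows SDK command prompt); %1 is the host name.
setlocal
set HOST=%1
if "%HOST%"=="" set HOST=localhost

REM Placeholder password. makecert opens a dialog for the private key password;
REM -pi below must match what you type there. If you click 'None', drop -pi.
set PVK_PASSWORD=ChangeMe-Placeholder

REM Step 1: self-signed certificate issued by %HOST% for itself.
REM Private key goes to %HOST%.pvk, the public certificate to %HOST%.cer.
makecert -r -sky exchange -a sha1 -n CN=%HOST% -sv %HOST%.pvk %HOST%.cer
if errorlevel 1 goto fail

REM Step 2: convert the X.509 certificate into a Software Publisher Certificate.
cert2spc %HOST%.cer %HOST%.spc
if errorlevel 1 goto fail

REM Step 3: combine private key and SPC into a password-protected PFX.
REM -pi = password of the .pvk, -po = password of the new .pfx, -f = overwrite.
pvk2pfx -pvk %HOST%.pvk -spc %HOST%.spc -pfx %HOST%.pfx -pi %PVK_PASSWORD% -po %PVK_PASSWORD% -f
if errorlevel 1 goto fail

echo Created %HOST%.cer (public certificate) and %HOST%.pfx (certificate plus private key)
endlocal
exit /b 0

:fail
echo A step failed, see the error above.
endlocal
exit /b 1
```

Run it as `makecert-sts.cmd localhost` (or with another host name) from the SDK prompt; the `.pvk` and `.pfx` files contain the private key, so keep them out of source control and off machines that only need to verify signatures.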
Notes
- If you want to generate a certificate for another host, simply replace ‘localhost’ everywhere it is mentioned in these steps.
- There are several certificate repositories. If we are going to use this certificate to decrypt or sign, it should be stored in the ‘Personal’ repository (its alias for commands is ‘My’).
- As this is a self-signed certificate (signed by itself), to make a computer trust its certification path it should also be imported into the ‘Trusted Root Certification Authorities’ repository (the CER file, as we only need the public key to validate signatures).
- Remember that to use an internet-exposed STS you will need to get (buy) a valid certificate from a root authority. But for development, an internal network or your own domain, you can create your own certificates.
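The two imports described in the notes, done from the command line instead of the certificates snap-in. This is an added example and not part of the original post; it uses the Windows `certutil` tool (not mentioned in the post) and assumes `localhost.pfx` and `localhost.cer` are in the current directory and that the PFX was protected with the placeholder password used when it was built.

```batch
@echo off
REM Added example (not from the original post): import the PFX into the Personal
REM store and the CER into Trusted Root, then verify the chain.
REM Assumptions: certutil is available (it ships with Windows); files are in the
REM current directory; PFX_PASSWORD is the placeholder used to build the PFX.
setlocal
set HOST=localhost
set PFX_PASSWORD=ChangeMe-Placeholder

REM Certificate plus private key into the current user's Personal store ("My"),
REM which is where a signing or decrypting STS will look it up.
REM Drop -user to target the machine store instead (needs an elevated prompt).
certutil -user -p %PFX_PASSWORD% -importPFX %HOST%.pfx
if errorlevel 1 goto fail

REM Public certificate only into Trusted Root Certification Authorities, so the
REM self-signed certification path is trusted on this machine.
certutil -user -addstore Root %HOST%.cer
if errorlevel 1 goto fail

REM Check: chain validation of the certificate should now succeed.
certutil -verify %HOST%.cer
if errorlevel 1 goto fail

echo %HOST% certificate imported and its certification path validates.
endlocal
exit /b 0

:fail
echo Import or verification failed, see the error above.
endlocal
exit /b 1
```

On a machine that only has to validate tokens (for example a relying party), run just the `-addstore Root` line with the CER file; the private key should never leave the machine that issues or decrypts the tokens.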