Friday, June 03, 2011

WIF: Generating self-signed certificates

If you work with WIF (Windows Identity Foundation), you'll soon find that you need lots of self-signed certificates. They are used to secure the top-level SSL connection and to sign and encrypt the token.

Potentially, you need three certificates. The SSL certificate is mandatory, as is the token signing certificate; the token encryption certificate is optional. You could use the same certificate for all three, not that that is recommended!

In IIS 7.5, in IIS Manager, click on the very top level node on the LHS. In the middle pane, under IIS, click on "Server Certificates". Then on the RHS, click on "Create Self-Signed Certificate". After creating one, click on "Default Web Site" on the LHS. On the RHS, click on "Bindings" and you can associate this certificate with the HTTPS port 443 binding.

The problem with this certificate is that the CN (common name) is the machine name of your IIS server, not the host name of the web site's URL. Also, the certificate is not added to the "Trusted Root Certification Authorities" section of the browser's certificate store; you need to do this manually. Both of these result in browser certificate errors.

SelfSSL7 overcomes both problems, and it is the utility I generally use. There are options to automatically add the new certificate to the certificate store and to update the IIS binding. (See a previous blog entry for more info.)

There are many other ways to create certificates, e.g. Makecert.exe (Certificate Creation Tool) or the Win32 version of OpenSSL. There's a good article on how to use OpenSSL for this here.

You can also do this in PowerShell; refer to Creating Self Signed Certificates with PowerShell.
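As an added worked example (not from the original post or any of the tools it links to), the script below does in PowerShell what the two paragraphs above describe by hand: it creates the three certificates a WIF relying party can need (SSL, token signing, token encryption), with the SSL certificate's subject set to the site's host name rather than the machine name, puts the SSL certificate's public half into the machine's Trusted Root store, binds it to HTTPS/443 in IIS, and then checks the result before you open a browser. It assumes the New-SelfSignedCertificate, PKI and WebAdministration cmdlets (Windows 8 / Server 2012 or later, so newer than the IIS 7.5 setup the post describes), an elevated prompt, and the constructed placeholder host name rp.example.test; the friendly names and export folder are likewise constructed.

```powershell
# Added example: three self-signed certificates for a WIF relying party, trusted and bound in IIS.
# Assumes Windows 8 / Server 2012+ (New-SelfSignedCertificate, PKI, WebAdministration), run elevated.
# rp.example.test, the friendly names and C:\certs are constructed placeholders.

$siteHost  = "rp.example.test"    # the name users type in the browser, NOT the machine name
$siteName  = "Default Web Site"
$exportDir = "C:\certs"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# WIF (.NET 3.5/4.0) reads X509Certificate2.PrivateKey, which needs a CAPI key, so ask for a
# CAPI provider explicitly; the cmdlet's default CNG key storage provider would yield a key WIF cannot use.
$capiProvider = "Microsoft Enhanced RSA and AES Cryptographic Provider"
$common = @{
    CertStoreLocation = "Cert:\LocalMachine\My"   # the .NET 'My' store = 'Personal' in the MMC snap-in
    Provider          = $capiProvider
    HashAlgorithm     = "SHA256"
    KeyLength         = 2048
    KeyExportPolicy   = "Exportable"
}

# 1. SSL certificate: DNS name must match the site URL or the browser will complain.
$sslCert = New-SelfSignedCertificate @common `
    -DnsName $siteHost `
    -FriendlyName "WIF SSL ($siteHost)" `
    -KeySpec KeyExchange `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(1)
# (the TextExtension above sets EKU = Server Authentication)

# 2. Token signing certificate: only needs to sign.
$signCert = New-SelfSignedCertificate @common `
    -Subject "CN=WIF Token Signing ($siteHost)" `
    -FriendlyName "WIF token signing" `
    -KeySpec Signature `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(2)

# 3. Token encryption certificate: the RP decrypts with this key, so it must be an exchange key.
$encCert = New-SelfSignedCertificate @common `
    -Subject "CN=WIF Token Encryption ($siteHost)" `
    -FriendlyName "WIF token encryption" `
    -KeySpec KeyExchange `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -NotAfter (Get-Date).AddYears(2)

# 4. Trust the SSL certificate on this machine (the IIS wizard does not do this).
#    Only the public part (.cer) goes into Root; the private key stays in My.
$cerPath = Join-Path $exportDir "$siteHost.cer"
Export-Certificate -Cert $sslCert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Bind it to HTTPS/443 on the site (what "Bindings" in IIS Manager does).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}
$sslBinding = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $sslCert | Out-Null

# 6. Checks before opening a browser: chain builds to a trusted root under the SSL policy
#    with the right DNS name, and every certificate has a usable private key.
if (-not (Test-Certificate -Cert $sslCert -Policy SSL -DNSName $siteHost)) {
    throw "SSL certificate for $siteHost does not validate; check Root store and DNS name"
}
foreach ($c in @($sslCert, $signCert, $encCert)) {
    if (-not $c.HasPrivateKey) { throw "No private key for $($c.Subject)" }
}

# Thumbprints to paste into the RP's web.config / the STS configuration.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -like "WIF*" } |
    Format-Table FriendlyName, Subject, Thumbprint, NotAfter -AutoSize
```

The encryption certificate's public half (export it the same way as the SSL one) is what the STS needs in order to encrypt tokens for this RP; the private key never leaves the RP. Trust established in step 4 is per machine, so any other client that browses to the site still has to import the .cer into its own Trusted Root store, which is the usual reason people move from self-signed certificates to a small private test CA as soon as more than one machine is involved.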

DeployManager is a neat tool to create and display certificates (coming largely from the WCF viewpoint). Unlike the MMC snap-in, which shows the Windows store names (Personal), it shows the .NET store names (My):

DeployManager

To look at the certificates, use Certutil, OpenSSL, or the Certificates snap-in for MMC: How to: View Certificates with the MMC Snap-in. The same article also shows you how to view certificates with Internet Explorer. Certmgr.exe (Certificate Manager Tool) is also useful.

Enjoy!
