I created the wrong folder using makecert and you can't remove it using "mmc".
Then I found this post.
void Main()
{
    int  CERT_SYSTEM_STORE_LOCATION_SHIFT   = 16;
    uint CERT_SYSTEM_STORE_CURRENT_USER_ID  = 1;
    uint CERT_SYSTEM_STORE_LOCAL_MACHINE_ID = 2;
    uint CERT_STORE_DELETE_FLAG             = 0x10;
    // The store location id is carried in the upper 16 bits of the flags word (wincrypt.h).
    uint CERT_SYSTEM_STORE_CURRENT_USER  = CERT_SYSTEM_STORE_CURRENT_USER_ID  << CERT_SYSTEM_STORE_LOCATION_SHIFT;
    uint CERT_SYSTEM_STORE_LOCAL_MACHINE = CERT_SYSTEM_STORE_LOCAL_MACHINE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT;

    // Delete the stray "makecert" store from the current user's location; swap in
    // CERT_SYSTEM_STORE_LOCAL_MACHINE to target the "Local Computer" location instead.
    bool ok = CertUnregisterSystemStore("makecert", CERT_STORE_DELETE_FLAG | CERT_SYSTEM_STORE_CURRENT_USER);
    if (!ok)
        Console.WriteLine("CertUnregisterSystemStore failed, Win32 error " + Marshal.GetLastWin32Error());
}

// SetLastError = true lets Marshal.GetLastWin32Error() report why a call failed.
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CertUnregisterSystemStore(string systemStore, uint flags);
You also need to add:
using System.Runtime.InteropServices;
and run it in LINQPad as a "C# Program" query.
Works for "Current User" but doesn't seem to work for "Local Computer".
Enjoy!
Ideas and thoughts about Microsoft Identity, C# development, cabbages and kings and random flotsam on the incoming tide
Thursday, March 29, 2018
Tuesday, March 20, 2018
Certificates : Getting the thumbprint via OpenSSL
I've been looking at AWS Cognito and keep coming across interesting snippets of how to do things.
Let's say you wanted the ADFS thumbprint for the SSL certificate.
You could do this via mmc or via the ADFS wizard or via the IIS binding.
You could also do:
openssl s_client -showcerts -connect my-adfs:443
Note: You just use the top-level ADFS URL - don't add /adfs/ls etc.
This displays:
Loading 'screen' into random state - done
CONNECTED(000005DC)
depth=0 CN = my-adfs
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = my-adfs
verify return:1
---
Certificate chain
0 s:/CN=my-adfs
i:/CN=my-adfs
-----BEGIN CERTIFICATE-----
MIIExD...vLMng0
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=my-adfs
issuer=/CN=my-adfs
---
No client certificate CA names sent
---
SSL handshake has read 1964 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 29140000...E4D79A337F1F0BBC9
Session-ID-ctx:
Master-Key: 91E8...DE30CD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1521150875
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=10054
Copy / paste this section:
-----BEGIN CERTIFICATE-----
MIIExD...vLMng0
-----END CERTIFICATE-----
into a file called e.g. adfs.cer
Then:
openssl x509 -in c:\xxx\adfs.cer -fingerprint -noout
SHA1 Fingerprint=24:F8:...:9A:21:2B:35
Enjoy!
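The same thumbprint calculation done in Python, as an added example rather than the post's own procedure, so the value can be scripted and compared against what is configured on the relying party side. It assumes the s_client output has been read into a string; the certificate bytes it embeds are a constructed stand-in, not a real ADFS certificate.

```python
"""Compute a certificate thumbprint from the PEM block that
`openssl s_client -showcerts` prints, the way `openssl x509 -fingerprint`
does: hash the DER bytes between the BEGIN/END CERTIFICATE lines."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of the first certificate found in text (s_client output or a .cer file)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:           # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der

def format_fingerprint(digest: bytes) -> str:
    """Render a digest the way openssl prints it: upper-case hex pairs joined by colons."""
    return ":".join(f"{b:02X}" for b in digest)

def der_thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """'sha1' matches the post; 'sha256' matches `openssl x509 -fingerprint -sha256`."""
    return format_fingerprint(hashlib.new(algorithm, der).digest())

def thumbprint(text: str, algorithm: str = "sha1") -> str:
    return der_thumbprint(pem_to_der(text), algorithm)

def thumbprint_matches(observed: str, expected: str) -> bool:
    """Compare ignoring case and separators, so a value copied from mmc (no colons)
    matches one printed by openssl (colons). Check this before trusting a new endpoint."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(observed) == norm(expected)

# Constructed sample (not a real certificate): a tiny DER SEQUENCE wrapped the way
# s_client prints a chain entry, so the script runs offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])       # SEQUENCE { INTEGER 5 }
SAMPLE_OUTPUT = ("Certificate chain\n 0 s:/CN=my-adfs\n   i:/CN=my-adfs\n"
                 "-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(SAMPLE_DER).decode() +
                 "\n-----END CERTIFICATE-----\n---\nServer certificate\n")

if __name__ == "__main__":
    print("SHA1 Fingerprint=" + thumbprint(SAMPLE_OUTPUT))
    print("SHA256 Fingerprint=" + thumbprint(SAMPLE_OUTPUT, "sha256"))
```

When the host serves several names, add -servername my-adfs to the s_client command so SNI returns the certificate you actually want to fingerprint.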
Tuesday, March 13, 2018
SAML : Decoding the SAML response
I've blogged before about this and I normally use the SAML Tracer running under Firefox.
Someone asked me about AWS Cognito and while I was having a look at this and doing some troubleshooting, I came across a page that also showed you how you can do this with PowerShell.
Basically, in your trace find the "SAML Response".
Then copy / paste it into:
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("base64encodedtext"))
so something like:
PS C:\> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PHNhbWxwO2...c2FtbHA6UmVzcG9uc2U+"))
<samlp:Response ID="_f560b...9cf8c7d" Version="2.0" IssueInstant="2018-03-13T02:13:05.625Z" Destination="https://signin.aws.amazon.com/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">...</Assertion></samlp:Response>
Neat!
Enjoy!
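The same decode in Python, as an added example rather than the post's own one-liner; it goes a step further by also handling the Redirect-binding form (raw DEFLATE under the base64) and pulling out the fields worth comparing against the service provider's configuration. The sample response is constructed: the issuer, NameID and timestamps are made up, and only the Destination comes from the post.

```python
"""Decode a SAMLResponse copied from a browser trace and list the fields a
reviewer checks first. The post's PowerShell one-liner is the HTTP-POST case
(plain base64); the HTTP-Redirect binding deflates first, so both are handled."""
import base64
import zlib
import xml.etree.ElementTree as ET   # use defusedxml for real captures

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml(b64: str) -> str:
    """Base64-decode; if the bytes are not already XML, inflate them (Redirect binding)."""
    raw = base64.b64decode("".join(b64.split()))
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)           # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8")

def summarize(xml_text: str) -> dict:
    """Fields to compare against what the service provider is configured to expect."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", "", NS).strip(),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", None, NS),
        "audiences": [a.text for a in root.findall(".//saml:Audience", NS)],
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "has_signature": root.find(".//ds:Signature", NS) is not None,   # presence only, not validity
    }

# Constructed sample response (not a real capture), shaped like the one the post decodes.
SAMPLE_XML = (
    '<samlp:Response ID="_example" Version="2.0" IssueInstant="2018-03-13T02:13:05.625Z" '
    'Destination="https://signin.aws.amazon.com/saml" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>http://my-adfs/adfs/services/trust</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-03-13T02:13:05.625Z">'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2018-03-13T02:13:05.625Z" NotOnOrAfter="2018-03-13T03:13:05.625Z">'
    '<saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()    # what SAML Tracer shows
_deflate = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT = base64.b64encode(_deflate.compress(SAMPLE_XML.encode()) + _deflate.flush()).decode()
```

Call summarize(decode_saml(SAMPLE_POST)) or the SAMPLE_REDIRECT form to see the extracted fields; has_signature only tells you a Signature element exists, signature validation is the service provider's job.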