Sunday, September 17, 2006

On Thursday evening I gave a talk on WS Security Fundamentals in Dayton Ohio. One of the resources I point to is the PAG Guide on Securing Web Services. On the way home the next day, while sitting on the runway in PHL for 2 hours before taking off (uggh), I was reading the latest ASPNET Pro and Michele Leroux Bustamante's Under the Hood column was all about X509 cert management. It's great advice and I highly recommend it. It's the October 2006 issue which does not have all of its articles online.

Many developers who are starting out with programming message-level security (e.g. with WSE or WCF) definitely have a learning curve when it comes to having to grok all of these bits and pieces of security tools that we have to work with: encryption, hashing, signing, certificates. I don't know how many times I have seen the question "where do I get a certificate" in the WSE newsgroups. Heck, I had the same question myself once. And it was a lot of work to wrap my head around all of this crypto stuff.

So.... if you get ASPNET Pro or you can grab a copy at your local user group, check it out.

I'm going to send this to the sysadmin that works with one of my clients. I spent three months trying to explain to him why I needed a server certificate that was not going to be used for SSL. Aargh. Message level security seems to be a bit of an oxymoron to IT Pros.

WSE
Sunday, September 17, 2006 7:56:49 PM (Eastern Standard Time, UTC-05:00)
Wednesday, September 20, 2006 3:46:57 PM (Eastern Standard Time, UTC-05:00)
How long has ASP.NET been around?
Kathy
Thursday, September 21, 2006 3:37:00 PM (Eastern Standard Time, UTC-05:00)
2001
Vijay
Thursday, September 28, 2006 11:11:56 AM (Eastern Standard Time, UTC-05:00)
A good article, but I was having problems trying to export the private key of a cert I generated with the -pe parameter. I've just started hunting around for an answer, so it may be an obvious problem.

Anyway, any thoughts on why the private key doesn't get included if I execute the command like this?

makecert.exe -r -pe -n "CN=RPKey" -ss -my -sr currentuser -sky exchange
-sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\Test.cer

After installing the cert, I was unable to create a .pfx as described in the article.
Peter
Thursday, September 28, 2006 12:06:50 PM (Eastern Standard Time, UTC-05:00)
Well, I found the syntax error: -my should be my (it's a value for the -ss parameter indicating the certificate should be installed in the Personal logical store). I point this out because makecert did not object to my error and happily created a new logical store called "-my".
Peter
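The silent "-my" store Peter ran into is worth checking for programmatically before trying to build a .pfx. The following C# snippet is an added example, not code from the blog post or its comments: it opens the CurrentUser Personal ("My") store, looks for the subject "CN=RPKey" from Peter's makecert command, reports whether the certificate carries a private key, and only then attempts the PFX export. The subject name, the output file name and the password are placeholders to adapt.

```csharp
// Added example (not from the post or comments): verify that a makecert-generated
// certificate landed in the intended store and has a usable private key before
// exporting it to PFX. Subject "CN=RPKey" is taken from the command in the comments;
// the file name and password below are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertCheck
{
    static void Main()
    {
        const string subject = "CN=RPKey";

        // StoreName.My is the Personal store that "-ss my" targets. A typo such as
        // "-ss -my" makes makecert create a separate logical store literally named "-my",
        // which this lookup will not see.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, validOnly: false);

            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with subject {0} in CurrentUser\\My.", subject);
                Console.WriteLine("Open certmgr.msc and look for an unexpected logical store such as \"-my\".");
                return;
            }

            foreach (X509Certificate2 cert in matches)
            {
                Console.WriteLine("Thumbprint:      {0}", cert.Thumbprint);
                Console.WriteLine("Has private key: {0}", cert.HasPrivateKey);

                if (!cert.HasPrivateKey)
                {
                    // The public certificate is present but no key is associated with it.
                    Console.WriteLine("No private key is associated with this certificate; a PFX export is not possible.");
                    continue;
                }

                try
                {
                    // Export fails with a CryptographicException when the key exists but was
                    // generated without -pe (not marked exportable).
                    byte[] pfx = cert.Export(X509ContentType.Pfx, "CHANGE-ME-placeholder");
                    File.WriteAllBytes("RPKey.pfx", pfx);
                    Console.WriteLine("Wrote RPKey.pfx ({0} bytes).", pfx.Length);
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("Private key is not exportable: {0}", ex.Message);
                }
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

Running this right after makecert distinguishes the three cases that otherwise all look like "the .pfx won't build": the certificate went into the wrong store, the certificate has no associated key, or the key is present but was not created exportable.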
Wednesday, October 04, 2006 4:16:47 PM (Eastern Standard Time, UTC-05:00)
So which CA did you go with to obtain your certificates? When I talk to VeriSign they are clueless about what I need or tell me they don't issue this type of cert. You probably already know that their normal SSL certs don't work for WSE. I am interested in what CA people are using and what cert type (client, server, code signing, etc.) they are buying and what additional options they specify.
Foo
Wednesday, October 04, 2006 4:54:36 PM (Eastern Standard Time, UTC-05:00)
You just need to be careful WHICH cert you get. Here's some help.
http://weblogs.asp.net/cibrax/archive/2006/08/08/Creating-X509-Certificates-for-WSE-or-WCF.aspx
Julie
Wednesday, October 04, 2006 11:03:05 PM (Eastern Standard Time, UTC-05:00)
Thanks, I saw this article before, but when I talk to anyone in VeriSign they just tell me they don’t sell this type of cert. Can you tell me who you talked to (which group, 800 number), and which product you requested? I went as far as setting up my own CA on a Windows 2003 Server and creating a client authentication cert. But when I talk to VeriSign I sometimes feel like I know more about x509 than they do. I think I am not talking to the right people. Thanks for your help.
Foo
Wednesday, October 04, 2006 11:18:30 PM (Eastern Standard Time, UTC-05:00)
Foo, I personally gave up after debating with our sysadmin for three months and not being able to find anybody to tell him what he needed to hear and just went with an IIS created certificate. So I can't say. Therefore, I have created a blog post asking the same question because nobody ever seems to know the answer. So watch this space: http://www.thedatafarm.com/blog/PermaLink,guid,037b2d22-dbd1-4dc9-af1d-61882192a6c2.aspx
Julie
Thursday, October 05, 2006 7:12:06 PM (Eastern Standard Time, UTC-05:00)
Thanks, Julie. I will post a response if I find out something of value.
Foo