Creating a self signed SSL certificate for testing purposes

If you’re doing any kind of development work with ADAM (or IIS) it’s highly likely that your initial “sandpit” ADAM instance falls into one of three categories:
  • Local instance on your XP (or Vista) workstation
  • Instance(s) on a couple of stand-alone servers
  • Instance(s) on a couple of member servers in a very simple domain
The point here is that there’s probably no Certification Authority (CA) to provide you with an SSL certificate. Sure, you can test without SSL in the lab, but realistically at some point you find yourself needing SSL, and not having a CA infrastructure is a pain.

So, what can we do about it? Well, the answer’s pretty simple really: create some self-signed [testing only] certificates and use SSL.

I’ll explain how to do this in just a couple of minutes. Summarised, the steps, using MAKECERT, are:

  • Create a trusted root cert and stick that in the Trusted Root Certification Authorities certificate store and the Trusted Publishers certificate store
  • Create your SSL cert and stick it in the ADAM instance machine’s personal store. To do this you require MAKECERT obviously, and preferably CERTMGR, although you can move and copy the certificates using the certificates GUI (MMC snap-in) too.
  • Restart ADAM
The detailed steps are as follows:
  • Fire up a command prompt and, if you don’t have MAKECERT as part of your path variable, change the working directory to a directory that houses MAKECERT and CERTMGR
  • Create the root certificate in the Trusted Root Certification Authorities certificate store by typing the following command (-r makes it self-signed; the last argument is the file the certificate is also written to):
    makecert -pe -n "CN=msresource.net Dev CA" -ss Root -sr LocalMachine -a sha1 -sky signature -r "c:\windows\adam\certs\msrDevCA.cer"
  • Install the certificate into the Trusted Publishers certificate store by typing the following command:
    certmgr -add %systemroot%\adam\certs\msrDevCA.cer -s -r localmachine trustedpublisher
  • Create the SSL certificate using the previously created trusted root certificate by typing either of the following commands (the angle-bracket parts are placeholders you replace with your own values):
    makecert -pe -n "CN=<ADAM host FQDN>" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic "<path to root cert>.cer" -ir LocalMachine -is Root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "<path to SSL cert>.cer"
    For example, on my host adam-dev-01 in my domain r2.msresource.net, I will create the certificate in the same folder as the root – C:\Windows\adam\certs\ – using the certificate file name of the root certificate I previously created, C:\Windows\adam\certs\msrDevCA.cer:
    makecert -pe -n "CN=adam-dev-01.r2.msresource.net" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic "c:\windows\adam\certs\msrDevCA.cer" -ir LocalMachine -is Root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "c:\windows\adam\certs\msrDevSSL.cer"
    Or, instead of using the actual certificate file, I can look for the certificate in the root store by its common name, like so:
    makecert -pe -n "CN=<ADAM host FQDN>" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "<CN of root cert>" -ir LocalMachine -is Root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "<path to SSL cert>.cer"
    For example, on my host adam-dev-01 in my domain r2.msresource.net, I will create the certificate in the same folder as the root – C:\Windows\adam\certs\ – using the common name (CN) of the root certificate I previously created, msresource.net Dev CA (note: the value passed to -in is the CN only, without the CN= prefix):
    makecert -pe -n "CN=adam-dev-01.r2.msresource.net" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "msresource.net Dev CA" -ir LocalMachine -is Root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "c:\windows\adam\certs\msrDevSSL.cer"
  • Grant the NETWORK SERVICE security principal (the account ADAM runs as by default) read permissions to the RSA machine keys, so that the service can use the private key, by typing the following command:
    cacls "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys" /e /g "NT AUTHORITY\NETWORK SERVICE":R /t /c
  • Restart ADAM, using whichever tool you prefer, e.g. net stop msresdev & net start msresdev, and then attempt to connect to ADAM over SSL (port 636 by default)
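Once the steps above are done, it is worth confirming that each one actually produced what the next one depends on, rather than discovering a problem only when an LDAPS bind fails. The following PowerShell script is an added example and is not part of the original post; it assumes the subject names, store locations and port used in the post (adjust the three parameters at the top for your own host) and checks, in order: the dev root is in the LocalMachine Root store, the SSL certificate is in the LocalMachine personal store with a private key and the Server Authentication EKU, the chain builds to the trusted root, and ADAM on port 636 presents that same certificate.

```powershell
# Added verification script for the makecert/ADAM procedure (not from the original post).
# Assumed values: the subject names and LDAPS port from the post; change them to suit.
param(
    [string]$CaSubject = 'CN=msresource.net Dev CA',        # -n value of the makecert -r step
    [string]$HostFqdn  = 'adam-dev-01.r2.msresource.net',   # CN of the SSL certificate
    [int]$LdapsPort    = 636                                 # ADAM SSL port
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU passed to -eku

# 1. The dev root must sit in LocalMachine\Root (what "-ss Root -sr LocalMachine" produced).
$root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject })
if ($root.Count -eq 0) { throw "Root '$CaSubject' not found in LocalMachine\Root (check -ss/-sr on the -r step)" }
if ($root.Count -gt 1) { Write-Warning "More than one root has that subject; makecert -in matches by name, so remove stale copies" }

# 2. The SSL certificate must be in LocalMachine\My, issued by that root, with a private key
#    and the Server Authentication EKU. A subject typo shows up here as "not found".
$ssl = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostFqdn" -and $_.Issuer -eq $CaSubject })
if ($ssl.Count -eq 0) { throw "No certificate CN=$HostFqdn issued by '$CaSubject' in LocalMachine\My" }
$ssl = $ssl[0]
if (-not $ssl.HasPrivateKey) { throw "Certificate has no usable private key (was -pe given? is the MachineKeys folder readable?)" }
if (-not ($ssl.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) { throw "Certificate lacks the Server Authentication EKU ($serverAuthOid)" }
if ($ssl.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($ssl.NotAfter)" }

# 3. The chain must build from the SSL certificate to the trusted dev root with no errors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # makecert certificates carry no CRL distribution point
if (-not $chain.Build($ssl)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain from CN=$HostFqdn to '$CaSubject' does not validate"
}

# 4. A real TLS handshake against the LDAPS port. The default validation uses the machine
#    stores, so a wrong issuer, wrong store or hostname mismatch surfaces as an exception here.
$tcp = New-Object System.Net.Sockets.TcpClient($HostFqdn, $LdapsPort)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $tls.AuthenticateAsClient($HostFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    if ($presented.Thumbprint -ne $ssl.Thumbprint) {
        Write-Warning ("ADAM presented {0} ({1}), not the certificate in the My store; " +
                       "restart ADAM or re-check the NETWORK SERVICE key permissions") -f $presented.Subject, $presented.Thumbprint
    } else {
        Write-Output "LDAPS OK: $HostFqdn presented thumbprint $($ssl.Thumbprint)"
    }
} finally {
    $tls.Dispose()
    $tcp.Dispose()
}
```

Run it from an elevated PowerShell prompt on the ADAM host. Each check is ordered so that the first failure points at the step of the procedure that went wrong: step 1 maps to the root creation, step 2 to the SSL certificate creation and the MachineKeys permissions, step 3 to the -is/-ir store choice, and step 4 to the ADAM restart.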
That’s it. You can fine-tune the certificates some more if you like, e.g. shorter expiry dates, etc., but that will get SSL working nicely. Before we end this post, I’ll ever so briefly cover some troubleshooting. The two main errors that I’ve seen MAKECERT produce when doing this are as follows.
  • Error: Can't create the key of the subject ('beb989af-f71c-494e-84f2-a8b846e8dbde')
  • Error: There is no matching certificate in the issuer's MY cert store
The first error in the list seems to be a permissions problem. When trying to work this out I had the first certificate (actually the second, if you include the root) work fine and subsequent attempts to create certificates fail, which was a real problem as I mistyped the name of the certificate on my first go, so it wouldn’t work on my machine. I fixed this issue by granting the administrators group on the local machine full control permissions over the following folder. I did this because I was using an administrative account to create the certificates.
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys\
Here’s the CACLS command line to do this (as it’s too much work to describe how to configure permissions via the UI):
cacls "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys" /e /g "Builtin\Administrators":F /t /c
The second issue is usually down to a typo. If you specify the name of the issuing certificate (as opposed to specifying the file name of the issuing certificate) then you’ll get this error if the certificate can’t be found in the store you specify. In my case, I accidentally prepended the CN= identifier to the CN of the root certificate, which was incorrect. I also used -is MY instead of -is Root. I got there eventually ;-)

A third error that you might encounter is having the usage text displayed when you run the command. This is obviously because you’ve got a parameter wrong in one way or another. One to watch for is that you can’t specify -in and -ic together. Those options are mutually exclusive, which is why I provided both examples.