In my current web project I’m using mutual SSL authentication, and for testing purposes I had to create a self-signed client certificate.
First, an introduction. Mutual SSL (TLS) authentication, also referred to as client certificate authentication, authenticates both ends of the connection with digital certificates: the server presents its certificate as usual, and the client proves that it holds the private key belonging to its own certificate. Working with digital certificates gives you passwordless authentication. However, it relies on one thing: TRUST. Trust isn’t cheap, and its cost is hidden in the certificate itself. Your server can only accept a client certificate if it chains up to a certificate authority (CA) that the server trusts. If a trusted authority has signed the certificate, you can consider that the certificate really represents your correspondent; a certificate signed by nobody you trust proves nothing.
For development you don’t need a public CA at all, and paying one for test certificates would be a waste: you create your own root certificate, tell Windows to trust it, and sign your client certificates with it. This is what self-signed certificates are widely used for in testing, and it is what the rest of this post does.
Creating a self-signed certificate for client authentication is not very hard, but when I started my project I couldn’t find good resources, so I’ve decided to add my own notes.
In this post I will explain the following:
- How to use the makecert tool, and how to install makecert on Windows if it is missing?
- How to create a root certificate and store it in “Trusted Root CA” in the Windows certificate management console?
- How to create client certificates for local testing of two-way authentication?
- How to configure IIS for client certificate authentication?
How to use the makecert tool, and how to install makecert on Windows if it is missing?
Since Windows 8, makecert is no longer shipped with Windows itself; it is included in the “Windows Software Development Kit (SDK)” and the “Windows Driver Kit (WDK)”, together with pvk2pfx, which we need later. So you need to install one of those first and then open the “Developer Command Prompt for VS2015” with Administrator privileges (writing to the Local Computer certificate store requires elevation) to use makecert. You can download the Windows Software Development Kit (SDK) from Microsoft: https://developer.microsoft.com/en-us/windows/downloads/windows-8-1-sdk
Note that Microsoft has deprecated makecert. On Windows 10 / Server 2016 and later the PowerShell cmdlet New-SelfSignedCertificate (with its -Signer parameter for issuing from your own root) does the same job, and the Windows SDK may no longer install makecert at all.
How to create a root certificate and store in “Trusted Root CA” in windows certificate management console?
You can create the certificate that you will use as the root (the issuer) of your client certificates with the following command:
makecert -r -pe -ss my -sr LocalMachine -n "CN=MyRootCert" -sv "C:\Temp\MyRootCert.pvk" C:\Temp\MyRootCert.cer
(The order of parameters is not important!)
-r: Create a self signed certificate
-pe: Mark generated private key as exportable
-sr LocalMachine: Use LocalMachine certificate store location.
-ss my: Store the output certificate in Personal folder
-n <X509name>: Certificate subject X500 name
-sv <pvkFile>: Subject’s PVK file; To be created if not present
After executing this command you will be asked to set a password. This password protects the private key stored in MyRootCert.pvk, and makecert will ask for it (as the “Issuer password”) every time you sign a new certificate with this root. Keep the PVK file and its password safe: anyone who has both can issue certificates that every machine trusting MyRootCert will accept.
Finally, two files are created under C:\Temp. MyRootCert.pvk stores the private key, and MyRootCert.cer stores the certificate (the public key plus the self-signature; nothing secret). You can also check that the certificate has been imported into “Certificates (Local Computer) > Personal > Certificates” in the certificate management console (certlm.msc).
A note on defaults: makecert signs with SHA-1 unless told otherwise. For anything more than a throwaway test, add -a sha256 (and -len 2048 to be explicit about the key length), and add -cy authority so that the root is marked as a certification authority rather than an end-entity certificate.
If you double-click the MyRootCert.cer file you will see that your self-signed certificate is not trusted by the operating system. That is expected: a certificate is only trusted if it sits in a trust store, and so far it is only in Personal.
To fix this we will copy and paste the certificate from “Certificates (Local Computer) > Personal > Certificates” to “Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates”. From now on this machine trusts MyRootCert, and therefore every certificate signed with MyRootCert.pvk, for any purpose. Now check your MyRootCert.cer file again and it should show as trusted.
How to create client certificates for local testing of two way authentication?
Now we will use the root certificate (MyRootCert) we created before to sign our client certificates. Execute the following command:
makecert -n "CN=MyClient" -ss my -pe -sv "C:\Temp\MyClient.pvk" -iv "C:\Temp\MyRootCert.pvk" -ic "C:\Temp\MyRootCert.cer" C:\Temp\MyClient.cer
(The order of parameters is not important!)
-n <X509name>: Certificate subject X500 name
-ss my: Store the output certificate in Personal folder
-pe: Mark generated private key as exportable
-sv <pvkFile>: Subject’s PVK file; To be created if not present
-iv <pvkFile>: Issuer’s PVK file
-ic <file>: Issuer’s certificate file
You will be asked to set a password for the new certificate’s private key (MyClient.pvk). Then the root certificate’s password is asked for as the “Issuer password”: enter the password you set while creating the root certificate. Note that without an -eku option the client certificate is valid for every purpose, including server authentication; to restrict it to client authentication, add -eku 1.3.6.1.5.5.7.3.2 to the command.
As a result, two files are created under C:\Temp. MyClient.pvk stores the private key and MyClient.cer stores the certificate. When you double-click the MyClient.cer file you will see that the certificate is trusted and issued by “MyRootCert”, because the root is now in the Trusted Root store.
However, the copy of the certificate in the store has no private key attached, and the client needs that key to prove ownership of the certificate during the TLS handshake. To import certificate and key together, we package them in a Personal Information Exchange (PFX, also known as PKCS #12) file. To create the PFX file, execute the following command:
pvk2pfx -pvk C:\Temp\MyClient.pvk -spc C:\Temp\MyClient.cer -pfx C:\Temp\MyClient.pfx
-pvk <pvk-file>: Input PVK file name.
-spc <spc-file>: Input SPC file name.
-pfx <pfx-file>: Output PFX file name.
The PFX contains the private key, so it should not be stored without a password. pvk2pfx only sets one if you pass -po <password>; -pi <password> supplies the PVK password non-interactively, which is handy in scripts. Double-click the MyClient.pfx file created in C:\Temp and the import wizard will pop up. Leave the store location at “Current User” (browsers look for client certificates in the current user’s Personal store) and finish the wizard without changing anything else. The wizard asks for the PFX password: with the command above no password was set, so leave it empty. Your client certificate is now ready for two-way authentication.
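The whole procedure above (root certificate placed in Trusted Root, client certificate signed by it, PFX export with a password, and a final chain check) as one script. This is an added example written for this post, not code from the original post or from the makecert tool: it uses the PowerShell PKI cmdlets (New-SelfSignedCertificate with -Signer, Export-Certificate, Import-Certificate, Export-PfxCertificate) that Microsoft ships as the replacement for makecert and pvk2pfx on Windows 10 / Server 2016 and later. The subject names, the C:\Temp output directory and the client-authentication OID are the ones from the commands above; the key sizes, validity periods, the basic-constraints extension on the root and the prompted PFX password are my choices. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): root CA -> signed client
# certificate -> password-protected PFX, using the PKI cmdlets that replaced
# makecert and pvk2pfx. Run as Administrator (LocalMachine store access).
# Assumptions: C:\Temp exists; names, lifetimes and key sizes are placeholders.

$ErrorActionPreference = 'Stop'
$outDir = 'C:\Temp'

# 1. Root certificate. basicConstraints ca=true marks it as a CA and the key
#    usage limits it to signing, so it cannot double as a server or client
#    certificate. Like "makecert -r -ss my -sr LocalMachine" it is created in
#    Cert:\LocalMachine\My, with the private key kept in the store.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=MyRootCert' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Public part only (the equivalent of MyRootCert.cer). Never export the root
# with its private key just to hand it around.
Export-Certificate -Cert $root -FilePath "$outDir\MyRootCert.cer" | Out-Null

# 2. Trust it: the same as copying it to "Trusted Root Certification Authorities".
Import-Certificate -FilePath "$outDir\MyRootCert.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Client certificate issued by the root (makecert -iv/-ic). The EKU
#    extension restricts it to Client Authentication (1.3.6.1.5.5.7.3.2).
#    CurrentUser\My is where the browser looks when it shows the popup.
$client = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=MyClient' `
    -Signer $root `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 4. PFX with the private key, for another test machine or a non-browser
#    client (pvk2pfx equivalent). Unlike pvk2pfx without -po, always protect it.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for MyClient.pfx'
Export-PfxCertificate -Cert $client -FilePath "$outDir\MyClient.pfx" `
    -Password $pfxPassword | Out-Null

# 5. Check what IIS will check: the client certificate must chain to a trusted
#    root and be valid for client authentication. The test root publishes no
#    CRL, so revocation checking is disabled here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$clientAuthOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthOid) | Out-Null
if (-not $chain.Build($client)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'MyClient does not chain to a trusted root or is not valid for client authentication'
}
"Root:   $($root.Thumbprint)"
"Client: $($client.Thumbprint) issued by $($client.Issuer)"
```

If step 5 fails right after step 2, the usual reason is that the root was imported into the Current User rather than the Local Computer store, or that the client certificate was created before the root was trusted; rerun the chain check rather than recreating the certificates.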
How to configure IIS for client certificate authentication?
Now that we have the client certificate, we need to configure our web application for mutual SSL in Internet Information Services (IIS). The site needs an HTTPS binding with a server certificate first; the client certificate is negotiated inside that TLS connection.
In IIS, click on your site and select the “SSL Settings” feature.
Tick “Require SSL” and set Client certificates to “Required”. Don’t forget to click “Apply” to store your changes. “Required” makes IIS reject every request that does not carry a client certificate chaining to a root in the Local Computer’s Trusted Root store (the response is 403.7, “Client Certificate Required”). “Accept” asks the client for a certificate but still lets requests without one through, so only choose it if your application checks for the certificate itself.
One important caveat: IIS only verifies that the certificate is valid and chains to a trusted root. It has no idea who “MyClient” is. Any certificate issued by MyRootCert (or by any other root in that store) passes the handshake, so your application, or IIS client certificate mapping, still has to check the subject or thumbprint of the presented certificate before treating the request as authenticated.
After this, the browser will show a popup asking you to pick a client certificate when you open the web page. Internet Explorer, Edge and Chrome use the Windows certificate store; Firefox has its own store and needs the PFX imported separately.
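The same SSL Settings change made from PowerShell, with the weaker “Accept” variant shown for comparison and a check that IIS really refuses a request without a certificate. This is an added example, not part of the original post. It assumes the site is called “Default Web Site”, already has an HTTPS binding whose server certificate is trusted by the machine (otherwise Invoke-WebRequest fails on the server certificate before the client certificate ever matters), and that the MyClient certificate from the previous section is in Cert:\CurrentUser\My.

```powershell
# Added example (not from the original post): "Require SSL" + client
# certificates "Required" applied with the WebAdministration module, then a
# negative and a positive request to prove the setting is enforced.
# Assumptions: site "Default Web Site", HTTPS binding on https://localhost/
# with a trusted server certificate, client certificate CN=MyClient in
# Cert:\CurrentUser\My. Run as Administrator.

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
$site = 'Default Web Site'
$url  = 'https://localhost/'

# sslFlags values:
#   Ssl              = Require SSL
#   SslNegotiateCert = ask the client for a certificate
#   SslRequireCert   = refuse the request if no valid certificate is sent
# Weak variant ("Accept" in the GUI) would be 'Ssl,SslNegotiateCert': the
# request still reaches the application when no certificate is presented.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Read the setting back, so a typo in the value does not go unnoticed.
$flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $site -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
"sslFlags for '$site': $flags"

# Negative test: no client certificate. IIS must answer 403 (sub-status 403.7).
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    Write-Warning 'Request WITHOUT certificate succeeded: mutual TLS is not enforced'
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    "Without certificate: HTTP $status (expected 403)"
}

# Positive test: present MyClient from the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=MyClient' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'CN=MyClient with private key not found in Cert:\CurrentUser\My' }

$resp = Invoke-WebRequest -Uri $url -Certificate $cert -UseBasicParsing
"With certificate:    HTTP $($resp.StatusCode) (expected 200)"
```

The negative test is the one worth keeping in your test suite: a site that answers 200 without a certificate has silently fallen back to “Accept” or “Ignore”, and nothing in the browser popup will tell you.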
Hope it helps!
Originally published at https://www.weboideas.com on October 9, 2016.