On Thursday evening I gave a talk on WS Security Fundamentals in Dayton Ohio. One of the resources I point to is the PAG Guide on Securing Web Services. On the way home the next day, while sitting on the runway in PHL for 2 hours before taking off (uggh), I was reading the latest ASPNET Pro and Michele Leroux Bustamante’s Under the Hood column was all about X509 cert management. It’s great advice and I highly recommend it. It’s the October 2006 issue which does not have all of its articles online.
Many developers who are starting up with programming message level security (eg with WSE or WCF) definitely have a learning curve when it comes to having to grok all of these bits and pieces of security tools that we have to work with – encryption, hashing, signing, certificates. I don’t know how many times I have seen the question “where do I get a certificate” in the wse newsgroups. Heck, I had the same question myself once. And it was a lot of work to wrap my head around all of this crypto stuff.
So…. if you get ASPNET Pro or you can grab a copy at your local user group, check it out.
I’m going to send this to the sysadmin that works with one of my clients. I spent three months trying to explain to him why I needed a server certificate that was not going to be used for SSL. Aargh. Message level security seems to be a bit of an oxymoron to IT Pros.
Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!
9 thoughts on “Great FAQ on managing X509 Certs”
How long has ASP.NET been around?
A good article, but I was having problems trying to export the private key of a cert I generated with the -pe parameter. I’ve just started hunting around for an answer, so it may be an obvious problem. Anyway, any thoughts on why the private key doesn’t get included if I execute the command like this?makecert.exe -r -pe -n "CN=RPKey" -ss -my -sr currentuser -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\Test.cerAfter installing the cert, I was unable to create a .pfx as described in the article.
Well, I found the syntax error: -my should my (it’s a value for the -ss parameter indicating the certificate should be installed in the Personal logical store). I point this out because makecert did not object to my error and happily created a new logical store called "-my".
So which CA did you go with to obtain your certificates? When I talk to VeriSign they are clueless about what I need or tell me they don’t issue this type of cert. You probably already know that their normal SSL certs don’t work for WSE. I am interested in what CA people are using and what cert type (client, server, code signing, etc.) they are buying and what additional options they specify.
You just need to be careful WHICH cert you get. Here’s some help.http://weblogs.asp.net/cibrax/archive/2006/08/08/Creating-X509-Certificates-for-WSE-or-WCF.aspx
Thanks, I saw this article before, but when I talk to anyone in VeriSign they just tell me they don’t sell this type of cert. Can you tell me who you talked to (which group, 800 number), and which product you requested? I went as far as setting up my own CA on a Windows 2003 Server and creating a client authentication cert. But when I talk to VeriSign I sometimes feel like I know more about x509 than they do. I think I am not talking to the right people. Thanks for your help.
Foo, I personally gave up after debating with our sysadmin for three months and not being able to find anybody to tell him what he needed to hear and just went with an IIS created certificate. So I can’t say. Therefore, I have created a blog post asking the same question becuase nobody ever seems to know the answer. So watch this space: http://www.thedatafarm.com/…/PermaLink,guid,
Thanks, Julie. I will post a response if I find out something of value.