Geeks With Blogs
Jamie Kurtz Promoting architectural simplicity

When developing WCF services that interact with a custom Security Token Service (STS), you will need to create at least one X.509 certificate. If you have access to a trusted certificate authority – e.g. a Windows Active Directory domain – then this task is pretty simple. But if you don’t, or maybe you would just rather create a set of self-signed certificates, here is an approach that works well for me.

This particular scenario utilizes three separate certificates. The first one is named “localhost” and is used to create an HTTPS binding in IIS 7.5. The other two certificates are used to sign and encrypt the security token created by our custom STS. Note that the certificate used for the HTTPS binding is called “localhost” so that running the sites on our laptops will always be valid – since the host name of the local development sites will always be “localhost”.

The PowerShell script below essentially uses MakeCert to create the issuer certificate – which is the one called “localhost”. Then we import that certificate into the LocalMachine Trusted Root store, so that we can use it as a trusted issuer and signer of the other two certificates. When using MakeCert to create the other two certificates, we use the -in, -ir, and -is arguments to tell MakeCert to sign them with the “localhost” certificate we created (and that is now fully trusted since we imported it into the Trusted Root store).

```powershell
# Subject names: the issuer doubles as the IIS HTTPS certificate, the other two
# sign and encrypt the security token issued by the custom STS.
$issuerCertificate = "localhost"
$tokenCertificates = "TokenSigningCert", "TokenEncryptingCert"

# Paths to the Windows SDK tools (adjust for your SDK version/location).
$makecert = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\makecert.exe'
$certmgr = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\certmgr.exe'

function CreateIssuerCertificate {
    param($certificateSubjectName)

    # Skip creation if a certificate with this subject is already in LocalMachine\My.
    $exists = ls cert:\LocalMachine\My | select subject | select-string "cn=$certificateSubjectName"
    if($exists -ne $null)
    {
        echo "$certificateSubjectName certificate already exists"
    }
    else
    {
        # Remove any stale .cer file from a previous run.
        ls $env:temp\$certificateSubjectName.* | del
        # -r: self-signed; -pe: exportable private key; -sky exchange: key usable for
        # key exchange (needed for SSL and token encryption); -sy 12: RSA/SChannel provider.
        & $makecert -r -pe -n "cn=$certificateSubjectName" -ss My -sr LocalMachine -sky exchange -sy 12 "$env:temp\$certificateSubjectName.cer"
        # Import the public certificate into the LocalMachine Trusted Root store so that
        # anything it signs (and the HTTPS binding itself) is trusted on this machine.
        & $certmgr -add -c "$env:temp\$certificateSubjectName.cer" -s -r localmachine root
    }
}

function CreateTokenCertificate {
    param($certificateSubjectName, $issuerCertificateSubjectName)

    $exists = ls cert:\LocalMachine\My | select subject | select-string "cn=$certificateSubjectName"
    if($exists -ne $null)
    {
        echo "$certificateSubjectName certificate already exists"
    }
    else
    {
        # -in/-ir/-is: sign this certificate with the issuer certificate found by
        # subject name in the LocalMachine\My store (no -r, so it is not self-signed).
        & $makecert -pe -n "cn=$certificateSubjectName" -ss My -sr LocalMachine -sky exchange -sy 12 -in "$issuerCertificateSubjectName" -ir LocalMachine -is My "$env:temp\$certificateSubjectName.cer"
    }
}

CreateIssuerCertificate $issuerCertificate

foreach($cert in $tokenCertificates)
{
    write-host "Creating certificate $cert (signed by $issuerCertificate)"
    CreateTokenCertificate $cert "$issuerCertificate"
}
```
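After running the script, it is worth confirming that the three certificates actually ended up in the state WCF and IIS expect: each one present in LocalMachine\My with a private key, the two token certificates issued by “localhost”, and every chain building against the machine's trust store (which is exactly what fails if the certmgr import into Trusted Root was skipped or ran without elevation). The following check is an added example and is not part of the original post; it assumes the same subject names and stores as the script above, and the Get-DevCertificate / Test-DevCertificate function names are my own.

```powershell
# Added verification script (not from the original post). Assumes "localhost" was created
# self-signed in LocalMachine\My and imported into LocalMachine\Root, and that
# "TokenSigningCert" and "TokenEncryptingCert" were issued by it into LocalMachine\My.
$issuerCertificate = "localhost"
$tokenCertificates = "TokenSigningCert", "TokenEncryptingCert"

function Get-DevCertificate {
    param($subjectName)
    # Exact subject match, so "CN=localhost" does not also pick up e.g. "CN=localhost2".
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$subjectName" } |
        Select-Object -First 1
}

function Test-DevCertificate {
    param($subjectName, $expectedIssuerSubject)
    $cert = Get-DevCertificate $subjectName
    if ($cert -eq $null) {
        Write-Host "FAIL  $subjectName : not found in LocalMachine\My"
        return $false
    }
    $ok = $true

    # WCF needs the private key to sign/decrypt tokens, and IIS needs it to terminate TLS.
    if (-not $cert.HasPrivateKey) {
        Write-Host "FAIL  $subjectName : no private key in the store"
        $ok = $false
    }

    # The issuer must be the "localhost" certificate (it is its own issuer, being self-signed).
    if ($cert.Issuer -ne "CN=$expectedIssuerSubject") {
        Write-Host "FAIL  $subjectName : issuer is '$($cert.Issuer)', expected 'CN=$expectedIssuerSubject'"
        $ok = $false
    }

    # Build the chain against the machine's trust store. This is what WCF and browsers do,
    # and it fails with UntrustedRoot if "localhost" was never imported into Trusted Root.
    # Revocation checking is off because these development certificates carry no CRL/OCSP URLs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        Write-Host "FAIL  $subjectName : chain does not build ($status)"
        $ok = $false
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Host "FAIL  $subjectName : expired on $($cert.NotAfter)"
        $ok = $false
    }

    if ($ok) {
        # The thumbprint is what the IIS/netsh HTTPS binding and the STS configuration refer to.
        Write-Host "OK    $subjectName  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter.ToShortDateString())"
    }
    return $ok
}

$allOk = Test-DevCertificate $issuerCertificate $issuerCertificate
foreach ($name in $tokenCertificates) {
    $allOk = (Test-DevCertificate $name $issuerCertificate) -and $allOk
}
if (-not $allOk) { exit 1 }
```

Run it from an elevated PowerShell prompt, since reading private-key information from the LocalMachine store requires administrative rights. The thumbprints it prints are the values you will reference when creating the HTTPS binding for “localhost” and when pointing the STS configuration at the signing and encrypting certificates.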
Posted on Sunday, September 4, 2011 11:40 PM


Comments on this post: Creating Development Certificates for WCF Token and Transport Security (with PowerShell)



Copyright © Jamie Kurtz | Powered by: GeeksWithBlogs.net