Difference between revisions of "HowTo:Create UBIK Web Service Certificates"
(Created page with "To make the webservice accessible from a client, the client has to establish a secure connection to the webservice. Therefore, a certificate has to be provided and installed t...") |
|||
| Line 1: | Line 1: | ||
| − | To make the webservice accessible from a client, the client has to establish a secure connection to the webservice. Therefore, a certificate has to be provided and installed to the IIS server running UBIK. For demonstration and testing, a developer certificate can be used which bases on a self-signed root certificate. The creation and installation of a self-signed certificate can be done in the following way: | + | To make the webservice accessible from a client, the client has to establish a secure connection to the webservice. Therefore, a certificate has to be provided and installed to the IIS server running UBIK. For demonstration and testing, a temporary developer certificate can be used which bases on a self-signed root certificate. The creation and installation of a self-signed certificate can be done in the following way: |
== Prerequisites == | == Prerequisites == | ||
| Line 5: | Line 5: | ||
* Microsoft Windows SDK for Windows 7 and .NET Framework 4; To save time and bandwidth selecting ".Net Development Tools" is sufficient for certification needs.<br/>http://www.microsoft.com/en-us/download/details.aspx?id=8279<br/>[[File:WebserviceCertification_NetSDKINstallation.png|220 px|border|alt=Install Windows SDK]]<br/> | * Microsoft Windows SDK for Windows 7 and .NET Framework 4; To save time and bandwidth selecting ".Net Development Tools" is sufficient for certification needs.<br/>http://www.microsoft.com/en-us/download/details.aspx?id=8279<br/>[[File:WebserviceCertification_NetSDKINstallation.png|220 px|border|alt=Install Windows SDK]]<br/> | ||
* Microsoft Visual Studio Express 2013 für Windows Desktop.<br/>http://www.microsoft.com/de-at/download/details.aspx?id=40787 | * Microsoft Visual Studio Express 2013 für Windows Desktop.<br/>http://www.microsoft.com/de-at/download/details.aspx?id=40787 | ||
| + | |||
| + | The binaries for “makecert” and "pvk2pfx" can be found here (can vary depending on the used packages): | ||
| + | * C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin | ||
| + | * C:\Program Files\Windows Kits\7.1\bin | ||
| + | * C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86 | ||
| + | |||
| + | To use the tools you basically need a windows command console window with admin-rights and the path varible set to the directory contaning the certification binaries. If a visual studio development environment is installed, you alternatively can start a "Visual Studio Development Console" out of the start menu. | ||
| + | |||
| + | == Create self-signed Root Authority Certificate == | ||
| + | |||
| + | This step can be ignored if there is already a root authority certificate installed to be used on the server and the client. If not, you can create a self-signed root authority certificate, provide this in the client's application package and use this as a basis for all webservices you want to acces with the client. | ||
| + | |||
| + | <code>makecert -n "CN=<SELFSIGNEDNAME>" -r -sv <SELFSIGNEDNAME>.pvk <SELFSIGNEDNAME>.cer</code><br/> | ||
| + | SELFSIGNEDNAME ... self-signed root authority name | ||
| + | |||
| + | Example:<br/> | ||
| + | <code>makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer</code> | ||
| + | |||
| + | == Create Temporary Service Certificate == | ||
| + | |||
| + | To create a specific service certificate, we define the site name (IP) of our sevice along with the service name. | ||
| + | |||
| + | <code>makecert -sky <SITENAME> -iv <SELFSIGNEDNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <SELFSIGNEDNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code><br/> | ||
| + | SITENAME ... Name of the service | ||
| + | SITE-IP ... IP of the service (which should be accessed from the client) | ||
| + | |||
| + | Example:<br/> | ||
| + | <code>makecert -sky AugDemoIIS01 -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDamoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr curren-tuser -ss My</code><br/> | ||
| + | |||
| + | While creating the certificate, the user is asked for a password to be entered, please remember this password as it it is used for further steps. | ||
| + | |||
| + | == Convert Temporary Service Certificate for import in IIS == | ||
| + | |||
| + | The created certificate has to be converted for importing it on an IIS service. | ||
| + | |||
| + | <code>pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD></code><br/> | ||
| + | |||
| + | Example:<br/> | ||
| + | <code>pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword</code><br/> | ||
| + | |||
| + | Now the certificate is ready to be imported on the IIS. | ||
Revision as of 12:37, 2 June 2014
To make the webservice accessible from a client, the client has to establish a secure connection to the webservice. Therefore, a certificate has to be provided and installed to the IIS server running UBIK. For demonstration and testing, a temporary developer certificate can be used which bases on a self-signed root certificate. The creation and installation of a self-signed certificate can be done in the following way:
Contents
Prerequisites
For the creation of development certificates either a visual studio development environment or a .NET framework SDK containing the certification tools is needed. For example, one of these packes can be installed:
- Microsoft Windows SDK for Windows 7 and .NET Framework 4; To save time and bandwidth selecting ".Net Development Tools" is sufficient for certification needs.
http://www.microsoft.com/en-us/download/details.aspx?id=8279
- Microsoft Visual Studio Express 2013 für Windows Desktop.
http://www.microsoft.com/de-at/download/details.aspx?id=40787
The binaries for “makecert” and "pvk2pfx" can be found here (can vary depending on the used packages):
- C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin
- C:\Program Files\Windows Kits\7.1\bin
- C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86
To use the tools you basically need a windows command console window with admin-rights and the path varible set to the directory contaning the certification binaries. If a visual studio development environment is installed, you alternatively can start a "Visual Studio Development Console" out of the start menu.
Create self-signed Root Authority Certificate
This step can be ignored if there is already a root authority certificate installed to be used on the server and the client. If not, you can create a self-signed root authority certificate, provide this in the client's application package and use this as a basis for all webservices you want to acces with the client.
makecert -n "CN=<SELFSIGNEDNAME>" -r -sv <SELFSIGNEDNAME>.pvk <SELFSIGNEDNAME>.cer
SELFSIGNEDNAME ... self-signed root authority name
Example:
makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer
Create Temporary Service Certificate
To create a specific service certificate, we define the site name (IP) of our sevice along with the service name.
makecert -sky <SITENAME> -iv <SELFSIGNEDNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <SELFSIGNEDNAME>.cer <SITENAME>.cer -sr currentuser -ss My
SITENAME ... Name of the service
SITE-IP ... IP of the service (which should be accessed from the client)
Example:
makecert -sky AugDemoIIS01 -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDamoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr curren-tuser -ss My
While creating the certificate, the user is asked for a password to be entered, please remember this password as it it is used for further steps.
Convert Temporary Service Certificate for import in IIS
The created certificate has to be converted for importing it on an IIS service.
pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD>
Example:
pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword
Now the certificate is ready to be imported on the IIS.
