Difference between revisions of "HowTo:Create UBIK Web Service Certificates"
(→Configure IIS) |
m |
||
(50 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | An {{UBIK Client}} establishes a secure connection to the webservice, therefore a certificate has to be provided and installed on the [http://www.iis.net/ IIS] server running {{UBIK}}. If a genuine [https://en.wikipedia.org/wiki/Root_certificate Root Authority Certificate] is already available this can be used. Otherwise, a temporary developer certificate might be used for development and testing. | |
+ | {{Attention|In both cases the service itself needs a valid service certificate which refers to the root authority.}} | ||
+ | |||
== Prerequisites == | == Prerequisites == | ||
For the creation of development certificates either a visual studio development environment or a .NET framework SDK containing the certification tools is needed. For example, one of these packes can be installed: | For the creation of development certificates either a visual studio development environment or a .NET framework SDK containing the certification tools is needed. For example, one of these packes can be installed: | ||
− | + | [[File:WebserviceCertification_NetSDKINstallation.png|thumb|220 px|border|alt=Install Windows SDK|Install Windows SDK]] | |
− | * | + | * [http://www.microsoft.com/en-us/download/details.aspx?id=8279 Microsoft Windows SDK for Windows 7 and .NET Framework 4] (Save time and bandwidth by selecting ''.Net Development Tools'', which is sufficient for certification needs) |
+ | * [http://www.microsoft.com/de-at/download/details.aspx?id=40787 Microsoft Visual Studio Express 2013 für Windows Desktop] | ||
− | The binaries for | + | The binaries for '''makecert''' and '''pvk2pfx''' can be found here (can vary depending on the used packages): |
* C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin | * C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin | ||
* C:\Program Files\Windows Kits\7.1\bin | * C:\Program Files\Windows Kits\7.1\bin | ||
* C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86 | * C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86 | ||
− | To use the tools you basically need a windows command console window with admin-rights and the path | + | To use the tools you basically need a windows command console window with admin-rights and the path variable set to the directory contaning the certification binaries. If a visual studio development environment is installed, you alternatively can start a ''Visual Studio Development Console'' out of the start menu. |
− | == Root Authority Certificate == | + | == Create Root Authority Certificate == |
+ | Create a self-signed root authority certificate, which has to be installed on the [[HowTo:Install_UBIK_Client_Certificate|Client]] and the [[HowTo:Configure_Microsoft_IIS_for_UBIK#Certificate|Server]], using the command | ||
− | + | <code>makecert -n "CN=<ROOTNAME>" -r -sv <ROOTNAME>.pvk <ROOTNAME>.cer</code> | |
− | + | where '''ROOTNAME''' ... self-signed root authority name (see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN]). | |
− | ROOTNAME ... self-signed root authority name | + | |
− | see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN] | + | |
− | + | {{Hint|This step can be ignored if there is already a valid root authority certificate installed on the server and the client!}} | |
− | + | ||
− | = | + | Example: <code>makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer</code> |
− | To create a specific service certificate, | + | |
+ | |||
+ | |||
+ | |||
+ | == Create Service Certificate == | ||
+ | To create a specific service certificate, define the site name (IP) of the service along with the service name. | ||
<code>makecert -sky <SITENAME> -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code><br/> | <code>makecert -sky <SITENAME> -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code><br/> | ||
− | |||
− | |||
− | |||
− | + | where '''SITENAME''' ... Name of the service, '''SITE-IP''' ... IP of the service (which should be accessed from the client) (see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN] for details). | |
− | + | ||
− | While creating the certificate | + | Example: <code>makecert -sky AugDemoIIS01 -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDemoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr currentuser -ss My</code><br/> |
+ | |||
+ | {{Attention|While creating the certificate the user is asked for a password to be entered: please remember this password as it it is used for further steps.}} | ||
== Convert Service Certificate for Import in IIS == | == Convert Service Certificate for Import in IIS == | ||
− | + | The created certificate has to be converted prior being imported on an IIS service. | |
− | The created certificate has to be converted | + | |
<code>pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD></code><br/> | <code>pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD></code><br/> | ||
− | + | (see [http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672%28v=vs.85%29.aspx MSDN] for details). | |
− | Example: | + | Example: <code>pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword</code><br/> |
− | <code>pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword</code><br/> | + | where '''PASSWORD''' ... the user-defined password used for creating the certificate in the previous step. |
− | + | The certificate is ready to be imported on the IIS now! | |
== Configure IIS == | == Configure IIS == | ||
− | + | How to configure the IIS using the created certificate(s) can be done as described [[HowTo:Configure_Microsoft_IIS_for_UBIK#Certificate|here]]. | |
− | How to configure the IIS using the created certificate(s) can be done as described | + | |
== See also == | == See also == | ||
− | * [[Install UBIK Web Service]] | + | * [[HowTo:Install UBIK Web Service]] |
− | * [http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development | + | * [http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development Using Makecert to Create Certificates for Development] |
− | [[Category:How-To]] | + | [[Category:How-To|Create UBIK Web Service Certificates]] |
+ | [[Category:Installing|Create UBIK Web Service Certificates]] | ||
+ | [[Category:Web service|Create UBIK Web Service Certificates]] |
Latest revision as of 12:51, 16 June 2016
An UBIK® Client establishes a secure connection to the webservice, therefore a certificate has to be provided and installed on the IIS server running UBIK®. If a genuine Root Authority Certificate is already available this can be used. Otherwise, a temporary developer certificate might be used for development and testing.
In both cases the service itself needs a valid service certificate which refers to the root authority. |
Contents
Prerequisites
For the creation of development certificates either a visual studio development environment or a .NET framework SDK containing the certification tools is needed. For example, one of these packes can be installed:
- Microsoft Windows SDK for Windows 7 and .NET Framework 4 (Save time and bandwidth by selecting .Net Development Tools, which is sufficient for certification needs)
- Microsoft Visual Studio Express 2013 für Windows Desktop
The binaries for makecert and pvk2pfx can be found here (can vary depending on the used packages):
- C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin
- C:\Program Files\Windows Kits\7.1\bin
- C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86
To use the tools you basically need a windows command console window with admin-rights and the path variable set to the directory contaning the certification binaries. If a visual studio development environment is installed, you alternatively can start a Visual Studio Development Console out of the start menu.
Create Root Authority Certificate
Create a self-signed root authority certificate, which has to be installed on the Client and the Server, using the command
makecert -n "CN=<ROOTNAME>" -r -sv <ROOTNAME>.pvk <ROOTNAME>.cer
where ROOTNAME ... self-signed root authority name (see MSDN).
This step can be ignored if there is already a valid root authority certificate installed on the server and the client! |
Example: makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer
Create Service Certificate
To create a specific service certificate, define the site name (IP) of the service along with the service name.
makecert -sky <SITENAME> -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My
where SITENAME ... Name of the service, SITE-IP ... IP of the service (which should be accessed from the client) (see MSDN for details).
Example: makecert -sky AugDemoIIS01 -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDemoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr currentuser -ss My
While creating the certificate the user is asked for a password to be entered: please remember this password as it it is used for further steps. |
Convert Service Certificate for Import in IIS
The created certificate has to be converted prior being imported on an IIS service.
pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD>
(see MSDN for details).
Example: pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword
where PASSWORD ... the user-defined password used for creating the certificate in the previous step.
The certificate is ready to be imported on the IIS now!
Configure IIS
How to configure the IIS using the created certificate(s) can be done as described here.