
Difference between revisions of "HowTo:Create UBIK Web Service Certificates"


(50 intermediate revisions by 2 users not shown)
An {{UBIK Client}} establishes a secure connection to the webservice; therefore a certificate has to be provided and installed on the [http://www.iis.net/ IIS] server running {{UBIK}}. If a genuine [https://en.wikipedia.org/wiki/Root_certificate Root Authority Certificate] is already available, it can be used. Otherwise, a temporary developer certificate can be used for development and testing.

{{Attention|In both cases the service itself needs a valid service certificate which refers to the root authority.}}

== Prerequisites ==

For the creation of development certificates, either a Visual Studio development environment or a .NET Framework SDK containing the certification tools is needed. For example, one of these packages can be installed:
[[File:WebserviceCertification_NetSDKINstallation.png‎|thumb|220 px|border|alt=Install Windows SDK|Install Windows SDK]]
* [http://www.microsoft.com/en-us/download/details.aspx?id=8279 Microsoft Windows SDK for Windows 7 and .NET Framework 4] (save time and bandwidth by selecting only ''.Net Development Tools'', which is sufficient for certification needs)
* [http://www.microsoft.com/de-at/download/details.aspx?id=40787 Microsoft Visual Studio Express 2013 for Windows Desktop]

The binaries for '''makecert''' and '''pvk2pfx''' can be found in one of the following directories (the location varies depending on the installed package):
* C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin
* C:\Program Files\Windows Kits\7.1\bin
* C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86

To use the tools you need a Windows command console with administrator rights and the PATH variable set to the directory containing the certification binaries. If a Visual Studio development environment is installed, you can alternatively start a ''Visual Studio Development Console'' from the start menu.

== Create Root Authority Certificate ==

Create a self-signed root authority certificate, which has to be installed on the [[HowTo:Install_UBIK_Client_Certificate|Client]] and the [[HowTo:Configure_Microsoft_IIS_for_UBIK#Certificate|Server]], using the command

<code>makecert -n "CN=<ROOTNAME>" -r -sv <ROOTNAME>.pvk <ROOTNAME>.cer</code>

where '''ROOTNAME''' ... name of the self-signed root authority (see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN]).

{{Hint|This step can be skipped if a valid root authority certificate is already installed on both the server and the client.}}

Example: <code>makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer</code>
  
== Create Service Certificate ==

To create a service certificate for a specific site, define the site address (the IP the client connects to) along with the service name, and have it signed by the root authority from the previous step:

<code>makecert -sky exchange -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code>

where '''SITENAME''' ... name of the service, '''SITE-IP''' ... IP of the service exactly as the client accesses it (the client checks the certificate's CN against the address it connects to), '''ROOTNAME''' ... name of the root authority created above (see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN] for details).

Example: <code>makecert -sky exchange -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDemoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr currentuser -ss My</code>

{{Attention|While creating the certificate the user is asked to enter a password: remember this password, as it is needed in the following steps.}}

== Convert Service Certificate for Import in IIS ==

The created certificate has to be converted to PFX format before it can be imported into IIS:

<code>pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD></code>

where '''PASSWORD''' ... the user-defined password entered when creating the certificate in the previous step (see [http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672%28v=vs.85%29.aspx MSDN] for details). Unless a separate PFX password is given with <code>-po</code>, the resulting .pfx file is protected with the same password as the .pvk file.

Example: <code>pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword</code>

The certificate is now ready to be imported into IIS.
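The three steps above, run end-to-end and checked before anything is imported, as an added PowerShell example (this is not code from the original HowTo or from the UBIK project). It assumes makecert.exe and pvk2pfx.exe are on the PATH (see Prerequisites), uses the page's example names as placeholders, passes <code>-sky exchange</code> (the key type makecert's -sky option expects for a TLS server key), reads the .pvk password interactively, and then verifies that the service certificate actually chains to the generated root and is issued for the address the client will use.

```powershell
# Added example, not part of the original HowTo. Runs root CA -> service cert -> PFX
# and verifies the result before it is handed to IIS.
# Assumptions: makecert.exe / pvk2pfx.exe on PATH; names below are the page's
# example placeholders; the password is typed at run time, never stored here.
param(
    [string]$RootName    = "AugmensysCA",        # <ROOTNAME>
    [string]$SiteName    = "AugDemoIIS01",       # <SITENAME>
    [string]$SiteAddress = "137.135.200.180"     # <SITE-IP>: must equal the address the client uses
)

$ErrorActionPreference = "Stop"

foreach ($tool in "makecert.exe", "pvk2pfx.exe") {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool not found on PATH; see the Prerequisites section for its location."
    }
}

# Step 1: self-signed root authority (skipped if the files already exist).
if (-not (Test-Path "$RootName.cer")) {
    & makecert -n "CN=$RootName" -r -sv "$RootName.pvk" "$RootName.cer"
    if ($LASTEXITCODE -ne 0) { throw "makecert (root) failed" }
}

# Step 2: service certificate signed by the root. makecert prompts for the .pvk passwords.
& makecert -sky exchange -iv "$RootName.pvk" -n "CN=$SiteAddress" -sv "$SiteName.pvk" `
    -ic "$RootName.cer" "$SiteName.cer" -sr currentuser -ss My
if ($LASTEXITCODE -ne 0) { throw "makecert (service) failed" }

# Step 3: bundle private key and certificate into a PFX. The password is read as a
# SecureString so it is not kept in the script or the shell history (pvk2pfx itself
# still receives it as a plain argument, which is acceptable for a development CA).
$secure = Read-Host -AsSecureString "Password chosen for $SiteName.pvk"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
& pvk2pfx -pvk "$SiteName.pvk" -spc "$SiteName.cer" -pfx "$SiteName.pfx" -pi $plain
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed" }

# Pre-import check: the service certificate must chain to exactly this root and its
# subject must name the address the client connects to; otherwise the client's TLS
# validation fails even though all files were produced.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$RootName.cer"
$svc  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$SiteName.cer"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode = "NoCheck"   # a development CA publishes no CRL
# The root is not yet in a trusted store, so tolerate an unknown CA during the build
# and compare the thumbprint of the chain's top element ourselves instead.
$chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
$chain.Build($svc) | Out-Null
$chainTop = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($chainTop.Thumbprint -ne $root.Thumbprint) {
    throw "$SiteName.cer does not chain to $RootName.cer (issuer: $($svc.Issuer))"
}
if ($svc.GetNameInfo("SimpleName", $false) -ne $SiteAddress) {
    throw "Subject '$($svc.Subject)' does not match the client address $SiteAddress"
}
Write-Host "OK: $SiteName.pfx chains to $RootName and is issued for CN=$SiteAddress"
```

Run it from the administrator console described under Prerequisites, in the directory where the .pvk/.cer/.pfx files should be created. The two checks at the end are the ones that catch the typical mistakes of this procedure: signing the service certificate with a different root than the one later installed on the client, and putting a name into the CN that is not the address the client actually dials.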
  
 
== Configure IIS ==

How to configure IIS with the created certificate(s) is described [[HowTo:Configure_Microsoft_IIS_for_UBIK#Certificate|here]].
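Once the PFX has been imported on the server, the following added PowerShell check (not part of the original HowTo or the UBIK project) confirms that the installed certificate is usable for the service binding. It assumes the .pfx was imported into Cert:\LocalMachine\My, the root certificate was placed in Cert:\LocalMachine\Root as the linked IIS page describes, and uses the page's example address as the default; Test-Certificate comes with the PKI module on Windows 8 / Server 2012 and later.

```powershell
# Added example, not part of the original HowTo. Post-import sanity check on the IIS host.
# Assumptions: service PFX in LocalMachine\My, root in LocalMachine\Root, $SiteAddress
# is the page's example value.
param(
    [string]$SiteAddress = "137.135.200.180"   # <SITE-IP> used in the certificate CN
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SiteAddress" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate with CN=$SiteAddress in LocalMachine\My; was the .pfx imported?"
}
# A .cer import leaves the server without the key; IIS needs the .pfx.
if (-not $cert.HasPrivateKey) {
    throw "Certificate found but it has no private key: import the .pfx, not the .cer"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# The root must be trusted on the server itself, otherwise the chain IIS presents is incomplete.
$rootTrusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $rootTrusted) {
    throw "Issuer '$($cert.Issuer)' is not installed in LocalMachine\Root"
}

# Full chain and SSL policy validation against the machine's trust store.
$ok = Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue
if (-not $ok) {
    throw "Certificate $($cert.Thumbprint) does not validate under the SSL policy"
}
Write-Host "OK: $($cert.Thumbprint) is ready for the https binding of $SiteAddress"
```

The same root certificate must also be present in the client's trusted root store; this script only covers the server side, the client side is handled on the linked client-certificate page.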
  
 
== See also ==
* [[HowTo:Install UBIK Web Service]]
* [http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development Using Makecert to Create Certificates for Development]

[[Category:How-To|Create UBIK Web Service Certificates]]
[[Category:Installing|Create UBIK Web Service Certificates]]
[[Category:Web service|Create UBIK Web Service Certificates]]

Latest revision as of 12:51, 16 June 2016
