
Difference between revisions of "HowTo:Create UBIK Web Service Certificates"


Line 17: Line 17:
 
This step can be ignored if there is already a valid root authority certificate installed on the server and the client! If not, you can create a self-signed root authority certificate and install it on the server and the client as a trusted root authority certificate.
 
This step can be ignored if there is already a valid root authority certificate installed on the server and the client! If not, you can create a self-signed root authority certificate and install it on the server and the client as a trusted root authority certificate.
  
<code>makecert -n "CN=<SELFSIGNEDNAME>" -r -sv <SELFSIGNEDNAME>.pvk <SELFSIGNEDNAME>.cer</code><br/>
+
<code>makecert -n "CN=<ROOTNAME>" -r -sv <ROOTNAME>.pvk <ROOTNAME>.cer</code><br/>
SELFSIGNEDNAME ... self-signed root authority name<br/>
+
ROOTNAME ... self-signed root authority name<br/>
 
see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN]
 
see [http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx MSDN]
  
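Review bot: the placeholder rename from SELFSIGNEDNAME to ROOTNAME is applied consistently to the makecert line and its legend, but the legend still only says "self-signed root authority name"; it would help readers to note here that the -r switch is what makes this certificate self-signed and that the .pvk file written by -sv holds the root's private key, which is needed again only in the -iv/-ic step of the service certificate and should not be copied onto the server or client (only the .cer is installed as a trusted root).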
Line 28: Line 28:
 
To create a specific service certificate, we define the site name (IP) of our sevice along with the service name.
 
To create a specific service certificate, we define the site name (IP) of our sevice along with the service name.
  
<code>makecert -sky <SITENAME> -iv <SELFSIGNEDNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <SELFSIGNEDNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code><br/>
+
<code>makecert -sky <SITENAME> -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My</code><br/>
 
SITENAME ... Name of the service
 
SITENAME ... Name of the service
 
SITE-IP ... IP of the service (which should be accessed from the client)
 
SITE-IP ... IP of the service (which should be accessed from the client)
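Review bot: the rename to ROOTNAME is applied to both -iv and -ic, but `-sky <SITENAME>` is carried over unchanged: makecert's -sky switch takes the subject key type (signature, exchange, or a provider type number), not a service name, so the legend line "SITENAME ... Name of the service" is misleading for this switch. Suggest `-sky exchange` (the key type an SSL server certificate needs) and keeping <SITENAME> only for the -sv file and the output .cer.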

Revision as of 13:05, 2 June 2014

To make the web service accessible from a client, the client has to establish a secure (HTTPS) connection to it. For that, a certificate has to be provided and installed on the IIS server running UBIK. If there is no real Root Authority Certificate, a temporary developer certificate can be used for development and testing:

Prerequisites

For the creation of development certificates, either a Visual Studio development environment or a .NET Framework SDK containing the certificate tools is needed. For example, one of these packages can be installed:

The binaries for "makecert" and "pvk2pfx" can be found in one of these directories (the exact path depends on the installed package):

  • C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin
  • C:\Program Files\Windows Kits\7.1\bin
  • C:\Program Files (x86)\Windows Kits\8.1\bin\x64 or .\x86

To use the tools you need a Windows command console with administrator rights and the PATH variable set to the directory containing the certificate binaries. If a Visual Studio development environment is installed, you can alternatively start a "Visual Studio Development Console" from the Start menu.

Root Authority Certificate

This step can be ignored if there is already a valid root authority certificate installed on the server and the client! If not, you can create a self-signed root authority certificate and install it on the server and the client as a trusted root authority certificate.

makecert -n "CN=<ROOTNAME>" -r -sv <ROOTNAME>.pvk <ROOTNAME>.cer
ROOTNAME ... self-signed root authority name
See MSDN (http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx) for details.

Example:
makecert -n "CN=Augmensys" -r -sv AugmensysCA.pvk AugmensysCA.cer

Create Service Certificate

To create the certificate for a specific service, we need the site address (the IP the client will connect to) along with the service name.

makecert -sky exchange -iv <ROOTNAME>.pvk -n "CN=<SITE-IP>" -sv "<SITENAME>.pvk" -ic <ROOTNAME>.cer <SITENAME>.cer -sr currentuser -ss My
SITENAME ... Name of the service (used for the key and certificate file names)
SITE-IP ... IP of the service (the address the client uses to reach it; it must match the CN exactly)
-sky exchange ... key type; makecert expects "signature" or "exchange" here, and an SSL server certificate needs an exchange key
See MSDN (http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.110%29.aspx) for details.

Example:
makecert -sky exchange -iv AugmensysCA.pvk -n "CN=137.135.200.180" -sv "AugDemoIIS01.pvk" -ic AugmensysCA.cer AugDemoIIS01.cer -sr currentuser -ss My

While creating the certificate, you are prompted for a password that protects the private key (.pvk) file. Remember this password, because it is needed in the following steps.

Convert Service Certificate for Import in IIS

The created certificate and its private key have to be combined into a PFX file before they can be imported into IIS.

pvk2pfx -pvk "<SITENAME>.pvk" -spc "<SITENAME>.cer" -pfx "<SITENAME>.pfx" -pi <PASSWORD>
PASSWORD ... the private-key password entered during the makecert step
See MSDN for details.

Example:
pvk2pfx -pvk "AugDemoIIS01.pvk" -spc "AugDemoIIS01.cer" -pfx "AugDemoIIS01.pfx" -pi mysecretpassword

Now the PFX file is ready to be imported into IIS.
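The three steps above (root authority, service certificate, PFX conversion) as one PowerShell script. This is an added example, not part of the original wiki page or of UBIK: it reuses the page's example names (AugmensysCA, AugDemoIIS01, 137.135.200.180) and searches the SDK directories the page lists for makecert.exe. It passes -sky exchange (the key type makecert expects for an SSL server key) rather than a service name, checks each tool's exit code, and verifies that the resulting PFX opens with the password and has the expected subject and issuer. makecert still shows its own password dialogs for the .pvk file; type the same password there that you enter at the script's prompt.

```powershell
# Added example (not from the original page): root CA -> service certificate -> PFX, with checks.
$ErrorActionPreference = 'Stop'

$RootName = 'AugmensysCA'       # ROOTNAME: self-signed root authority name (page's example)
$SiteName = 'AugDemoIIS01'      # SITENAME: service name, used for file names (page's example)
$SiteIp   = '137.135.200.180'   # SITE-IP: address the client connects to; must equal the CN
$PfxPassword = Read-Host -Prompt 'Private-key password (also type it into the makecert dialogs)' -AsSecureString

# Find makecert.exe in the SDK directories the page names and put that directory on PATH
# for this session (the page's "set the path variable" prerequisite).
$SdkDirs = @(
    'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin',
    'C:\Program Files\Windows Kits\7.1\bin',
    'C:\Program Files (x86)\Windows Kits\8.1\bin\x64',
    'C:\Program Files (x86)\Windows Kits\8.1\bin\x86'
)
$ToolDir = $SdkDirs | Where-Object { Test-Path (Join-Path $_ 'makecert.exe') } | Select-Object -First 1
if (-not $ToolDir) { throw 'makecert.exe not found; install a Windows SDK or use the Visual Studio command prompt' }
$env:Path = "$ToolDir;$env:Path"

# Step 1: self-signed root authority. Skipped when the files already exist (e.g. a root
# created earlier for another service), mirroring the page's "this step can be ignored".
if (-not ((Test-Path "$RootName.pvk") -and (Test-Path "$RootName.cer"))) {
    & makecert -n "CN=$RootName" -r -sv "$RootName.pvk" "$RootName.cer"
    if ($LASTEXITCODE -ne 0) { throw "makecert (root) failed with exit code $LASTEXITCODE" }
}

# Step 2: service certificate issued by the root. -sky is the key type: 'exchange'
# (key-exchange key) is what an SSL server certificate needs.
& makecert -sky exchange -iv "$RootName.pvk" -n "CN=$SiteIp" -sv "$SiteName.pvk" -ic "$RootName.cer" "$SiteName.cer" -sr currentuser -ss My
if ($LASTEXITCODE -ne 0) { throw "makecert (service) failed with exit code $LASTEXITCODE" }

# Step 3: combine private key and certificate into a PFX for IIS. pvk2pfx needs the
# password as plain text, so decode the SecureString only for this call and free it again.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
try {
    & pvk2pfx -pvk "$SiteName.pvk" -spc "$SiteName.cer" -pfx "$SiteName.pfx" -pi $plain
    if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

    # Check: the PFX opens with the password, the subject is the IP and the issuer is our root.
    $pfxPath = (Resolve-Path "$SiteName.pfx").Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($pfxPath, $plain)
    if ($cert.Subject -ne "CN=$SiteIp")   { throw "unexpected subject: $($cert.Subject)" }
    if ($cert.Issuer  -ne "CN=$RootName") { throw "unexpected issuer: $($cert.Issuer)" }
    if (-not $cert.HasPrivateKey)         { throw 'PFX does not contain the private key' }
    Write-Host "Created $SiteName.pfx (thumbprint $($cert.Thumbprint)), valid until $($cert.NotAfter)"
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
```

Run the script in an elevated PowerShell window from the directory where the key and certificate files should be written. Only the .cer files and the .pfx leave this directory: the root's .pvk is the root's private key and stays with whoever issues service certificates.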

Configure IIS

  • Import the Root Authority Certificate as a trusted root
  • Import the created PFX of the service certificate
  • Bind the service certificate to the HTTPS port number used by the service
  • Ensure that the HTTPS port is not blocked by the firewall
  • Ensure that the HTTPS port is forwarded to the server if needed (for example through a NAT router)
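The IIS steps above as one PowerShell script for Windows Server 2012 / Windows 8 or later, using the PKI, WebAdministration and NetSecurity modules. This is an added example and not part of the original page or of UBIK; the site name "Default Web Site", port 443, the firewall rule name and the file names (taken from the page's examples) are assumptions to adjust to your server. Port forwarding on an upstream router cannot be done from the server, so the script ends by listing the resulting SSL binding for you to check against the router configuration.

```powershell
# Added example (not from the original page): import root + PFX, bind to HTTPS, open the firewall.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$RootCer   = '.\AugmensysCA.cer'    # root authority certificate (page's example name)
$SitePfx   = '.\AugDemoIIS01.pfx'   # converted service certificate (page's example name)
$SiteName  = 'Default Web Site'     # IIS site hosting the UBIK web service (assumption)
$HttpsPort = 443                    # HTTPS port used by the service (assumption)
$RuleName  = 'UBIK HTTPS'           # firewall rule name (assumption)
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Trust the root: machine-wide Trusted Root Certification Authorities store.
#    The client needs the same .cer in its own trusted root store.
Import-Certificate -FilePath $RootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Import the service certificate with its private key into the machine Personal store,
#    which is where IIS looks for server certificates.
$svc = Import-PfxCertificate -FilePath $SitePfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $svc.HasPrivateKey) { throw 'imported certificate has no private key; re-check the pvk2pfx step' }

# 3. Create the HTTPS binding on the site (if missing) and attach the certificate to the port.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$HttpsPort"
if (Test-Path $sslPath) { Remove-Item $sslPath }   # replace an older certificate on this port
New-Item $sslPath -Value $svc | Out-Null

# 4. Allow inbound traffic on the HTTPS port through Windows Firewall.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $HttpsPort -Action Allow | Out-Null
}

# 5. Port forwarding lives on the router; show the server-side binding to compare against it.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $HttpsPort } | Format-Table IPAddress, Port, Thumbprint
Write-Host "Site '$SiteName' now serves HTTPS on port $HttpsPort with certificate $($svc.Thumbprint)"
```

After running it, browse to https://<SITE-IP>:<port>/ from the client: the connection is only accepted without a warning if the client trusts the root .cer and the address in the URL matches the CN the certificate was issued for.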

See also