ASU Web Community

Creating and Installing Client Certificate on a Windows Machine for EDNA or OGATE

Summary

If you are using the ogate, edna or webauth web services, you are most likely using a client certificate to get authorization from edna to complete your call. This article describes how to create and install the client certificate on a Windows machine (server or development box). To create a CSR file, or to create the PFX file from the certificate file you will get back, you will need OpenSSL, which is open-source software. A Windows binary distribution is available for download at: http://www.openssl.org/related/binaries.html.

Create a CSR (certificate request) file:

To generate a CSR file you will need to follow these steps:

  • Download and install OpenSSL, see the link above for where to download it from.
  • Open a command prompt window, and change your directory to the bin folder located in the OpenSSL install directory.
  • Generate a private key by typing the following at the command prompt:

openssl.exe genrsa -des3 -out example.key 1024

  • Where example.key is replaced with the name you want your key file to have. The -des3 option encrypts the key file with a passphrase, which you will be prompted for here and whenever the key is used.
  • Once you have your private key file you can generate a CSR file by typing the following at the command prompt:

openssl.exe req -new -subj "/DC=edu/DC=asu/OU=EDNA/CN=example_app" -key example.key -out example_app.csr

  • Where 'example_app' is replaced with the name for your certificate; the name should end with '_app'.

Once you have generated the CSR file, email it to ???; they will process your CSR and send you back a certificate file.

If the Certificate is NOT in .PFX/.P12 Format:

You must combine the certificate with your private key (which you probably created when you first generated the Certificate Request file to get your certificate), and put both into a PKCS12 format file (also known as PFX). The following command will create the PFX file for you:

openssl.exe pkcs12 -export -in mycert.crt -inkey mycert.key -out mycert.pfx
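The same key, CSR and PFX steps as one PowerShell script, added here as an example and not part of the original article. It assumes openssl.exe is on the PATH and that the issuer sends the signed certificate back as example_app.crt (an assumed file name); it adds two checks a practitioner wants before anything is installed: that the CSR carries the intended subject, and that the returned certificate actually belongs to the private key.

```powershell
# Added example, not from the article. Assumes openssl.exe is on PATH and that the
# signed certificate comes back as "$AppName.crt" (assumed name; adjust to what you receive).
$AppName = 'example_app'            # per the article, the name must end with '_app'
$KeyFile = "$AppName.key"
$CsrFile = "$AppName.csr"
$CrtFile = "$AppName.crt"
$PfxFile = "$AppName.pfx"

if ($AppName -notlike '*_app') { throw "Certificate name '$AppName' must end with '_app'" }

# 1. Private key (DES3-encrypted, you will be prompted for a passphrase) and CSR,
#    using the subject format the article specifies.
& openssl.exe genrsa -des3 -out $KeyFile 1024
& openssl.exe req -new -subj "/DC=edu/DC=asu/OU=EDNA/CN=$AppName" -key $KeyFile -out $CsrFile

# Print the subject actually encoded in the CSR so it can be checked before it is emailed off.
& openssl.exe req -noout -subject -in $CsrFile

# 2. After the signed certificate comes back: confirm it was issued for THIS private key
#    (identical RSA modulus) before packaging it, so a mixed-up or wrong certificate is
#    caught here rather than as an unexplained failure when IIS or EDNA uses it.
if (Test-Path $CrtFile) {
    $keyMod  = & openssl.exe rsa  -noout -modulus -in $KeyFile
    $certMod = & openssl.exe x509 -noout -modulus -in $CrtFile
    if ($keyMod -ne $certMod) { throw "$CrtFile does not match private key $KeyFile" }

    # Build the PKCS12/PFX file (prompts for an export password), then verify it can be read back.
    & openssl.exe pkcs12 -export -in $CrtFile -inkey $KeyFile -out $PfxFile
    & openssl.exe pkcs12 -info -noout -in $PfxFile
}
```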

Load the Client Certificate to the Certificate Store

Open Microsoft Management Console (mmc.exe), and through the 'File' menu, add the 'Certificates' snap-in, selecting 'Computer' as the target. When the Certificates tree appears in the console's root, navigate to 'Personal', and from the 'Actions' menu, select 'Import...'. Using the wizard, import your PFX certificate file; it should then appear under the 'Personal' folder.

Load ASU's Root Certificate to the Certificate Store

In order for your applications and client certificates to work properly, you must also install ASU's root certificate. You should have been issued the ASU root certificate when you received your client certificate.

To install the ASU Root certificate, you can simply right-click on the file and choose 'Install Certificate' from the context menu.

Set Permissions to the Certificate for .NET Applications

Windows XP

Since the certificate will need to be accessed by the ASP.NET application pool your application runs in, you will need to allow the user account running that pool to access the certificate's private key in the store. To do that, you will need to use WinHttpCertCfg.exe, a free tool from Microsoft included in the Windows 2000/2003 Resource Kits. The utility is available for download from Microsoft, and documentation on how to use it is at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp.

Use the following command format to set permissions:

C:\Program Files\Windows Resource Kits\Tools\winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "mycert" -a "USER_ACCOUNT"

Where 'LOCAL_MACHINE\My' is the Personal certificate store of the local machine, 'mycert' is the name of your certificate, and USER_ACCOUNT is the account that will be given read permission on the private key. For Windows XP/IIS 5.1, this account is by default '%COMPUTERNAME%\ASPNET'; for Windows 2003/IIS 6.0 and later it is 'NETWORK SERVICE'.

Restart IIS for changes to take effect.

Windows Vista

Vista was built with the ability to apply security permissions to certificates just as you do to folders and files. Open the mmc console again, as you did when installing the certificates, and go to the client certificate under Personal > Certificates. Right-click the certificate name and select All Tasks > Manage Private Keys. Add the NETWORK SERVICE account and give it Read rights.

Restart IIS for changes to take effect.
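The import and the 'Manage Private Keys' step as a script, added here as an example and not part of the original article. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Import-PfxCertificate comes from the PKI module) and an assumed PFX path; it grants only Read, which is all the application pool needs, and verifies the result.

```powershell
# Added example, not from the article. Run from an elevated PowerShell on Windows 8 / Server 2012
# or later. The PFX path is an assumption; $Account is the IIS 6.0+ identity the article names.
$PfxPath = 'C:\certs\example_app.pfx'
$Account = 'NT AUTHORITY\NETWORK SERVICE'

# Import into the machine Personal store (LocalMachine\My), where the MMC wizard puts it.
# The key is imported non-exportable by default, which is what a server-side client cert should be.
$pw   = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pw

# "Manage Private Keys" edits the ACL on the key container file on disk; this resolves that file
# for both legacy CSP keys (RSA\MachineKeys) and CNG keys (Crypto\Keys).
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No private key for $($Cert.Subject): import the PFX, not the bare .crt" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $dir = 'Microsoft\Crypto\Keys'; $name = $rsa.Key.UniqueName
    } else {
        $dir = 'Microsoft\Crypto\RSA\MachineKeys'; $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    Join-Path (Join-Path $env:ProgramData $dir) $name
}

$keyFile = Get-PrivateKeyFile $cert
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)      # Read only: the pool must use the key, not export or replace it
Set-Acl -Path $keyFile -AclObject $acl

# Verify the grant landed, then restart IIS so the application pool picks it up.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights
iisreset
```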

Load Certificate for Browsers

If you are planning on accessing a web page with the client certificate via a browser, you must also install the certificate into the browsers.

IE

  • Open IE and go to Tools > Internet Options
  • Click on the Content tab
  • Click the Certificates button
  • Click Import button and select the pfx/p12 version of your client certificate
  • Close the window

Mozilla/FireFox/Netscape

  • Open Browser and go to Tools > Options
  • Click on the Advanced tab
  • Click on the Encryption tab
  • Click the View Certificates button
  • Click Import button and select the pfx/p12 version of your client certificate
  • Close the window