Re: Obtaining X.509 Certificates
From: andrea (a.canade_at_retis.it)
Date: 10/16/04
- Next message: Andreas Mauer: "Duplex communication sample using WSE 2.0 SP1 & ASP.NET 1.1 XML WS"
- Previous message: andrea: "Re: WSE and X509 trouble thanks to julie and something for codemaker"
- In reply to: Sumaira Ahmad: "Obtaining X.509 Certificates"
- Next in thread: Sumaira Ahmad: "Re: Obtaining X.509 Certificates"
- Reply: Sumaira Ahmad: "Re: Obtaining X.509 Certificates"
Date: 16 Oct 2004 12:49:52 -0700
Hello
I'll tell you how certmgr works ... take 10 minutes of your time :)
Certmgr.exe works with two types of certificate stores:
StoreFile and system store. It is not necessary to specify the type of
certificate store;
Certmgr.exe can identify the store type and perform the appropriate
operations. Running Certmgr.exe without specifying any options
launches a GUI that helps with the certificate management tasks that
are also available from the command line.
The GUI provides an import wizard, which copies certificates, CTLs,
and CRLs from your disk to a certificate store.
To run Certmgr.exe in GUI mode, simply do Start/Run, enter "C:\Program
Files\Microsoft Visual Studio .NET\FrameworkSDK\Bin\certmgr.exe", and
hit the enter key:
The Certificate Creation tool generates X.509 certificates for testing
purposes only.
It creates a public and private key pair for digital signatures and
stores it in a certificate file.
This tool also associates the key pair with a specified publisher's
name and creates an X.509 certificate that binds a user-specified name
to the public part of the key pair.
NOTE: Only the Makecert from the .NET Framework 1.1 has the capability
to create test certificates that can be used successfully with the
WSE!
Makecert.exe includes basic and extended options. Basic options are
those most commonly used to create a certificate. Extended options
provide more flexibility.
makecert [options] outputCertificateFile
The following command creates a test certificate and writes it to
testPAB.cer, using the subject's key container and the certificate
subject's X.500 name, and writes it to the root store:
makecert -sk TEST -n "CN=AndreaCanade" -ss root -sr localmachine acTest.cer
In order for WSE to obtain the X.509 private key from the local
computer certificate store, it must have permission to do so.
By default, only the owner and the System account can access the
private key of a certificate.
Also by default, the ASP.NET service runs under the ASPNET account,
and that account does not have access to the private key.
To give the ASPNET account access to the private key, give the account
under which ASP.NET is running Full Control access to the files
containing the keys the WSE will need to retrieve in the following
folder:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
The account the ASP.NET worker process runs under is controlled by the
<processModel> element in the Machine.config file.
Set the userName attribute of the <processModel> element to specify
the account ASP.NET runs under.
By default, the userName attribute is set to the special machine
account, which maps to the low-privileged ASPNET user account created
when the .NET Framework SDK is installed.
Open Windows Explorer.
Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
Select the files containing the keys that the WSE will need to retrieve.
From the File menu, select Properties.
On the Security tab, add the ASPNET account and select the Full Control option.
Note: Determining which key file in the MachineKeys folder is
associated with a certificate can be difficult.
One easy method is to note the creation date and time when creating a
new certificate. When you view the files in the MachineKeys directory,
check the Date Modified field for the corresponding date and time.
hope that's clear :)
bye
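
The message above matches a certificate to its key file by timestamp. As an added example (not part of the original post, and not WSE or Microsoft sample code), this PowerShell sketch reads the key container file name from the certificate itself and then adds an access rule for one account. It assumes Windows PowerShell 5.1 and a key held in a machine-level CSP container; the function names are hypothetical, and the `Read` default is this example's assumption where the post grants Full Control.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-MachineKeyFile {
    param(
        [Parameter(Mandatory)] [string] $Subject,       # e.g. 'CN=AndreaCanade'
        [string] $Store = 'Cert:\LocalMachine\Root',    # store used by the post's makecert command
        # Folder named in the post; newer Windows versions keep it under C:\ProgramData.
        [string] $KeyFolder = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
    )
    $cert = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in $Store" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

    # For CSP keys this exposes the on-disk container name, so no timestamp guessing is needed.
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if (-not $info) { throw 'Private key is not held in a CSP key container' }
    if (-not $info.MachineKeyStore) { throw 'Key is stored per user, not in MachineKeys' }

    $file = Join-Path $KeyFolder $info.UniqueKeyContainerName
    if (-not (Test-Path -LiteralPath $file)) { throw "Key file not found: $file" }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $file }
}

function Grant-MachineKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,
        [Parameter(Mandatory)] [string] $Account,       # e.g. "$env:COMPUTERNAME\ASPNET"
        # The post grants FullControl; Read is this example's assumption of the minimum needed.
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Read'
    )
    $acl  = Get-Acl -LiteralPath $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFile -AclObject $acl
    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -LiteralPath $KeyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage with the subject name from the makecert command in the post (run elevated).
$key = Get-MachineKeyFile -Subject 'CN=AndreaCanade'
Grant-MachineKeyAccess -KeyFile $key.KeyFile -Account "$env:COMPUTERNAME\ASPNET"
```

Only the one key file belonging to the named certificate gets the new entry, so the other keys in MachineKeys keep their existing ACLs.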