Re: WSE2.0--need valid X.509 certs created with Makecert


Make sure you use the WSE certificate tool to assign Read permission to
ASPNET on the certificate's private key file.


"Andy Bocz via .NET 247" <anonymous@xxxxxxxxxxxxx> wrote in message
news:eI1gUALXFHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
I'm finishing up a web service that uses WSE2.0 to sign the request and
encrypt the SOAP body (both request and response). I'm using the code
approach (not policy). Everything works fine with the QuickStart Sample
X.509 certs supplied with the WSE2.0 SP2 SDK.

I'd like to use self signed certs for the following reasons:
--the web service will be consumed internally (no need for CA traceability)
--it won't see a tremendous load (minor performance hit from self-signed
certs should be fine)
--I don't want to have to worry about expiring certs

The problem I'm having is that the certs I've created so far with Makecert
don't work. I get either a "Bad Key" or a "The security token could not be
authenticated or authorized" error during the creation of the web service
request on the client side. I've double-checked the cert imports and private
key ACL rights and everything is fine.

The makecert approaches I've used to get two certs with private keys are
(where xxx = "WSClient" and "WSServer"):

makecert -r -n "CN=xxx" -sv xxx.pvk xxx.cer
cert2spc xxx.cer xxx.spc
pvkimprt -pfx xxx.spc xxx.pvk

AND

makecert -cy authority -r -n "CN=demos1.Softwaremaker.NET" -sr
localmachine -ss "Trust"

makecert -cy end -n "CN=demos1.Softwaremaker.NET SERVER" -sky exchange -sk
"demos1.Softwaremaker.NET Server" -ss "My" -sr localmachine -in
"demos1.Softwaremaker.NET" -ir localmachine -is "Trust"

makecert -cy end -n "CN=demos1.Softwaremaker.NET CLIENT" -sky exchange -sk
"demos1.Softwaremaker.NET Client" -ss "My" -sr localmachine -in
"demos1.Softwaremaker.NET" -ir localmachine -is "Trust"


Can anyone provide me with makecert command lines for self signed
private-key certs that they know work with WSE2.0? Or, are there any MVPs
out there that know how the Quickstart sample certs were created?

Thanks in advance,
Andy

-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
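
The private-key permission check from the reply, as an added PowerShell example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session and CSP-backed keys such as makecert creates; the default subject patterns and the account name are taken from the posts above and can be overridden.

```powershell
# Added example (not from the thread): for certificates in LocalMachine\My,
# find the private key file and report whether an account has Read on it.
param(
    [string[]]$SubjectLike = @('CN=WSClient*', 'CN=WSServer*'),  # names used in the post
    [string]$Account = 'ASPNET'                                  # account named in the reply
)

# Machine-level CSP private keys are stored as files in this directory.
$keyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                    'Microsoft\Crypto\RSA\MachineKeys'
$read = [System.Security.AccessControl.FileSystemRights]::Read

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $s = $_.Subject; $SubjectLike | Where-Object { $s -like $_ } } |
    ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyNumber  = $null    # Exchange or Signature (what makecert -sky selects)
            KeyFile    = $null
            CanRead    = $false
            Note       = ''
        }
        try {
            if (-not $cert.HasPrivateKey) { throw 'certificate has no associated private key' }
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if (-not $info) { throw 'private key is not a CSP key' }
            if (-not $info.MachineKeyStore) { throw 'key is in a user profile, not MachineKeys' }
            $row.KeyNumber = $info.KeyNumber
            $row.KeyFile   = Join-Path $keyDir $info.UniqueKeyContainerName
            $aces = (Get-Acl -LiteralPath $row.KeyFile -ErrorAction Stop).Access
            # Only ACEs that name the account are checked; access inherited
            # through group membership is not evaluated here.
            $row.CanRead = [bool]($aces | Where-Object {
                $id = $_.IdentityReference.Value
                ($id -eq $Account -or $id -like "*\$Account") -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $read) -eq $read
            })
        } catch {
            $row.Note = $_.Exception.Message   # e.g. key container missing or unreadable
        }
        [pscustomobject]$row
    } | Format-Table -AutoSize
```

A row with CanRead set to False, or with a Note, identifies a certificate whose key file the account cannot open by an ACE in its own name.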
