Re: Client certificate

From: Carsten Kinder [MSFT] (ckinder_at_online.microsoft.com)
Date: 09/09/04


Date: Thu, 9 Sep 2004 07:59:45 +0200

Hello Martin,

For creating self-signed certificates I recommend makecert.exe (described at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/makecert.asp).
Self-signed certificates are not particularly secure, but technically it can
be implemented.

Below is a short guide I wrote up at some point on how it should work.

The following procedure creates two types of certificates. First, you will
create a "Root" certificate that can sign the SSL certificates. Once the
"Root" certificate has been created, you can create as many "End-entity"
certificates as you like. Finally, you must distribute the "Root"
certificate (but not its private key) to the computers that will connect to
your SSL server.

1. Download the most recent version of makecert.exe from
http://download.microsoft.com/download/platformsdk/update/5.131.3617.0/nt45xp/en-us/makecert.exe

2. Make makecert.exe available to the computer where you want to create
the certificates. This computer is not necessarily the computer that will
use the SSL certificate at a later stage.

3. At a command-line, run the following command as a single line to
create the "Root" certificate and the corresponding key material:

makecert -pe -n "CN=MyRoot" -ss MY -sr LocalMachine -a sha1 -sky signature
-r MyRoot.cer

In the command above, "MyRoot" is just a sample name for the Root CA. At
this stage, you have created the "Root" certificate and its private key. The
"Root" certificate was added to the computer's personal certificate store and
is available as the file "MyRoot.cer".

4. To add the "Root" certificate to the trusted root certificates of
the local computer, open the Certificates MMC Snap-In. Open the "local
computer" certificate store.

5. The "MyRoot" certificate is available in the "Personal" certificate
store. Press the <Ctrl> key and drag/drop the certificate into the "Trusted
Root Certification authorities". A warning dialog appears. Accept to add the
certificate to the trusted root store.

6. Once you have created the "Root" certificate properly, you can
create the SSL certificate and the corresponding key-material. At a
command-line, run the following command as a single line:

makecert -pe -n "CN=[DNSnameOfsslServer]" -ss MY -sr LocalMachine -a
sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in MyRoot -is MY -ir
LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
MySSL.cer

In the command above, [DNSnameOfsslServer] is to be replaced with the
fully qualified computer name of the server that owns the certificate. Also,
MyRoot is a sample name, but the value of the -in parameter must match the
name of your Root certificate as created in the previous step.

7. If you had created the certificates on a computer that does not
provide SSL, you must copy the "Root" certificate file MyRoot.cer to the SSL
computer. Then, export the SSL certificate and its key into a PFX-file and
transfer both files to the SSL computer.

8. Install the "Root" certificate into the "Trusted Root Certification
authorities" store and install the PFX file into the local machine's personal
certificates store.

9. Distribute and install the "Root" certificate to all computers that
will establish secure SSL connections with this certificate.

10. If you require more SSL-certificates you don't have to create
additional Root certificates. Start at step 6 to create additional SSL
certificates.

Regards
C-:

"Martin Kimm" <MK@LCS-Eschwege.de> wrote in message
news:d22901c48aa8$da33c060$a601280a@phx.gbl...
I have the following problem:

I want to perform an identity check for clients on an
SSL-secured website by issuing certificates (or always
the same one), installing them on the clients and
registering them in IIS. These have to be "self-signed".
How on earth do I get such a certificate created when I
have no Active Directory and no certification authority
of my own either? I found a small freeware tool and
created a self-signed certificate with it, but IIS
ignores it; possibly it does not meet some requirements
or standards (I added it to the trust list and the switch
is set to "Require client certificate").

Many thanks in advance for your help
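The Root -> end-entity workflow of steps 3 to 9 above, as an added example that is not part of the original post. makecert.exe has since been deprecated, so this version uses the New-SelfSignedCertificate, Export-Certificate, Import-Certificate and Export-PfxCertificate cmdlets of the PKI module that ships with Windows 10 / Server 2016 and later; it is meant to be run in an elevated PowerShell on the machine that will hold the private keys. It goes beyond the post in one respect: besides the server certificate with the serverAuth EKU (1.3.6.1.5.5.7.3.1) used there, it also issues a client certificate with the clientAuth EKU (1.3.6.1.5.5.7.3.2), which is what the "Require client certificate" setting in the original question needs. The CA name, the server FQDN, the client subject, the output folder and the file names are placeholders chosen for this example.

```powershell
# Added example, not code from the original post. Requires the PKI module
# (Windows 10 / Server 2016 or later) and an elevated session, because the
# keys are created in the LocalMachine store as in the makecert commands.
#Requires -RunAsAdministrator

$rootName   = "MyRoot"            # sample CA name, as in the post
$serverFqdn = "www.example.test"  # assumed FQDN of the SSL server
$clientName = "Martin Kimm"       # assumed client-certificate subject
$outDir     = "C:\certs"          # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 3 equivalent: self-signed root with a CA basic constraint and a
# signature-only key. This key never leaves this machine.
$root = New-SelfSignedCertificate `
    -Subject "CN=$rootName" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Public part only, the counterpart of MyRoot.cer in the post.
Export-Certificate -Cert $root -FilePath "$outDir\$rootName.cer" | Out-Null

# Steps 4-5 equivalent: trust the root on this machine (no private key moves).
Import-Certificate -FilePath "$outDir\$rootName.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# Step 6 equivalent: server certificate signed by the root, EKU serverAuth.
# The FQDN also goes into the SAN; current browsers ignore the CN for matching.
$server = New-SelfSignedCertificate `
    -Subject "CN=$serverFqdn" -DnsName $serverFqdn `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Beyond the post: a client certificate for the "Require client certificate"
# case needs the clientAuth EKU instead of serverAuth.
$client = New-SelfSignedCertificate `
    -Subject "CN=$clientName" `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Steps 7-8 equivalent: PFX files (certificate plus private key) to carry to
# the IIS host and to the client. Delete them once imported.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $server -FilePath "$outDir\$serverFqdn.pfx" `
    -Password $pfxPassword | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$outDir\client.pfx" `
    -Password $pfxPassword | Out-Null

# Check before deploying: each leaf must chain to the root that is now in
# Trusted Root. A certificate that fails here is one IIS will not accept.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # this root publishes no CRL
foreach ($leaf in $server, $client) {
    if (-not $chain.Build($leaf)) {
        throw "Chain for '$($leaf.Subject)' does not end at $rootName"
    }
    Write-Host "OK: $($leaf.Subject) -> $($chain.ChainElements[-1].Certificate.Subject)"
}
```

Step 9 of the post is unchanged: copy only MyRoot.cer to every client and import it into Trusted Root Certification Authorities there; the client PFX goes into that one user's Personal store. Because the root publishes no CRL, a lost client key can only be "revoked" by re-issuing everything from a new root, which is the practical cost of the self-signed approach the post warns about.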


