A step by step guide to create the SSL and client certificates
INTRO
To test client certificates over HTTPS, they must all be created under a trusted root certification authority (directly or chained).
This step by step guide will take you through all the necessary steps:
create a root certification authority
trust the newly created CA on the server and client side
create the SSL certificate
install the SSL certificate under IIS and configure it
create one or more client certificates
use the client certificate(s)
Create the Root TEST CA
You need a test Certification Authority, e.g. ACME.
ACME will issue the SSL certificate for the web server and the client certificates.
You also need to create an empty revocation list.
CA Certificate:
makecert.exe -n "CN=ACMERootCA" -r -sv ACMERootCA.pvk ACMERootCA.cer
CA revocation list:
makecert.exe -crl -n "CN=ACMERootCA" -r -sv ACMERootCA.pvk ACMERootCA.crl
Install the Root CA certificate
You need to install the ACME certificate on the server and on the client machines. Put the public part (ACMERootCA.cer) under Certificates (Local Computer) \ Trusted Root Certification Authorities.
Create one or more Client Certificates
You have two options:
create the certificate and store it directly in the Windows certificate repository
create the certificate, save it to a file and import it into the Windows certificate repository
Create + Store:
makecert.exe -iv ACMERootCA.pvk -n "CN=ACMEclient001" -ic ACMERootCA.cer -sr currentuser -ss my -sky signature -pe
Create and save it to a file (then import the pfx file):
makecert.exe -iv ACMERootCA.pvk -n "CN=ACMEclient002" -ic ACMERootCA.cer -sky signature -pe -sv ACMEclient002.pvk ACMEclient002.cer
pvk2pfx.exe -pvk ACMEclient002.pvk -spc ACMEclient002.cer -pfx ACMEclient002.pfx
Create and install the server SSL certificate
Create the SSL certificate as pfx file:
makecert.exe -pe -n "CN=myserver.local" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic ACMERootCA.cer -iv ACMERootCA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv SSLserver.pvk SSLserver.cer
pvk2pfx.exe -pvk SSLserver.pvk -spc SSLserver.cer -pfx SSLserver.pfx
Set the SSL certificate on your web site:
import the pfx certificate under “Certificates (Local Computer) \ Personal”
open the IIS manager; under the web site, go to Directory Security - Server Certificates - “Assign an existing certificate”, and then select the certificate you imported.
WARNING on IIS 6 + Windows 2003 (perhaps also on Windows 2008): Microsoft bug when there are too many certificates in “Trusted Root Certification Authorities”!
Force IIS to request the client certificate
By default, IIS does not ask the client to send a certificate, so you have to change this yourself as follows:
Test
IE will ask you to select which client certificate to use
If no error message appears, the connection is established
Another CA for client certificates?
SSL and client certificates do not need to be created under the same certification authority.
You can have more than one client certificate installed on your machine. In such a case, IE will ask you which certificate to use.
Steps to create a client certificate under another CA:
create another root CA:
makecert.exe -n "CN=FOOBAR-CA" -r -sv FOOBAR_CA.pvk FOOBAR_CA.cer
create a client certificate under the new CA:
makecert.exe -iv FOOBAR_CA.pvk -n "CN=FooBar_Client1" -ic FOOBAR_CA.cer -sr currentuser -ss my -sky signature -pe
install the public part of the new root CA certificate on both the client and the server
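The trust relationships this guide sets up (the SSL certificate and client certificate issued by ACMERootCA, plus a client certificate from a second CA that the server accepts only once FOOBAR_CA.cer is installed in its trusted root store) can be checked offline with the Go program below. It is an added example, not part of the original guide: it builds the same chain layout with Go's crypto/x509 instead of makecert, assumes Ed25519 keys in place of makecert's RSA keys, and reuses the guide's names (ACMERootCA, myserver.local, ACMEclient001, FOOBAR-CA, FooBar_Client1) as constructed test subjects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn and its key, signed by parent (makecert -ic/-iv) or self-signed
// when parent is nil (makecert -r). Assumption: Ed25519 keys stand in for makecert's RSA keys.
func issue(cn string, eku []x509.ExtKeyUsage, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // root CA: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildAndCheck recreates the guide's layout (ACMERootCA issues the SSL certificate with EKU 1.3.6.1.5.5.7.3.1 and a client certificate; a second root, FOOBAR-CA, issues its own client certificate) and reports what the server accepts.
func BuildAndCheck() (serverOK, clientOK, foreignOK, foreignOKAfterInstall bool) {
	serverAuth, clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	acme, acmeKey := issue("ACMERootCA", nil, nil, nil, nil)
	server, _ := issue("myserver.local", serverAuth, []string{"myserver.local"}, acme, acmeKey)
	client, _ := issue("ACMEclient001", clientAuth, nil, acme, acmeKey)
	foobar, foobarKey := issue("FOOBAR-CA", nil, nil, nil, nil)
	foreign, _ := issue("FooBar_Client1", clientAuth, nil, foobar, foobarKey)
	trusted := x509.NewCertPool() // the server's "Trusted Root Certification Authorities" store
	trusted.AddCert(acme)
	verify := func(c *x509.Certificate, eku []x509.ExtKeyUsage, host string) bool { // chain to a trusted root, check EKU and (for SSL) host name
		_, err := c.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, KeyUsages: eku})
		return err == nil
	}
	serverOK, clientOK = verify(server, serverAuth, "myserver.local"), verify(client, clientAuth, "")
	foreignOK = verify(foreign, clientAuth, "") // false: FOOBAR-CA is not in the trusted store yet
	trusted.AddCert(foobar)                      // "install the public part of the new root CA certificate" on the server
	return serverOK, clientOK, foreignOK, verify(foreign, clientAuth, "")
}
func main() { fmt.Println(BuildAndCheck()) }
```

Running it prints `true true false true`: the third value is the FooBar_Client1 rejection that you would see as a handshake failure in IIS until the FOOBAR-CA root is installed on the server.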