WCF Service with OpenSSL Certificates

I got my WCF web service working with basic self-signed certificates generated by makecert (using some of the many online tutorials on the subject), but found that there are certain capabilities we need when creating certificates that makecert doesn't seem to handle. So I am trying to create my certificates using OpenSSL, signing them with our own CA (also created with OpenSSL). I seem to generate and register the certificate fine, but when I try to make a request to the web service I get this:

The certificate '[Certification Details]' must have a private key. The process must have access rights for the private key.

Try as I might, I can't get the system to recognize what I thought was the private key (maybe I'm completely wrong and I have to look at another file entirely). Can anyone offer some sage advice on where I might be going wrong?

I am generating the certificate like this:

# Generate key and certificate request
# (rsa:1024 is below current minimums; 2048 bits or more is the usual floor today.
#  -nodes leaves MyCompany.key unencrypted on disk.)
openssl req -new -newkey rsa:1024 -nodes -keyout MyCompany.key -out MyCompany.csr

# Generate certificate from certificate request
# (openssl ca uses the CA configured in openssl.cnf; -batch suppresses the prompts)
openssl ca -batch -in MyCompany.csr -out MyCompany.cert

Then I can register "MyCompany.cert" in the machine certificate store (in this case, the server and client are both running on localhost), but MyCompany.key (which I assume is the private key, right?) won't import; it always reports an unknown file format. Registration is done using the "mmc" utility with the Certificates snap-in.

In my Web.Config files for my client and server, I then replace the previous (working) certificate names with a name for my new certificate:

<!-- Client Web.config -->
<clientCredentials>
    <serviceCertificate>
        <authentication certificateValidationMode="PeerOrChainTrust"/>
    </serviceCertificate>
    <!-- The certificate named here must carry a private key the process can read;
         TrustedPeople normally holds public certificates only, the key pair usually
         lives in the Personal ("My") store of the account running the process. -->
    <clientCertificate findValue="MyCompany" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</clientCredentials>

<!-- Server Web.config -->
<serviceCredentials>
    <clientCertificate>
        <authentication certificateValidationMode="PeerOrChainTrust"/>
    </clientCertificate>
    <!-- Same requirement here: the service certificate needs its private key available
         to the identity the service runs as. -->
    <serviceCertificate findValue="MyCompany" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</serviceCredentials>

This, of course, gives the error I listed earlier. I know it found the certificate, because the details it displays in the error are correct, but I am obviously missing something. So what else do I need to do to get WCF to work with my OpenSSL certificates?

I apologize if my question seems obvious or if I'm leaving out some important information, but I'm pretty new to the certificate/SSL scene and a lot of what I have read so far is still murky to me. I would be very grateful to anyone who could enlighten me!



1 answer


Windows does not understand the OpenSSL PEM key format. After creating your key pair, you will need to package it in PKCS#12 format (.pfx) so that you can import the whole key pair. Something like:

# Bundle the certificate and its private key into one password-protected .pfx
openssl pkcs12 -export -in yourcert.cer -inkey yourkey.pem -out output.pfx

Then import the .pfx using the Certificates snap-in as before. You will be prompted for the password you set during the export, and afterwards you will see a small key icon when you view the certificate, with the text "You have a private key that corresponds to this certificate."

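The whole procedure from the answer, end to end, as an added example (this is not code from the original question or answer): a throwaway CA, a CA-signed key pair, the PKCS#12 export, and two checks a practitioner wants before touching the Windows store: that the .pfx really carries a private key, and that the private key actually belongs to the certificate. The names (Test CA, MyCompany), the password and the file layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a CA-signed key pair with
# OpenSSL and bundles it as PKCS#12 so the Windows certificate store imports the
# private key together with the certificate. All names and the password are
# demo assumptions.

# Create a throwaway CA, a 2048-bit server key + CSR, sign the CSR with the CA,
# and export cert + key + CA chain as $1/MyCompany.pfx protected by password $2.
make_pfx() {
    dir=$1; pw=$2
    # Self-signed CA (key and certificate in one step).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR (2048 bits; the 1024 bits in the question is too small today).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=MyCompany" -keyout "$dir/MyCompany.key" -out "$dir/MyCompany.csr" 2>/dev/null
    # Sign the CSR with the CA directly, without an openssl.cnf CA database.
    openssl x509 -req -in "$dir/MyCompany.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/MyCompany.cert" 2>/dev/null
    # Bundle as PKCS#12. -name becomes the friendly name shown in the MMC snap-in.
    # SHA1/3DES PBE and a SHA1 MAC keep the file importable on older Windows
    # builds, which reject the AES-256/PBKDF2 defaults of OpenSSL 3.
    openssl pkcs12 -export -in "$dir/MyCompany.cert" -inkey "$dir/MyCompany.key" \
        -certfile "$dir/ca.crt" -name "MyCompany" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pw" -out "$dir/MyCompany.pfx"
}

# Succeeds only if the .pfx ($1, password $2) actually contains a private key,
# which is exactly what WCF complained was missing. -nocerts drops the
# certificates; -nodes writes the key out unencrypted so openssl pkey can parse it.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -noout 2>/dev/null
}

# Succeeds only if the public key embedded in certificate $2 is the one that
# belongs to private key $1 (catches "imported the wrong .key" mistakes).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_pfx "$work" "changeit"
    pfx_has_private_key "$work/MyCompany.pfx" "changeit" && echo "pfx contains a private key"
    key_matches_cert "$work/MyCompany.key" "$work/MyCompany.cert" && echo "key matches certificate"
    rm -rf "$work"
fi
```

The resulting MyCompany.pfx is what gets imported with the Certificates snap-in. Import it into the Personal (My) store of the account the WCF process runs under (or the machine store, with the private key ACL granting that account read access), since the "must have a private key" error is raised even when the certificate is found but the key is absent or unreadable. Treat the .pfx and the unencrypted .key as secrets: delete them from disk once the import has succeeded.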