Cheat-sheet: How to create a PKI and a Certificate Request

Background

There's an API secured by a client certificate. To access it, you need to send a certificate signing request (CSR) to the API owner's PKI, which then issues the certificate your application will present.

Being a novice in configuring security (or accessing APIs secured by certificates), wrapping my mind around this one took a while! But now I get it, and this is what I learned:

First step - ask for your certificate ID and Shape/Subject

The first thing you likely need to do is request your unique certificate ID. Depending on the target organization, you probably need to tell them who you are and why you need access to their API, so bring forth your best social engineering skills! ;-)



Obtaining OpenSSL

While you're waiting for your certificate ID, you need to get hold of an SSL implementation you can use to create your private key. OpenSSL is one such implementation and is distributed as a variety of binaries. If you're running Windows, I had the best luck with SL Pro Web's Win32OpenSSL_Light (donationware).

This guide expects you to install these binaries into C:\OpenSsl. When given the option, choose to put the binaries into the bin folder (as opposed to the Windows System folder).


Creating a PKI key

With OpenSSL installed, it's time to fire up PowerShell as Administrator. Then:

cd c:\OpenSsl
$env:OPENSSL_CONF="C:\OpenSsl\bin\openssl.cfg"
md keys
./bin/openssl genrsa -out .\keys\MyKey.key 2048

First off, we make sure that OpenSSL can find the configuration file it needs to do anything useful. Then we create a convenience folder for the generated artifacts. Finally, we use OpenSSL to generate a 2048-bit RSA private key, aptly named MyKey.key. This file is the secret half of your identity: keep it out of e-mails and source control.

Once this is done, it's time to create a certificate request.

Creating a Certificate Request (CSR)

With your private key in hand, it's time to generate the certificate request! Using the same PowerShell instance as before (i.e. with $env:OPENSSL_CONF still set), run

./bin/openssl req -new -subj "ShapeOrSubject" -key .\keys\MyKey.key -out .\keys\Certificate-Request.csr

Replace ShapeOrSubject with what you were told when requesting your certificate ID. In my case, it was something like this: /DC=countryFlag/DC=sourceSystemName/OU=partnerId/CN=certificateId

... where countryFlag, sourceSystemName, partnerId and certificateId were the application-specific values.
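The key and CSR steps above as one PowerShell script, with the checks I would run before e-mailing the request: that the CSR's self-signature verifies, that its subject is what was agreed, and that the public key inside it really belongs to MyKey.key. This is an added example, not code from the original post; it assumes OpenSSL is installed in C:\OpenSsl, and the subject values (countryFlag, sourceSystemName, partnerId, certificateId) are the post's placeholders, not real ones.

```powershell
# Added example (not from the original post). Assumes OpenSSL lives in C:\OpenSsl.
Set-Location 'C:\OpenSsl'
$env:OPENSSL_CONF = 'C:\OpenSsl\bin\openssl.cfg'
New-Item -ItemType Directory -Path '.\keys' -Force | Out-Null

# OpenSSL signals failure through its exit code, so check it after every call.
function Assert-Ok([string]$step) {
    if ($LASTEXITCODE -ne 0) { throw "$step failed (exit code $LASTEXITCODE)" }
}

# Subject in OpenSSL's slash-separated format. Placeholder values from the post:
# replace each with what the API owner gave you.
$subject = '/DC=countryFlag/DC=sourceSystemName/OU=partnerId/CN=certificateId'

# 2048-bit RSA private key. This is the only secret in the whole procedure.
.\bin\openssl genrsa -out .\keys\MyKey.key 2048
Assert-Ok 'genrsa'

# Certificate signing request bound to that key. The CSR itself is public data.
.\bin\openssl req -new -subj $subject -key .\keys\MyKey.key -out .\keys\Certificate-Request.csr
Assert-Ok 'req -new'

# Check 1: the CSR's self-signature verifies (catches a corrupted or hand-edited file).
.\bin\openssl req -noout -verify -in .\keys\Certificate-Request.csr
Assert-Ok 'req -verify'

# Check 2: the subject is exactly what was agreed; the issuer will reject anything else.
$csrSubject = .\bin\openssl req -noout -subject -in .\keys\Certificate-Request.csr
Write-Host "CSR subject: $csrSubject"

# Check 3: the public key in the CSR matches the private key on disk (catches a
# mixed-up -key argument, which would leave you with a certificate you cannot use).
$keyPub = .\bin\openssl pkey -in .\keys\MyKey.key -pubout
$csrPub = .\bin\openssl req -in .\keys\Certificate-Request.csr -noout -pubkey
if (($keyPub -join '') -ne ($csrPub -join '')) {
    throw 'Public key in the CSR does not match MyKey.key'
}

# Least privilege on the secret: drop inherited ACEs and leave only the current user (read).
icacls .\keys\MyKey.key /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
Assert-Ok 'icacls'
Write-Host 'Send .\keys\Certificate-Request.csr to the issuer; MyKey.key never leaves this machine.'
```

The three checks are cheap and each catches a different mistake that would otherwise only surface weeks later, when the issued certificate fails to pair with the key.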

Requesting your certificate

Open your keys folder (ii keys in PowerShell, which opens it in Explorer), attach the Certificate-Request.csr file to an e-mail and send it to the issuing agency (the same people you contacted to get the certificate ID, perhaps? ;-)). Only the .csr goes out; MyKey.key stays with you. If all goes well, they should return a certificate file, which you need to add to your certificate store.


Converting your certificate to something useful in a Microsoft setting

If you receive something other than a .pfx file, there is some post-processing to do next. (In my case, I received a fileName.cer.txt and a fileNameCA.cer.pem. Of these two, it's fileName.cer.txt that contains my certificate.) Using the same PowerShell window, run

.\bin\openssl pkcs12 -export -out .\keys\Certificate.pfx -inkey .\keys\MyKey.key -in .\keys\fileName.cer.txt -certfile .\keys\fileNameCA.cer.pem

The tool will ask for a password to protect your .pfx file. Since the .pfx contains your private key as well as the certificate chain, pick a strong password and treat the file as carefully as MyKey.key itself.
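The conversion step as a script that also verifies what ended up in the bundle and imports it into the machine certificate store. This is an added example, not from the original post; the file names (fileName.cer.txt, fileNameCA.cer.pem, MyKey.key) are the post's placeholders, C:\OpenSsl is the assumed install location, and the export password is read at the prompt and handed to OpenSSL through an environment variable rather than on the command line, so it does not show up in process listings.

```powershell
# Added example (not from the original post). Assumes OpenSSL lives in C:\OpenSsl and
# the key/certificate files from the earlier steps are in .\keys.
Set-Location 'C:\OpenSsl'
$env:OPENSSL_CONF = 'C:\OpenSsl\bin\openssl.cfg'

function Assert-Ok([string]$step) {
    if ($LASTEXITCODE -ne 0) { throw "$step failed (exit code $LASTEXITCODE)" }
}

# Ask for the export password once; keep it as a SecureString for the import cmdlet and
# expose the plain text only to OpenSSL via an environment variable (-passout env:NAME).
$pfxPassword = Read-Host -AsSecureString 'Password to protect Certificate.pfx'
$env:PFX_PASS = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password

# -in takes the issued (leaf) certificate; the CA certificate goes in -certfile.
# A second -in would silently replace the first, and pkcs12 would then complain that
# no certificate matches the private key.
.\bin\openssl pkcs12 -export -out .\keys\Certificate.pfx `
    -inkey .\keys\MyKey.key `
    -in .\keys\fileName.cer.txt `
    -certfile .\keys\fileNameCA.cer.pem `
    -passout env:PFX_PASS
Assert-Ok 'pkcs12 -export'

# Verify the bundle: print subject, issuer and validity of the client certificate
# without ever writing the private key to the console (-nokeys).
.\bin\openssl pkcs12 -in .\keys\Certificate.pfx -nokeys -clcerts -passin env:PFX_PASS |
    .\bin\openssl x509 -noout -subject -issuer -dates
Assert-Ok 'pkcs12 verification'

# The plain-text password is no longer needed.
Remove-Item Env:\PFX_PASS

# Import into the machine store so a service identity (e.g. an IIS app pool) can use it.
# Omit -Exportable unless you really need to pull the key back out of the store later.
$cert = Import-PfxCertificate -FilePath .\keys\Certificate.pfx `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword
Write-Host "Imported client certificate with thumbprint $($cert.Thumbprint)"
```

The -dates line is worth a look every time: issuers commonly hand out short-lived certificates, and the expiry date is what you will put in your calendar for the renewal.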


Using your certificate in your application

Your application will need read access to the .pfx certificate file you obtained or created. If your app is a web application, make sure the app pool identity has permission to read the folder in which the certificate resides; read is all it needs, so don't grant modify or full control.
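Granting the app pool identity read access, and then proving the certificate actually works before wiring it into application code. This is an added example, not from the original post: the pool name MyAppPool, the folder C:\OpenSsl\keys and the URL https://api.example.invalid/endpoint are assumed placeholders.

```powershell
# Added example (not from the original post). All three values below are placeholders.
$appPool = 'MyAppPool'
$certDir = 'C:\OpenSsl\keys'
$apiUrl  = 'https://api.example.invalid/endpoint'

# IIS application pools run as virtual accounts named "IIS AppPool\<pool name>".
# Grant read only, on this folder only; the pool never needs to write here.
icacls $certDir /grant:r "IIS AppPool\${appPool}:(OI)(CI)(R)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $certDir" }

# Load the .pfx the same way the application will. The private key inside it is what
# authenticates us to the API, so a bundle without one is useless for this purpose.
$pfxPassword = Read-Host -AsSecureString 'Password for Certificate.pfx'
$clientCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    (Join-Path $certDir 'Certificate.pfx'), $pfxPassword)

if (-not $clientCert.HasPrivateKey) {
    throw 'Certificate.pfx contains no private key; the TLS handshake would fail'
}
if ($clientCert.NotAfter -lt (Get-Date)) {
    throw "Client certificate expired on $($clientCert.NotAfter)"
}
Write-Host "Using $($clientCert.Subject), valid until $($clientCert.NotAfter)"

# Present it as the TLS client certificate. A handshake or 403 failure here points at
# the certificate or its trust chain, not at your application code.
$response = Invoke-RestMethod -Uri $apiUrl -Method Get -Certificate $clientCert
$response
```

Running this once from the same machine and account as the application separates "the certificate is wrong" from "my code is wrong", which in my experience is where most of the time gets lost.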

More reading / what to do next
