Cheat-sheet: How to create a PKI and a Certificate Request
Background
There's an API secured by a certificate. To access this API, you need to send a certificate request, based on a PKI. Being a novice in configuring security (or accessing APIs secured by certificates), wrapping my mind around this one took a while! But now I get it, and this is what I learned:
First step - ask for your certificate ID and Shape/Subject
The first thing you likely need to do is to request your unique certificate ID. Depending on the target organization, you probably want to tell them who you are and why you need access to their API, so bring forth your best social engineering skills! ;-)
Obtaining OpenSSL
As you're waiting for your certificate ID, you need to get your hands on an SSL implementation which you can utilize to create your private keys. OpenSSL is one such implementation and is distributed as a variety of binaries. If you're running Windows, I had the best luck with SL Pro Web's Win32OpenSSL_Light (donationware). This guide expects you to install these binaries into C:\OpenSsl. When given the option, choose to put the binaries into the bin folder (as opposed to the Windows System folder).
Creating a PKI key
With OpenSSL installed, it's time to fire up PowerShell as Administrator. Then:
cd c:\OpenSsl
$env:OPENSSL_CONF="C:\OpenSsl\bin\openssl.cfg"
md keys
./bin/openssl genrsa -out .\keys\MyKey.key 2048
First off, we make sure that OpenSSL will find its needed configuration to do anything useful. Then we create a convenience folder to put our generated artifacts in. Finally, we use OpenSSL to generate our key, aptly named MyKey.key. This is your private key: it stays on your machine and is never sent to anyone; only the certificate request derived from it goes out.
Once this is done, it's time to create a certificate request.
Creating a Certificate Request (CSR)
With your PKI key in hand, it's time to generate the certificate request! Using the same PowerShell instance as before (i.e. with the $env configured), run
./bin/openssl req -subj ShapeOrSubject -new -key .\keys\MyKey.key -out .\keys\Certificate-Request.csr
Replace ShapeOrSubject with what you've been told when requesting your certificate ID. In my case, it was something like this: /DC=countryFlag/DC=sourceSystemName/OU=partnerId/CN=certificateId
... where the values after each = sign (countryFlag, sourceSystemName, partnerId, certificateId) were application specific.
Requesting your certificate
Opening your keys folder (ii keys), go ahead and attach the Certificate-Request.csr file to an e-mail and send it to the requesting agency (the same people whom you contacted to get the certificate ID, perhaps? ;-)). If all goes well, they should return you a certificate file, which you need to add to your certificate store.
Converting your certificate to something useful in a Microsoft setting
If you receive something other than a .pfx file as a result, there is some post-processing you will have to do next. (In my case, I received a fileName.cer.txt and a fileNameCA.cer.pem. From these two, it's the fileName.cer.txt that contains my certificate; the .pem is the issuing CA's certificate, which goes in with -certfile, since pkcs12 only honours a single -in.) Using the same PowerShell window, run
.\bin\openssl pkcs12 -export -out .\keys\Certificate.pfx -inkey .\keys\MyKey.key -in .\keys\fileName.cer.txt -certfile .\keys\fileNameCA.cer.pem
The tool will ask for a password to protect your .pfx file.
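The whole procedure above as one PowerShell script, added here as an example and not part of the original post. It assumes the C:\OpenSsl install and keys folder convention from this guide; the subject string and the fileName.cer.txt / fileNameCA.cer.pem names are placeholders you replace with what your issuer gives you. It adds two checks the post skips: printing the CSR subject before you e-mail it, and confirming the returned certificate actually matches MyKey.key before bundling it into the PFX.

```powershell
# Added example, not the original post's code. Assumes Win32OpenSSL in C:\OpenSsl
# and the "keys" folder used throughout this guide. Run in PowerShell as Administrator.
$OpenSsl = "C:\OpenSsl\bin\openssl.exe"
$env:OPENSSL_CONF = "C:\OpenSsl\bin\openssl.cfg"
$Keys = "C:\OpenSsl\keys"
New-Item -ItemType Directory -Path $Keys -Force | Out-Null

# Step 1: the private key (the post calls it the "PKI key"). It never leaves this
# machine; only the CSR built from it is sent to the issuing organisation.
& $OpenSsl genrsa -out "$Keys\MyKey.key" 2048

# Step 2: certificate request with the subject you were given (placeholder values).
$Subject = "/DC=countryFlag/DC=sourceSystemName/OU=partnerId/CN=certificateId"
& $OpenSsl req -new -key "$Keys\MyKey.key" -subj $Subject -out "$Keys\Certificate-Request.csr"

# Sanity check before e-mailing the CSR: confirm the subject came out as intended.
& $OpenSsl req -in "$Keys\Certificate-Request.csr" -noout -subject

# Step 3 (run after the issuer returns fileName.cer.txt and fileNameCA.cer.pem):
# verify the returned certificate belongs to MyKey.key by comparing the RSA
# modulus of both, then bundle key + certificate + CA chain into a PFX.
$Cert  = "$Keys\fileName.cer.txt"
$Chain = "$Keys\fileNameCA.cer.pem"
$KeyMod  = & $OpenSsl rsa  -in "$Keys\MyKey.key" -noout -modulus
$CertMod = & $OpenSsl x509 -in $Cert -noout -modulus
if ($KeyMod -ne $CertMod) {
    throw "fileName.cer.txt does not match MyKey.key; do not export, ask the issuer which CSR they signed."
}
# Show who issued it and when it expires, so you know when to repeat this dance.
& $OpenSsl x509 -in $Cert -noout -subject -issuer -dates

# -in takes the single end-entity certificate; the CA certificate goes in via -certfile.
& $OpenSsl pkcs12 -export -out "$Keys\Certificate.pfx" -inkey "$Keys\MyKey.key" `
    -in $Cert -certfile $Chain
```

The export step prompts for the password that protects Certificate.pfx, the same as when you run the command by hand.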
Using your certificate in your application
Your application will need read access to the .pfx certificate file you obtained or created. If your app is a Web application, make sure that the user identity of the app pool has permission to read the folder in which the certificate resides.
More reading / what to do next
- Working with SSL in Web API
- Cross Platform Authentication With ASP.NET Web API
- SelfCert: Create a Self-Signed Certificate Interactively (GUI) or Programmatically in .NET
- How to call a Web service by using a client certificate for authentication in an ASP.NET Web application
- Generating SSH keys
- OpenSSL PKI Tutorial v1.1
- MVC web app (https) calling a WCF Service (https) that also requires a SSL certificate for authentication
- Using client certificate not in certificate store
- How do I make a Request to a REST API, with a certificate, in C#?
- What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
- How do I view the contents of a PFX file on Windows?