I've gotten my WCF webservice running with basic self-signed certificates generated by makecert (using some of the many online tutorials on the subject) but have found that there are certain capabilities that we require when generating certificates that makecert does not seem to handle. As such I'm trying to create my certificates using OpenSSL, signing them with our own CA (also generated with OpenSSL). I seem to be creating and registering the certificate fine, but when I attempt to query the webservice I get the following:
The certificate '[Cert Details]' must have a private key. The process must have access rights for the private key.
Try though I might, I can't seem to get the system to recognize what I thought was the private key (maybe I'm totally wrong and I should be looking at another file entirely...). Can anyone offer some sage advice as to where I may be going wrong?
I'm generating the certificate like so:
```sh
# Generate key and certificate request
openssl req -new -newkey rsa:1024 -nodes -keyout MyCompany.key -out MyCompany.csr

# Generate certificate from certificate request
openssl ca -batch -in MyCompany.csr -out MyCompany.cert
```
I can then register "Mycompany.cert" with the machine's certificate store (in this case both server and client are running on localhost), but MyCompany.key (which I assume is the private key, yes?) will not import, always citing an unknown file format. Registration is being done through the "mmc" utility with the certificate snap-in.
In my Web.Config files for my client and server I then swap out the previous (working) certificate names with the name for my new certificate:
```xml
<!-- Client Web.config -->
<clientCredentials>
  <serviceCertificate>
    <authentication certificateValidationMode="PeerOrChainTrust"/>
  </serviceCertificate>
  <clientCertificate findValue="MyCompany"
                     storeLocation="CurrentUser"
                     storeName="TrustedPeople"
                     x509FindType="FindBySubjectName" />
</clientCredentials>

<!-- Server Web.config -->
<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerOrChainTrust"/>
  </clientCertificate>
  <serviceCertificate findValue="MyCompany"
                      storeLocation="CurrentUser"
                      storeName="TrustedPeople"
                      x509FindType="FindBySubjectName" />
</serviceCredentials>
```
This, of course, yields the error I listed earlier. I know it's finding the certificate because the details it displays in the error are all correct, but I'm obviously missing something. So what more do I need to do to get WCF to work with my OpenSSL certificates?
I apologize if my question seems obvious, or if I'm leaving out some critical piece of information, but I'm fairly new to the certificate/SSL scene and so much of what I already have is me groping around in the dark. I'd be very appreciative of anyone who could enlighten me!
Windows doesn't understand OpenSSL's PEM key format. After generating your key pair, you'll need to cram them into a PKCS12 (.pfx) format to be able to import the whole key pair. Something like:
```sh
openssl pkcs12 -export -in yourcert.cer -inkey yourkey.pem -out output.pfx
```
Then import the .pfx using the Certificates snap-in as before. You should be prompted for the key password you supplied during the export, and then you should see the little key icon when you view the cert that says "You have a private key corresponding to this certificate".
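The whole round trip the answer describes, as an added example (not code from the question or the answer): build a private CA with OpenSSL, issue a certificate for the service, bundle certificate and key into a password-protected PKCS#12 file, and then check, before going anywhere near mmc, that the .pfx really contains a private key whose public half matches the certificate. That match is exactly what WCF's "must have a private key" error is about. All names (`Example Test CA`, `MyCompany`, the file names) are made up for the demo, and the CSR is signed with `openssl x509 -req` rather than `openssl ca` so that no openssl.cnf CA database has to be set up.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue a certificate from a
# private CA with OpenSSL, bundle certificate + private key into PKCS#12 (.pfx),
# and confirm the bundle carries the private key that matches the certificate.
# Names (Example Test CA, MyCompany, file names) are made up for this demo.
set -eu

WORK=$(mktemp -d)            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA (2048-bit RSA; the question used 1024, which is too short today).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cert" 2>/dev/null
}

# 2. Service key + CSR, then sign the CSR with the CA.
#    'openssl x509 -req' is used instead of 'openssl ca' so no openssl.cnf CA
#    database is needed; for this purpose the result is equivalent.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=MyCompany" \
    -keyout "$WORK/MyCompany.key" -out "$WORK/MyCompany.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/MyCompany.csr" \
    -CA "$WORK/ca.cert" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/MyCompany.cert" 2>/dev/null
}

# 3. Bundle cert + key (+ CA chain) into a password-protected PKCS#12 file.
#    $1 = export password; the Certificates snap-in asks for it on import.
export_pfx() {
  openssl pkcs12 -export \
    -in "$WORK/MyCompany.cert" -inkey "$WORK/MyCompany.key" \
    -certfile "$WORK/ca.cert" \
    -passout "pass:$1" -out "$WORK/MyCompany.pfx"
}

# SHA-256 over the DER encoding of a PEM public key read from stdin.
pubkey_fp() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 4. Verification: returns 0 only if the .pfx opens with password $1 AND the
#    private key inside it matches the end-entity certificate's public key.
pfx_has_matching_key() {
  cert_pem=$(openssl pkcs12 -in "$WORK/MyCompany.pfx" -passin "pass:$1" \
               -clcerts -nokeys 2>/dev/null) || return 1
  key_pem=$(openssl pkcs12 -in "$WORK/MyCompany.pfx" -passin "pass:$1" \
              -nocerts -nodes 2>/dev/null) || return 1
  cert_fp=$(printf '%s\n' "$cert_pem" | openssl x509 -noout -pubkey 2>/dev/null | pubkey_fp)
  key_fp=$(printf '%s\n' "$key_pem" | openssl pkey -pubout 2>/dev/null | pubkey_fp)
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Stand-alone run ("sh pfx_roundtrip.sh run"): build everything and report.
if [ "${1:-}" = "run" ]; then
  make_ca && issue_cert && export_pfx secret
  if pfx_has_matching_key secret; then
    echo "MyCompany.pfx contains the private key matching the certificate"
  else
    echo "MyCompany.pfx is missing the key or the key does not match" >&2
    exit 1
  fi
fi
```

Two things worth knowing when the .pfx then goes to Windows. The `-passout` password is the one the snap-in prompts for during import, and the key icon the answer mentions is the same "key matches certificate" check done by the store. Also, OpenSSL 3.x encrypts PKCS#12 files with AES-256/PBKDF2 by default, which older Windows releases cannot read; if the import complains about the file, re-export with `openssl pkcs12 -export -legacy ...` to get the older RC2/3DES encoding.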