Saturday, August 09, 2014

Creating a certificate chain of self-signed certificates for development / testing / private environments

As anybody who's ever tried to develop secure services with SSL knows, it's expensive to buy trusted certificates from a certification authority. This is especially true if you're an independent developer who doesn't have a lot of resources. Therefore, we need to be able to generate self-signed certificates in order to develop and test our code before we actually go and buy a trusted certificate for production. This tutorial will show you how to create a chain of trust and start generating certificates from a self-signing authority. The information here is based on Microsoft's documentation on MSDN about the matter.


  1. Create a signing authority certificate:
    • makecert -n "CN=My Signing Authority" -r -sv MySigningCert.pvk MySigningCert.cer
    You'll be prompted for passwords for securing the private key. Ensure that you remember them; you'll need them to create the merged file.

  2. Merge the private key file and public key file into an encrypted key (this isn't mentioned in the MSDN article linked above, but you can find the documentation here):
    • pvk2pfx /pvk MySigningCert.pvk /spc MySigningCert.cer /pfx MySigningCert.pfx /pi mycertpassword /po mycertpassword /f
    This step isn't necessary for signing site certificates, but it does make things more convenient for storing the certificate and installing it on different machines. Be careful: you should never leave keys lying around on the file systems of machines. They should always either: a) be stored in an encrypted store like the one provided by Windows, or b) be stored on separate storage media that can be physically locked away, with access only available to trusted personnel.

  3. Start creating site certificates with your signing certificate:
    • makecert -iv MySigningCert.pvk -n "CN=www.mywebsite.com" -ic MySigningCert.cer -sv sitekey.pvk sitekey.cer -pe
    Now, as above, I recommend that you merge the .pvk and .cer into a .pfx for easy transport and storage.
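The same three steps, as an added example that is not part of the original post: makecert and pvk2pfx have since been deprecated, and the built-in PKI cmdlets on Windows 10 / Server 2016 and later cover the whole procedure, including the PFX export. The subject names and file names are the ones used above; the store location, key sizes, validity periods and the Basic Constraints / key usage values are my choices, not something the post specifies. The chain check at the end is what a practitioner should run before trusting the result: until the authority's .cer is imported into the Trusted Root store, the site certificate must fail with UntrustedRoot, which is exactly what a client should report for an unknown private CA.

```powershell
# Added example, not from the original post: makecert/pvk2pfx replaced by the PKI cmdlets.
# Assumes Windows 10 / Server 2016 or later. Everything goes into the current user's
# store, so no elevation is needed.
$ErrorActionPreference = 'Stop'

# Step 1: the signing authority. -KeyUsage CertSign and the Basic Constraints extension
# (2.5.29.19, ca=true) are what make Windows accept this certificate as an issuer.
# -Type Custom keeps the default Server Authentication EKU off the authority itself.
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=My Signing Authority' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5)

# Step 2: the pvk2pfx equivalent. The PFX holds the private key, so it is password
# protected; the .cer holds only the public part and is what other machines import
# into their Trusted Root store.
$caPassword = Read-Host -AsSecureString 'PFX password for the signing authority'
Export-PfxCertificate -Cert $ca -FilePath '.\MySigningCert.pfx' -Password $caPassword | Out-Null
Export-Certificate    -Cert $ca -FilePath '.\MySigningCert.cer' | Out-Null

# Step 3: a site certificate issued by the authority. -Signer does the job of
# makecert's -iv/-ic pair; -DnsName puts the host name into Subject Alternative Name,
# which browsers require, and -Type SSLServerAuthentication sets the Server
# Authentication EKU.
$site = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -Subject 'CN=www.mywebsite.com' `
    -DnsName 'www.mywebsite.com' `
    -Signer $ca `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

$sitePassword = Read-Host -AsSecureString 'PFX password for the site certificate'
Export-PfxCertificate -Cert $site -FilePath '.\sitekey.pfx' -Password $sitePassword | Out-Null

# Check: build the chain for the site certificate and show why it does or does not
# validate. Expect 'UntrustedRoot' until the authority is trusted on this machine;
# to trust it for the current user only, uncomment the Import-Certificate line.
# Import-Certificate -FilePath '.\MySigningCert.cer' -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private CA publishes no CRL
$valid = $chain.Build($site)
"Chain valid: $valid"
$chain.ChainStatus   | ForEach-Object { "  status:  $($_.Status) - $($_.StatusInformation.Trim())" }
$chain.ChainElements | ForEach-Object { "  element: $($_.Certificate.Subject)" }
```

The same caution from step 2 applies here: the two .pfx files now contain private keys, so move them into a protected store or locked-away media as soon as they have been imported where they are needed, and delete the working copies.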
