|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Announcements
Chapters
Services
Feature Zones
|
IntroductionThis article explains how to use a certificate to connect to, for example, a web service. Do you know the floppies or USB Pens that some banks and IT Companies give to their employees or customers that permit them to connect to services via the internet using a security file and channel? Well, we will learn how to use a similar file in this article, which is divided into six parts:
For this article I used three different machines:
You can use only one Windows XP Professional machine; I use the second machine to ensure that the certification file and the software that I develop are the only two things that I must take away to connect to the web service. Good luck! Environment PreparationIn this section we create the two projects that we will use to try our certification program. I won't explain the two projects in detail; I presume that you are expert enough to create two standard projects with Visual Studio 2005. All right, start creating a new website project. Choose the ASP.NET Web Service template. Attention! It is important that you use a real web server and not the emulator. Therefore, if you don't have IIS Web Server or something similar installed, install it and then choose the remoteWebServSSL.Service srv = new remoteWebServSSL.Service();
MessageBox.Show("The Web Service say: " + srv.HelloWorld());
Important: Some problems can arise from the firewall settings of the machine. Be sure to turn off the firewall; you can configure it in a second time. Now we can start. Server certificate requestNext, to activate the secure channel on our web site, we must go to the properties of the root Web Server and set the Server Certificate. There's more than one mode to do this; you can choose ones you prefer. I chose to connect to the CA Web Server to ask for the Certificate. Therefore I must create a Certification Request and ask the CA a second time. Click on the Server Certificate button. The certificate wizard will then appear; click Next. In this dialog choose Create a New Certificate and click Next. The only option that you can choose now is "Prepare the request now, but send it later;" again click Next. In this form you must choose the name of the certificate that you will install on your web server. Leave the other parameter as it is and go on. Now write something for the organization and organization unit. Go on. This next step is important: the Common Name required is the name of your machine and is, therefore, the name of the web server that responds to your web server. For example, my machine name is Generate the certificateOpen the generated Text file on your computer from the directory where you chose to save it. Select all the text in the file and copy it. Now it's time to use Windows 2000 Server with the CA. Ensure that your CA is configured to accept the request by the Web Server and that it releases the certificate immediately, without user participation. Connect to the CA Web Server using the related address. For example, my Windows 2000 Server machine is named Activate the SSL security channel communication on the IIS Web ServerSelect the certificate file with the .p7b extension. For me, this is certnew.p7b. Double click on your file once you find it. Note that the certificate is not valid. Click the "Install certificate" button and then click Next until Finish; confirm the last message and the certificate is now installed. Now finish the activation of the SSL channel on the Web Server. Launch your IIS configuration tool, go on the root Web Server (Default Web Site), right click and select Properties. Return to the Directory Security and re-click the Server Certificate button. Click Next. Note that the options have changed. Choose the "Process the pending request and install the certificate" option and click Next. Browse for the other certificate that you obtain from the CA. Click Next two times and then Finish. Well, you are ready to use your https connection. Try your web server in https and enjoy. For this example, we must enforce the use of the SSL channel on our Web Services. Therefore, on the IIS, go to the properties of WebServSSL, choose the Directory Security tab and click the Edit button. Check the "Require secure channel (SSL)" checkbox and the "Require client certificates" option in the Client Certificates group. Close all windows and try your web services now using your browser.
Request and obtain a user certificateThis step will be fast and simple. Using your browser, go to the Web Server of the CA using the same address ( Note: In this step, I have encountered problems using the Certification Authority website. The "Downloading ActiveX Control" message did not disappear. If you have the same problem, you can resolve it by installing a fix for the Windows 2000 Advanced Server. Refer to KB323172 of the Microsoft site and find the relative fix q323172_W2K_SP4_X86_EN.exe.
Use certificate with Windows formYou can try more tests with your example, if you'd like, before continuing with my instructions here. After you're satisfied, launch the Internet Explorer browser. Select Tools and go to Internet Options. Select the Content tab and click on the Certificates button. You can immediately see the Personal tab selected and, in the list control, you can see your personal certificate (Andy74 for me). Select the specified certificate and click on the Export button. In the wizard panel choose Next, choose the "Yes, export the private key" option and click Next again. Here you can export only in the PFX format; leave the default option and click Next. Insert a password. For simplicity, I chose a very simple password, "password." Then click Next. Choose where to export the certificate and click Next again. Click Finish and OK in the message box. Now, return to your project in Visual Studio and add this line after the creation of the web reference instance: srv.ClientCertificates.Add(
new System.Security.Cryptography.X509Certificates.X509Certificate2(
@"c:\Andy74cert.pfx", "password"));
Obviously, change the path of the certificate where you have saved it. Now on the machine where you have the web services, go to the administrative tools section of the control panel and launch the Server Extensions Administrator. Select File -> Add/Remove Snap-in. On the next window click the Add button, select Certificates and finally click the Add button. Select the Computer Account option and click Next. Leave the "local computer" (the computer this console is running on) option selected and click Finish. Close the active window and finally the OK button. Open the Certificates (Local Computer) node in the tree view, then Trusted Root Certification Authorities and the Certificates node. Right click on the node: All Tasks -> Imports to import another wizard. Click Next. Remember the .p7b certificate that we download from the certification authority in the fourth step. Browse to that file and select it; then click Next. Choose "Place all certificates in the following store" and then the "Trusted Root Certification Authorities" folder; click Next and then Finish. All right, you are ready to try your final application. To really test your application, you can use other machines never used up to now. Copy your application and your .pfx file (certificate) to where you want, but remember to place the certification file in the same folder where you load from the application, or use a parameter to load it from whichever you'd prefer. History
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
News 
Question 
Answer 
Joke 
Rant 
Admin