This article explains how to use a certificate to connect to, for example, a web service. Do you know the floppies or USB Pens that some banks and IT Companies give to their employees or customers that permit them to connect to services via the internet using a security file and channel? Well, we will learn how to use a similar file in this article, which is divided into six parts:
- Environment Preparation
- Server Certificate Request
- Generate the Certificate
- Activate the SSL Security Channel Communication on the IIS Web Server
- Request and Obtain a User Certificate
- Use Certificate with Windows Form
For this article I used three different machines:
- A Windows 2000 Server with Certification Authority
- Two Windows XP Professional Edition machines, one with IIS Web Server
You can use only one Windows XP Professional machine; I use the second machine to ensure that the certification file and the software that I develop are the only two things that I must take away to connect to the web service. Good luck!
In this section we create the two projects that we will use to try our certification program. I won't explain the two projects in detail; I presume that you are expert enough to create two standard projects with Visual Studio 2005.
All right, start creating a new website project. Choose the ASP.NET Web Service template. Attention! It is important that you use a real web server and not the emulator. Therefore, if you don't have IIS Web Server or something similar installed, install it and then choose the
HTTP option from the combo location of the VS Project. For the name of the application, I chose
http://localhost/WebServSSL. Visual Studio takes care of most of what you need; you only have to configure the website appropriately. If you build the project you'll have just one method in the service, the classic "hello word" example. I suggest we use this for our test, but if you don't like it you can create another function that you prefer. The second project that you must now create is a Windows Application. Create it in the same solution as the Web Service; I called mine
testSSLWebServ. In the new project, add a Web Reference from the solution explorer and choose your web service. I called the namespace for the service
remoteWebServSSL. All right, the last pass is to add a button on the form and call the unique method of the Web Service that we have. Here 's some code:
remoteWebServSSL.Service srv = new remoteWebServSSL.Service();
MessageBox.Show("The Web Service say: " + srv.HelloWorld());
Important: Some problems can arise from the firewall settings of the machine. Be sure to turn off the firewall; you can configure it in a second time.
Now we can start.
Server certificate request
Next, to activate the secure channel on our web site, we must go to the properties of the root Web Server and set the Server Certificate. There's more than one mode to do this; you can choose ones you prefer. I chose to connect to the CA Web Server to ask for the Certificate. Therefore I must create a Certification Request and ask the CA a second time. Click on the Server Certificate button. The certificate wizard will then appear; click Next. In this dialog choose Create a New Certificate and click Next. The only option that you can choose now is "Prepare the request now, but send it later;" again click Next. In this form you must choose the name of the certificate that you will install on your web server. Leave the other parameter as it is and go on. Now write something for the organization and organization unit. Go on. This next step is important: the Common Name required is the name of your machine and is, therefore, the name of the web server that responds to your web server. For example, my machine name is
WorkStatio23 and the http address that I write when I navigate on my web server is
http://WorkStatio23/WebServSSL. The Common Name that I must choose is
WorkStatio23. Also insert the State/province and City/locality data and then go on. As a last step, save your Certification Request; choose a location and click Next. Read the Request File Summary, click Next and Finish. The Certification Request has now been created.
Generate the certificate
Open the generated Text file on your computer from the directory where you chose to save it. Select all the text in the file and copy it. Now it's time to use Windows 2000 Server with the CA. Ensure that your CA is configured to accept the request by the Web Server and that it releases the certificate immediately, without user participation. Connect to the CA Web Server using the related address. For example, my Windows 2000 Server machine is named
w2ksrw. Therefore the address to request the certification is
http://w2ksrw/CertSrv. Next, choose the second option "Request a certificate" and click Next. Choose the "Advanced request" option and click Next again. Choose the second available option: "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file." Click Next. Since we already have the Text file code copied to memory, just paste it in the relevant textbox control (the first) and click Next. Now you are ready to download the certificate. Download the two certificates on the result page: "Download CA certificate" and "Download CA certification path."
Activate the SSL security channel communication on the IIS Web Server
Select the certificate file with the .p7b extension. For me, this is certnew.p7b. Double click on your file once you find it. Note that the certificate is not valid. Click the "Install certificate" button and then click Next until Finish; confirm the last message and the certificate is now installed. Now finish the activation of the SSL channel on the Web Server. Launch your IIS configuration tool, go on the root Web Server (Default Web Site), right click and select Properties. Return to the Directory Security and re-click the Server Certificate button. Click Next. Note that the options have changed. Choose the "Process the pending request and install the certificate" option and click Next. Browse for the other certificate that you obtain from the CA. Click Next two times and then Finish. Well, you are ready to use your https connection. Try your web server in https and enjoy. For this example, we must enforce the use of the SSL channel on our Web Services. Therefore, on the IIS, go to the properties of WebServSSL, choose the Directory Security tab and click the Edit button. Check the "Require secure channel (SSL)" checkbox and the "Require client certificates" option in the Client Certificates group. Close all windows and try your web services now using your browser.
Request and obtain a user certificate
This step will be fast and simple. Using your browser, go to the Web Server of the CA using the same address (
http://w2ksrw/CertSrv). Choose the "Request a certificate" option and click Next. Choose the "Advanced request" option and then Next. Leave the "Submit a certificate request to this CA using a form" option selected and click Next. Fill in the Name and the E-Mail fields under Identifying Information with whatever you want and leave the other field as is. For the Intended Purpose field, choose Client Authentication Certificate. For the last setting, set the "Mark keys as exportable" option. Bypass the other field and click Submit. Answer "yes" to the question and finally install the certificate.
Note: In this step, I have encountered problems using the Certification Authority website. The "Downloading ActiveX Control" message did not disappear. If you have the same problem, you can resolve it by installing a fix for the Windows 2000 Advanced Server. Refer to KB323172 of the Microsoft site and find the relative fix q323172_W2K_SP4_X86_EN.exe.
Use certificate with Windows form
You can try more tests with your example, if you'd like, before continuing with my instructions here. After you're satisfied, launch the Internet Explorer browser. Select Tools and go to Internet Options. Select the Content tab and click on the Certificates button. You can immediately see the Personal tab selected and, in the list control, you can see your personal certificate (Andy74 for me). Select the specified certificate and click on the Export button. In the wizard panel choose Next, choose the "Yes, export the private key" option and click Next again. Here you can export only in the PFX format; leave the default option and click Next. Insert a password. For simplicity, I chose a very simple password, "password." Then click Next. Choose where to export the certificate and click Next again. Click Finish and OK in the message box. Now, return to your project in Visual Studio and add this line after the creation of the web reference instance:
Obviously, change the path of the certificate where you have saved it. Now on the machine where you have the web services, go to the administrative tools section of the control panel and launch the Server Extensions Administrator. Select File -> Add/Remove Snap-in. On the next window click the Add button, select Certificates and finally click the Add button. Select the Computer Account option and click Next. Leave the "local computer" (the computer this console is running on) option selected and click Finish. Close the active window and finally the OK button. Open the Certificates (Local Computer) node in the tree view, then Trusted Root Certification Authorities and the Certificates node. Right click on the node: All Tasks -> Imports to import another wizard. Click Next. Remember the .p7b certificate that we download from the certification authority in the fourth step. Browse to that file and select it; then click Next. Choose "Place all certificates in the following store" and then the "Trusted Root Certification Authorities" folder; click Next and then Finish. All right, you are ready to try your final application. To really test your application, you can use other machines never used up to now. Copy your application and your .pfx file (certificate) to where you want, but remember to place the certification file in the same folder where you load from the application, or use a parameter to load it from whichever you'd prefer.
- May 8, 2007 - Original version posted