Access Control Lists Permissions and Generating Personal Information Exchange x.509 certificates

I was fighting with the issue of generating a self-signed certificate for deployment to the Local Computer Certificate Store and getting the Access Control List (ACL) changed to permit the local ASPNET user account over the last two days. The problems I was facing seem to be fairly common as, when I google the topic, I see many references to others experiencing the same problem. This prompted me to spend the $245 and get Microsoft’s support on the issue. Now that I have resolved the issue (I resolved it prior to completing the 8 hours of phone and email support I was getting) I figured I’d share the knowledge to try to help others who have been experiencing the same issue.
 
The problem is not the generation of the certificate or the creation of the Personal Information Exchange (PKCS #12 or pfx) file but with setting the ACL access permission. There seems to be a bug in the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) used to set the permission set.
 
Some might ask why I’m doing this. The answer: I am implementing Brokered Security for my web services using WSE 3.0 and need to generate a server certificate for my web services that I can send to the broker to have installed (even though, for now, I control the broker). I have most of the other bits all put together but this one piece was causing me grief.
 
Anyway, let’s get to it. Here’s the work-around for how you can generate the x.509 certificate (pfx) for distribution and then register it and set the ACL.
 
*** NOTE: These steps are being performed from a Visual Studio 2005 Command Prompt ***
 
Step 1: Generate the PFX (You will be prompted for the private key password)
 
a) makecert -r -pe -n "CN=My Company" -sr localMachine -ss My
 
The above step will install the certificate into the Personal store of the local machine certificates.
 
b) Manually export the certificate (This is the only manual method of the process and since it generates the distributable file it’s not such a pain to do this one time)
     i)   Open the Certificates MMC Plug-in for the Computer Account
     ii)   Navigate to the Personal > Certificates folder.
     iii)  Right click on the certificate and select All Tasks > Export
     iv) Click Next, select "Yes, export the private key", click Next, check the "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" and "Delete the private key if the export is successful" checkboxes, click Next, enter your private key password, click Next, enter the file name you want to export the certificate as (it will append .pfx to the end), click Next, click Finish.
 
Now you can delete the certificate (to test the import performed in the more automated Step 2) by right clicking it and selecting Delete.
 
 
Step 2: Import the certificate and set access permission to the ASPNET user account (this is the automated part that you can script into a batch for deployment as you now have the generated pfx)
 
a) certutil -p password -importPFX MyCompany.pfx
b) winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "My Company" -a ASPNET
 
 
I tried many ways to automate the export (if step 1a created the file in the certificate store) or generate the pfx (from .cer and .pvk files if step 1a was used to generate a file) but they were unsuccessful. The only method I was able to get working properly was to manually run the export through the MMC plug-in. I am sure I ran a tool to do the export at some point last night but it was late and I forget what the tool’s name was and... whatever. If I remember the tool’s name or can figure out a method of completely automating the creation of the pfx file I’ll post an update to this posting.
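As an added example (not from the original post), the following PowerShell script does the manual export of Step 1b and the import-plus-ACL of Step 2 through the .NET X509 classes instead of WinHttpCertCfg.exe, so both halves can be scripted. The subject name, PFX path and ASPNET account come from the steps above; the path value and the function names are assumptions for illustration, and the export only works because Step 1a created the key with -pe (exportable).

```powershell
# Added example: .NET-based replacement for Steps 1b and 2 (not the post's own code).
$subject     = 'CN=My Company'            # same subject as makecert -n above
$pfxPath     = 'C:\deploy\MyCompany.pfx'  # assumed path for the distributable PFX
$account     = 'ASPNET'                   # account that must read the private key
$pfxPassword = Read-Host -AsSecureString 'PFX password'

function Get-MachineStore {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    return $store
}

# Step 1b equivalent: export the certificate and its private key to a password-protected PFX.
function Export-MachineCertPfx([string]$subject, [string]$path, [securestring]$password) {
    $store = Get-MachineStore
    $cert = $store.Certificates | Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with a private key for '$subject' in LocalMachine\My" }
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    [System.IO.File]::WriteAllBytes($path, $bytes)
}

# Step 2 equivalent: import into LocalMachine\My with a persisted machine key, then grant the
# account Read on the key container file (the effect of winhttpcertcfg -g).
function Import-MachineCertPfx([string]$path, [securestring]$password, [string]$account) {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($path, $password, $flags)
    $store = Get-MachineStore
    $store.Add($cert)
    $store.Close()
    # CAPI RSA machine keys live under <CommonAppData>\Microsoft\Crypto\RSA\MachineKeys\<container>
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey
    $keyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    return $keyFile
}

# Check: does the account now hold an Allow Read entry on the key file?
function Test-PrivateKeyAccess([string]$keyFile, [string]$account) {
    $rules = (Get-Acl $keyFile).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    return [bool]($rules | Where-Object { $_.IdentityReference.Value -like "*\$account" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) })
}

Export-MachineCertPfx $subject $pfxPath $pfxPassword      # run after makecert in Step 1a
$keyFile = Import-MachineCertPfx $pfxPath $pfxPassword $account
Test-PrivateKeyAccess $keyFile $account
```

Run it from an elevated prompt on the target machine; Read is all the web application needs to sign with the key, so avoid granting Full Control.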
 

3 thoughts on “Access Control Lists Permissions and Generating Personal Information Exchange x.509 certificates”

  1. Would you have an idea on how to grant permission to a certificate that has private key marked as not exportable? The certificate in question resides on a USB ActivKey and I am unable to grant permission to it using winhttpcertcfg. It says "Error: Failed to obtain security descriptor for private key"

  2. I’m sorry. I haven’t been able to find the information you are looking for.

  3. I literally just figured this out myself about 10 minutes ago. This, after struggling with this for many many hours!!! I wish I had found this article sooner. Some related info: http://geekswithblogs.net/lorint/archive/2005/12/30/64516.aspx
