I frequently run into situations where I need to configure my laptop to support some technology, without having a lot of server resources to depend on. Most recently, I configured a local instance of ADAM to support SSL. While the information on how to configure this is available, it is scattered across multiple sources. I figured it might be helpful to somebody to bring all of the information together in one place.
First you will want to download the Platform SDK. This will include the tools that you need.
With the Platform SDK installed, go to start -> all programs -> Microsoft Platform SDK for Windows Server 2003 SP-1 -> Open Build Environment Window -> Windows XP 32-bit Build Environment -> Set Windows XP 32-bit Build Environment (Retail). This will open up a command prompt with all of the necessary path variables set.
Now, you want to create a new root certificate using the makecert.exe utility. At the command line, enter the following:
makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"
This creates a self-signed (-r) root authority certificate, which you can use to sign new certificates. In fact, that's exactly what we are going to do: generate a new certificate, signed by this root (-in, -is and -ir point makecert at the root in the local machine's Personal store), that is configured for server authentication (-eku 1.3.6.1.5.5.7.3.1) and whose key lives in the SChannel CSP (-sp with provider type -sy 12), so that ADAM's SSL stack can use it. Replace the CN with your computer's fully qualified domain name, because that is the name clients will have to connect with. At the command line, enter the following:
makecert -pe -n "CN=insert.fully.qualified.domain.name.here.com" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SSL.cer"
Both certificates are now in the local machine's Personal store. The root certificate still has to be marked as trusted, so open the Certificates MMC console. From the command prompt you already have open, type mmc. Go to File -> Add/Remove Snap In -> Add -> Certificates. Press the Add button. Select Computer Account and click Next. Leave the default of Local computer and click Finish. Click Close and then click OK. Drill down to Certificates (Local Computer) -> Personal -> Certificates and you should see both certificates. Move the root authority certificate to Trusted Root Certification Authorities; the server certificate stays in Personal. You now have a server certificate that chains to a trusted root and can be used for SSL.
mmc
Next, you need to make sure the service account has read access to the certificate's private key, which is stored as a file under c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys. You can set this with Windows Explorer, but if you don't want to leave your trusty command line, you can also use:
cacls "c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys" /e /t /c /g "NT AUTHORITY\NETWORK SERVICE":R
Note that this assumes you accepted the default of Network Service when you installed ADAM. If not, grant read permission to whichever account you did use. Note also that the command above grants read on every key file in the folder, which lets the service account read every machine private key on the box; on anything but a throwaway dev machine, grant read only on the single file that holds this certificate's key.
Finally, restart the ADAM service from the Services administrative tool.
Now, if you start up LDP and connect to port 636 with SSL selected, you should be connecting over a secured transport. Make sure you connect using the fully qualified domain name of your computer: the client checks that the name it connected to matches the CN in the certificate, and rejects the connection if it does not.
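The same procedure end to end on a current Windows build, as an added example that is not part of the original post. makecert.exe is no longer shipped, so this uses New-SelfSignedCertificate (PKI module, Windows 10 / Server 2016 and later, Windows PowerShell 5.1 run as Administrator) in its place, and it grants Read on the one private key file rather than on the whole MachineKeys folder. The instance name "Test" (service ADAM_Test), the NETWORK SERVICE account and the machine's DNS name are assumptions, not values from the post.

```powershell
# Added example, not code from the original post. Assumptions: ADAM/AD LDS instance
# named "Test" (service ADAM_Test), running as NETWORK SERVICE, on a machine whose
# DNS name is what clients will connect to. Run as Administrator.

$Fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServiceName = 'ADAM_Test'                        # assumption: instance named "Test"
$ServiceAcct = 'NT AUTHORITY\NETWORK SERVICE'     # ADAM's default service account

# 1. Root authority: a self-signed CA (basic constraints ca=true, CertSign usage).
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Test and Dev Root Authority' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyLength 2048 -HashAlgorithm sha256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation Cert:\LocalMachine\My

# 2. Server certificate issued by that root: Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1), the FQDN as subject CN and SAN, key in the SChannel CSP.
$server = New-SelfSignedCertificate -Type Custom `
    -Subject "CN=$Fqdn" -DnsName $Fqdn `
    -Signer $root `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyLength 2048 -HashAlgorithm sha256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\LocalMachine\My

# 3. Trust the root: the MMC "move" step, done as copy into Root + remove from Personal.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($root)
$rootStore.Close()
Get-ChildItem "Cert:\LocalMachine\My\$($root.Thumbprint)" | Remove-Item

# 4. Locate this certificate's private key file and grant Read on that file only.
#    CAPI (CSP) keys live under ...\Crypto\RSA\MachineKeys, CNG keys under ...\Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($server)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
                               "$env:ProgramData\Microsoft\Crypto\Keys" `
                         -Filter $uniqueName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Private key file $uniqueName not found" }

$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAcct, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 5. Restart the instance so SChannel picks up the new certificate.
Restart-Service -Name $ServiceName

# 6. Verify the way LDP does: a TLS handshake on 636 that validates the chain against
#    Trusted Root and checks that the name we connected with matches the certificate.
#    AuthenticateAsClient throws on an untrusted chain or a name mismatch.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $tls.AuthenticateAsClient($Fqdn)
    "LDAPS OK: $($tls.SslProtocol); server cert '$($tls.RemoteCertificate.Subject)' issued by '$($tls.RemoteCertificate.Issuer)'"
} finally {
    $tls.Dispose()
    $tcp.Dispose()
}
```

Step 6 is the useful regression check: run it with the short hostname or an IP address instead of the FQDN and it fails with a name-mismatch error, which is exactly what LDP reports when the connect name and the certificate CN disagree.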
I get the same behavior whereby running the makecert.exe commands works the first time, but fails thereafter with the "Can't create the key of the subject ..." error.
I've uninstalled the two certificates (from the Certificates snapin) that were created and deleted the cert files in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
Error still occurs.
I've made a little headway with the "Can't create the key of the subject ..." error. From the command for Step 1, I removed the -ss and -sr options. This successfully created the CA certificate file which I then imported manually into Trusted Root Certificate Authorities of Local Computer with the Certificates snapin. I can see the imported cert and it appears to be fully trusted.
I then tried the same thing for the Step 2 command (removing -ss and -sr options). The cert file was created, but the issuing authority is called Root Agency so the cert isn't trusted.
My question now is how did it get issued by Root Agency?
Here are my two exact commands:
makecert -pe -n "CN=Test and Dev Root Authority" -a sha1 -sky signature -r "Test and Dev Root Authority.cer"
makecert -pe -n "CN=eci.pier1.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SSL.cer"
I was able to produce both certificates, but got confused about which one was the root authority: the certificate created in Step 1 or Step 2. So I removed both certificates. I'm now getting the following error when I try to start over.
-n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"
Error: Can't create the key of the subject ('65b00bec-d7ee-4d38-84da-6d4ee95364eb')
Failed
Also, for the certificate created in step 2, I was unclear whether I should include my machine name, like
jon.somedomain.somecompany.com
Any ideas on my issues?
Thanks a million!
Great and very useful posting!
Sakito