
Welcome to The Metaverse

Navigating the service-oriented, identity aware metaverse

Secure your private keys more easily with Vista

In my latest screencast on Channel9 on configuring your IIS7 sites to support Windows CardSpace, I presented a couple of ways that you could find and change the security rights on your SSL certificate's private key in order to grant read-only access to the NetworkService account under which the default website normally runs.

Dominick Baier (blog: http://www.leastprivilege.com), who recently joined the guys over at thinktecture as their security guru, mailed me last night to point out a couple of things:

  1. Vista offers a really easy way to access the security settings on a certificate's private key
  2. I hadn't made it sufficiently clear that one should take a great deal of care when altering access to your SSL Certificate's private keys

So I said I'd post a blog entry discussing these two things:

Managing permissions on a certificate's private key

As I pointed out in the screencast, getting access to a certificate's private key in order to change its security settings has (in the past) been tricky. It turns out that Windows Vista has a cool new feature in the Certificate Manager MMC snap-in that lets you directly manage the security of your certificates' private keys.

  1. Click your start button (or Windows key on your keyboard)
  2. Type "mmc" (sans quotes) and hit return. Microsoft Management Console should open.
  3. Select "File | Add/Remove Snap-in"
  4. Select "Certificates" from "available snap-ins" and click the "Add" button
  5. Select "Computer Account" and hit "Finish"
  6. Select "Local Computer" and hit "Finish"
  7. Select "Ok" on the "Add or Remove Snap-ins" dialog
  8. Expand out your local computer's certificate root
  9. Expand "Personal" and select "Certificates"
  10. You should now see the certificates installed for your machine
  11. Right click the certificate you created within IIS – you can see from the screenshot below that the second certificate is the one I created in IIS with the friendly name of "Rich Test"
  12. Now select the "Manage Private Keys" item. You will see a familiar dialog appear allowing you to review and modify the permissions applied to this certificate's private key.

While this gives us a simpler way of accessing a certificate's private key's security settings from the UI, configuring complex or production deployments repeatably still calls for something like PowerShell and/or your favorite scripting environment and tools.
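The scripted equivalent of the MMC steps above, as an added example that is not from the original post: it finds the certificate by friendly name in the Local Computer "Personal" store, locates the CAPI private key file under MachineKeys, shows the current ACL, and grants NetworkService Read access only. The friendly name "Rich Test" and the account name are taken from the post; the assumption that the key is a CAPI (RSA CSP) key, as an IIS7 self-signed certificate produces, is mine.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumes a CAPI (RSA CSP) key in the LocalMachine\My store; CNG keys live elsewhere.
param(
    [string]$FriendlyName = 'Rich Test',                 # name used in the post
    [string]$Account      = 'NT AUTHORITY\NETWORK SERVICE'
)

# Open the Local Computer "Personal" store read-only and find the certificate.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
$store.Close()

if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# For CAPI machine keys the key material is a file named after the unique container
# under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. This is the file whose ACL the
# "Manage Private Keys" dialog edits.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Review who already has access before changing anything.
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Grant Read only. The web site needs to use the key; it never needs to modify,
# replace or take ownership of it, so FullControl or Modify would be excessive.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Re-read the ACL to confirm the change took effect.
$granted = (Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account -and $_.AccessControlType -eq 'Allow' }
if (-not $granted) { throw "Failed to grant $Account access to $keyPath" }
Write-Host "Granted Read on $keyPath to $Account"
```

Re-run the `Get-Acl` portion after deployment to check that nothing broader than Read has crept onto the key file.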

But that's not all; read on for important thoughts on securing access to your private keys:

Caution regarding Private Keys

Dominick has posted several articles on his blog related to Windows CardSpace and certificates, but I'd like to highlight two:

  1. In this post, he suggests re-factoring the token helper into a separate assembly and hosting it in a locked-down process running under a restricted user account. Your website could then call this process, passing in the token presented by the user and receiving back a set of decrypted claims.
  2. He also suggests such an assembly could be (modified slightly and) run as full-trust within a partially-trusted site. He's even done the work and published the source for such an assembly!

I agree with both of Dominick's points and commend and thank him for contributing to the betterment of all CardSpace adopters. One should ALWAYS guard one's private keys like they are the Crown Jewels. How far one goes, however, to protect one's jewels is another matter. The purpose of the screencast was to illustrate how to set up a development environment to enable you to explore, build and test CardSpace support within your own sites. In production environments, however, you need to protect yourself from many forms of sabotage and penetration from others who willfully set about to do you wrong.

Dominick's first suggestion is a good approach in large, complex, well-managed environments with the resources necessary to support a 24x7, five-nines token-helper service; however, it's not for everyone. His second suggested approach will indeed add an extra level of shielding and requires simpler infrastructure and deployment.

When it comes to preparing for real-life deployment of sites supporting CardSpace, I urge you to consider the points Dominick makes on his blog and, if necessary, hire a specialist with the skills to help you make sure that your business is as safe as can be.

Posted: Monday, April 02, 2007 11:58 PM by richardt

Comments

alik levin said:

From a short investigation and a lot of information from Richard Turner's screencasts, here is what I get.

# April 9, 2007 8:26 AM

Welcome to The Metaverse said:

A few posts ago, I commented on some of Daniel's thoughts around supporting CardSpace in production

# April 18, 2007 4:39 PM

RSS It All said:

A few posts ago, I commented on some of Daniel's thoughts around supporting CardSpace in production

# April 18, 2007 5:07 PM