Using client certificates in .NET part 2: creating self signed client certificates

Introduction

In the previous post we went through a short introduction on client side certificates. We said that client certificates are used by web clients to strongly authenticate themselves. Client certificates can provide an extra step in the authentication process to tighten security.

In this post we’ll see how to create self-signed client certificates for testing using a tool called makecert.exe.

The process of creating client certificates on your local machine is almost identical to how we generated server side certificates in the series in this series.

Before we go on let’s consider the idea of root certificates.

Root certificates

A root certificate is the top certificate in a chain of certificates. It ultimately identifies a Certificate Authority (CA). Each CA, like Big Daddy, has a root certificate which they in turn use to create other certificates. We can trust their certificates because they are signed with the CA’s root certificate. Such a trusted certificate will be digitally signed by the CA.

It’s possible to set up your own root certificate that in turn can be used to create other certificates for different purposes.

Next let’s see what the purpose of the makecert.exe tool is.

Makecert.exe

Makecert is a tool that’s installed with Visual Studio. It is a command line tool that can create all sorts of digital certificates for your private testing purposes. If you open a Visual Studio command prompt, type “makecert” and press Enter you’ll get some basic usage information:

The tool comes with a long list of options that you can view on MSDN here. We’ll see some of those options in action soon. Here’s a list of the most important options that you’ll need to create your own certificates:

• -n: certificate name, or “common name”, abbreviated to “CN”
• -sv: name of the private key file (.pvk)
• -b: valid from
• -e: valid to
• -cy: certificate type, such as root (“authority”) or “end” for the derived certificates
• -pe: make the certificate exportable, meaning that it will include the private key as well
• -len: the key length in bytes such as 1024 or 2048 with 2048 being the most frequent setting
• -r: self-signed
• -a: the signature algorithm such as SHA1 or
• -iv: name of the private key file (.pvk) of the root certificate in case you use it to create other certificates
• -ic: the file name of the root certificate with the extension .cer . -iv and -ic will indicate that you want to sign the new certificate with the digital signature of the root
• -sky: specifies the key type with two possible values which are “exchange” and “signature”
• -eku: a comma-separated list of extended key usage object identifiers (OIDs). They look vaguely like invalid IP addresses. This list specifies the purpose of the certificate such as “1.3.6.1.5.5.7.3.1” which stands for “SSL server certificate”, and “1.3.6.1.5.5.7.3.2” stands for client certificates. This latter is the one we need in this series. Note that the SSL and client certificate OIDs only differ in the last digit.

We’ll also provide a file name to the certificate which will get the extension “.cer”. Note that both the root and child certificates will have their own private key files of course.

With makecert.exe you can mimic what a real CA would do. You can first create a root certificate which will subsequently be used to create other certificates. Due to the chain of trust – see Wikipedia link above – you can then simply trust the root certificate and implicitly trust all other certificates created with the root due to its digital signature present on the “child” certificates.

Another tool available from the VS command prompt is a packaging tool called pvk2pfx.exe. It packages the .cer and .pvk files into a single file with the extension “.pfx”. Pfx stands for “personal information exchange file”. It will help us later on when exporting files to and from the Windows certificate store.

Creating the root and client certificates

Create a dedicated folder where you’ll save the certificates and private key files, e.g. under c:\certificates.

Open a Visual Studio command line tool. Make sure you run it as an Administrator otherwise the file creation steps may fail. Feel free to change the file names along the way for your own testing purposes. Initially the command prompt will probably point to the c:\windows\system32 folder. Navigate to the dedicated certificates folder created above so that the makecert commands will save the files there.

Note: if you simply copy and paste the below commands into the command window you might get a strange exception saying something like “Error: CryptCertStrToNameW failed”. It’s due to WordPress transforming the double-quotes in some way. It’s best if you type in the command by hand. Alternatively you can paste the commands into a word processor and check whether the double quotes look fine.

The following command will create a root certificate called “RootCertificate”:

makecert.exe -r -n “CN=RootCertificate” -pe -sv RootCertificate.pvk -a sha1 -len 2048 -b 01/01/2015 -e 01/01/2030 -cy authority RootCertificate.cer

It’s imperative that you denote the certificate name with “CN=” in the command. The private key file RootCertificate.pvk will be created by the command if it doesn’t exist. The final “RootCertificate.cer” will save the certificate under that file name. You’ll understand the other parameters based on the above list.

When you run the above command you’ll be prompted for a password which will protect our private key. If your root certificate private key is compromised then it is still protected by a password so that no new child certificates can be created from it. It’s OK to provide some easy password that you can remember in this case as this is only a test. It’s equally fine to provide no certificate at all by clicking “None” as this is only a test certificate.

If everything goes well you’ll see “succeeded” printed in the command window.

Next let’s package the .pvk and .cer files into a .pfx file using the pvk2pfx.exe tool mentioned above:

pvk2pfx.exe -pvk RootCertificate.pvk -spc RootCertificate.cer -pfx RootCertificate.pfx

You’ll be prompted for the private key password. The RootCertificate.pfx file will be created.

Let’s now create a client certificate using our root. The following command will create a child certificate named localtestclientcert:

makecert.exe -ic RootCertificate.cer -iv RootCertificate.pvk -pe -sv localtestclientcert.pvk -a sha1 -n “CN=localtestclientcert” -len 2048 -b 01/01/2015 -e 01/01/2030 -sky exchange localtestclientcert.cer -eku 1.3.6.1.5.5.7.3.2

If all goes well then you’ll get the same “succeeded” message as above. Let’s also package this derived certificate into a pfx file:

pvk2pfx.exe -pvk localtestclientcert.pvk -spc localtestclientcert.cer -pfx localtestclientcert.pfx

OK, great, we have the necessary certificates to start with. Check the contents of the certificates folder and you should have 6 files in it:

localtestclientcert.cer
localtestclientcert.pfx
localtestclientcert.pvk
RootCertificate.cer
RootCertificate.pfx
RootCertificate.pvk

What do we do with these then? We’ll see that in the next post where we’ll install the certificate into the certificate store.

You can view the list of posts on Security and Cryptography here.