RE Problem with my makecert certificates for WSE RE by FoxxyBrwn


RE: Problem with my x509 makecert certificates for WSE 3.0

Source:
http://www.tech-archive.net/Archive/DotNet/microsoft.public.dotnet.framework.webservices.enhancements/2006-09/



      • From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
      • Date: Mon, 11 Sep 2006 03:37:05 GMT

Hi Chris,

From your description, you're using the <mutualCertificate10Security> policy assertion to do mutual
x509 certification authentication, however, you found the service call works when using the WSE built-in test
certificates, but fails when using your custom test certificates, correct?

Based on the configuration fragment and the certificate creation command you pasted, here are some things
I think you can check and test further:

1. In the <extension> setting section, you use <extension name="mutualCertificate10Security", however,
in the policy assertion section below, you use <mutualCertificate11Security ...>. I would suggest you make
them consistent. Generally, if you do not want to make use of the new WS-Security 1.1 features, you can
just uncheck the "Enable WS-Security 1.1 extensions" option if you're using the VS 2005 WSE 3.0
configuration wizard to configure the policy file.

2. Currently you're using the following commands to create the test certificates:

==========================
makecert -sk DevServer -pe -ss my -sr LocalMachine -n CN=DevServer

makecert -sk DevClient -pe -ss my -sr LocalMachine -n CN=DevClient
==========================

I've checked WSE 3.0's test certificate creation script; there are some differences between that
command and yours:

** You need to specify the signature algorithm as "sha1" through the -a option, since the WSE setting uses
Sha1Thumbprint by default
** Mark the certificate's type as exchange

Here are the modified commands to create the certificates (I've tested them on my local machine without any
problem).

===================
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=DevServer -sky exchange -pe

makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=DevClient -sky exchange -pe
===================

#Certificate Creation Tool (Makecert.exe)
http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx

The above things can make sure the test certificates are created correctly. You still need to make sure
your service or application's security account has sufficient permission to access the certificate's private key. The
"WinHttpCertCfg.exe" tool can help grant access permission for certificates; you can find it in the WSE 3.0
SDK's installation folder.

Please have a look at the above things to see whether they help. I also have a local test solution
which uses the above-mentioned settings and certificates and works well. If you feel it necessary, I can send it to
you as well.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.
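
Added example, not part of the reply above and not WSE's own tooling: a Windows PowerShell check of the properties the reply calls out for the two test certificates (signature algorithm, exchange key type, exportable key, and whether the service account appears on the private key file's ACL). It assumes Windows PowerShell 5.1 run elevated; `NETWORK SERVICE` is a placeholder for whatever account the service actually runs as.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1, run elevated.
$subjects = 'CN=DevServer', 'CN=DevClient'   # subject names used in the thread
$account  = 'NETWORK SERVICE'                # assumption: account the service runs as
$keyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

foreach ($subject in $subjects) {
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject })
    if ($certs.Count -eq 0) {
        Write-Warning "$subject not found in LocalMachine\My"
        continue
    }
    foreach ($cert in $certs) {
        $keyType = 'n/a'; $exportable = 'n/a'; $onAcl = 'n/a'
        if ($cert.HasPrivateKey) {
            try {
                # makecert creates CSP keys, so PrivateKey is an RSACryptoServiceProvider
                $info       = $cert.PrivateKey.CspKeyContainerInfo
                $keyType    = $info.KeyNumber     # Exchange corresponds to -sky exchange
                $exportable = $info.Exportable    # True corresponds to -pe
                # Machine-store RSA keys are files named after the unique container name
                $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
                $onAcl   = [bool]((Get-Acl $keyFile).Access |
                    Where-Object { $_.IdentityReference.Value -like "*\$account" })
            } catch {
                # A caller without read access to the key file typically fails here
                $keyType = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA when -a sha1 was used
            HasPrivateKey = $cert.HasPrivateKey
            KeyType       = $keyType
            Exportable    = $exportable
            AccountOnAcl  = $onAcl
        }
    }
}
```

A row with `AccountOnAcl` set to False, or a `KeyType` other than Exchange, points at the corresponding item in the reply.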