It's a bit tricky to install certificates and keys, and harder still when you want to use the same certificate on both Windows and *NIX boxes. Most of us don't have to install certificates very often (!), but that doesn't make it any easier! If you're like me you forget at least one of the annoying little essential details.
So partly in light of questions I've been receiving, and partly so next time I encounter these problems I remember how I answered them, I'm putting together what I hope might be a useful “Practical Guide to Certificate Installation for the Disinterested”. In other words, I'm NOT discussing how to use certificates in production environments.
I'm kind of starting in the middle, but I've got three pieces ready so far. If you're not familiar with this area, OpenSSL is an open source tool for managing certificates and IIS is Microsoft's Internet Information Server (i.e. Web server). If you see problems with my instructions, please let me know.
Now for the pithy titles:
- Converting OpenSSL PEM certificates and keys into a P12 format for IIS
- Installing a machine certificate in the Windows certificate store
- Configuring IIS to use a machine certificate
I'm also going to tackle the issue of creating InfoCard-compatible certs for testing and developing purposes. If others want to add other sections let me know.
4 thoughts on “Practical Guide To Certificate Installation for the Disinterested”
In regards to you planning on tackling the issue of creating InfoCard-compatible certificates for testing and developing purposes, I am definitely very interested.
I would love to see a detailed guide/walk-through on how to generate/issue certificates from a Microsoft Certificate Authority (CA) server that have the RFC 3709 (logotype) extensions for my organization.
I plan on issuing CardSpace cards to my Active Directory users, but this is the missing piece before I can set up an STS for our organization.
I am looking forward to your post about CardSpace compatible certs for testing. I am currently implementing a P2P system (an app and a service) partially based on CardSpace and would love to get more info whenever I can. One of the most important issues before going live will definitely be getting a new high-insurance certificate (or whatever is the name).
Btw, I just used the newly released CardSpace plugin and logged in from Firefox 🙂