Creating a TLS Server Certificate

This article discusses the purpose of SSL/TLS server certificates and how to create a certificate that can be used for testing purposes on your own development system.

More Information

Certificates are used to establish trust between servers and clients. There are two kinds: server certificates, which identify the server to the client, and client certificates, which the client presents to authenticate itself to the server. SocketTools supports both, either by setting the CertificateStore and CertificateName properties in the .NET and ActiveX components, or by calling the CreateSecurityCredentials function in the libraries.

When establishing a secure connection, the SocketTools components request the server's certificate and validate it. If the certificate cannot be validated, SocketTools treats this as a soft error: the connection is not dropped automatically, and the application decides whether the secure session should proceed or be terminated. Outside of testing, the application should terminate it; accepting a certificate that failed validation means the session could just as well have been established with anyone who presented their own certificate.

You can either create a self-signed certificate or purchase one from a public Certificate Authority (CA) such as Verisign or Thawte. Public CAs have root certificates that ship as part of the base operating system and are recognized on all Windows platforms, so a certificate they issue is trusted without further configuration. Alternatively, you can create your own root and server certificates for testing purposes on your own local network.

Creating a Self-Signed Root Certificate

To create a certificate for testing purposes, there are two steps. First, create a self-signed certificate that establishes you as your own Certification Authority (CA). Next, use that root certificate to sign a test server certificate, which is placed in your personal certificate store. Because you are functioning as your own certification authority, any other system that attempts to connect to your server will report that the certificate is not trusted until your test root certificate has been installed in that system's trusted root store.

MakeCert is a utility included in the Microsoft Windows SDK (formerly the Platform SDK) that lets you create digital certificates from the command line. Current versions of Visual Studio include a shortcut to a command prompt that sets the environment for that toolset. Note that Microsoft has deprecated MakeCert; on Windows 10 and later the supported replacement is the New-SelfSignedCertificate PowerShell cmdlet, which can produce the same certificates described here. To create a self-signed certificate, open an administrative command prompt and enter the following:

MakeCert -pe -n "CN=TestCA" -b 01/01/2015 -e 01/01/2025 -ss my -sr currentuser -a sha256 -sky signature -len 2048 -r "TestCA.cer"

Note: If you get an error indicating that CryptCertStrToNameW failed, the usual cause is that the straight double quotes around the -n value were converted to typographic quotes when the command was copied from the browser into the command window. Retype the command by hand, using plain double quotes.

This creates a file named TestCA.cer containing the self-signed root certificate with the subject name "TestCA". In the command above, -r makes the certificate self-signed, -sky signature gives it a signing key, -pe marks the private key as exportable, -a sha256 and -len 2048 select the hash algorithm and key size, and -ss my -sr currentuser place it in your personal certificate store. Adjust the -b and -e dates so that the validity period covers the dates on which you will be testing. The certificate is installed automatically in your personal store, but for a chain built from it to validate you must also install it as a trusted root certificate. To do this, open the Certificates management console for the current user by entering the following command:

CertMgr.msc

Right-click on Trusted Root Certification Authorities, select All Tasks and then Import to start the Certificate Import Wizard. Select the TestCA.cer file, and then choose the option to place the certificate in a specified store (do not have it automatically select the store). Press the Browse button and select Trusted Root Certification Authorities. A confirmation dialog will make sure that you want to install it; once complete, your new test root certificate has been installed. The same import can be done from the command line with certutil -user -addstore Root TestCA.cer, which shows the same confirmation dialog.

Creating the Server Certificate

The second step is to create a server certificate. To do this, enter the following command at the command prompt:

MakeCert -pe -n "CN=localhost" -b 01/01/2015 -e 01/01/2025 -eku 1.3.6.1.5.5.7.3.1 -in "TestCA" -is my -ir currentuser -ss my -sr currentuser -a sha256 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 "Localhost.cer"

This creates a file named Localhost.cer in the current directory and installs the certificate in your personal store. Here -in "TestCA" names the issuing certificate, which MakeCert looks up in the store given by -is my -ir currentuser; -eku 1.3.6.1.5.5.7.3.1 marks the certificate for Server Authentication; -sky exchange gives it a key exchange key; and -sp with -sy 12 place the key in the Microsoft RSA SChannel Cryptographic Provider, which is the provider Schannel expects for a server certificate. With your new server certificate installed, you should be able to connect to your server securely. Remember, if you want a different system to connect to your server, you need to copy TestCA.cer to that system and install it in its trusted root certificate store; otherwise the server certificate will be considered invalid. One limitation to be aware of: MakeCert has no option to add a Subject Alternative Name extension, and current browsers require the host name in a SAN rather than the CN, so if a browser also needs to accept the certificate, create it with New-SelfSignedCertificate and its -DnsName parameter instead.
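The following is an added example, not part of the original article or of SocketTools, that performs both steps above with the PowerShell PKI cmdlets (New-SelfSignedCertificate, Export-Certificate, Import-Certificate) instead of MakeCert, and then builds the server certificate's chain before and after the test root is trusted, so you can see the "not trusted" soft error described earlier and confirm it goes away once TestCA.cer is in the Trusted Root store. The output directory, subject names, validity periods and the SAN entry are assumptions for a test setup; run it from an elevated PowerShell prompt on Windows 10 or later.

```powershell
# Added example: the two MakeCert steps done with the PKI module cmdlets,
# followed by a chain check. Directory, names and validity are assumptions.
$ErrorActionPreference = 'Stop'
$certDir = Join-Path $PWD 'testpki'      # assumption: where TestCA.cer is written
New-Item -ItemType Directory -Force -Path $certDir | Out-Null

# Step 1: self-signed root for the test CA. CertSign key usage plus a
# Basic Constraints extension marking it as a CA make it usable as a signer.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=TestCA' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5)

# Step 2: server certificate issued by the test CA. -DnsName fills the
# Subject Alternative Name (which MakeCert cannot do); the TextExtension
# is the Server Authentication EKU, the same OID as MakeCert's -eku above.
$server = New-SelfSignedCertificate `
    -Subject 'CN=localhost' `
    -DnsName 'localhost' `
    -Signer $ca `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Export the public part of the root; this is the file other test systems
# (and this one) import into Trusted Root Certification Authorities.
$caFile = Join-Path $certDir 'TestCA.cer'
Export-Certificate -Cert $ca -FilePath $caFile -Type CERT | Out-Null

# Build the certificate chain the way a client validating the server would.
# Revocation checking is off because the test CA publishes no CRL.
function Test-ServerChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    [PSCustomObject]@{
        Trusted = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Before the root is trusted the chain fails with UntrustedRoot: this is the
# condition SocketTools reports to the application as a soft error.
Write-Host 'Before trusting TestCA:' (Test-ServerChain $server | Out-String)

# Install the root into the user's Trusted Root store. Windows shows the same
# confirmation dialog the Certificate Import Wizard does for this store.
Import-Certificate -FilePath $caFile -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Write-Host 'After trusting TestCA:' (Test-ServerChain $server | Out-String)

# Thumbprints identify the certificates in the store when configuring the server.
"CA thumbprint:     $($ca.Thumbprint)"
"Server thumbprint: $($server.Thumbprint)"
```

On another machine, copy only TestCA.cer and run the Import-Certificate line there; the server's private key never leaves the system it was generated on. When the testing is finished, remove TestCA from Cert:\CurrentUser\Root, since as long as it is trusted anyone holding its private key can issue certificates that machine will accept for any name.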

See Also

Microsoft Windows SDK for Windows 7 and .NET Framework 4