WP7 Client Certificates Part 2 (Client Certs on the Browser)

by jasonrshaver 28. September 2011 15:55

This post is part of a series on using client certificates in Windows Phone 7. I expect there to be 3 parts involved:

  1. Setting Up IIS Express
  2. Client Certificates on the Browser
  3. Client Certificates on the Emulator
  4. Client Certificates on the Phone

Setting Up IIS Express to Accept Client Certificates

First, let's tell IIS Express that we want to accept client certificates. To do this, open the IIS Express application host configuration file located at:

C:\Users\{Your User Name}\Documents\IISExpress\config\applicationhost.config

and, as always, make a backup before modifying this file! Take note of your site configuration, located around line 161:

<site name="WebSecurity" id="2">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="D:\Scratchpad\WebSecurity\WebSecurity" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:5382:localhost" />
        <binding protocol="https" bindingInformation="*:44300:localhost" />
    </bindings>
</site>

Go to about line 330 and change the enabled attribute of the iisClientCertificateMappingAuthentication element from "false" to "true". It currently reads:

<iisClientCertificateMappingAuthentication enabled="false">

And if you go to around line 314, replace the access element with the following block:

  <!-- If the user is using SSL and has a client certificate, use it -->
  <access sslFlags="SslNegotiateCert" />

  <!--Require SSL *AND* use a client certificate if there is one -->
  <!--<access sslFlags="Ssl, SslNegotiateCert" />-->

  <!--Require SSL *AND* require a client certificate -->
  <!--<access sslFlags="Ssl, SslRequireCert" />-->

You will see that there are 3 options in the above block. For the sake of debugging, let's leave the first option, SslNegotiateCert, as the uncommented one.

Save the file, run your web application, and you will now find that it asks you to select a client certificate. In my case, working at Microsoft, I have lots to choose from.


Create a Client Certificate and Trust Chain

But, I don’t want to use a certificate from work, I want to create my own certificate.  To do that, we really need to create two certificates, a ‘localhost’ certificate to act as our client certificate, and a root certificate that we can place in our trusted root store. 

To do this, click Start and type 'cmd', right-click 'cmd.exe' and select Run as Administrator. Then type cd "\program files (x86)\Microsoft SDKs\Windows\v7.0A\bin" (or wherever you have a copy of makecert.exe installed).

First, let's create a new root certificate:

makecert -n "CN=localhost" -r -sv localhostCA.pvk localhostCA.cer

When you do this, you will be asked for a password to protect the private key.  You can choose none if you wish.  Now we need to use our new localhostCA certificate to issue a new client certificate:

makecert -pe -ss My -sr CurrentUser -a sha1 -sky exchange -n "CN=localhost" -sk SignedByLocalHostCA -ic localhostCA.cer -iv localhostCA.pvk

Now, before we can use that certificate, we need to 'trust' our localhostCA certificate. Type the following into the command prompt:

start localhostCA.cer

and click Install Certificate:


Select "Place all certificates in the following store" and click Browse…


Click the Show physical stores checkbox and select Trusted Root Certification Authorities and Local Computer.


Then click OK, Next, and Finish. You should be greeted by a friendly "The import was successful." dialog.

Now, let's go back to the web application created in Part 1 and hit F5.


Boom, now select the “localhost” certificate and you should be good to go.

Using the Client Certificate

So, now that we have a client certificate, how do we use it?  In our web project, go to Views\Home\Index.cshtml and add the following:

@{
    ViewBag.Title = "Home Page";
}

@if (Request.ClientCertificate.IsPresent == false)
{
    <p>
        Client Certificate is not present.
    </p>
}
else
{
    <p>
        Client Certificate is found.<br /><br />

        User: <span>@User.Identity.Name</span><br /><br />

        Certificate Details:<br />
        Issuer: <span>@Request.ClientCertificate["ISSUER"]</span><br />
        Subject: <span>@Request.ClientCertificate["SUBJECT"]</span><br />
        Serial Number: <span>@Request.ClientCertificate["SERIALNUMBER"]</span><br />
        Valid From: <span>@Request.ClientCertificate["VALIDFROM"]</span><br />
        Valid Till: <span>@Request.ClientCertificate["VALIDUNTIL"]</span><br />
    </p>
}
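The view above only checks IsPresent, and with SslNegotiateCert that tells you that some certificate the machine already trusts was negotiated, not that it was issued by our localhostCA. The helper below is an added example, not code from the original post: it rebuilds the chain from the DER bytes in Request.ClientCertificate.Certificate and pins the chain's root to the thumbprint of localhostCA.cer. ExpectedRootThumbprint is a placeholder you fill in from the certificate's Details tab; the class and method names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example: pin the negotiated client certificate to our own localhostCA.
public static class ClientCertCheck
{
    // Placeholder: SHA-1 thumbprint of localhostCA.cer (Details tab, no spaces).
    private const string ExpectedRootThumbprint = "PUT-LOCALHOSTCA-THUMBPRINT-HERE";

    // Returns true only if a client certificate was negotiated AND its chain
    // terminates at localhostCA; 'reason' explains the verdict for logging.
    public static bool IsIssuedByLocalhostCA(HttpRequestBase request, out string reason)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;
        if (!clientCert.IsPresent)
        {
            reason = "no client certificate negotiated (SslNegotiateCert makes it optional)";
            return false;
        }

        // ClientCertificate.Certificate holds the raw DER-encoded certificate.
        var cert = new X509Certificate2(clientCert.Certificate);

        var chain = new X509Chain();
        // makecert test certs publish no CRL, so an online revocation check would fail.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(cert))
        {
            reason = "chain did not build: " + string.Join("; ",
                chain.ChainStatus.Select(s => s.Status + " " + s.StatusInformation.Trim()));
            return false;
        }

        // The last element is the trust anchor; only our own CA is acceptable.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            reason = "chain ends at unexpected root: " + root.Subject;
            return false;
        }

        reason = "OK: " + cert.Subject + " issued by " + cert.Issuer
                 + ", serial " + cert.SerialNumber;
        return true;
    }
}
```

In the view, call it with @{ string why; bool ok = ClientCertCheck.IsIssuedByLocalhostCA(Request, out why); } and branch on ok instead of on IsPresent alone.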

Press F5, select your client certificate, and you should see the certificate details rendered on the page.


Congratulations, in the next article, we will connect all this with a Windows Phone 7 project.

About the author

I am a software developer working for Microsoft in Redmond, WA.  In addition, my wife and I own TTXOnline, what is likely the 3rd largest table tennis store in the US.
