
WSE 3.0 with Microsoft Certificate Services


Mark Baldwin

May 14, 2007, 9:54:14 AM
Although the documentation states the Microsoft Certificate Services can be
used to generate X.509 certificates for use with WSE 3.0, I cannot get it to
work.

I can generate certificates and download them to the certificate store on
the client, but when I use the WSE 3.0 Settings Tool from within VS2005 and
specify the certificate I get the error...

"Select Certificate does not support Data Encryption"

I have searched high and low for answers to this problem and although there
are lots of people asking the same question, there are no answers!

Any help much appreciated...

--

Mark


Steven Cheng[MSFT]

May 14, 2007, 10:59:45 PM
Hi Mark,

From your description, you're wanting to use Windows Certificate Services
to create some test certificates that will be used in your WSE 3.0
application (client, server ...). However, you found that the issued
certificates cannot work at runtime, correct?

As for Windows Certificate Services, it can surely generate standard X.509
certificates that can simulate real-world certificate-secured scenarios. I've
used this to create test certificates for WSE and WCF client/server
applications.

Based on the error message you provided, "Select Certificate does not
support Data Encryption", it indicates that the certificate's usage does not
support data encryption. I think it is likely that the certificate's type
was not correct when you submitted the certificate creation request. How did
you generate the certificate request in the web page interface? Generally,
for a WSE (or WCF) client/server application that needs to sign and encrypt
data, you can create the certificate request (in Windows Certificate
Services' web interface) through the following steps:

1. navigate to web interface at http://servername/certsrv/

2. choose "request a certificate" task

3. choose "submit an advanced certificate" link

4. choose "Create and submit a request to this CA."

Then you will go to the advanced certificate request input page, where you
need to input many parameters for your requested certificate. The parameters
below are important:

** "Type of certificate": you can choose "Server Authentication
certificate" (for your server application), and "Client Authentication
Certificate" for your client application

** Key usage: remain "both" (encrypt and signing)

** Check "mark key as exportable" so that you can export the entire
certificate with the associated private key later (after you've installed it
on the machine)

In addition, after you have installed the certificate in the machine's
certificate store, when you open it and view its properties, you should be
able to see the "key usage" properties, which may indicate whether it can be
used to encrypt or sign data.

If you have anything unclear, please feel free to let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
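
An added example, not part of the original thread or of Steven's reply: a PowerShell function that reads the "key usage" property he mentions for every certificate in a store, so a certificate issued with a signature-only or exchange-only key is visible before it is selected in the WSE 3.0 Settings Tool. It assumes the tool's "Data Encryption" check corresponds to the KeyEncipherment or DataEncipherment bit; the function name `Get-CertKeyUsageReport` is hypothetical.

```powershell
# Added example: report Key Usage / Enhanced Key Usage for certificates in a store.
function Get-CertKeyUsageReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin {
        $flags   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        # Assumption: "data encryption" is satisfied by either encipherment bit.
        $encrypt = $flags::KeyEncipherment -bor $flags::DataEncipherment
        $sign    = $flags::DigitalSignature
    }
    process {
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        if ($null -eq $ku) {
            # No Key Usage extension: X.509 places no restriction on the key.
            $usages     = 'absent (unrestricted)'
            $canEncrypt = $true
            $canSign    = $true
        } else {
            $usages     = $ku.KeyUsages.ToString()
            $canEncrypt = ($ku.KeyUsages -band $encrypt) -ne 0
            $canSign    = ($ku.KeyUsages -band $sign) -ne 0
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            KeyUsage      = $usages
            EnhancedUsage = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { 'absent' }
            CanEncrypt    = $canEncrypt
            CanSign       = $canSign
            HasPrivateKey = $Certificate.HasPrivateKey
        }
    }
}

# Inspect the current user's personal store; use Cert:\LocalMachine\My for service certificates.
Get-ChildItem Cert:\CurrentUser\My | Get-CertKeyUsageReport | Format-List
```

A certificate that shows `CanEncrypt = False` or `CanSign = False` was issued with a restricted key usage and has to be re-requested with the usage set to "both".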

Mark Baldwin

May 15, 2007, 4:26:03 AM
Steven,

The problem seems that I do not get the options you list below.

Once I get to the Advanced Certificate Request page, there is no option to
choose Client or Server certificate. I do have a list of templates that
include...

Administrator
Basic EFS
EFS Recovery Agent
User
Subordinate Certificate Authority
Web Server

Regardless of which template is selected, I do not get an option to select
Key Usage of Both - I either get Exchange or Signature but the option is
lowlighted (read-only).

Certificate Services is running on Windows 2003 SP2.

--
Best regards
Mark


Mark Baldwin

May 15, 2007, 4:48:45 AM
Steven,

I have reinstalled Certificate Services and the options you describe now
appear. I no longer get the error message described in my initial message, so
the problem is now resolved - thanks for your help.

--
Best regards
Mark


Steven Cheng[MSFT]

May 15, 2007, 5:22:10 AM
Thanks for your reply Mark,

I'm glad that you've resolved the problem.

BTW, if you want to create a test certificate for data encryption and
signing (digital signature) in your own code (using .NET or raw Win32), you
can choose the "Email Protection..." type certificate.

Have a nice day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

harinikondamudi

Mar 14, 2010, 11:51:41 AM

Hello, I have a project and I am trying to generate an X.509 certificate for the service in WSE 3.0. I am trying to use the usernametokencertificate policy from the WSE 3.0 interface.
There are some test certificates generated by the WSE SDK and I installed them using the MMC snap-in. However, any certificate that I try to select from the store gives an error that it cannot support digital signatures.

I have been trying and posting in many forums but couldn't get a reply. Please help me with this.
