This version of the Ed-Fi Dashboards is no longer supported. See the Ed-Fi Technology Version Index for a link to the latest version.
How To: Create a Self-Signed Certificate
- Kistel Hazel
- Ian Christopher
Overview
The Ed-Fi Dashboards require a secure network connection between client and server. Developers can create a self-signed certificate to work with the Ed-Fi Dashboards securely on a development machine. This documentation provides a step-by-step setup guide.
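A summary of the steps is as follows:
- Step 1: Create a Certificate using the Visual Studio Command Prompt
- Step 2: Import and Configure the Certificate
- Step 3: Update the Web Project Configuration File
The detail for each step is outlined below.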
Step 1: Create a Certificate using the Visual Studio Command Prompt
Launch a Visual Studio command prompt (found at Start > Microsoft Visual Studio 2010 > Visual Studio Tools > Visual Studio Command Prompt), and issue the commands below.
Enter a password to protect the certificate. In the command lines below, it is assumed that a password of "p@ssw0rd" was used (substitute it accordingly in the pvk2pfx command below).
D:\Projects>makecert -r -n CN=STSTestCert -sv STSTestCert.pvk STSTestCert.cer
Succeeded
D:\Projects>cert2spc STSTestCert.cer STSTestCert.spc
Succeeded
D:\Projects>pvk2pfx -spc STSTestCert.spc -pvk STSTestCert.pvk -pfx STSTestCert.pfx -pi p@ssw0rd -po p@ssw0rd
Step 2: Import and Configure the Certificate
Once the .pfx file has been created:
- Click on Start > Run..., and then type "mmc" and hit Enter.
- Add the "Certificates" snap-in. When prompted, choose "Local Machine".
- Expand Certificates > Personal.
- Right-click > All Tasks > Import... and select the *.pfx file that was created above.
- Right-click on the newly added certificate, select All Tasks > Manage Private Keys..., and add Read permissions for the IIS_IUSRS group.
- Expand Trusted Root Certification Authorities and import the certificate here as well. No special permissions need to be applied.
This step is appropriate for development machines, but not for a production server. Trusting this certificate means that any certificate signed with it will be trusted by the system, which represents a potential security vulnerability.
Step 3: Update the Web Project Configuration File
As a final step, you need to get the thumbprint of the newly created/imported certificate. Issue the following commands:
certmgr -s -r localMachine my > MyCerts.txt
notepad MyCerts.txt
You should see content that looks like the following:
==============Certificate # 1 ==========
Subject:: [0,0] 2.5.4.3 (CN) STSTestCert
Issuer:: [0,0] 2.5.4.3 (CN) STSTestCert
SerialNumber:: 55 42 B9 30 13 A7 26 A5 44 B9 BA 0A 55 ED C9 14
SHA1 Thumbprint:: FAA98C88 4BF16333 76F23847 3BD12DCC 9C405975
MD5 Thumbprint:: 02237355 382AC699 BAB8604E B1E45AE6
Key MD5 Thumbprint:: E6657045 ECB6DDF2 FEB1706D 4E0BD8CA
Provider Type:: 1
Provider Name:: Microsoft Strong Cryptographic Provider
Flags: 0x20
Container: {C79847BD-32C6-49BB-B859-41744501394E}
KeySpec: 2
NotBefore:: Sat Oct 27 23:54:26 2012
NotAfter:: Sat Dec 31 18:59:59 2039
Update the STS web project's config file with the SHA1 Thumbprint value, as follows (removing spaces):
<trustedIssuers>
  <add thumbprint="FAA98C884BF1633376F238473BD12DCC9C405975" name="https://localhost/EdFiDashboardDev_STS/" />
</trustedIssuers>
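The thumbprint step is easy to get wrong by hand, especially when the store holds more than one certificate. The following is an added example, not part of the Ed-Fi documentation: it picks the SHA1 thumbprint for a given CN out of a certmgr dump and checks the trustedIssuers entry against it. The function names, the second certificate in the sample and the one-field-per-line layout are assumptions, and the CN is assumed to contain no spaces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dump: the first entry is made up, the second reuses the
# STSTestCert values shown above. One field per line is an assumed layout.
SAMPLE_DUMP = """\
==============Certificate # 1 ==========
Subject:: [0,0] 2.5.4.3 (CN) OtherDevCert
Issuer:: [0,0] 2.5.4.3 (CN) OtherDevCert
SHA1 Thumbprint:: 0123ABCD 4567EF01 89AB2345 CDEF6789 0A1B2C3D
==============Certificate # 2 ==========
Subject:: [0,0] 2.5.4.3 (CN) STSTestCert
Issuer:: [0,0] 2.5.4.3 (CN) STSTestCert
SHA1 Thumbprint:: FAA98C88 4BF16333 76F23847 3BD12DCC 9C405975
MD5 Thumbprint:: 02237355 382AC699 BAB8604E B1E45AE6
"""
GOOD_CONFIG = ('<trustedIssuers><add thumbprint="FAA98C884BF1633376F238473BD12DCC9C405975" '
               'name="https://localhost/EdFiDashboardDev_STS/" /></trustedIssuers>')
# Constructed mistake: the spaces from the dump were left in the attribute.
BAD_CONFIG = GOOD_CONFIG.replace("FAA98C884BF1633376F238473BD12DCC9C405975",
                                 "FAA98C88 4BF16333 76F23847 3BD12DCC 9C405975")

def thumbprints_by_cn(dump):
    """Map subject CN -> SHA1 thumbprint as 40 uppercase hex characters."""
    found = {}
    # Split on the "=====Certificate # N =====" separators; skip the preamble.
    for block in re.split(r"=+\s*Certificate\s*#\s*\d+\s*=+", dump)[1:]:
        cn = re.search(r"Subject::\s*\[0,0\]\s*2\.5\.4\.3\s*\(CN\)\s*(\S+)", block)
        sha1 = re.search(
            r"SHA1 Thumbprint::\s*((?:[0-9A-Fa-f]{8}\s+){4}[0-9A-Fa-f]{8})", block)
        if cn and sha1:
            found[cn.group(1)] = re.sub(r"\s+", "", sha1.group(1)).upper()
    return found

def check_config(config_xml, expected):
    """Return a list of problems found in the <add thumbprint=...> entries."""
    problems = []
    for add in ET.fromstring(config_xml).iter("add"):
        value = add.get("thumbprint", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", value):
            # Catches leftover spaces and any stray or invisible characters.
            problems.append("malformed thumbprint: %r" % value)
        elif value.upper() != expected:
            problems.append("thumbprint does not match certificate: " + value)
    return problems

if __name__ == "__main__":
    expected = thumbprints_by_cn(SAMPLE_DUMP)["STSTestCert"]
    print(expected)
    print(check_config(GOOD_CONFIG, expected), check_config(BAD_CONFIG, expected))
```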