Self-signed Certificate
From MgmtWiki
Full Definition or Meme
An Authority Root of Trust is a Self-signed Certificate.
Context
- Federation or public chain of trust is rooted in a Self-signed Certificate.
- Development on a personal computer or staging computer.
Problem
- Self-signed certificates are not trusted by the client computer's browsers until they are placed in the Trusted Root store of either the Current User or the Local Computer.
- To further confuse the issue, the store names used by the Windows APIs and PowerShell DO NOT MATCH the folder names shown in the Certificates snap-in.
- The "Personal" folder is "My"; this is where a certificate and its key must be in order to be trusted by the server.
- The "Trusted Root Certificate Authorities" folder is "Root"; this is where a certificate must be in order to be trusted by a client, like the browser. For mutual trust this cert may include the key.
Solution
In most cases it is important that you understand the location (store) where the cert will be installed.
On Windows PowerShell
- Context: you should run PowerShell with admin credentials. See the New-SelfSignedCertificate documentation.
- Navigate to the targeted directory, for example: PS C:\WINDOWS\system32> cd cert:\currentUser\my
- A directory listing of that particular directory will show all of the certs used to create a root of trust.
- PS Cert:\currentUser\my> New-SelfSignedCertificate -DnsName "trustregistry.us" -KeyUsage DigitalSignature -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048
- This command does not specify the NotAfter parameter; therefore the certificate expires in one year.
The new cert can then be inspected by the first few characters of its thumbprint:
    PS Cert:\currentUser\my> dir D4* | select -property *

    PSPath                   : Microsoft.PowerShell.Security\Certificate::currentUser\my\D48B2564777B0769C2E000E0745CB694FC2682F8
    PSParentPath             : Microsoft.PowerShell.Security\Certificate::currentUser\my
    PSChildName              : D48B2564777B0769C2E000E0745CB694FC2682F8
    PSDrive                  : Cert
    PSProvider               : Microsoft.PowerShell.Security\Certificate
    PSIsContainer            : False
    EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
    DnsNameList              : {trustregistry.us}
    SendAsTrustedIssuer      : False
    EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    PolicyId                 :
    Archived                 : False
    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName             :
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 2021-05-20 10:22:22 AM
    NotBefore                : 2020-05-20 10:02:22 AM
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    RawData                  : {48, 130, 3, 45...}
    SerialNumber             : 2C85075BA270549C4E819F275880F6DC
    SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm       : System.Security.Cryptography.Oid
    Thumbprint               : D48B2564777B0769C2E000E0745CB694FC2682F8
    Version                  : 3
    Handle                   : 2166495813200
    Issuer                   : CN=trustregistry.us
    Subject                  : CN=trustregistry.us
On Windows with IIS
- Context: Windows IIS 7 that contains the service that needs an SSL certificate (the cert will go to LocalMachine\My).
- Click on the Windows icon in the taskbar, Search for IIS, and open Internet Information Services (IIS) Manager.
- Click on the name of the server in the Connections column on the left. Double click the Server Certificates icon.
- In the Actions column on the right hand side, click on Create Self Signed Certificate.
- Enter the friendly name you wish to use to identify the certificate, and then click OK.
- You now have an IIS Self Signed Certificate, valid for one year, which will be listed under Server Certificates. The common name is the server name.
- PS Cert:\currentUser\my> New-SelfSignedCertificate -DnsName "trustregistry.us" -KeyUsage DigitalSignature -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048
- This command does not specify the NotAfter parameter; therefore the certificate expires in one year unless other values are included.
On IIS Express
On Windows for ASP.NET
- Create with: dotnet dev-certs https -ep .\filename.pfx -p $pwd
- Export (the password must be converted to a SecureString first):
    $SecPwd = ConvertTo-SecureString $pwd -Force -AsPlainText
    $cert = dir cert:\CurrentUser\My\43*
    Export-PfxCertificate $cert .\local2019.pfx -Password $SecPwd
Moving a cert from My to Root
This is needed when the code runs client as well as server applications. (NOTE: the last step requires admin privilege.)
- For computer wide certificates => cd Cert:\LocalMachine\My
- To determine which certificate to move => dir
- To verify that you will get the cert you want, select the first few characters of the Thumbprint => dir c1d7*
- Copy the cert to a local variable => $cert = (dir c1d7*)
- Export the cert => Export-Certificate -Cert $cert -FilePath c:\certs\user.p7b -Type p7b
- Navigate the location to store the cert => cd Cert:\LocalMachine\Root\
- import the cert => (dir c:\certs\user.p7b) | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root
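The creation step above and the My-to-Root copy, put together as one script with checks at each stage (this is an added example, not code from the wiki page). It works in the CurrentUser stores so no admin rights are needed; the DNS name and the C:\certs folder are placeholders.

```powershell
# Added example: create a self-signed cert in CurrentUser\My with an explicit
# NotAfter, copy only its public part into CurrentUser\Root, and confirm that
# the client-side trust check flips from failing to passing.
# Placeholders (assumptions, not from the page): the DNS name and export folder.
$dnsName   = "dev.example.test"
$exportDir = "C:\certs"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Explicit two-year validity instead of the one-year default described above.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)
"Created $($cert.Thumbprint) valid until $($cert.NotAfter)"

# Before the copy the chain ends in an untrusted self-signed root, so the
# SSL policy check fails (Test-Certificate returns $false and warns).
$before = Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName -ErrorAction SilentlyContinue
"Trusted as SSL server cert before import: $before"

# Export-Certificate writes only the public certificate (no private key),
# which is all a client needs in Root. The key stays in My for the server.
$cerPath = Join-Path $exportDir "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# CurrentUser\Root does not need admin; LocalMachine\Root does.
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\CurrentUser\Root" | Out-Null

# Verify the copy landed in the right store and carries NO private key there.
$rootCopy = Get-ChildItem "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
"In Root: $($rootCopy.Subject)  HasPrivateKey=$($rootCopy.HasPrivateKey)"

$after = Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName -ErrorAction SilentlyContinue
"Trusted as SSL server cert after import: $after"
```

Windows shows a confirmation dialog when a root certificate is added to CurrentUser\Root interactively; accept it for the import to complete.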
Examine a pfx
certutil -dumpPFX .\local2019.pfx
References
- Some content is from Sophos