makecert.exe to create a certificate for an SslStream

MrAksel

I know that makecert.exe is just for testing purposes, and to get a real one I have to purchase it. But I'm only going to do tests with it. So here is the situation:
  • The client connects to the server and creates an SslStream for secure transfer.
  • The server creates an SslStream on the connection so the two can communicate together.
  • The client authenticates the server with SslStream.AuthenticateAsClient("store.i3c.be")
  • The server tries to authenticate with SslStream.AuthenticateAsServer(new X509Certificate(System.IO.Directory.GetCurrentDirectory() + "\\data\\store.i3c.be.cer")) but fails with a NotSupportedException. The message was "The server mode SSL must use a certificate with the associated private key."
The certificate file was created by this command executed in CMD: makecert -n "CN=store.i3c.be" "C:\store.i3c.be.cer" and then moved to the \data directory of my program.

What is the problem? And how can I create a certificate so I can test my program?


mandai

If you want to create and use your own certificate in an SslStream then there will be a couple of things you need to do first.

On the server system you will need to run this command:
Code:
makecert.exe -r -pe -n "CN=hostname" -ss my -sr currentuser -sky exchange C:\authority.cer
This will generate a certificate and import it into the current user's personal store (this is so the private key can be accessed).

Next you will need to import the certificate into the root of the client's certificate store. On the client's system you can either use the wizard or you can use this command:
Code:
certmgr.exe -add C:\authority.cer -c -s -r localMachine Root
Once you have the certificates installed and recognized, you could use something like this for the server:
Code:
        ' where ss is an SslStream
        Dim serverAuthority As X509Certificate2 = New X509Certificate2("authority.cer")

        Try
            ss.AuthenticateAsServer(serverAuthority)
        Catch ex As Exception
            MsgBox("server " & ex.Message)
        End Try
The client part would look like this:
Code:
        Try
            ss.AuthenticateAsClient("hostname")
        Catch ex As Exception
            MsgBox("client " & ex.Message)
        End Try
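
The NotSupportedException in the first post comes from handing AuthenticateAsServer a certificate read from a .cer file, which holds only the public certificate. As an added example (not code from either poster), this C# helper reads the certificate from the CurrentUser\My store that the makecert command above populates and checks HasPrivateKey before authenticating; the class and method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ServerCertLoader
{
    // Looks in CurrentUser\My, the store targeted by "-ss my -sr currentuser",
    // and returns only a certificate that AuthenticateAsServer can actually use.
    public static X509Certificate2 LoadServerCertificate(string commonName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly is false: a self-signed test certificate does not chain
            // to a trusted root unless it was also added to Root on this machine.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, commonName, false);

            DateTime now = DateTime.Now;
            foreach (X509Certificate2 cert in matches)
            {
                // FindBySubjectName is a substring match, so compare the name exactly.
                string name = cert.GetNameInfo(X509NameType.SimpleName, false);
                bool nameOk = string.Equals(name, commonName, StringComparison.OrdinalIgnoreCase);
                bool inValidity = now >= cert.NotBefore && now <= cert.NotAfter;

                // Without the private key the server side fails with
                // "The server mode SSL must use a certificate with the associated private key."
                if (nameOk && inValidity && cert.HasPrivateKey)
                    return cert;
            }
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException(
            "No usable certificate with a private key for CN=" + commonName + " in CurrentUser\\My.");
    }

    // ss is the SslStream wrapped around the accepted connection.
    public static void AuthenticateServer(SslStream ss, string commonName)
    {
        ss.AuthenticateAsServer(LoadServerCertificate(commonName));
    }
}
```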
MrAksel

It works perfectly. What are the advantages of a purchased cert over a certificate for testing? Doesn't the testing cert work over the Internet and only on the local network?


mandai

An advantage of purchasing a certificate from an existing authority is that you don't need to install the certificate into the root of each client; it should just work. Another advantage is you don't need to worry about keeping the private key safe.

There are no limits to the use of these generated certificates.
MrAksel

Thank you. Keeping the private key safe is only on the server side, right? Well, it might not be a big problem. I can just run certmgr.exe to install the certificate on each new client machine.

