Using Test X509 Certificates with BizTalk Web Services

post by : paul petrov

If you’re planning to use X509 digital certificates to secure communication between services then you would need to test all security features at some point. MakeCert.exe tool can help to generate self-signed certificates for development and integration testing. Here’s the quick process overview. We will need one Certification Authority Root certificate and one ore more (depending on application design and configuration) client and server certificates.

First, create root certification authority certificate. This certificate will be used to sign server and client certificates:

makecert -r -pe -cy authority -n "CN=Test Root Authority"  –sk “Test Root Authority”  -sr CurrentUser -ss My -a sha1 -sky signature TestRootAuthority.cer

This will create self-signed certificate and install it in the CurrentUser/Personal store. Copy this certificate into LocalMachine/ Trusted Root Certification Authorities.

We also need to import this certificate into LocalMachine/Trusted Root Certification Authorities store of all client and server boxes so they can validate certification path. This can be done through MMC Certificates snap-in or using certmgr.exe:

certmgr -add -all -c "TestRootAuthority.cer" -s -r LocalMachine Root

Create server certificate:

makecert -pe -cy end -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sy 12 –sp "Microsoft RSA SChannel Cryptographic Provider" –n "CN=HostName" -sr CurrentUser -ss My -in "Test Root Authority" -is My -ir CurrentUser TestServer.cer

Using MMC export just created certificate to the pfx file with private key to install it on servers. Note: when installing certificates make sure that account used has access to certificate private key. In case of BizTalk web service this is account for the host instance that runs BizTalk SOAP receive adapter.

Use MMC or certmgr.exe to import server’s public key TestServer.cer into LocalMachine/Other People store on client machines.

Create client certificate:

makecert -pe -cy end -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" -n "CN=Test Client" -sr LocalMachine -ss My -in "Test Root Authority" -is My -ir CurrentUser TestClient.cer

Install this certificate on the client in the Personal store of the service account that will be sending requests to BizTalk server. Make sure that service account has rights to access certificate private key. If you’re getting HTTP 403 Forbidden error when calling the service that may be the reason behind it. For example, when client makes web service request in context of ASP.NET web application it uses ASP.NET process identity (default, if impersonation disabled is Network Service or ASPNET). To grant certificate access for the specific account use this command:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s “Test Client” -a  Domain\Account

Command above grants access to the “Test Client” certificate private key located in the LocalMachine/Personal to the Network Service account. Command tool winhttpcertcfg.exe is part of Windows SDK and can be found here.

Finally, import client public key into the LocalMachine\Other People store on servers. Then you can enable certificates on the IIS, apply authorization rules, map BizTalk parties to certificates, etc.. This pretty much allows you to reproduce and test real world scenarios with authentication between services, operations authorization, and party resolution in staging environment.