Recently, I needed to secure the communication between a .NET server application running on a Windows PC and a client application running on an embedded device. The solution was to use SSL/TLS to secure the communication, and .NET provides the SslStream class for that purpose. An SslStream instance takes an X.509 certificate (together with its private key, normally loaded from a .pfx file) and uses it to provide two aspects of SSL security. These two aspects of security are:
- Identification
- Encryption
For my use case, the .NET server was running at a known IP address in a local network. There wasn't a need to validate the identity of the server against a certificate authority. My only need was to encrypt the communication. This justified the use of an X.509 self-signed certificate, and this is how I generated it. One caveat: encryption alone only defeats passive eavesdropping. If the client accepts any certificate, any host on the same network that can intercept the connection can present its own certificate and read the traffic, so the client should at least pin the thumbprint of the self-signed certificate it expects.
File Extensions Explained
.cer: X.509 Certificate file. The certificate associates a public key to identifying information of the entity.
.pvk: Stores the private key of the X.509 certificate.
.spc: Software publisher's certificate. A PKCS #7 container that holds one or more public X.509 certificates and no private keys.
.pfx: Personal Information Exchange file (PKCS #12). Stores the public certificate(s) and the matching private key(s), password-protected, in a single file.
Tools
Makecert : X.509 certificate (.cer) creation tool. It is available as part of Windows SDK.
Cert2Spc : Encapsulates X.509 certificates (.cer) in a Software publisher's certificate (.spc) file. It is available as part of Windows SDK.
Pvkimprt : Combines the private key (.pvk) with the public certificate (.spc) into a single Personal Information Exchange (.pfx) file. Available as a download from Microsoft.
Procedure
Here is how we can generate a self-signed certificate:
Step 1. Generate X.509 Self Signed Certificate
First we are going to generate the certificate that contains the public information and the corresponding private key to be used for encryption.
makecert -r -pe -n "CN=MyName" -b 01/01/2012 -e 01/01/2015 -sky exchange -sv TestCer.pvk TestCer.cer
-r : Generates a self-signed certificate.
-pe : Marks the generated private key as exportable.
-n : Certificate subject name. Make sure to start the name with CN=.
-b : Start of the certificate validity period (mm/dd/yyyy).
-e : End of the certificate validity period (mm/dd/yyyy).
-sky : Key type: exchange or signature. Use exchange for a key that will protect an SSL session.
-sv : Private key file name (.pvk).
For the .pvk and .cer files, you might want to provide absolute file names; otherwise they are created relative to the current working directory, which in a Windows SDK command prompt is usually the directory containing makecert.exe.
When the command executes, a prompt will appear asking you to create a password for the private key. Not only should you set a password, but you should also store the generated .pvk file in a secure place with limited access: anyone holding it can impersonate the server.
Step 2. Generate Software Publisher’s Certificate
In this step we will convert the .cer format public certificate to .spc format public certificate. The reason for doing this conversion is that the Pvkimprt utility that we are going to use next only works with .spc format public certificate.
cert2spc TestCer.cer TestCer.spc
Step 3. Generate Personal Information Exchange
Now we combine the public certificate and the private key in a single .pfx file. SslStream (and the other .NET APIs that need a certificate with its private key) expect an X509Certificate2 that carries a private key, and the simplest way to supply one is to load a Personal Information Exchange (.pfx) file.
Pvkimprt -pfx TestCer.spc TestCer.pvk
At this stage, a wizard will start. First we are prompted for the private key password; enter the same password that we created while generating the X.509 certificate in the first step. Then select the option to export the private key with the certificate. Because we have chosen to export the private key, we are prompted to protect it with a password (this is the password the .NET application will use to open the .pfx). Finally, specify where to store the generated PFX file, and we are done.
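The following is an added example, not code from the original post. It shows the in-code equivalent of the three steps above (a self-signed certificate with an exportable private key written to a password-protected .pfx, using .NET's CertificateRequest rather than makecert/cert2spc/pvkimprt) and then uses that .pfx with SslStream on both ends, which is the scenario from the introduction. The file name, password, port, loopback address and one-year validity are assumptions chosen for the example; CertificateRequest needs .NET Framework 4.7.2+ or .NET Core 2.0+. The client does not trust any CA, so instead of blindly returning true from the validation callback it pins the thumbprint of the self-signed certificate, which keeps the identity check that a self-signed setup otherwise loses.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class SelfSignedTlsDemo
{
    // Assumed values for the example; read the password from a secret store in practice.
    const string PfxPath = "TestCer.pfx";
    const string PfxPassword = "change-me";
    static readonly IPAddress ServerIp = IPAddress.Loopback; // the "known IP address" of the server
    const int Port = 8443;

    // Steps 1-3 in one call: self-signed certificate + private key, exported as a .pfx.
    static X509Certificate2 CreateAndExportPfx()
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=MyName", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // makecert -sky exchange => key may be used for key exchange; TLS also needs DigitalSignature.
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, critical: false)); // id-kp-serverAuth
        var san = new SubjectAlternativeNameBuilder();
        san.AddIpAddress(ServerIp); // modern clients match the SAN, not the CN
        req.CertificateExtensions.Add(san.Build());
        X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        File.WriteAllBytes(PfxPath, cert.Export(X509ContentType.Pfx, PfxPassword));
        return cert;
    }

    static async Task Main()
    {
        using X509Certificate2 created = CreateAndExportPfx();
        string pin = created.Thumbprint; // distributed to the client out of band

        // Load the .pfx the way the server does at startup. Default storage flags: Schannel
        // cannot use an ephemeral key, so X509KeyStorageFlags.EphemeralKeySet would break SslStream.
        using var serverCert = new X509Certificate2(PfxPath, PfxPassword);

        var listener = new TcpListener(ServerIp, Port);
        listener.Start();
        Task server = RunServerAsync(listener, serverCert);
        string reply = await RunClientAsync(pin);
        await server;
        listener.Stop();
        Console.WriteLine($"client received: {reply}");
    }

    static async Task RunServerAsync(TcpListener listener, X509Certificate2 cert)
    {
        using TcpClient tcp = await listener.AcceptTcpClientAsync();
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        // SslProtocols.None lets the OS choose its current defaults instead of hard-coding a version.
        await ssl.AuthenticateAsServerAsync(cert, clientCertificateRequired: false,
            enabledSslProtocols: SslProtocols.None, checkCertificateRevocation: false);
        byte[] buf = new byte[256];
        int n = await ssl.ReadAsync(buf, 0, buf.Length);
        byte[] resp = Encoding.UTF8.GetBytes("echo: " + Encoding.UTF8.GetString(buf, 0, n));
        await ssl.WriteAsync(resp, 0, resp.Length);
    }

    static async Task<string> RunClientAsync(string expectedThumbprint)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(ServerIp, Port);
        // A self-signed certificate always fails chain validation, so the callback sees
        // SslPolicyErrors. Returning true unconditionally would let any host on the
        // network impersonate the server; pinning the thumbprint keeps the identity check.
        RemoteCertificateValidationCallback validate = (sender, certificate, chain, errors) =>
        {
            if (certificate == null) return false;
            using var presented = new X509Certificate2(certificate);
            return string.Equals(presented.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        };
        using var ssl = new SslStream(tcp.GetStream(), false, validate);
        await ssl.AuthenticateAsClientAsync("MyName", null, SslProtocols.None, false);
        byte[] hello = Encoding.UTF8.GetBytes("hello");
        await ssl.WriteAsync(hello, 0, hello.Length);
        byte[] buf = new byte[256];
        int n = await ssl.ReadAsync(buf, 0, buf.Length);
        return Encoding.UTF8.GetString(buf, 0, n);
    }
}
```

Run it as a console application on Windows; it writes TestCer.pfx, starts the server on the loopback address and prints the echoed reply once the pinned handshake succeeds. Changing the thumbprint passed to RunClientAsync makes the handshake fail with an AuthenticationException, which is the behaviour you want when an unexpected certificate is presented.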