My First Tryst with Certificates
Authentication is done with certificates and follows a three-step process –
1. Create the certificate – using the makecert utility or manually
2. Upload the certificate file (.cer) on the Azure Portal
3. Attach the certificate to the HTTP request – using the .cer file or the certificate's thumbprint
The utility I created worked perfectly fine and one of my colleagues also wanted to use it. I shared the executable and certificate (.cer file) with him. He installed the certificate and provided the thumbprint of the certificate to use the utility. When he executed a request, it gave the error "The remote server returned an error: (403) Forbidden".
On further investigation I found that this issue occurs because the other system did not have the private key of the certificate. Installing a .cer file places only the public certificate in the certificate store; the private key is not in that file, so nothing installs it. Azure authenticates a management request through TLS client authentication: during the handshake the client has to prove possession of the private key matching the certificate it presents, and a certificate in the store without its private key cannot do that, so effectively no client certificate is presented. Therefore, when the user attaches the thumbprint of this installed certificate, or the .cer file itself, to the request, the response is Forbidden, even though the certificate is the very same one uploaded to Azure: holding the public certificate proves nothing, only the private key does. The diagram below shows both scenarios; first: when the user has both the public key and the private key, and second: when the user has only the public key –
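A check that makes this failure visible before the request leaves the machine, written in PowerShell as an added example (it is not code from the original utility). It loads the certificate by thumbprint from the current user's personal store, refuses to continue when the store holds only the public part, and otherwise attaches the certificate to a Service Management request. The subscription ID, thumbprint and the `services/hostedservices` path are placeholders; the `x-ms-version` header and the `management.core.windows.net` host are the ones the Service Management API uses.

```powershell
# Added example, not the original post's code. Fails fast with a clear message when the
# store has only the .cer, instead of a 403 Forbidden from Azure after the TLS handshake.

function Get-ManagementCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    # Thumbprints pasted from certmgr.msc often carry spaces; normalise before comparing.
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in $StorePath."
    }
    # HasPrivateKey is what separates the two cases in the diagram: importing a .cer
    # leaves it False, importing the .pfx (with its password) makes it True.
    if (-not $cert.HasPrivateKey) {
        throw ("Certificate $thumb is installed without its private key (only a .cer was imported). " +
               "TLS client authentication cannot complete with it; import the .pfx instead.")
    }
    return $cert
}

function Invoke-AzureServiceManagement {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,   # placeholder value supplied by caller
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Path = 'services/hostedservices'          # assumed example operation
    )
    $cert = Get-ManagementCertificate -Thumbprint $Thumbprint
    $uri  = "https://management.core.windows.net/$SubscriptionId/$Path"
    try {
        # -Certificate attaches the certificate, and through it the private key, to the TLS handshake.
        $resp = Invoke-WebRequest -Uri $uri -Certificate $cert -UseBasicParsing `
                    -Headers @{ 'x-ms-version' = '2014-06-01' }
        return [pscustomobject]@{ Status = [int]$resp.StatusCode; Body = $resp.Content }
    } catch {
        # Non-2xx answers surface as an exception; report the status (403 in the scenario above).
        $status = -1
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        return [pscustomobject]@{ Status = $status; Body = $_.Exception.Message }
    }
}

# Usage (placeholders):
# Invoke-AzureServiceManagement -SubscriptionId '00000000-0000-0000-0000-000000000000' -Thumbprint '<thumbprint>'
```

Running `Get-ManagementCertificate` alone is a quick way to compare two machines: on the one that imported the .pfx it returns the certificate, on the one that imported the .cer it throws the "without its private key" message.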
So the problem is: how do I share my certificate with others so that they can authenticate their requests to perform an operation, specifically in distributed development scenarios.
The solution we implemented is to export the certificate along with its private key. The steps are –
1. Create the certificate with an exportable private key – the -pe option of the makecert utility
2. While exporting the certificate, select the "export the private key" option and the .pfx format
3. Provide a password and generate the .pfx file
4. Share this .pfx file with the team, and the password separately
5. They have to provide the same password while installing this certificate
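The five steps end to end as an added PowerShell example (this is not the original post's script). `$certName` and the file names are placeholders; the makecert line is the form the Azure management-certificate documentation used, with sha256 in place of sha1, and `New-SelfSignedCertificate` is shown as the in-box alternative. The last lines show why the .cer alone was never going to work: a certificate loaded from a .cer reports no private key.

```powershell
# Added example, not code from the original post. Run steps 1-3 on the certificate owner's
# machine and step 5 on each team member's machine; names and paths are placeholders.
$certName = 'AzureMgmtTeam'

# Step 1: create the certificate in CurrentUser\My with an exportable private key (-pe).
makecert -sky exchange -r -n "CN=$certName" -pe -a sha256 -len 2048 -ss My "$certName.cer"
# Alternative without makecert (Windows 8.1 / Server 2012 R2 and later):
# New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation Cert:\CurrentUser\My `
#     -KeyExportPolicy Exportable -KeySpec KeyExchange -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)

$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$certName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1

# The .cer (public certificate only) is the file that gets uploaded to the portal.
Export-Certificate -Cert $cert -FilePath "$certName.cer" | Out-Null

# Steps 2-3: export certificate plus private key as a password-protected .pfx.
$pfxPassword = Read-Host -Prompt "Password for $certName.pfx" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$certName.pfx" -Password $pfxPassword | Out-Null

# Step 4: hand the .pfx to the team; send the password over a different channel than the file.

# Step 5 (team member's machine): import with the same password. Without -Exportable the key is
# stored as non-exportable, so it cannot simply be re-exported onward from that machine.
$imported = Import-PfxCertificate -FilePath "$certName.pfx" `
                -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
$imported.HasPrivateKey   # True: requests using this thumbprint can complete TLS client auth

# For contrast, what the colleague originally received: the .cer carries no private key at all.
$cerPath    = (Resolve-Path "$certName.cer").Path
$publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$publicOnly.HasPrivateKey # False: installing this gives the 403 Forbidden case
```

The thumbprint the team members need for the utility is `$imported.Thumbprint`, which is identical to `$cert.Thumbprint` on the owner's machine, since the thumbprint is a hash of the certificate, not of the key pair's private half.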
Now they can also use the application with the same certificate, although using the certificate programmatically may prompt for a password every time the private key is used. That prompt comes from strong private key protection on the key: the Certificate Import Wizard turns it on through the checkbox "Enable strong private key protection", and the local security policy called "System Cryptography: Force strong key protection for user keys stored on the computer" forces it for every user key when set to "User must enter a password each time they use a key". The prompt can be suppressed machine-wide by changing that policy to "User input is not required when new keys are stored and used"; however this is not recommended, because any code running as that user can then use every key in the user's store silently. Importing the .pfx with the checkbox left unchecked (Import-PfxCertificate has no such option and does not enable it) avoids the prompt for this one key without loosening the policy. Two further points worth keeping in mind: whoever holds the .pfx and its password holds whatever rights the certificate has on the subscription, so send the password through a different channel than the file; and since a subscription accepts many management certificates, giving each team member their own certificate to upload lets one person's key be removed from the portal without re-issuing everyone else's.

