Generate a certificate for Wcf service with windows server 2003

In the previous post, I showed how to setup authentication with membership in wsHttpBinding for a Wcf server, and in that post I showed how to use the utility makecert.exe to generate temporary certificates. In production environment you should generate certificates with a Certification Authority.

If you search in the internet how to generate a certificate with windows server 2003 CA, you find very little information, here is how I did it.

First of all install a CA in your server using this tutorial. If you have already a CA in your computer or domain you can skip this phase.

Now you need to generate the certificate, browse to the web page that is used to interact with the certification authority, it is usually installed in the default application, on a virtual application called certsrv. In my server I have the default application in port 8000 because port 80 is in use so my address is. http://localhost:8000/certsrv, you can check IIS to find where it is installed. When you access the home page you should press request a certificate


Then in the next page you must select advanced certificate request and in the next page Create and submit a request to this CA. Now you have a similar form.


The name part must be the dns name of your service, if you want to host in you must specify The type of certificate is Server Authentication Certificate and key usage must be Exchange, and finally you ask to store certificate in the local computer certificate store. Now press ok, and you will be redirect to  a page that tells you that a request was issued to this certification authority, and you need to wait for the request to be approved.

Now open mmc.exe, choose certification authority snap in, goes to the pending requests section, and issue the certificate.


Now the certificate is issued, return to the browser, go to initial page of the CA and press View the status of a pending certificate request you will be presented a  list of all request that are pending, you should see your previous request, if you select it you will find a page with a link install this certificate. You need to be an administrator to do it, and after you select that link you will find the certificate in the local computer/personal/certificates. Now install the wse 3.0 extension from microsoft, open the certificate tool and you will be presented a similar page


Choose local computer, and personal, press the open certificate button, select the new issued certificate and press ok. Now you see the detail of the certificate, press View private key file properties and give permission to read the private key to the user that is used to run the application pool. Now configure the wcf service as explained in the previous post and verify that everything is ok. To generate certificates for the clients, you can simply export the current certificate from the mmc certificate snap in.


Tags: WCF Certification Authority