Configuring ADAM for SSL on Windows XP without a certificate server using makecert.exe


I frequently run into situations where I need to configure my laptop to support some technology, without having a lot of server resources to depend on. Most recently, I configured a local instance of ADAM to support SSL. While the information on how to configure this is available, it is scattered across multiple sources. I figured it might be helpful to somebody to bring all of the information together in one place.

First you will want to download the Platform SDK. This will include the tools that you need.

With the Platform SDK installed, go to start -> all programs -> Microsoft Platform SDK for Windows Server 2003 SP-1 -> Open Build Environment Window -> Windows XP 32-bit Build Environment -> Set Windows XP 32-bit Build Environment (Retail). This will open up a command prompt with all of the necessary path variables set.

Now, you want to create a new root certificate using the makecert.exe utility. At the command line, enter the following:

makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"

This will create a root authority certificate, which you can use to sign new certificates. In fact, that’s exactly what we are going to do: generate a new certificate, signed by this root certificate, that is configured to support server authentication. At the command line, enter the following:

makecert -pe -n "CN=insert.fully.qualified.domain.name.here.com" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SSL.cer"

Now, both of these certificates have been created and installed to the local machine store. We need to make our root certificate a trusted root certificate, so we will open the Certificates MMC console. From the command line you have open, you can type mmc. Go to File -> Add/Remove Snap-in -> Add -> Certificates. Press the Add button. Select Computer account and click Next. Leave the default of Local computer and click Finish. Click Close and then click OK. If you drill down to Certificates (Local Computer) -> Personal -> Certificates, you should see both certificates. Move the root authority certificate (the first one you created) to Trusted Root Certification Authorities, and leave the server certificate in Personal. Now, you have a certificate that can be used for SSL with a trusted root authority.

Finally, you need to make sure the service account has read access to the certificate’s private key, which is stored under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. You can use Windows Explorer, but if you don’t want to leave your trusty command line, you can also use:

cacls "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" /e /t /c /g "NT AUTHORITY\NETWORK SERVICE":R

Note that this assumes that you accepted the default of Network Service when you installed ADAM. If not, then add read permissions to whichever account you did use.

Finally, you can restart the ADAM service from the services administrative tool.

Now, if you start up LDP, connect over port 636 with SSL selected (making sure you use the fully qualified domain name of your computer, which is required by the SSL standard), you should be connecting over a secured transport!
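The whole procedure above as one script, plus the LDAPS check that LDP does by hand. This is an added example, not code from the original post; it assumes makecert.exe is on the PATH (the Platform SDK build window), local administrator rights, the default NETWORK SERVICE account for ADAM, and a placeholder instance service name.

```powershell
# Added example, not from the original post. Assumptions: makecert.exe on PATH,
# run as a local administrator, ADAM running as NETWORK SERVICE.
param(
    [string]$Fqdn = "insert.fully.qualified.domain.name.here.com",
    [string]$AdamService = "ADAM_instancename"   # placeholder: ADAM_<your instance name>
)
$rootName = "Test and Dev Root Authority"

# Step 1: self-signed root with a signature key, written to LocalMachine\My.
& makecert -pe -n "CN=$rootName" -ss my -sr LocalMachine -a sha1 -sky signature -r "$rootName.cer"

# Step 2: server certificate for the FQDN, issued by the root, with the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) and an exchange key in the SChannel CSP.
& makecert -pe -n "CN=$Fqdn" -ss my -sr LocalMachine -a sha1 -sky exchange `
    -eku 1.3.6.1.5.5.7.3.1 -in $rootName -is MY -ir LocalMachine `
    -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SSL.cer"

# Step 3: move only the root from Personal to Trusted Root Certification Authorities.
# The server certificate stays in Personal, which is where SChannel looks for it.
$personal = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$trusted  = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$personal.Open("ReadWrite"); $trusted.Open("ReadWrite")
$root = @($personal.Certificates | Where-Object { $_.Subject -eq "CN=$rootName" })[0]
if ($root -eq $null) { throw "Root certificate not found in LocalMachine\My" }
$trusted.Add($root)
$personal.Remove($root)
$personal.Close(); $trusted.Close()

# Step 4: read access on the machine key containers for the service account.
$keyDir = Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys"
cacls $keyDir /e /t /c /g "NT AUTHORITY\NETWORK SERVICE:R"

# Step 5: restart the instance so it picks up the new certificate.
Restart-Service -Name $AdamService

# Step 6: LDAPS bind on 636. SChannel validates the server certificate against the
# LocalMachine\Root store and checks that $Fqdn matches the certificate's CN, so a
# successful Bind() proves the chain and the name are both right.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, 636)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()   # throws LdapException if the TLS handshake or the bind fails
Write-Host "LDAPS bind to ${Fqdn}:636 succeeded"
```

If Bind() fails with a certificate error rather than an authentication error, the chain or the name is wrong; re-check that the root sits in Trusted Root Certification Authorities and that the CN is the machine's full DNS name.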

Comments (25)

  1. Anthony Yott says:

    Chris,

    I need to test SSL on ADAM locally as well. In trying to follow your posting, I’m getting an error when executing the second command line (e.g., makecert -pe -n "CN=" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA Channel Cryptographic Provider" -sy 12 "Test and Dev SLL.cer")

    The error is:

    Error: Can't create the key of the subject ('09850575-88d4-46fa-a8ed-0ea20583f1e9')

    Failed

    Any ideas?

    Thank you for the blog post.

    Anthony

  2. cjacks says:

    Hi Anthony,

    I had one typo (should be -sp "Microsoft RSA SChannel Cryptographic Provider") and I had put in the fact that -n "CN=" should contain the fully qualified domain name inside of XML angle brackets, which apparently were stripped out. If you put the fully qualified domain name of the machine here, that should get things working.

  3. First of all – nice post – very helpful and well written!

    I got through all the steps without errors – but when I used ldp over 636 – I get a message "Cannot Connect"

    Also the statement "Move the root certificate to Trusted Root Certificate Authorities. Move the root authority to Trusted Root Certification Authorities" is confusing. I could only find a TR Certification Authorities folder – but not a TR Certificate Authorities folder. Any ideas? I put both certs into the TR Certification Authorities Folder.

    I’ll try the steps again and see if something’s different…

  4. Looks like it’s working now… I got confuzzled on the statement "Move the root certificate to Trusted Root Certificate Authorities. Move the root authority to Trusted Root Certification Authorities"

    When I moved only the root certificate to Trusted Root Certificate Authorities cert store – and left the other as-is in the Personal cert store – it worked fine and connected over SSL.

    Thanks for the post – it was extremely helpful!

  5. Jesse says:

    Chris, Thank you so much for posting this.  I’d been pulling my hair out for two days trying to use selfssl.exe and couldn’t get it to work.  Beautiful instructions with all the parameters.

  6. dino says:

    for the first time i run these two is ok

    makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"

    makecert -pe -n "CN=insert.fully.qualified.domain.name.here.com" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SLL.cer"

    but when i try to run this command line again like:

    makecert -pe -n "CN=CA root" -ss my -sr LocalMachine -a sha1 -sky signature -r "CA root.cer"

    the prompt likes below

    Error: Can't create the key of the subject ('37cfe831-acf7-4506-acad-6a03f7de7d4a')

    Failed

    what’s wrong???

    thank you for your help~!

  7. dino says:

    my OS:windows XP SP2

  8. cjacks says:

    I am not sure what the issue is. I copied and pasted that exact command into an elevated command prompt, and it succeeded. Have you checked to ensure that you don’t already have a certificate with that name?

  9. dino says:

    ya, i tried some different names, no matter what name i used, the issue is still the same. I guess something is wrong with my OS. I wanna know what could be changed after running makecert.exe; if you know, then i think i could reset those changes to default.

  10. cjacks says:

    Unfortunately I learned just enough about makecert.exe to provide me with a self-signed certificate while I was on the road. Using Certificate Services is much easier! Have you tried the newsgroups? microsoft.public.platformsdk.tools might be a place to start. I wish I knew more about what might be causing this particular issue…

  11. dino says:

    hehe, thanks anyway, cheers mate

  12. Craig Boland says:

    I get the same behavior whereby running the makecert.exe commands works the first time, but fails thereafter with the "Can’t create the key of the subject …" error.

    I’ve uninstalled the two certificates (from the Certificates snapin) that were created and deleted the cert files in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

    Error still occurs.

  13. Craig Boland says:

    I’ve made a little headway with the "Can’t create the key of the subject …" error. From the command for Step 1, I removed the -ss and -sr options. This successfully created the CA certificate file which I then imported manually into Trusted Root Certificate Authorities of Local Computer with the Certificates snapin. I can see the imported cert and it appears to be fully trusted.

    I then tried the same thing for the Step 2 command (removing -ss and -sr options). The cert file was created, but the issuing authority is called Root Agency so the cert isn’t trusted.

    My question now is how did it get issued by Root Agency?

    Here are my two exact commands:

    makecert -pe -n "CN=Test and Dev Root Authority" -a sha1 -sky signature -r "Test and Dev Root Authority.cer"

    makecert -pe -n "CN=eci.pier1.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "Test and Dev SSL.cer"

  14. jondb says:

    I was able to produce both certificates, but got confused on which one was the root authority?  The certificate created in Step1 or Step2.  So I removed both certificates.  I’m now getting the following error when I try to start over.

    -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority.cer"

    Error: Can't create the key of the subject ('65b00bec-d7ee-4d38-84da-6d4ee95364eb')

    Failed

    Also the certificate created in step2, I was unclear on if I should include my machine name like

    jon.somedomain.somecompany.com

    Any ideas on my issues.

  15. sakito says:

    Thanks a million!

    Great and very useful posting!

    Sakito

  16. Joseph says:

    Excellent information! Thanks much!

  17. Scott Anderson says:

    We encountered the "Error: Can’t create the key of the subject" error and were able to resolve it by fixing the permissions on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA folder. Somehow the Administrators group privileges had been reduced to Special Permissions only. Adding back Full Control resolved the situation.

  18. Vincent TARDIF says:

    I did all that was described in the blog post.

    Certificates were well generated and well imported, permissions on the MachineKeys directory were well set but I still can’t connect on the 636 port with SSL.

    I use my machine FQDN to connect: machinename.domain.com.

    I’m running on Windows XP Pro SP2 in French, so the network service account is called "SERVICE RÉSEAU" instead of "NT AUTHORITY\NETWORK SERVICE".

    Has anyone had the same problem?

  19. PeBo says:

    Anyone know how to do this if the web server and ADAM server are not the same physical machine?

    The example above seems to install SSL for a local machine.

  20. Erlend says:

    You should use the free microsoft tool winhttpcertcfg.exe to set certificate permissions instead of setting it on all files in the directory with cacls.

  21. seree says:

    Can I use command line to move "Root Agency" into Trusted Certificate Authority folder?

    Thanks!

    Seree W.