HealthVault and certificates

  • Article

One of the confusing parts about HealthVault development has to do with certificates. If you've never worked with certificates, you might want to read this.

Under HealthVault, information is controlled based on three keys

  • The user id
  • The record id
  • The application id

The user id is determined by who is logged into HealthVault. The record id identifies a specific health record, and is necessary because HealthVault allows "custodial" access (my mother might grant me access to her record, for example).

The application id uniquely identifies an application to the HealthVault server, but the application id isn't enough for the server to know that the application id *really* came from the application that we think it was.

That authentication is provided using a certificate that is registered by the server. Through a bit of public/private key magic, the HealthVault server can authenticate that the request really is coming from the proper application.

That has a few consequences for application development.

First, it means that you need to use an application id and certificate that the server recognizes to do your development. The development server recognizes the application id and certificates for the sample apps, so you are free to use those during your initial development.

That certificate must be registered and accessible to the web server process that's running on the machine. If you look in the 'cert' directory of the samples, you'll find a readme that explains this. Note that if you are developing with the VS web server, you need to grant NETWORK_SERVICE the access, while if you're using IIS, you need to grant access to ASPNET.

Using one of the sample certificates is what we call the "anonymous development scenario".

I omitted many details, but that's the basic idea.