One-time set up for WWSAPI security examples

Nikola asked me to write a post on how to set up machine to run our security examples. Here it goes.


To run WWSAPI security examples (like the one doing Basic authentication over SSL), you need to set up the client and server certificates for SSL and a local user account for HTTP header authentication. Before you start, you’ll need to get these tools:

1.       MakeCert.exe: available in Windows 7 SDK.

2.       CertUtil.exe or CertMgr.exe: CertUtil.exe comes with the Windows Server 2003 and above; CertMgr.exe is available in Windows 7 SDK. You only need one of them.

3.       HttpCfg.exe: You only need this if you are using Windows 2003 or XP. This tool is available in Windows XP SP2 Support Tools and also comes with the Windows Server 2003 Resource Kit Tools CD.

If you get the WWSAPI examples by installing Windows 7 SDK, you can find the MakeCert.exe and CertMgr.exe under %ProgramFiles%\Microsoft SDKs\Windows\v7.0\bin.


Step-by-step setup in 5 steps from a command prompt (elevated if you are using Windows Vista and above):

1.       Generate a self-signed certificate to be the certificate authority (CA) or issuer:

MakeCert.exe -ss Root -sr LocalMachine -n “CN=Fake-Test-CA” -cy authority -r -sk “CAKeyContainer”


2.       Generate a server certificate using the previous certificate as the issuer:

MakeCert.exe -ss My -sr LocalMachine -n “CN=localhost” -sky exchange -is Root -ir LocalMachine -in Fake-Test-CA -sk “ServerKeyContainer”


3.       Find the thumbprint (a 40-character SHA-1 hash) of the server certificate: run either of the following commands and search for the certificate named localhost with issuer Fake-Test-CA

CertUtil.exe -store My localhost

CertMgr.exe -s -r LocalMachine My


4.       Register the server certificate’s thumbprint with no spaces with HTTP.SYS:

                                i.            On Windows Vista and above (the appid option is an arbitrary GUID):

Netsh.exe http add sslcert ipport= appid={00112233-4455-6677-8899-AABBCCDDEEFF} certhash=<40CharacterThumbprint>


                              ii.            On Windows XP or 2003:

HttpCfg.exe set ssl -i -h <40CharacterThumbprint>


5.       Create a local user:

Net user “TestUserForBasicAuth” “TstPWD@*4Bsic” /add


To clean up the certificates, SSL certificate binding and the user created above, run the following commands. Note if there are multiple certificates of the same name, CertMgr.exe will need your input before deleting them.

CertMgr.exe -del -c -n Fake-Test-CA -s -r LocalMachine Root

CertMgr.exe -del -c -n localhost -s -r LocalMachine My

Netsh.exe http delete sslcert ipport= (or HttpCfg.exe delete ssl -i

Net user “TestUserForBasicAuth” /delete


Troubleshooting note: Make sure there is only one root certificate named Fake-Test-CA. If you are unsure, it’s always safe to try to clean up these certificates using the cleanup commands above (and ignore errors) before starting the 5-step setup.


Additional resources:

How to View Certificates with the MMC Snap-in

Configure HTTP and HTTPS

How to: Configure a Port with an SSL Certificate


Comments (3)

  1. Below you may find links to resources available for connecting C/C++ code and Web Services using Windows

  2. The Kerberos over SSL samples (like the calculator one ) demonstrate WWSAPI mixed mode security that

  3. Just a quick note that over on on haoxu’ s “Lost in History” blog is a posting about how to create and