Certificate recipes

See also: all the recipes and the intro

See also my series of posts about the certificates. The recipes here partially overlap with the information from these posts.

# Machine Certificates
http://msdn.microsoft.com/en-us/library/windows/desktop/cc542475%28v=vs.85%29.aspx

# how to create certs in .NET
http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c

# how to create self-signed certs with makecert.exe
https://msdn.microsoft.com/en-us/library/ms733813%28v=vs.110%29.aspx

# cert EKU values
https://support.microsoft.com/en-us/kb/287547
http://stackoverflow.com/questions/10019412/certificates-oid-reference-for-extended-key-usages…


how to upload a machine cert to Azure

When you’re creating a VM with the Azure Resource Manager (“new Azure portal”) and want to connect to it through WinRM/PowerShell over HTTPS, you have to provide a machine certificate for it. In the old Azure it was easier: it would generate a cert on its own and would let you download its…


Certificates, Part 5: dealing with the CNG certificates

As described in Part 1, the certificates may belong to the classic “Crypto providers” and the new-style “Key Store Providers” (also known as CNG, Cert Next Generation). These CNG certificates don’t work well with the traditional .NET classes; for example, if you try to get the field PrivateKey, it will be returned as empty….


Certificates, part 4: PowerShell/WinRM remoting over HTTPS, and cert copying

To do the PowerShell remoting over HTTPS, the WinRM on the remote machine needs a certificate. If you join the machine to a domain, this certificate might be generated automatically, I haven’t tried. But for the non-domain-joined machines a self-signed certificate can be used instead. I’m going to create the cert on my work machine and…


Certificates, part 3: encryption and decryption by hand, and SecureString

Continuing the example from part 2, what if you don’t have the class EnvelopedCms, such as on the NanoServer in general and CoreCLR in particular? (BTW, that class will be added in the final Server 2016 release but it’s not available in the current preview.) Then you can construct the envelopes manually. In the simple case…


Certificates, part 2: encryption and decryption, and some about the cert store

To do the encryption and decryption with public/private keys, you need to start with getting a certificate. The easiest way is to generate a self-signed cert. The first thing to know is that the cert from the PowerShell command New-SelfSignedCertificate won’t work. It hardcodes the wrong crypto provider into the certs it generates. The wrong…


Certificates, part 1: what do they mean

I’ve recently learned about certificates on Windows, and I must say collecting the information about them wasn’t that easy. So I want to write down the summary while it’s fresh in my mind. It’s not the most exhaustive treatment but I hope that it’s a good quick introduction. First, what is a certificate? I hope…