Microsoft KB Archive/288897

= How To Set Up Test Certificates for SSL/TLS Application Development =

Article ID: 288897

Article Last Modified on 11/21/2006

-

APPLIES TO

 Microsoft Win32 Application Programming Interface, when used with:  Microsoft Windows 95

 Microsoft Windows 98 Standard Edition

 Microsoft Windows Millennium Edition

 Microsoft Windows NT 4.0</li></ul>

 Microsoft Windows 2000 Standard Edition</li></ul>

 Microsoft Windows XP Professional</li></ul> </li></ul>

-

<div class="notice_section">

This article was previously published under Q288897

<div class="summary_section">

SUMMARY
You must have certificates to be able to develop and test Secure Socket Layer (SSL) or Transport Layer Security (TLS) client and server applications. You can obtain suitable certificates from either third-party certificate vendors or through Microsoft Certificate Server.

<div class="moreinformation_section">

MORE INFORMATION
The Secure Socket Layer and Transport Layer Security protocols require that the SSL or TLS clients and servers that connect exchange certificates. Usually, certificates for Secure Socket Layer or Transport Layer Security connections are installed and retrieved prior to creation of the connections. On Windows-based computers, certificates are usually installed into a &quot;certificate store&quot; that is associated with a user account or with the local computer. Each user account, as well as the local computer, maintains a certificate store. Secure Socket Layer and Transport Layer Security client and server processes each run in a specified security context and have an associated certificate store.

For example, Secure Socket Layer servers often run as a service in the &quot;LocalSystem&quot; security context, but Secure Socket Layer clients usually run in the security context of the user who launched the client process. The security context that uses a certificate must &quot;trust&quot; the certificate authority (CA) that issued the certificate. A certificate authority is trusted by a security context when a certificate that is issued by the certificate authority is installed in either that user account or in the trusted root certificate store for the security context the server is running in.

Secure Socket Layer and Transport Layer Security servers must present a server authentication certificate to clients, which must be issued by a certificate authority that is trusted by the client. Usually this certificate is stored in the server's &quot;My&quot; (also called &quot;Personal&quot;) certificate store and is retrieved prior to the Secure Socket Layer or Transport Layer Security authentication. If the server process will run in the LocalSystem context, the server authentication certificate should be put in the My or Personal store of the local computer.

If Secure Socket Layer or Transport Layer Security client authentication is required, then the Secure Socket Layer or Transport Layer Security client must present a client authentication certificate to the server that was issued from a certificate authority that is trusted by the server. Usually the client authentication certificate is stored in the My or Personal certificate store of the security context that the client process will run in and is retrieved prior to the Secure Socket Layer or Transport Layer Security connection.

Using Certificate Server
Microsoft Windows 2000 Server includes Microsoft Certificate Server. To install Certificate Server, go to Control Panel, start the Add/Remove Programs utility, and then click 'Add/Remove Windows Components'. After installation, Certificate Server can act as a certificate authority and issue certificates for server and client authentication through Microsoft Internet Explorer and the Certificate Enrollment Control.

Certificate Server is also available for Microsoft Windows NT 4.0 Server. You can install it from the Windows NT 4.0 Server Option Pack, which is available from the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcedit98/HTML/vcsmpntoptionpack.asp

After you install the Option Pack, you must reinstall the latest Windows NT 4.0 Service Pack. After you install Certificate Server (Certsrv), Secure Socket Layer and Transport Layer Security clients and servers can request certificates through the Web address format: http:// /certsrv (where  is the name of the computer which Certificate Server is installed on).

The Certificate Enrollment Control needs Internet Explorer 5.0 or later to function correctly. To configure the Secure Socket Layer or Transport Layer Security client and server to trust Certificate Server as a certificate authority, retrieve the certificate authority certificate from Certsrv through the http:// /certsrv interface. The Certsrv home page provides an option for you to retrieve the certificate authority certificate. Select this option, click next, and then click Download CA certificate. Follow the wizard's instructions to download and install the certificate. A local administrator must install the certificate authority certificate on both the Secure Socket Layer or Transport Layer Security client system and the server system.

After you install the certificate authority certificate on both the Secure Socket Layer or Transport Layer Security client and server systems, use the Secure Socket Layer or Transport Layer Security server system to return to the Certsrv home page:
 * 1) Click Request a certificate, and then click Advanced Request.
 * 2) Click Request a certificate using a form.
 * 3) Fill in the certificate identification fields and make sure that the certificate's &quot;Intended Purpose&quot; is set to Server Authentication.
 * 4) Click Submit.

Note For Windows 95, Windows 98, Windows Millennium Edition, and Windows NT 4.0, you must also select Mark keys as exportable. If the Secure Socket Layer or Transport Layer Security server will run as a LocalSystem service or from a security context that will not have a personal user profile, select Use local machine store, click next, and then follow the wizard's instructions to install the certificate.

If Secure Socket Layer or Transport Layer Security client authentication is required, you must have a client authentication certificate installed on the client system. To install a client authentication certificate: from the Secure Socket Layer or Transport Layer Security client, go to the Certsrv home page and request a client authentication certificate. Use the same process as before, except in the certificate request form make sure the &quot;Intended Purpose&quot; of the certificate is set to Client Authentication. Also, do not select Use local machine store if you must place the certificate in the current user's My or Personal certificate store.

Using Third-Party Certificates
Additionally, test certificates may be available from third-party certificate vendors. Contact specific certificate vendors for information about purchase and use of test certificates.

Testing Certificates
You can use the Webclient and Webserver Secure Socket Layer and Transport Layer Security samples in the Microsoft Platform SDK to verify the installation of Secure Socket Layer or Transport Layer Security certificates. These samples create a Secure Socket Layer or Transport Layer Security connection to test if the certificates were created and installed correctly.

For more information, see the Readme.txt file that is available with these samples. You can download the Platform SDK from the following Microsoft Web site:

http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

Note If you want to use the Webclient and Webserver samples to verify the certificates, when you create the server authentication certificate you must make sure that the name in the certificate matches the name of the Secure Socket Layer or Transport Layer Security server that the Web client will connect to.

<div class="references_section">