X.509 Certificate Management in .NET
By Vishnu Kamisetty

Overview of the topic
1. General discussion
2. X.509 in .NET
3. Certificate management tools
4. Web services and X.509
Terminology
Public keys: numbers associated with a particular entity, intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.
Digitally signed: data that has been stored together with the identity of an entity and a signature proving that the entity vouches for the data. Signing with the entity's private key makes the data unforgeable by anyone who does not hold that key.
Identity: a known way of addressing an entity. In some systems the identity is the public key itself; in others it can be anything from a Unix UID to an e-mail address to an X.509 Distinguished Name.

Terminology (contd.)
Signature: a value computed over some data using the private key of an entity (the signer).
Private keys: numbers, each of which is supposed to be known only to the entity whose private key it is (that is, it is kept secret). Private and public keys exist in pairs in all public key cryptography systems (also called public key crypto systems). In a typical public key crypto system such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
Entity: a person, organization, program, computer, business, bank, or something else you are trusting to some degree.
X.509 certificates in general
What is a certificate? A public-key certificate is a digitally signed statement from one entity saying that the public key (and some other information) of another entity has some specific value. A certificate binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. This lets two entities that do not know each other establish trust through a CA they both trust. The X.509 standard defines what information can go into a certificate and describes how to write it down (the data format).

Properties of X.509 certificates
An X.509 certificate has the following fields:
1. Version
2. Serial Number
3. Signature Algorithm Identifier
4. Issuer Name
5. Validity Period
6. Subject Name
7. Subject Public Key Information
(Version 3 certificates also carry Extensions, such as Key Usage and Basic Constraints, and the whole structure is covered by the issuer's signature.)
Actions to be performed on certificates:
1. Generate
2. Display
3. Import
4. Export
5. Access
6. Manage
(Java API: CertificateFactory, Certificate, CRL, X509Certificate, X509Extension, etc.)
X.509 Certificates in .NET
a. Managing X.509 certificates
b. Signing a SOAP message using an X.509 certificate
c. Verifying digital signatures of SOAP messages signed by an X.509 certificate
d. Encrypting a SOAP message using an X.509 certificate
e. Decrypting a SOAP message encrypted with an X.509 certificate

Managing X.509 Certificates
Obtain an X.509 certificate.
Use the X.509 certificate management tools.
Make X.509 certificates accessible to WSE.
Specify the certification authority certificate chain used to verify signatures.
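The actions listed on the "Properties" slide (generate, display, import, export, access, manage) and the trust-chain step above, as an added example that is not part of the original slides. It uses the .NET base class library (System.Security.Cryptography.X509Certificates, .NET 6 or later) rather than the WSE tooling; every subject name, password and file content here is constructed for the demo.

```csharp
// Added example, not from the slides: the generate / display / export / import /
// access / manage actions with the .NET BCL
// (System.Security.Cryptography.X509Certificates, .NET 6 or later).
// All subject names and the PFX password are constructed for the demo.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertLifecycle
{
    // Generate: a private CA plus a leaf certificate it issues, with the
    // extensions a verifier actually checks (Basic Constraints, Key Usage, EKU).
    public static (X509Certificate2 Ca, X509Certificate2 Leaf) GenerateChain()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using RSA caKey = RSA.Create(3072);
        var caReq = new CertificateRequest("CN=Example Test CA, O=Example", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        X509Certificate2 ca = caReq.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(5));

        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=service.example.test, O=Example", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        leafReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // the serial is a DER INTEGER and must stay positive
        using X509Certificate2 leafPublic = leafReq.Create(ca, now.AddMinutes(-5), now.AddYears(1), serial);
        return (ca, leafPublic.CopyWithPrivateKey(leafKey));
    }

    // Display: the seven fields from the "Properties" slide, plus a thumbprint.
    public static string Describe(X509Certificate2 cert) =>
        $"Version:    {cert.Version}\n" +
        $"Serial:     {cert.SerialNumber}\n" +
        $"SigAlg:     {cert.SignatureAlgorithm.FriendlyName}\n" +
        $"Issuer:     {cert.Issuer}\n" +
        $"Validity:   {cert.NotBefore:u} to {cert.NotAfter:u}\n" +
        $"Subject:    {cert.Subject}\n" +
        $"Public key: {cert.PublicKey.Oid.FriendlyName} {cert.GetRSAPublicKey()?.KeySize} bit\n" +
        $"SHA-256:    {cert.GetCertHashString(HashAlgorithmName.SHA256)}";

    // Access: look a certificate up by thumbprint in the user's Personal store.
    // Subject and friendly name are not unique and are attacker-chosen in a
    // self-signed certificate, so never select by those alone.
    public static X509Certificate2 FindInStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        return hits.Count == 1 ? hits[0] : null;
    }

    // Manage trust: validate the leaf against an explicit anchor rather than the
    // machine's root store, and never with AllowUnknownCertificateAuthority,
    // which accepts any self-signed certificate.
    public static bool ChainsToAnchor(X509Certificate2 leaf, X509Certificate2 anchor)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(anchor);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // demo CA publishes no CRL; use Online in production
        bool ok = chain.Build(leaf);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  chain status: {status.Status} {status.StatusInformation}");
        return ok;
    }

    public static void Main()
    {
        var (ca, leaf) = GenerateChain();
        Console.WriteLine(Describe(leaf));

        // Export: PFX carries the private key, so it is password protected;
        // DER (.cer) is the public half you hand to relying parties.
        const string pfxPassword = "demo-only-password"; // constructed
        byte[] pfx = leaf.Export(X509ContentType.Pfx, pfxPassword);
        byte[] cer = leaf.Export(X509ContentType.Cert);
        leaf.Dispose();

        // Import: on .NET 9 this constructor is marked obsolete in favour of
        // X509CertificateLoader.LoadPkcs12, but it still works.
        using var imported = new X509Certificate2(pfx, pfxPassword, X509KeyStorageFlags.DefaultKeySet);
        using var publicOnly = new X509Certificate2(cer);
        Console.WriteLine($"PFX has private key: {imported.HasPrivateKey}, .cer has private key: {publicOnly.HasPrivateKey}");

        Console.WriteLine($"installed in CurrentUser\\My: {FindInStore(imported.Thumbprint) != null}");
        Console.WriteLine($"chains to our CA: {ChainsToAnchor(publicOnly, ca)}");
        var (otherCa, otherLeaf) = GenerateChain();
        Console.WriteLine($"chains to an unrelated CA: {ChainsToAnchor(publicOnly, otherCa)}");
        foreach (var c in new[] { ca, otherCa, otherLeaf }) c.Dispose();
    }
}
```

The leaf is validated through its DER export, the form a relying party actually receives, and the negative check against a second CA shows that CustomRootTrust really pins trust to the anchor you supply instead of the machine store.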
Signing a SOAP Message Using an X.509 Certificate
1. Obtain the X.509 certificate.
2. Create a custom policy assertion.
3. Override the SecureMessage method.
4. Add references.
5. Add Imports.
6. Add code to get an X.509 certificate.
7. Get the client's X.509 certificate.
8. Add the X.509 certificate to the message (as an X509SecurityToken).
9. Create a new instance of the MessageSignature class.
10. Add the digital signature to the SOAP header.

Verifying Digital Signatures of SOAP Messages
Configure WSE to validate digital signatures for incoming SOAP messages.
Use code to require that incoming SOAP messages are signed using an X.509 certificate and that the signature covers the required XML elements.
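The signing steps and the verification requirements above, as an added example that is not the slides' WSE 3.0 code. Instead of the WSE MessageSignature API it uses the XML-DSig implementation in System.Security.Cryptography.Xml (the NuGet package of the same name on .NET 6+), which is the signature format WS-Security wraps. The sample envelope, subject names and element names are constructed; WS-Security references the Body by wsu:Id, whereas SignedXml resolves a plain Id attribute by default, so the sample uses a plain Id.

```csharp
// Added example, not the slides' WSE 3.0 code: sign a SOAP Body with an X.509
// certificate and verify it with the XML-DSig classes in
// System.Security.Cryptography.Xml. Sample message and names are constructed.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SoapSigning
{
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";

    // Constructed sample request. SignedXml resolves a plain Id attribute;
    // WS-Security's wsu:Id would need a GetIdElement override.
    const string Request =
        "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Header/>" +
        "<s:Body Id=\"Body\"><Transfer xmlns=\"urn:example:bank\">" +
        "<To>ACC-42</To><Amount>1000</Amount></Transfer></s:Body></s:Envelope>";

    // Sender: sign the Body, embed the signer certificate in KeyInfo and put
    // the Signature in the Header (WS-Security wraps it in wsse:Security).
    public static XmlDocument Sign(string envelope, X509Certificate2 signer)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(envelope);
        using RSA key = signer.GetRSAPrivateKey();
        var signed = new SignedXml(doc) { SigningKey = key };
        signed.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signed.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("#Body") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signed.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signer));
        signed.KeyInfo = keyInfo;
        signed.ComputeSignature();
        var header = (XmlElement)doc.GetElementsByTagName("Header", SoapNs)[0];
        header.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc;
    }

    // Receiver: verify against the certificate we EXPECT, not whatever the
    // sender embedded in KeyInfo. CheckSignature() with no arguments trusts
    // the embedded key, so anyone could re-sign the message with their own cert.
    public static bool Verify(XmlDocument doc, X509Certificate2 expectedSigner)
    {
        XmlNodeList signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)signatures[0]);
        // The signature must cover the Body: a valid signature over some other
        // element proves nothing about the request being processed.
        bool coversBody = signed.SignedInfo.References.Cast<Reference>().Any(r => r.Uri == "#Body");
        return coversBody && signed.CheckSignature(expectedSigner, verifySignatureOnly: true);
    }

    static X509Certificate2 SelfSigned(string subject)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        using X509Certificate2 client = SelfSigned("CN=client.example.test");
        using X509Certificate2 other = SelfSigned("CN=someone-else");
        XmlDocument signedDoc = Sign(Request, client);
        Console.WriteLine($"valid, expected signer: {Verify(signedDoc, client)}"); // True
        Console.WriteLine($"valid, wrong signer:    {Verify(signedDoc, other)}");  // False
        XmlNode amount = signedDoc.GetElementsByTagName("Amount", "urn:example:bank")[0];
        amount.InnerText = "1000000";
        Console.WriteLine($"valid after tampering:  {Verify(signedDoc, client)}"); // False
    }
}
```

The two checks in Verify are the ones the verification slide asks for: the signature must come from a known certificate, and it must cover the elements the service acts on, which is why the method inspects the Reference URIs instead of accepting any signature that happens to validate.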
Encrypting a SOAP Message Using an X.509 Certificate
Obtain the recipient's X.509 certificate.
Install the recipient's X.509 certificate.
Create a custom policy assertion.
Override the SecureMessage method.
Add references to the Microsoft.Web.Services3 and System.Web.Services assemblies.
Add Imports.
Add code to get an X.509 certificate.
Encrypt and optionally sign the SOAP message.

Decrypting a SOAP Message Encrypted with an X.509 Certificate
Include the ... element in the ... section of the configuration file.
Apply a policy to the Web service that requires SOAP messages to be encrypted with an X.509 certificate.

Examples
Verify that incoming SOAP messages are signed using an X509SecurityToken security token.
Sign and encrypt a SOAP request to a Web service.
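The encrypt and decrypt procedures from the two slides above, as an added example that is not the slides' WSE 3.0 code. It uses XML Encryption from System.Security.Cryptography.Xml (the NuGet package of the same name on .NET 6+), which is what WS-Security carries inside its Security header; the sample message and subject names are constructed. The decrypt side is written out by hand instead of calling EncryptedXml.DecryptDocument(), because that method finds the private key by searching the CurrentUser\My store for the certificate named in KeyInfo (the "install the recipient's certificate" step), which would not run stand-alone.

```csharp
// Added example, not the slides' WSE 3.0 code: encrypt a SOAP Body payload to a
// recipient's X.509 certificate and decrypt it with the matching private key,
// using XML Encryption from System.Security.Cryptography.Xml. Sample message
// and names are constructed.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SoapEncryption
{
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Request =
        "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Header/>" +
        "<s:Body><Transfer xmlns=\"urn:example:bank\"><To>ACC-42</To><Amount>1000</Amount>" +
        "</Transfer></s:Body></s:Envelope>";

    // Sender: needs only the recipient's public certificate. The Body element
    // stays in clear so the envelope is still routable; its content is replaced
    // by <EncryptedData> carrying an RSA-wrapped AES-256 session key.
    public static XmlDocument Encrypt(string envelope, X509Certificate2 recipientPublic)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(envelope);
        var body = (XmlElement)doc.GetElementsByTagName("Body", SoapNs)[0];
        var payload = (XmlElement)body.FirstChild;
        EncryptedData encrypted = EncryptedXml.Encrypt(payload, recipientPublic);
        EncryptedXml.ReplaceElement(payload, encrypted, false);
        return doc;
    }

    // Recipient: unwrap the session key with our private key, then the payload.
    public static XmlDocument Decrypt(XmlDocument doc, X509Certificate2 recipientWithKey)
    {
        var encElem = (XmlElement)doc.GetElementsByTagName("EncryptedData", EncryptedXml.XmlEncNamespaceUrl)[0];
        var encrypted = new EncryptedData();
        encrypted.LoadXml(encElem);
        EncryptedKey wrappedKey = null;
        foreach (KeyInfoClause clause in encrypted.KeyInfo)
            if (clause is KeyInfoEncryptedKey kek) wrappedKey = kek.EncryptedKey;
        if (wrappedKey == null) throw new CryptographicException("no EncryptedKey in KeyInfo");

        // The algorithm identifiers are attacker-controlled input: accept only what
        // the service agreed on. The static Encrypt() above wraps the key with RSA
        // PKCS#1 v1.5; if you build the EncryptedKey yourself, use RSA-OAEP
        // (XmlEncRSAOAEPUrl, useOAEP: true) and reject rsa-1_5 here instead.
        if (encrypted.EncryptionMethod?.KeyAlgorithm != EncryptedXml.XmlEncAES256Url ||
            wrappedKey.EncryptionMethod?.KeyAlgorithm != EncryptedXml.XmlEncRSA15Url)
            throw new CryptographicException("unexpected encryption algorithm");

        using RSA privateKey = recipientWithKey.GetRSAPrivateKey();
        byte[] sessionKey = EncryptedXml.DecryptKey(wrappedKey.CipherData.CipherValue, privateKey, false);
        try
        {
            using Aes aes = Aes.Create(); // CBC + PKCS#7 by default, matching aes256-cbc
            aes.Key = sessionKey;
            var exml = new EncryptedXml(doc);
            byte[] plaintext = exml.DecryptData(encrypted, aes);
            exml.ReplaceData(encElem, plaintext);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(sessionKey);
        }
        return doc;
    }

    static X509Certificate2 SelfSigned(string subject)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        using X509Certificate2 recipient = SelfSigned("CN=service.example.test");
        // What the sender holds: the DER export, which carries no private key.
        using var recipientPublic = new X509Certificate2(recipient.Export(X509ContentType.Cert));
        XmlDocument wire = Encrypt(Request, recipientPublic);
        Console.WriteLine("on the wire: " + wire.OuterXml); // <EncryptedData> in the Body, no <Amount>
        XmlDocument clear = Decrypt(wire, recipient);
        Console.WriteLine("decrypted:   " + clear.OuterXml);
    }
}
```

Pinning the key-transport and content algorithms before calling DecryptKey is the check a practitioner wants here: with XML Encryption the sender names the algorithms, and a service that silently honours whatever arrives is an easier padding-oracle target than one that refuses anything it did not agree to.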