Configuring certificates in IIS Express and Windows XP development server

We are in the age of Windows 7 and Windows Server 2008, and configuring certificates on Windows 7 and the IIS development server is a lot easier there. However, in a corporate environment you often hit limitations: you don't get the obvious choice of picking your own technology stack, and you are governed by corporate policy and the company's computer licensing, which restricts your development environment as well. IIS Express gives you a nice compact version of IIS for development, but configuring it is often a tedious task when you are working on Windows XP, and when you are asked to enable security features in that development environment the task becomes harder still. I ran into many difficulties configuring certificates for IIS Express on Windows XP, so I thought I would share what worked. Follow the steps below to configure certificates for IIS Express on the Windows XP operating system.

Step 1: Make a directory on your computer. I created c:\MyCerts
Step 2: Open a command prompt and go to c:\MyCerts (the makecert command below writes the certificate file into the current directory).

Step 3: Clean up any existing certificates of the same name from the MMC Certificates snap-in. Execute the following two commands.
certmgr -del -r localmachine -s TrustedPeople -c -n myCert

certmgr -del -r localmachine -s My -c -n myCert

The two commands above remove any certificate named 'mycert' from the local machine's Personal (My) and Trusted People stores. We are going to create a new certificate named 'mycert' in the following steps and deploy it, so starting from a clean state avoids picking up a stale copy by mistake.

Step 4: Generate a new certificate. -sr localmachine -ss My places it in the local machine's Personal store, -pe marks the private key as exportable, -sky exchange creates an exchange (encryption) key, and mycert.cer is the public certificate written to the current directory.
makecert.exe -sr localmachine -ss My -pe -sky exchange -n "CN=mycert" mycert.cer

Step 5: Copy it into the Trusted People store of the MMC Certificates snap-in using the following command (source store first, destination store second).
certmgr.exe -add -r localmachine -s My -c -n mycert -r localmachine -s TrustedPeople

This copies the certificate from the local machine's Personal store into its Trusted People store. Check for mycert in both Personal\Certificates and Trusted People\Certificates: open an MMC console, add the Certificates snap-in for the computer account, and look in both folders.

Step 6: If you are using WIF for a Security Token Service (STS), you need to update the thumbprint of the certificate in the WebHost\Web.config file. To get the thumbprint of the certificate, go to Personal > Certificates, double-click "mycert", go to the Details tab, click Thumbprint and write the thumbprint down.

Step 7:
Open the webhost\web.config file … update the thumbprint … Remember to remove the spaces in between: the Details tab shows the thumbprint as space-separated byte pairs, and Web.config needs the hex digits run together.
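Getting the thumbprint from the MMC dialog into Web.config is where this procedure most often goes wrong, so here is an added example (my own code, not part of the original post) that does the two checks I would want at Step 6 and 7: normalize the value copied from the Details tab, and verify it against the SHA-1 of the .cer file that makecert wrote. The thumbprint MMC shows is the SHA-1 hash of the DER-encoded certificate, and makecert's mycert.cer is DER, so the two must agree. Copying from the Details tab is also known to pick up an invisible left-to-right mark (U+200E) before the first byte, which makes a pasted value silently fail to match; the normalizer strips it along with the spaces. The sample inputs in the block are constructed (a SHA-1 test vector, not a real certificate).

```python
import base64
import hashlib
import re
import sys

# A SHA-1 thumbprint is 20 bytes = 40 hex digits.
_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_thumbprint(displayed: str) -> str:
    """Turn the thumbprint as shown or copied from the MMC Details tab into the
    compact upper-case form Web.config expects.

    MMC shows it as space-separated byte pairs ("a9 99 3e ..."), and copying
    from the dialog can prepend an invisible U+200E mark. Keeping only hex
    digits removes both, as well as colons from other tools' output.
    """
    compact = re.sub(r"[^0-9a-fA-F]", "", displayed).upper()
    if not _HEX40.match(compact):
        raise ValueError(
            f"not a SHA-1 thumbprint (need 40 hex digits, got {len(compact)}): {displayed!r}"
        )
    return compact


def is_valid_thumbprint(displayed: str) -> bool:
    """True if the value normalizes to a 40-hex-digit thumbprint."""
    try:
        normalize_thumbprint(displayed)
        return True
    except ValueError:
        return False


def thumbprint_from_cer(cer_bytes: bytes) -> str:
    """Compute the thumbprint of a certificate file the way MMC reports it:
    SHA-1 over the DER encoding. Accepts raw DER (what makecert writes to
    mycert.cer) or a base64 PEM export ("-----BEGIN CERTIFICATE-----")."""
    if cer_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(
            line for line in cer_bytes.splitlines() if not line.startswith(b"-----")
        )
        der = base64.b64decode(body)
    else:
        der = cer_bytes
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_matches(config_value: str, cer_bytes: bytes) -> bool:
    """Does the value pasted into Web.config identify this .cer file?"""
    return normalize_thumbprint(config_value) == thumbprint_from_cer(cer_bytes)


# Constructed sample: the bytes "abc" stand in for a DER certificate here so
# the result is the well-known SHA-1 test vector, not a real certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python check_thumbprint.py c:\MyCerts\mycert.cer "<value from MMC>"
    with open(sys.argv[1], "rb") as f:
        cer = f.read()
    print("file thumbprint:", thumbprint_from_cer(cer))
    if len(sys.argv) > 2:
        print("config value   :", normalize_thumbprint(sys.argv[2]))
        print("match          :", thumbprint_matches(sys.argv[2], cer))
```

Run it against c:\MyCerts\mycert.cer with the value you wrote down from MMC; if the match line says False, the pasted value is the usual suspect (trailing space, stray mark, or a different certificate than the one you think is in the store).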

Step 8:
As IIS Express on XP runs under the context of a local user, we need to grant that user access to the certificate's machine key as well.
Machine keys are usually stored in the following location:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Select the appropriate machine key file (in my case I didn't know which one it was, so I granted access on both files).
Select the file, right-click -> Properties -> Security tab -> Add …
Grant Full Control to 'ASPNET' and to your login account. (Full Control is more than using the key requires; Read permission on the key file is what lets an account sign and decrypt with it, so if you want to keep the grant tight, start with Read and widen it only if the STS still fails to load the key.)
IIS Express runs as a local account on Windows XP, so you need to give your local account the appropriate permission to access the machine keys.