Test certificate and key files are supplied that may also be used during the development of your identity provider or service provider applications.
For example, the SP initiated identity provider includes an idp.pfx and sp.cer in its root directory. The SP initiated service provider includes an sp.pfx and idp.cer in its root directory. The password for these PFX files is password.
The identity provider uses the secret key stored in idp.pfx to sign messages. The service provider uses the public key contained in idp.cer to verify signatures in messages received from the identity provider.
Similarly, the service provider uses the secret key stored in sp.pfx to sign messages. The identity provider uses the public key contained in sp.cer to verify signatures in messages received from the service provider.
Certificates may also be embedded in the XML signature that’s included with the signed message. These certificates may be used rather than separately stored certificates although you need to consider any security ramifications.
The following sections outline one way for generating your own test certificates and keys.
Test certificate and keys should not be used in a production environment. You should purchase these from a certificate issuing service. Standard SSL certificates may be used.
Makecert
Use the makecert and pvk2pfx tools that ships with Visual Studio (e.g. C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin\makecert.exe) to create certificate files and private key files.
makecert -r -pe -sky exchange -n "cn=www.idp.com" -sv idp.pvk idp.cer
You then need to convert the PVK file to a PFX file so it can be loaded with the .NET framework classes.
pvk2pfx -pvk idp.pvk -spc idp.cer -pfx idp.pfx -po password -f
Refer to the Microsoft help for additional options.
Makecert and SHA-256 XML Signatures
When using makecert to create a self-signed certificate to generate SHA-256 XML signatures (see section 16.3), the correct cryptographic provider type must be specified.
The Microsoft Enhanced RSA and AES Cryptographic Provider is required to support SHA-256 signatures. This provider’s type is twenty-four.
For example:
makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24
Rather than saving the certificate and private key to files, they’re saved to the Windows certificate store. This is required to work around an issue in makecert or pvk2pfx where the provider type information is lost if the certificate and private key are directly saved to files.
The Microsoft Management Console’s Windows Certificate snap-in should be used to export the certificate and private key to a PFX file.
The default 1024 bit key length may be used for SHA-256 XML signature generation.
If you wish to create a 2048 bit key, specify the length parameter.
For example:
makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24 -len 2048
The default signature algorithm used to sign the certificate using the issuer’s private key is SHA-1. This is independent of the certificate’s support for SHA-256 XML signatures. For example, a SHA-1 signed certificate may be used to generate SHA-256 XML signatures.
If you wish to sign the certificate using SHA-256, specify the algorithm parameter.
For example:
makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24 -len 2048 -a sha256