Introduction
We require that you generate your own private key because the one that we gave you was generated by us and sent to you over e-mail, so it is not a key that only you control. To have total control over who can use this key, generate a new private key for your application in Production; it must be different from the private key that the application uses in the Partner Dev/Test environment.
Planning for the New Key
The key that you are about to create is your application’s private key.
- Store it somewhere safe.
- Do not include it in any e-mail messages.
- Limit access to the key to only those people who must have access.
Minimizing the number of servers that hold your key reduces the chance of that key being compromised. When preparing to go live, you must generate a public certificate that matches your private key, and then send that certificate (never the private key) to the Microsoft HealthVault team so that it can be registered on our server.
Deleting the Old Key
If a certificate with this name (for example, the one that we sent you) is already installed on the server, you must uninstall it first; otherwise the old and new certificates are hard to tell apart in the store.
To uninstall the old PFX:
- Use the MMC script (LM_Personal_Certs.msc) provided in the Downloads section of the HealthVault MSDN site, and then right-click the old certificate and select Delete.
Note: Old certificates are not cleanly deleted if a process currently has them open. You may need to shut off any Web server instances that are currently running.
Creating the Key Pair
Makecert.exe creates a self-signed certificate together with its private key and installs them on the machine on which you run makecert, in LocalMachine\My (the Personal store of the local computer). Makecert also writes the public certificate that matches the installed private key to the file specified on the command line. That file is DER encoded and contains no private key material.
If you lose the file that MakeCert generated, or if you generated your private key in a different way, you can export a DER-encoded public certificate using the Microsoft Management Console. The private key is attached to the certificate that is installed in your LocalMachine\My store; do not select the private key when exporting the file you send to Microsoft.
To create the private/public key pair:
- Find makecert.exe in C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin. It is also available in the Downloads section of the HealthVault MSDN site.
- Using the MakeCert command, generate a certificate with the same name as the one that we sent you when your AppId was created:
makecert.exe "<OutputPath>\<CertFileName>.cer" -a sha1 -n "CN=WildcatApp-<AppId>" -sr LocalMachine -ss My -sky signature -pe -len 2048
For example:
makecert.exe "c:\temp\MyCert.cer" -a sha1 -n "CN=WildcatApp-6296418d-a6c7-418d-84ea-f4c04b9dd1b6" -sr LocalMachine -ss My -sky signature -pe -len 2048
- Send the resulting CER file to Microsoft. This file contains the DER-encoded public certificate (public key only); the private key stays in LocalMachine\My.
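The following PowerShell script is an added example and is not part of the HealthVault documentation. It performs the "Deleting the Old Key" and "Creating the Key Pair" steps with the PKI module cmdlets that ship with Windows 10 / Server 2016 and later (an assumption about cmdlet availability), producing the same kind of certificate as the makecert.exe line above and then checking the result before the CER file is sent off. The AppId, output path and script name are placeholders. It defaults to a SHA-256 self-signature where the page's makecert line uses SHA-1; the hash only affects the certificate's own signature, but whether the registration side accepts SHA-256 is not stated on the page, so `-HashAlgorithm SHA1` reproduces the page's command exactly.

```powershell
# Added example (not from the HealthVault documentation). Run in an elevated
# PowerShell on the machine where the key is to be generated.
param(
    [Parameter(Mandatory)][string]$AppId,                    # e.g. 6296418d-a6c7-418d-84ea-f4c04b9dd1b6
    [string]$OutputPath = "C:\temp\WildcatApp-$AppId.cer",  # placeholder path
    [ValidateSet('SHA1', 'SHA256')][string]$HashAlgorithm = 'SHA256',
    [switch]$ReplaceExisting                                 # delete an older cert with the same subject first
)

$subject = "CN=WildcatApp-$AppId"
$store   = 'Cert:\LocalMachine\My'    # makecert: -sr LocalMachine -ss My

# "Deleting the Old Key": two certificates with the same subject are hard to
# tell apart in MMC, so refuse to create a second one unless explicitly told to.
$old = @(Get-ChildItem $store | Where-Object { $_.Subject -eq $subject })
if ($old.Count -gt 0 -and -not $ReplaceExisting) {
    throw "Certificate(s) with subject '$subject' already installed: $($old.Thumbprint -join ', '). Re-run with -ReplaceExisting."
}
foreach ($c in $old) {
    # -DeleteKey removes the private key as well as the certificate. As the page
    # notes, this fails if a process (e.g. a running web server) has the key open.
    Remove-Item -Path (Join-Path $store $c.Thumbprint) -DeleteKey
}

# Equivalent of:
#   makecert.exe <cer> -a sha1 -n "CN=WildcatApp-<AppId>" -sr LocalMachine -ss My -sky signature -pe -len 2048
#   -sky signature -> -KeySpec Signature / -KeyUsage DigitalSignature
#   -pe            -> -KeyExportPolicy Exportable (required for the PFX export later)
#   -len 2048      -> -KeyLength 2048
# The legacy CAPI provider stores the key where makecert would (ProgramData\
# Microsoft\Crypto\RSA\MachineKeys), which is what WinHttpCertCfg expects.
# -Type Custom adds no extended key usage, matching makecert's default.
$cert = New-SelfSignedCertificate `
    -Type              Custom `
    -Subject           $subject `
    -CertStoreLocation $store `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -KeySpec           Signature `
    -KeyUsage          DigitalSignature `
    -KeyExportPolicy   Exportable `
    -HashAlgorithm     $HashAlgorithm `
    -Provider          'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter          (Get-Date).AddYears(5)

# Export only the public certificate, DER encoded (-Type CERT), for registration.
Export-Certificate -Cert $cert -FilePath $OutputPath -Type CERT -Force | Out-Null

# Checks before the file leaves the machine.
$bytes = [IO.File]::ReadAllBytes($OutputPath)
if ($bytes[0] -ne 0x30) { throw "$OutputPath is not DER encoded (expected a leading SEQUENCE tag)" }
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutputPath
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the installed certificate' }
if ($exported.HasPrivateKey) { throw 'Exported file must not carry a private key' }
if (-not $cert.HasPrivateKey) { throw 'Installed certificate has no private key attached' }
if ($cert.PublicKey.Key.KeySize -ne 2048) { throw "Unexpected key size $($cert.PublicKey.Key.KeySize)" }

Write-Host "Installed $subject ($($cert.Thumbprint)) in $store; public certificate written to $OutputPath"

# Usage (placeholder script name):
#   .\New-HealthVaultKey.ps1 -AppId 6296418d-a6c7-418d-84ea-f4c04b9dd1b6
```

The DER check matters because a PEM file (which begins with `-----BEGIN CERTIFICATE-----`) would be rejected by a registration process that expects DER; the thumbprint comparison proves the file you send really is the certificate whose private key now sits in LocalMachine\My.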
Exporting Your Private Key and Installing It on Your Application Server
When Microsoft tells you that the CER has been registered on the server for your AppId, install the PFX on your application server(s).
To install the PFX:
- Export Instructions (on machine where you generated the certificate):
- Use the MMC script (LM_Personal_Certs.msc) to open Microsoft Management Console to the proper place.
- Right-click your new certificate.
Note: If you still have the certificate that we gave you loaded on this box, it will be hard to tell the two apart. If you have not already done so, run the delete procedure described above.
- From the context menu, select All Tasks>Export.
- Click Next.
- Select Yes, Export the Private Key.
- Follow the remaining steps: enter an output filename and choose a password to protect the exported PFX file. Anyone who obtains the PFX and this password holds your private key, so transfer the file to the application server over a protected channel and delete it from both machines after the import.
- Import Instructions (on App server):
- Use the same MMC script to open the Management Console.
- Under Certificates (Local Computer)\Personal, right-click Certificates.
- Select All Tasks>Import.
- Use the PFX file that you exported in the export step above.
- Place the certificate in the Personal store.
- Use WinHttpCertCfg to grant the NetworkService account, under which the application runs, the access it needs to use this private key:
WinHttpCertCfg.exe -g -a NetworkService -c Local_Machine\My -s "WildcatApp-<AppId>"
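The following is an added example, not code from the HealthVault documentation: the export, import and grant steps as two PowerShell functions. `Export-HealthVaultPfx` runs on the machine where the key was generated; `Install-HealthVaultPfx` runs on each application server and reproduces what the WinHttpCertCfg line above does, namely granting the service account read access to the file that holds the private key, then verifying the grant. The function names, paths and the five-year validity are placeholders. It assumes the key was created with a legacy CAPI provider (as makecert does), so its file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys; keys created with a CNG provider are looked up under ProgramData\Microsoft\Crypto\Keys instead. Both functions need an elevated PowerShell.

```powershell
# Added example (not from the HealthVault documentation). Requires an elevated
# PowerShell with the PKI module (Windows 10 / Server 2016 or later assumed).

function Export-HealthVaultPfx {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $subject = "CN=WildcatApp-$AppId"
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject })
    # The page warns that the old and new certificates look alike; refuse to guess.
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$subject' but found $($certs.Count); delete the old one first."
    }
    if (-not $certs[0].HasPrivateKey) { throw 'Certificate has no private key attached; nothing to export.' }
    # EndEntityCertOnly: a self-signed certificate has no chain worth bundling.
    Export-PfxCertificate -Cert $certs[0] -FilePath $PfxPath -Password $Password `
        -ChainOption EndEntityCertOnly -Force | Out-Null
    return $certs[0].Thumbprint
}

function Install-HealthVaultPfx {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'   # the identity the web app runs as
    )
    $subject = "CN=WildcatApp-$AppId"

    # Import into Certificates (Local Computer)\Personal. -Exportable is deliberately
    # omitted: the app server needs to use the key, not to hand it out again.
    $cert = @(Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password) |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
    if (-not $cert) { throw "PFX does not contain a certificate with subject '$subject'" }

    # Locate the file that stores the private key. CAPI keys (what makecert creates)
    # live under RSA\MachineKeys; CNG keys under Crypto\Keys (assumed layout).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

    # Equivalent of: WinHttpCertCfg.exe -g -a NetworkService -c Local_Machine\My -s "WildcatApp-<AppId>"
    # Read is enough to sign with the key; do not grant Modify or FullControl.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Verify the grant took effect instead of assuming it did.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $granted = (Get-Acl -Path $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if (-not $granted) { throw "ACL on $keyFile does not grant Read to $Account" }
    return $cert.Thumbprint
}

# Usage (placeholder AppId and path):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-HealthVaultPfx  -AppId 6296418d-a6c7-418d-84ea-f4c04b9dd1b6 -PfxPath C:\temp\WildcatApp.pfx -Password $pw
#   Install-HealthVaultPfx -AppId 6296418d-a6c7-418d-84ea-f4c04b9dd1b6 -PfxPath C:\temp\WildcatApp.pfx -Password $pw
#   Remove-Item C:\temp\WildcatApp.pfx    # the PFX is a copy of the private key; do not leave it on disk
```

Importing without `-Exportable` is the least-privilege choice for an application server: the key can still be used by the process, but it cannot be re-exported through MMC from that box, which keeps the number of places the key can be copied from to the single machine where it was generated.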