Installing and Configuring SSL Certificates for Use with MapPoint Location Server
Chandu Thota
Microsoft Corporation
August 2004
Applies to:
Microsoft MapPoint Location Server, version 1.0
Summary: Learn how to obtain, install, and configure Secure Sockets Layer (SSL) certificates for Microsoft MapPoint Location Server and how to configure your mobile devices for MapPoint Location Server application development. (8 printed pages)
Contents
Introduction
Certificate Basics
Obtaining and Installing SSL Certificates
Installing SSL Certificates on MapPoint Location Server for Application Development
Conclusion
Introduction
When you deploy MapPoint Location Server, you must install Secure Sockets Layer (SSL) certificates before installing the MapPoint Location Server software. SSL certificates are required on both the computer running MapPoint Location Server Web Service and the computer running the MapPoint Location Server database.
This article describes procedures and examines alternatives for obtaining and installing SSL certificates to make your MapPoint Location Server installation more secure. This article also examines MapPoint Location Server and SSL certificates from an application development perspective.
Let's start by looking at certificate basics and the SSL-related terminology that will be used throughout this article.
Certificate Basics
SSL is a set of cryptographic protocols that provide server authentication, encryption, and data integrity for a connection. To enable SSL on a server, you must install an X.509 certificate, the industry-standard certificate format (distributed as a .cer or .crt file), together with the private key that corresponds to it; the certificate file itself contains only public information. Microsoft Windows 95 and later versions natively support X.509 certificates.
Certificates are documents issued by trusted authorities, such as VeriSign, that bind a public key to the name of its owner. For example, if VeriSign issues a certificate to company A, VeriSign is certifying that the public key in the certificate belongs to company A. When company A presents this certificate to company B to establish a trusted connection, company B accepts company A's claim of identity because company B recognizes VeriSign's signature on the certificate and trusts VeriSign as an authority. A trusted authority is also known as a certification authority (CA).
Sometimes a CA is certified by another CA, establishing a hierarchy in which parent CAs verify that child CAs are authorized to issue certificates. The ultimate parent, or root, of such a hierarchy signs its own certificate and is called a root certification authority, or root CA. Windows operating systems for both computers and devices include certificates from root CAs such as VeriSign, GTE, and so on, so that a certificate issued by one of those CAs (or chaining up to one of them) is recognized as trusted without any further configuration on the client.
To obtain a certificate, you send a certificate request (a PKCS #10 certificate signing request generated from the server's own key pair; the private key never leaves the server) to a known CA. The CA verifies your request and sends you the certificate, typically in an e-mail message. You can also issue your own certificate for development and testing purposes. Test certificates are not recommended for production deployments: clients will not trust them unless your private root CA is installed on every client, and any client on which that root is installed will trust every certificate that CA issues, so the CA's private key must be protected as carefully as the server's.
Now that you know what certificates are and how they are used, let's examine the details of obtaining and installing certificates for both test and production deployments.
Obtaining and Installing SSL Certificates
The number of certificates you need depends on your MapPoint Location Server deployment:
- If you are installing MapPoint Location Server Web Service and the MapPoint Location Server database on a single computer, you need only one SSL certificate.
- If you are installing MapPoint Location Server Web Service and the MapPoint Location Server database on separate computers, you need two SSL certificates, one issued for the fully qualified domain name of each computer.
The following sections describe each step in detail: creating the certificate request, obtaining the certificate from a CA (or issuing a test certificate yourself), installing it in IIS, and configuring the Web server to require SSL.
Creating a Certificate Request
Use the procedure in this section to request a new certificate for a production or test deployment of MapPoint Location Server.
To create a certificate request
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the tree view, expand the node that contains your Web server, and then expand the Web Sites node.
- Right-click the Default Web Site node, and then click Properties.
- Click the Directory Security tab, and then click Server Certificate. The Web Server Certificate Wizard starts, displaying a Welcome page containing text that indicates whether a certificate is already installed for the selected server and whether you have any pending certificate requests. Click Next.
Note If a certificate is already installed on the server, you must remove it before requesting a new one. To remove the certificate, select Remove the current certificate, click Next, and then complete the wizard. Restart the wizard to continue with your request.
- On the Server Certificate page, click Create a new certificate, and then click Next.
- On the Delayed or Immediate Request page, click one of the following options. The first option is always available, but the second option is available only if the Web server has access to one or more computers running Certificate Services in a Windows 2000 or Windows Server 2003 domain that is configured to issue SSL certificates:
- Prepare the request now, but send it later—Choose this option if you do not have an issuing CA published in Active Directory, or if you want to request a certificate from a commercial CA (the most common scenario).
- Send the request immediately to an online certification authority—Choose this option if you have an issuing CA published in Active Directory and you want to get the certificate from that CA.
- On the Name and Security Settings page, do the following:
- Under Name, type a name for the certificate. The fully qualified domain name (FQDN) of the server is a good choice because it identifies which server the certificate belongs to.
- From the Bit length list, select the public key length. The original guidance for this product was 1024 bits; 1024-bit RSA keys are no longer considered adequate, so select 2048 bits or longer if your CA and your client devices support it.
- Click Next.
- On the Organization Information page, type the name of your organization (for example, ABC Corporation) and organizational unit (for example, Product Development), and then click Next. This information will go into the certificate, so make sure that it's accurate.
- On the Your Site's Common Name page, type the FQDN of the computer to be certified, and then click Next. The common name must exactly match the host name that clients will use in the URL (for example, the host part of https://YourFQDN/MMLSService/LocationService.asmx); a certificate that chains to a trusted CA but carries a different name is still rejected by clients.
- On the Geographical Information page, select the name of your country/region, type the name of your state or province and your city, and then click Next. The state or province name must be complete, not an abbreviation.
- The next page varies depending on the option you chose on the Delayed or Immediate request page:
- If you are preparing the request now and sending it later, type the name of the text file that will contain the certificate request information. By default, the file name is C:\Certreq.txt.
- If you are sending the request now, specify the SSL port for the Web site, and then click Next. On the Choose a Certification Authority page, under Certification authorities, select a CA, and then click Next.
- On the Certificate Request Submission page, review the information you provided, click Next, and then click Finish.
Obtaining a Certificate
This step differs depending on whether you sent the request to the CA immediately or prepared the request and saved it.
If you sent the request to a CA, you will receive the certificate in an e-mail message after the CA processes your request.
If you saved the request for development and testing purposes, you can generate your own certificate by using Certificate Services, which is available with Windows 2000 Server and the Windows Server 2003 family.
Note The text on the Certificate Services Web pages varies slightly from the text in the following procedure, depending on which version of Windows you are using.
To create a test certificate
- In your Web browser, type http://yourservername/certsrv, and then click Request a certificate.
- On the Request a Certificate page, click advanced certificate request.
- On the Submit a Certificate Request page, click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
- Open the Certreq.txt file in Notepad, copy the entire text of the file (including the BEGIN... and END... lines), paste it into the Saved Request box, and then click Submit.
- Do one of the following:
- If your certificate request is pending, continue with the next step.
- If you are prompted to download the certificate, skip to the Certificate Issued step at the end of this procedure.
- Close your browser, and then, on the Administrative Tools menu, click Certification Authority.
- In the tree view, expand the node for your server, and then expand the Pending Requests folder.
- Right-click the certificate that you just submitted, click All Tasks, click Issue, and then close the Certification Authority tool.
- In your Web browser, type http://yourservername/certsrv, and then click View the status of a pending certificate request.
- On the View the Status of a Pending Certificate Request page, click the request that you just issued.
- On the Certificate Issued page, click DER encoded, and then click the link that downloads the certificate issued for your request (Download certificate). Make sure that you download the server certificate and not the CA's own certificate; the CA certificate is what client devices need later, and it is a separate download from the Certificate Services home page. Save the certificate file to the local drive on your Web server, and close your Web browser.
The certificate is now ready to be installed.
Installing the Certificate
Perform the following steps to install the SSL certificate.
To install the certificate
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the tree view, expand the node that contains your Web server, and then expand the Web Sites node.
- Right-click the Default Web Site node, and then click Properties.
- Click the Directory Security tab, and then click Server Certificate to start the Web Server Certificate Wizard. When the Welcome page appears, click Next.
- Click Process the pending request and install the certificate, and then click Next.
- Type the path and file name of the certificate that you saved in the previous step, click Next twice, and then click Finish to complete the wizard.
- In the Properties dialog box, click the Web Site tab, and make sure that the port on which you want SSL to run is displayed in the SSL Port box. The default (and recommended) port is 443.
- Click OK to close the Properties dialog box.
Now you have successfully installed an SSL certificate on your server. If you are deploying MapPoint Location Server in a two-computer scenario, you'll need to repeat these procedures to obtain and install a certificate on the second computer.
Configuring the SSL Certificate on the Web Server
As a final step, you'll need to configure the SSL certificate on the computer that is running MapPoint Location Server Web Service (your Web server). If you are using a two-computer deployment, you only need to perform the following steps on the Web server.
To configure the SSL certificate
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the tree view, expand the node that contains your Web server, and then expand the Web Sites node.
- Expand the Default Web Site node, right-click the MMLSService virtual directory, and then click Properties.
- Click the Directory Security tab, and under Secure communications, click Edit.
- Select Require Secure Channel (SSL), and then click OK.
- Click OK twice to close the Properties dialog box.
Now you are ready to install MapPoint Location Server. For more information about how to install MapPoint Location Server, see the MapPoint Location Server Administrator's Guide.
Installing SSL Certificates on MapPoint Location Server for Application Development
When you program against MapPoint Location Server, using test SSL certificates (certificates issued by you instead of by a trusted CA) can be challenging because your root CA is not known to the development computers and test devices such as Pocket PCs, Smartphones, and emulators, so they reject the server's certificate. This is not a problem in production deployments because the certificates installed on those servers are issued by a well-known CA whose root certificate is already present on the clients.
If you are using a test certificate for a single-computer deployment, you must perform the following steps:
- Obtain the root CA certificate (the certificate of the CA that issued the test certificate, not the server certificate itself) as a PKCS #7 file or as an X.509 certificate (.cer) file from the computer running MapPoint Location Server. With Certificate Services, the certsrv home page offers a link for downloading the CA certificate, certificate chain, or CRL.
- Add this certificate to the Trusted Root Certification Authorities store on your development computer. You can do this by using the Certificate Import Wizard, which is launched by double-clicking the certificate (.cer) file. Import it into the Local Computer store rather than only the current user's store if services or other accounts on that computer will also connect to the server. Remember that this makes the computer trust every certificate the test CA issues, so remove the root from the store when you no longer need it.
However, because MapPoint Location Server applications target mobile devices, you will most likely also need to add the root certificate to the mobile devices and device emulators that you test with. This section describes different ways to install a certificate on Pocket PC, Smartphone, and device emulators.
Installing an SSL Certificate on a Pocket PC
The process for installing an SSL certificate on a Pocket PC device differs slightly from installing one on an emulator. In both cases, you need the AddRootCert.exe tool to install the certificate. You can download the AddRootCert.exe tool from Microsoft.com.
To install an SSL certificate on a Pocket PC
- Copy AddRootCert.exe to your Pocket PC device by using Microsoft ActiveSync.
- Copy the certificate (.cer file) that you want to install to the My Documents folder on your Pocket PC.
- Run AddRootCert.exe on your Pocket PC device: On the File menu, tap Open, and then double-tap the certificate that you copied.
- Double-tap the screen to return to the AddRootCert.exe window, and then tap Install Certificate.
To install an SSL certificate on a Pocket PC emulator
On the emulator, you copy the files from a network share on your development computer by using File Explorer:
- On the Start menu of the emulator, tap Settings, tap the System tab, tap About, and then tap the Device ID tab.
- By default, the Device name field is set to POCKET_PC. Change this name so that this device has a unique name within your domain.
- In the emulator, from the Programs menu, open File Explorer.
- On the toolbar, click Network Share.
- On the Open page, type the path to your development computer (for example, \\your-computer-name\your-drive$).
- Navigate to the folders in which you saved the certificate and AddRootCert.exe on your development computer, tap and hold, and then tap Copy.
- Tap Device toolbar to switch back to your device.
- Navigate to the My Documents folder, tap and hold, and then tap Paste.
- Run AddRootCert.exe on your Pocket PC emulator: On the File menu, tap Open, and then double-tap the certificate that you copied to the My Documents folder.
- Double-tap the screen to return to the AddRootCert.exe window, and then tap Install Certificate.
Installing SSL Certificates on Smartphone or a Smartphone Emulator
Unlike the Pocket PC platform, the Smartphone platform does not have a tool that supports installing SSL certificates directly. If a test SSL certificate is installed on your MapPoint Location Server and your application fails with the message "Could not establish secure channel for SSL/TLS" (the .NET Compact Framework's report that it could not validate the server's certificate), use the following procedure to resolve the issue.
- Open Pocket Internet Explorer on your Smartphone or Smartphone emulator, and then type the ASMX URL for the location service. It should look like the following:
https://YourFQDNforMapPointLocationServer/MMLSService/LocationService.asmx
- Provide your domain credentials when prompted.
You should see the default view of the ASMX file with all supported methods listed.
Now you should be able to run your program without SSL-related errors. When Pocket Internet Explorer connected to the MapPoint Location Server, it received the server's certificate as part of establishing the trusted connection, and the test SSL certificate is now present in the Smartphone certificate store.
Conclusion
This article has described the basics of SSL certificates and how they work, and outlined how to obtain and install SSL certificates for a MapPoint Location Server deployment. Finally, this article described how to install SSL certificates on development computers and devices such as Pocket PCs and Smartphones.