Creating a Private Key-Public Key Pair
We require that you generate your own private key because the one that we gave you was generated by us and sent to you over e-mail. We want you to have total control over who gets access to this key. To accomplish this control, you need to generate a new private key for your application in Production that is different from the private key that it uses in the Partner Dev/Test environment.
Last updated: November 2012
The key that you are about to create is your application’s private key.
- Store it somewhere safe.
- Do not include it in any e-mail messages.
- Limit access to the key to only those people who must have access.
Minimizing the number of servers that know your key reduces the chances of that key being compromised. When preparing to go live, you must generate a public certificate that matches your private key, and then send that certificate to the Microsoft HealthVault team so that it can be registered on our server.
If you already had a PFX with this name installed on the server, you must uninstall it.
To uninstall the old PFX:
- Open the Certificates MMC console for the local machine store. For information about opening the Certificates MMC console, see How to: View Certificates with the MMC Snap-in.
- Open the Personal folder, and then open the Certificates subfolder.
- Right-click the old certificate and select Delete.
Old certificates are not cleanly deleted if a process currently has them open. You may need to shut off any Web server instances that are currently running.
Makecert.exe creates a certificate together with its private key and installs it on the machine on which you run makecert, in LocalMachine\My (the Personal store of the local machine). Makecert also writes the corresponding public certificate, which matches the installed private key, to the file specified on the command line. The public certificate is DER encoded.
If you lose the file that MakeCert generated, or if you generated your private key in a different way, you can export a DER-encoded public certificate using the Microsoft Management Console. The corresponding private key is wrapped in a certificate that has been installed in your LocalMachine\My store.
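The MMC export described above can also be done from PowerShell. The following is an added example, not code from the HealthVault documentation: it locates the WildcatApp certificate in LocalMachine\My, confirms that the private key is present on this machine, and writes only the DER-encoded public certificate to a .cer file. The AppId and output path are placeholders you must replace with your own.

```powershell
# Added example (not from the HealthVault topic): export the DER-encoded public
# certificate for the application's key from the LocalMachine\My store.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real AppId
$OutputPath = 'C:\temp\WildcatApp-public.cer'          # placeholder output file

$subject = "CN=WildcatApp-$AppId"
$matches = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject })

if ($matches.Count -eq 0) { throw "No certificate with subject '$subject' in LocalMachine\My." }
if ($matches.Count -gt 1) { throw "More than one certificate matches '$subject'; delete the stale one first." }
$cert = $matches[0]

# The store entry must carry the private key, otherwise the PFX was never installed here.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this machine."
}

# X509ContentType::Cert exports the certificate only (DER), never the private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutputPath, $der)

# Sanity check: DER starts with the ASN.1 SEQUENCE tag 0x30, the reloaded file must
# have the same thumbprint as the store entry, and it must not contain a private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutputPath)
if ($der[0] -ne 0x30 -or $reloaded.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the certificate in the store."
}
if ($reloaded.HasPrivateKey) { throw "Exported file unexpectedly contains a private key." }

"Exported DER public certificate for $subject (thumbprint $($cert.Thumbprint)) to $OutputPath"
```

The thumbprint comparison is the useful part when several certificates with similar names exist: it proves that the file you are about to send to the HealthVault team corresponds to the key actually installed on the server.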
To create the private/public key pair:
- Find makecert.exe in the bin directory of the Microsoft Visual Studio installation. It is also available in the Downloads section of the HealthVault MSDN site.
- Using the MakeCert command, generate a certificate with the same name as the one that we sent you when your AppId was created. The first command is the template; the second shows it with a sample AppId:
makecert.exe "<OutputPath>\<CertFileName>.cer" -a sha1 -n "CN=WildcatApp-<AppId>" -sr LocalMachine -ss My -sky signature -pe -len 2048
makecert.exe "c:\temp\MyCert.cer" -a sha1 -n "CN=WildcatApp-6296418d-a6c7-418d-84ea-f4c04b9dd1b6" -sr LocalMachine -ss My -sky signature -pe -len 2048
- Upload the resulting CER file and associate it with your application using the Application Configuration Center. This file contains the DER-encoded public certificate.
Once the CER has been uploaded and associated with your application, install the PFX on your application server(s).
To install the PFX:
- Export Instructions (on machine where you generated the certificate):
- Use the Certificates MMC console, and open the folder containing the certificate. For information about opening the Certificates MMC console, see How to: View Certificates with the MMC Snap-in.
- Right-click your new certificate.
- From the context menu, select All Tasks>Export.
- Click Next.
- Select Yes, Export the Private Key.
- Follow the remaining steps: enter an output filename and choose a password that protects the exported private key.
- Import Instructions (on App server):
- Open the Certificates MMC console for the local machine.
- If the machine currently has a certificate with the same certificate name, delete the existing certificate before importing the new one.
- Under Certificates (Local Computer)\Personal, right-click Certificates.
- Select All Tasks > Import.
- Use the PFX file that you exported in the export steps above.
- Select to load this cert into Personal.
- Use WinHttpCertCfg to grant the NetworkService account the permission it needs to use this private key:
WinHttpCertCfg.exe -g -a NetworkService -c Local_Machine\My -s "WildcatApp-<AppId>"
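After granting access, it is worth confirming that NetworkService can actually read the key and that no unexpected accounts can. The following is an added example, not part of the original topic: it resolves the CSP key container file behind the WildcatApp certificate and inspects its ACL. It assumes the key was created by makecert as a CryptoAPI (CSP) key in the machine store, which is what the -sr LocalMachine -ss My -sky signature -pe options above produce; the AppId is a placeholder.

```powershell
# Added example (not from the HealthVault topic): verify the private-key ACL that
# WinHttpCertCfg -g -a NetworkService is expected to have set.
$AppId   = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real AppId
$subject = "CN=WildcatApp-$AppId"

$matches = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject })
if ($matches.Count -ne 1) { throw "Expected exactly one certificate for '$subject', found $($matches.Count)." }
$cert = $matches[0]

# $cert.PrivateKey is populated only for CSP keys (assumed here, as created by makecert).
if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
    throw "No CSP private key is available for $subject on this machine."
}

# Machine CSP key containers are stored as files under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

$acl = Get-Acl -Path $keyFile
# Principals that are normally expected on a machine key; anything else is reported.
$expected = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$networkServiceCanRead = $false

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if ($id -eq 'NT AUTHORITY\NETWORK SERVICE' -and (($ace.FileSystemRights -band $readMask) -ne 0)) {
        $networkServiceCanRead = $true
    }
    if ($expected -notcontains $id) {
        Write-Warning "Unexpected principal '$id' has $($ace.FileSystemRights) on the private key."
    }
}

if (-not $networkServiceCanRead) {
    throw "NetworkService cannot read the private key; rerun WinHttpCertCfg.exe -g -a NetworkService as described above."
}
"NetworkService has read access to the key container for $subject ($keyFile)."
```

Run this once on each application server after the import. The warning branch is the part that enforces the "limit access to only those who must have it" rule from the top of this topic: any principal beyond NetworkService, SYSTEM and Administrators on the key file is a sign that the key was installed or re-permissioned more broadly than intended.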