13

I am presently studying the topic of encrypting and signing SOAP messages via WSE 3.0 or WCF. Since I have not participated in distributed application development involving the public Internet, I find my knowledge of X.509 certificates, and of how they work in the Windows certificate store mechanism, lacking. It is not about asymmetric cryptography; it is about the PKI ecosystem.

Therefore I would like to gather what are some articles or books that give comprehensive explanations on Windows' security mechanisms, how to properly use and manage the Certificate Store, CA trust chains, and how APIs like WSE or WCF may interact and make use of certificates. Recommendations?

icelava

4 Answers

6

Everyone using (or thinking of using) X.509 certificates should be forced to read this: Everything you Never Wanted to Know about PKI but were Forced to Find Out, as well as X.509 Style guide, both by Peter Gutmann.

Teddy
  • Those are actually funny reads, but unfortunately the presentation PDF seems to be a report on all the massive flaws and ailments of PKI and x.509 but nowhere explaining "How does Windows and IE make use of the certs stored in the Cert Store; and what can developers really do with them for security scenarios?" – icelava Jan 12 '10 at 10:34
  • The text guide is unfortunately formatted only as a raw text file which makes for difficult reading. I cannot tell which section contains the relevant information I am looking for? – icelava Jan 12 '10 at 10:36
  • You said that "I find my knowledge on X.509 certificates lacking" - this should help. – Teddy Jan 12 '10 at 20:57
2

I think the base starting point to understanding the Windows implementation of PKI has to come from TechNet

PKI segment http://technet.microsoft.com/en-us/library/cc757327(WS.10).aspx

Certificates overview http://technet.microsoft.com/en-us/library/cc784662(WS.10).aspx

Certificate services http://technet.microsoft.com/en-us/library/cc783511(WS.10).aspx

Certificate templates http://technet.microsoft.com/en-us/library/cc758496(WS.10).aspx

icelava
1

"Learning WCF" by Michele Bustamante has a good overview chapter on WCF security, including some basic discussion on X.509 certificates.

ng5000
  • Chapter 7 of Learning WCF gives introductory details about certificates, and how to motion WCF to use them. However, I am also looking for the lower level - managing, issuing, purchasing certificates, establishing own CA, creating fake certs, etc. – icelava Jan 12 '09 at 16:14
1

From the MSDN:

How to: Decrypt XML with x509

How to: Encrypt XML with x509

mirezus
  • I am looking for more than just encrypting/decrypting XML documents. Wish to know what exactly x.509 encompasses; how Windows stores and uses them. How they are validated and identified, etc. How do we even set up our own CA and create our own certs? – icelava Jan 12 '10 at 10:37