Making test certificates for SslStream class

Lucvdv

This is only my second contact with certificates, and the first time I had
detailed instructions that didn't explain any why, so please be lenient ;)


I'm trying to set up a SslStream, and trying to create the proper
certificates to test it with.

My approach is based on these two articles:
http://www.leastprivilege.com/PermaLink.aspx?guid=f34680fd-a58d-43a7-ba6d-2d813814ee73
http://www.leastprivilege.com/PermaLink.aspx?guid=6b5d5471-0710-41d7-891b-308afa959a6e



I generated two certificates so far: a root certificate to sign the other
with, and a 'server' certificate to use on the server side of my SslStream.

The certificates were created with these commands (after a series of
previous attempts with different switches and with even less success):

makecert -r -pe -n "CN=EurautomatTestCA" -sr LocalMachine -ss AuthRoot -sk Eurautomat -cy Authority EurautomatTestCA.cer

makecert -pe -n "CN=EurautomatTestServer" -ic EurautomatTestCA.cer -is AuthRoot -sr LocalMachine -ss TrustedPeople -sk Eurautomat -cy end EurautomatTestServer.cer

The certificate created with the first command was installed before running
the second.


My app now locates (and finds) the second certificate in the store, and
uses it to set up the server side of a SslStream.

That's where it goes wrong:

SslStream.AuthenticateAsServer(ServerCertificate, True, SslProtocols.Tls, False)

Exception: "A call to SSPI failed, see inner exception."
Inner exception: "The Local Security Authority cannot be contacted"


I know it finds the certificate, because in a prior attempt with an earlier
version of the certificates, I got an exception telling me it couldn't get
at the private key.

I tried using the 'Trusted Publishers' store instead of 'Trusted People'
too.
 

Lucvdv

SslStream.AuthenticateAsServer(ServerCertificate, True, SslProtocols.Tls, False)

Exception: "A call to SSPI failed, see inner exception."
Inner exception: "The Local Security Authority cannot be contacted"

I got a little further by adding the proper key type (-sky exchange) and
purpose (-eku 1.3.6.1.5.5.7.3.1) to the SSL certificates (two certs, one
each for server and client, for mutual authentication).

Now everything looks OK, but although the certificates look OK in the
certificates MMC, an error is reported when they are checked.

Does anyone know what ChainElementStatus.Status 64, "Unknown error" means?

I expected to get a "Certificate name mismatch", but that was *not* there,
neither at the server side when checking the client certificate nor at the
client when checking the server certificate.


I'm now running both sides on the same machine, with all three certificates
(root, server and client) installed with their private keys.

Would it make any difference if I tested it on two machines, with the
private keys installed only where they're needed?



The root certificate I created appears to be OK (no error on that one in
the chain).
 

Lucvdv

Does anyone know what ChainElementStatus.Status 64, "Unknown error" means?

I found what status 64 is, by running the test on Win2000.

Instead of "unknown error", the message there reads "The revocation
function was unable to check revocation for the certificate."

And effectively, the error doesn't occur when I keep the last parameter of
the AuthenticateAsClient and AuthenticateAsServer calls at FALSE (as it was
in my original post, but I had changed it to TRUE somewhere in between).
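Status 64 is X509ChainStatusFlags.RevocationStatusUnknown: the chain built fine, but a makecert test CA publishes no CRL, so the revocation check cannot complete. The added example below (not the poster's code) is a RemoteCertificateValidationCallback for the SslStream that keeps the revocation check turned on and makes that one condition an explicit, opt-in exception instead of passing FALSE and disabling revocation checking altogether; the AllowUnknownRevocationForTestCa flag is assumed for illustration.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a validation callback for SslStream that treats
// RevocationStatusUnknown (status value 64) deliberately.
static class TestCertValidation
{
    // Assumed setting: enable only in a lab where the root CA has no CRL
    // distribution point (as with the makecert certificates in this thread).
    public static bool AllowUnknownRevocationForTestCa = false;

    public static bool ValidateRemoteCertificate(
        object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Name mismatch or no certificate at all is never acceptable here.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0
            || chain == null)
            return false;

        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            // 64 == X509ChainStatusFlags.RevocationStatusUnknown: no CRL or
            // OCSP endpoint could be consulted for some element of the chain.
            if (s.Status == X509ChainStatusFlags.RevocationStatusUnknown)
            {
                Console.WriteLine("Revocation not checkable: " + s.StatusInformation);
                if (!AllowUnknownRevocationForTestCa)
                    return false;
                continue;
            }
            // Anything else (UntrustedRoot, NotTimeValid, Revoked, ...) is fatal.
            Console.WriteLine("Chain error " + s.Status + ": " + s.StatusInformation);
            return false;
        }
        // Only RevocationStatusUnknown was present and it was explicitly allowed.
        return true;
    }
}

// Usage: var ssl = new SslStream(netStream, false,
//     TestCertValidation.ValidateRemoteCertificate);
// ssl.AuthenticateAsServer(serverCert, true, SslProtocols.Tls12, true);
```

With the callback installed, the last parameter of AuthenticateAsServer/AuthenticateAsClient can stay TRUE, so revoked certificates are still rejected and only the "unable to check revocation" case for the test CA is waved through.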
 
