Self-signed SSL certificate for the NAS service

Set up a self-signed SSL certificate for the NAS service

Read this chapter to learn how to create, install and configure a self-signed SSL certificate to be used for securing the communication between the Sana Commerce web application and the NAS service.

This description applies only to a Sana Commerce installation connecting to Dynamics NAV through a NAS service. When using the built-in web services of NAV 2009 or NAV 2009 R2, please read the following chapter on how to configure web services to use SSL: http://msdn.microsoft.com/en-us/library/ee414240.aspx

To complete this walkthrough, you will need:

  • The makecert.exe utility.

    The makecert.exe utility is installed with Microsoft Visual Studio and Microsoft Windows SDK. For more information, see 'Certificate Creation Tool (Makecert.exe)' in the MSDN Library.

  • The Certificates snap-in for Microsoft Management Console (MMC).

The self-signed SSL certificate can be created on any computer where Microsoft Visual Studio or Microsoft Windows SDK is installed. You can do it on your local computer.

The certificate should be installed on the server running the NAS service.

Create a self-signed root authority certificate and export the private key

  • Run the following command from the command prompt and replace the subject name with a name suitable for your environment:
    makecert -sv SignRoot.pvk -cy authority -r SignRoot.cer -a sha512 -n "CN=Sana Test Certification Authority" -ss my -sr localmachine
    
    where:
    -n Specifies the subject's certificate name. You can use any name, specified in double quotes and preceded by CN=
    Example: "CN=Sana Software Company"

    -a Specifies the secure hash algorithm. It must be sha256, sha384, or sha512.

  • Enter a password to protect the private key. This password is required when creating a certificate signed by this root certificate.

For more information, visit this website: http://msdn.microsoft.com/en-us/library/ms733813.aspx.

Create a new certificate signed by a root authority certificate

  • Run the following command from the command prompt and replace the subject name. In this case you need to specify the external IP address on which the WCF service will be exposed to the webshop:
    makecert -iv SignRoot.pvk -ic SignRoot.cer -cy end -pe -n "CN=XXX.XXX.XXX.XXX" -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
    
    where:
    -iv and -ic parameters: specify the private key file and certificate of the root authority created in the previous step; you will be prompted for the password that was set on the private key there
    -n parameter: specifies the subject name. It must be exactly the address the webshop uses to reach the NAS service, because the client checks the certificate subject against the host it connects to; a mismatch makes the connection fail even though the root certificate is trusted
    -eku parameter: specifies the enhanced key usages; 1.3.6.1.5.5.7.3.1 is Server Authentication and 1.3.6.1.5.5.7.3.2 is Client Authentication

For more information, visit this website: http://msdn.microsoft.com/en-us/library/ms733813.aspx.

Installing a Certificate in the Trusted Root Certification Authorities Store

  • Open the Certificates snap-in. For more information visit this website: http://msdn.microsoft.com/en-us/library/ms788967.aspx;
  • Open the folder to store the certificate, either the Local Computer or the Current User;
  • Open the Trusted Root Certification Authorities folder;
  • Right-click on the Certificates folder and select 'All Tasks -> Import';
  • Follow the on-screen wizard instructions to import the cer-file, which was created in the 'Create a self-signed root authority certificate and export the private key' step, into the store.

For more information, visit this website: http://msdn.microsoft.com/en-us/library/ms733813.aspx.

Run 'certutil' to see the 'key container guid' of the certificate

  • Run the following command from the command prompt and replace the subject name with the name used in the 'Create a new certificate signed by a root authority certificate' step:
    certutil -store "My" "XXX.XXX.XXX.XXX"
    
    where:
    "XXX.XXX.XXX.XXX": specifies the subject name, i.e. the IP address given to -n in the previous step, without the CN= prefix

    Example:
    certutil -store "My" "XXX.XXX.XXX.XXX"
    ================ Certificate 8 ================
    Serial Number: a907c132bf73cca6467920df9071a39a
    Issuer: CN=Sana Test Certification Authority
    Subject: CN=10.3.16.25
    Non-root Certificate
    Cert Hash(sha1): 52 ea 14 bb 6d 9a cf c0 fa 64 55 82 da 15 68 ab 7b d8 3a d3
      Key Container = {627F58A2-1ADD-4CCE-B55B-65B1684325FA}
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

Configure the NAS port with the SSL Certificate

  • Run the following command from the command prompt and replace:
    • The server IP address and port number with the server IP address and port number configured in the Sana Commerce settings in NAV;
    • The hash key with the hash key of the certificate (see the 'Run 'certutil' to see the 'key container guid' of the certificate' step). Make sure that no spaces are used in the hash key;
    • The key container guid (see the 'Run 'certutil' to see the 'key container guid' of the certificate' step).
      Httpcfg.exe set ssl -i XX.XX.XX.XX:PORT -h 52ea14bb6d9acfc0fa645582da1568ab7bd83ad3 -g "{627F58A2-1ADD-4CCE-B55B-65B1684325FA}"
      
      where:
      -i parameter: specifies the IP address and port number
      -h parameter: specifies the hash key of the certificate
      -g parameter: specifies the key container guid

      If you are running on Windows Server 2008, Windows Vista or Windows 7, use the Netsh.exe tool instead, from an elevated command prompt. The following shows an example of using this command:
      netsh http add sslcert ipport=XX.XX.XX.XX:PORT certhash=52ea14bb6d9acfc0fa645582da1568ab7bd83ad3 appid={627F58A2-1ADD-4CCE-B55B-65B1684325FA}
      
      where:
      certhash: specifies the SHA-1 hash of the certificate without spaces; the certificate must be in the Local Computer Personal (My) store, which is where makecert placed it with -ss my -sr localmachine
      appid: specifies a GUID identifying the owning application; netsh accepts any GUID here, and reusing the key container guid keeps it consistent with the Httpcfg.exe command above
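Copying the certutil output into the binding command by hand is where this procedure usually goes wrong: the hash must be re-typed without spaces, and a certificate whose subject does not match the address configured in NAV binds fine but is rejected by the webshop later. The following Python script is an added example, not part of the original documentation: it parses the certutil output shown above (embedded as a constructed sample), enforces those two checks plus the expected issuer, and renders both binding commands. The function names parse_certutil and binding_commands and the port value are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the certutil -store output shown on this page.
CERTUTIL_OUTPUT = """\
================ Certificate 8 ================
Serial Number: a907c132bf73cca6467920df9071a39a
Issuer: CN=Sana Test Certification Authority
Subject: CN=10.3.16.25
Non-root Certificate
Cert Hash(sha1): 52 ea 14 bb 6d 9a cf c0 fa 64 55 82 da 15 68 ab 7b d8 3a d3
  Key Container = {627F58A2-1ADD-4CCE-B55B-65B1684325FA}
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
"""

@dataclass
class CertInfo:
    subject: str         # e.g. "CN=10.3.16.25"
    issuer: str          # e.g. "CN=Sana Test Certification Authority"
    sha1: str            # thumbprint as 40 lowercase hex chars, no spaces
    container_guid: str  # "{...}" exactly as certutil prints it

def parse_certutil(text):
    """Extract subject, issuer, SHA-1 hash and key container GUID from certutil output."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError("field not found in certutil output: " + pattern)
        return m.group(1).strip()
    raw_hash = field(r"^Cert Hash\(sha1\):[ \t]*((?:[0-9a-fA-F]{2}[ \t]*)+)$")
    sha1 = re.sub(r"\s+", "", raw_hash).lower()  # the spaces certutil prints must go
    if len(sha1) != 40:
        raise ValueError("SHA-1 thumbprint must be 40 hex characters, got %d" % len(sha1))
    return CertInfo(subject=field(r"^Subject:[ \t]*(.+)$"),
                    issuer=field(r"^Issuer:[ \t]*(.+)$"),
                    sha1=sha1,
                    container_guid=field(r"^[ \t]*Key Container[ \t]*=[ \t]*(\{[0-9A-Fa-f-]{36}\})$"))

def binding_commands(info, ip, port, root_cn):
    """Check the certificate against the configured address and root, then render both commands."""
    if info.subject != "CN=" + ip:      # the webshop checks the subject against the address it connects to
        raise ValueError("subject %s does not match the NAV address %s" % (info.subject, ip))
    if info.issuer != "CN=" + root_cn:  # bind the certificate issued by our own root, not a stray one
        raise ValueError("certificate was not issued by %s" % root_cn)
    ipport = "%s:%d" % (ip, port)
    return {"httpcfg": 'Httpcfg.exe set ssl -i %s -h %s -g "%s"' % (ipport, info.sha1, info.container_guid),
            "netsh": "netsh http add sslcert ipport=%s certhash=%s appid=%s" % (ipport, info.sha1, info.container_guid)}
```

Feed it the real output of `certutil -store "My" "<subject>"` and the address and port from the Sana Commerce settings in NAV; a ValueError means the certificate on the server is not the one the webshop will accept.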
      

Allow remote access to the WCF service

  • Run the following command from the command prompt and replace the server IP address and port number with the server IP address and port number configured in the Sana Commerce settings in NAV:
    httpcfg set urlacl /u https://+:PORT/navision/ /a "O:AUG:AUD:(A;;GA;;;AU)"
    
    where:
    /u parameter: specifies the URL prefix to reserve; the + wildcard binds the port on every local address, so only the port number and path need to be filled in
    /a parameter: specifies the access control list of the reservation as an SDDL string; the value shown grants every authenticated user (AU) full access, which lets any local account register a listener on this URL, whereas the netsh form below restricts the reservation to one account

    If you are running on Windows Server 2008, Windows Vista or Windows 7, use the Netsh.exe tool instead, from an elevated command prompt, and replace DOMAIN\USERNAME with the account under which the NAS service runs:
    netsh.exe http add urlacl url=https://+:PORT/navision/ user=DOMAIN\USERNAME
    

Add the certificate to the trusted certificates on the webserver

  • Copy the cer-file, which was created in the 'Create a self-signed root authority certificate and export the private key' step, to the webserver;
  • On the webserver open the Certificates snap-in. For more information, visit this website: http://msdn.microsoft.com/en-us/library/ms788967.aspx;
  • Open the folder to store the certificate, either the Local Computer or the Current User;
  • Open the Trusted Root Certification Authorities folder;
  • Right-click on the Certificates folder and select 'All Tasks -> Import';
  • Follow the on-screen wizard instructions to import the cer-file into the store.

Further reading

For more information about the 'Makecert' tool, please visit the following website: http://msdn.microsoft.com/en-us/library/aa386968(v=vs.85).aspx

For more information about how to create the temporary certificates for use during development, please visit the following website: http://msdn.microsoft.com/en-us/library/ms733813.aspx
