One thing I briefly touched on in yesterday's talk was the need for your web site to have read access to your SSL certificate. The token delivered to your information card accepting site is encrypted with an asymmetric key, as part of the conversation. This means that the identity selector, be it CardSpace or another selector, cannot look inside it or change it, nor can any spyware installed on the user's machine sniff the traffic. That asymmetric key is in turn encrypted using the public key of the relying party's (your accepting web site's) SSL certificate. Thus, in order to decrypt the conversation key and take the next step of decrypting the token, your web site needs access to the private key contained within your SSL certificate. This is not a common scenario (for SSL itself it's the IIS process that takes care of this for you), it does not happen automatically, and there are no tools to do this as part of the base XP or 2003 operating system.
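To make the chain concrete, here is an added example (not from the original post) that models it with .NET classes from PowerShell: a conversation key encrypts the token, the relying party's public key wraps the conversation key, and only the holder of the matching private key can unwrap it. The RSA key pair generated in memory stands in for the SSL certificate's key pair, and the token text is a constructed sample; in the real WS-Security exchange the IV travels with the ciphertext rather than being shared as it is here.

```powershell
# Added example (not from the original post). Assumptions: an in-memory RSA pair
# stands in for the relying party's SSL certificate, the token is a constructed string.

# Relying party: the full key pair (what the web site must be able to read).
$rp = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)

# What everyone else sees: the public half only, as it appears in the SSL certificate.
$rpPublicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$rpPublicOnly.ImportParameters($rp.ExportParameters($false))

# Identity provider side: encrypt the token with a fresh symmetric conversation key ...
$token = [Text.Encoding]::UTF8.GetBytes('<saml:Assertion>constructed sample token</saml:Assertion>')
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.GenerateKey(); $aes.GenerateIV()
$encryptedToken = $aes.CreateEncryptor().TransformFinalBlock($token, 0, $token.Length)

# ... then wrap the conversation key with the relying party's public key (OAEP padding).
$wrappedKey = $rpPublicOnly.Encrypt($aes.Key, $true)

# In transit, and inside the identity selector, both blobs are opaque. The selector
# holds only the public half, so attempting to unwrap fails (CryptographicException).
try {
    [void]$rpPublicOnly.Decrypt($wrappedKey, $true)
    'unexpected: unwrapped without the private key'
} catch {
    'selector cannot unwrap the conversation key: ' + $_.Exception.GetType().Name
}

# Relying party web site: unwrap with the private key, then decrypt the token.
$conversationKey = $rp.Decrypt($wrappedKey, $true)
$dec = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$dec.Key = $conversationKey
$dec.IV  = $aes.IV
$plain = $dec.CreateDecryptor().TransformFinalBlock($encryptedToken, 0, $encryptedToken.Length)
[Text.Encoding]::UTF8.GetString($plain)   # the original token text
```

The last line is the step that fails in practice when the web site's process account cannot read the private key: `$rp.Decrypt` has nothing to work with, which is exactly the permission problem the rest of the post is about.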

So what can you do? Well there's WinHttpCertCfg, a command line utility from the Windows Resource Kit; issue

winhttpcertcfg -g -c LOCAL_MACHINE\My -s Fabrikam -a ASPNET

obviously replacing Fabrikam with the friendly name of your certificate and ASPNET with the account your web site runs under.

If you want a GUI process the WSE toolkit includes a tool to view and set certificate ACLs. In the Microsoft WSE folder on your Start menu you will see a Certificate tool. Fire it up (whilst logged in as an administrative account) and change the certificate location to "Local Computer" (all SSL certificates are held under Local Computer) and the store name to "Personal";

[Screenshot: WSE Certificate tool main dialog]

Now click on the Open Certificate button and you will be presented with a list of certificates installed in your selected location and store;

[Screenshot: Select Certificate dialog listing the certificates in the chosen store]

You can see here I have the Microsoft supplied test certificates installed. Select the certificate for your web site, in my case Fabrikam, and choose OK, which will return you to the main dialog (you will see the certificate properties update, including the key identifier, which you may need if there is more than one certificate on your machine with the same subject name).

Click View Private Key Properties and you'll get a normal property dialog with a security tab;

[Screenshot: private key properties dialog, Security tab]

You can add the process account that your web site runs under and allow it Read access to the certificate, and thus to the private key, without having to resort to running IIS as "Local System" (which we all realise is a bad thing, right?).
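Both the winhttpcertcfg command line above and the WSE Certificate tool walk-through do the same job: find the key container behind the certificate and add a Read ACE for the web process account. The following is an added example (not from the original post or from either tool) that scripts that job in PowerShell. It assumes the key was created by a legacy CSP provider, as IIS SSL keys were on XP/2003, so the container is a file under the MachineKeys folder; the friendly name and account are placeholders to replace with your own.

```powershell
# Added example (not from the original post): grant a web-process account Read access
# to the private key behind a certificate in LocalMachine\My. Run as an administrator.
param(
    [string]$FriendlyName = 'Fabrikam',                      # placeholder: your certificate's friendly name
    [string]$Account      = 'NT AUTHORITY\NETWORK SERVICE'   # placeholder: the account your web site runs under
)

# Locate the certificate; insist on one that actually carries a private key.
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey })

if ($cert.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' and a private key in LocalMachine\My" }
if ($cert.Count -gt 1) {
    # Two certificates with the same name: pick by thumbprint instead, the same
    # problem the post mentions with identical subject names.
    $cert | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    throw "More than one certificate matches '$FriendlyName'; select by thumbprint instead"
}
$cert = $cert[0]

# Legacy CSP keys are stored as files named after the container's unique name.
# Assumption: Vista and later keep them under %ProgramData%; on XP/2003 the folder is
# %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Read is all the site needs: decrypting the token loads the key, it never modifies it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entries for the account so the change can be reviewed.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting Read on the key file is deliberately the whole change: the process account gets no write or full-control rights, and IIS keeps running under its own low-privilege identity rather than Local System.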

Technorati tags: CardSpace, Information Card