Certificates and STS

Mar 19, 2012 at 10:00 PM
Edited Mar 19, 2012 at 10:08 PM

Any help with customizing the HOL "Lab04-ActiveClient" would be GREATLY appreciated!

I have tried to re-code the Issuer -> FederationProvider -> Services -> Active Client using a custom implementation and custom certificates, replacing Litware Issuer, Adatum Federation Provider, and Order Tracking Services with simple "MyIssuer", "MyFederationProvider", and "MyService" respectively.

Using Windows 7 Pro as Admin, I attempted to generate my own server certificate called "MyIdentity-HTTPS-Server" as well as certificates for "MyIssuer" and "MyFederationProvider" and then replace all of the certificate name lookups and thumbprints with the new values.

I cannot get the new solution to "like" the certificate chain.

Solution is zipped up at:


One example of my attempts to generate the certificates (followed by importing into the "Trusted Root Certification Authorities" store and IIS Server Certificates):

makecert -n "CN=MyIssuer" -r -sv MyIssuer.pvk MyIssuer.cer -sky exchange -pe
pvk2pfx.exe -pvk MyIssuer.pvk -spc MyIssuer.cer -pfx MyIssuer.pfx
makecert -n "CN=MyFederationProvider" -r -sv MyFederationProvider.pvk MyFederationProvider.cer -sky exchange -pe
pvk2pfx.exe -pvk MyFederationProvider.pvk -spc MyFederationProvider.cer -pfx MyFederationProvider.pfx
FindPrivateKey.exe My LocalMachine -n CN=MyIssuer
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\%KEYFROMPREVCMD% /grant "IIS AppPool\identity":R
FindPrivateKey.exe My LocalMachine -n CN=MyFederationProvider
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\%KEYFROMPREVCMD% /grant "IIS AppPool\identity":R

Some resources:
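As an added example (not part of the original post or of the HOL code), the same sequence the post performs with makecert, pvk2pfx, FindPrivateKey and icacls, written in PowerShell, followed by the two checks that usually explain a "chain not liked" failure: an X509Chain build that reports the exact status code (UntrustedRoot, NotTimeValid, and so on) and an ACL check on the private key file. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (New-SelfSignedCertificate is not available on the Windows 7 machine mentioned in the post), an app pool named "identity" as in the post's icacls command, and a CAPI provider so the key lands under the MachineKeys directory the post references.

```powershell
# Added example (not from the original post): create a self-signed issuer
# certificate as the makecert/pvk2pfx sequence does, trust it, grant the
# IIS app pool read access to the private key, then verify the chain and
# the key ACL the way WIF/.NET will see them.
# Assumptions: Windows PowerShell 5.1 on Windows 10 / Server 2016+, run
# elevated; app pool name "identity" taken from the post.
$ErrorActionPreference = 'Stop'

$subject = 'CN=MyIssuer'           # subject from the post
$appPool = 'IIS AppPool\identity'  # app pool identity from the post

# 1. Equivalent of: makecert -n "CN=MyIssuer" -r -sky exchange -pe
#    A CAPI provider with KeySpec KeyExchange stores the key under
#    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, which is the
#    directory the post's icacls command targets.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# 2. Trust the self-signed certificate: copy only its public part into the
#    LocalMachine Trusted Root store (what the post did through the MMC).
$pub = Export-Certificate -Cert $cert -FilePath "$env:TEMP\MyIssuer.cer" -Force
Import-Certificate -FilePath $pub.FullName -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Equivalent of: FindPrivateKey.exe My LocalMachine -n CN=MyIssuer + icacls
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $keyName
icacls $keyPath /grant "${appPool}:R" | Out-Null

# 4. Diagnose the chain. X509Chain.Build returns the precise status flags
#    instead of the generic "certificate chain could not be validated".
function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL/OCSP exists
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint        # value to paste into the config
        Valid      = $ok
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# 5. Confirm the app pool identity really holds an Allow/Read ACE on the key file.
function Test-KeyAccess {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    })
}

Test-CertChain -Certificate $cert
Test-KeyAccess -Path $keyPath -Identity $appPool
```

If Test-CertChain reports UntrustedRoot, the public certificate never reached the LocalMachine Root store (importing into CurrentUser\Root is a common mistake, since IIS runs under a different account); if the chain is valid but Test-KeyAccess returns False, the key was created with a CNG provider and lives under C:\ProgramData\Microsoft\Crypto\Keys rather than the RSA\MachineKeys path, so the icacls grant landed on the wrong file.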