Client certificate by example

I never really dealt with client certificate validation. Therefore I try to explain in this post how to order and install a client certificate for use in BizTalk. In this case the client certificate was needed by a housing corporation named Stadgenoot. The client certificate was not requested by Stadgenoot, but by a trading partner that wanted to give access to their webservices. I don’t know why Stadgenoot couldn’t order the user certificate themselves.

The trading partner used GlobalSign as the certificate authority. When creatin the client certificate a temporary password needs to be entered. This password needs to be kept safely because the certified party – in this case Stadgenoot – will need the temporaty password when downloading the certificate. For requesting a client certificate you also need an email address, for example esbbeheer@stadgenoot.nl (not a personal address). To this email address a mail with a download link will be sent. It’s important
that the mailbox is accessible.

Link: GlobalSign

1. Login to your GlobalSign Certificate Center (GCC) account if you already have one, and select the Document, Code and Email Signing tab.
2. Click order, select the desired certificate type and click Next. Note: In this example a PersonalSign Certificate is being ordered.
3. Select the certificate validity, a hash algoritm (SHA-256 is recommended) and click Next. The costs range from $89,- for one year to $199 for three years.
4. Enter the Certificate Identity Details like organization name and email address.
5. Finish the certificate application by responding to a confirmation email.

Now what happens, is that an e-mail is sent to the stadgenoot address.

Dear Mister,

Thank you for your order. Your PersonalSign 1 Certificate is now ready for collection.

IMPORTANT: This email includes details about your order, your account and how to contact us should you need assistance. We suggest that you keep a copy for future reference.

Please follow the Pickup & Install instructions below. If you require assistance please visit:
https://support.globalsign.com/#category_Non-SSL_Installation

YOUR ORDER INFORMATION
————————————————–
Order Number: PC201707206834
Product Type: PersonalSign 1
Cert Common Name: …@stadgenoot.nl
Validity Period: 3 year
Placed by User ID: PAR28819_woningnet
————————————————–

ADDITIONAL CERTIFICATE INFORMATION
————————————————–
Expiration Date: 07/26/2020
Cancellation Period: 08/02/2017
————————————————–

HOW TO INSTALL YOUR CERTIFICATE
————————————————–
You must complete this process on the machine from which you intend to use the Certificate.

IMPORTANT:
Please note you must install your digital certificate within 30 days from issuance, otherwise your order will be automatically cancelled

* Windows 2000 & XP Users: We recommend you use the Internet Explorer or Firefox browsers.
* Windows Vista Users: We recommend you do NOT use Internet Explorer.Please use Firefox (available free of charge from www.mozilla.com) to complete the process. If you have to use Internet Explorer, please click on the link below for detailed instructions on preparing the browser:
www.globalsign.com/support/keygen/microsoft.php

Click on the link below to initiate the Certificate generation and installation process.
https://system.globalsign.com/pc/public/certificate/install.do?p=…

Make sure the above link is unbroken and complete. Copy and Paste the entire link into your browser if necessary.

If you experience any problems during certificate pickup and installation, please contact your service provider.

YOUR ACCOUNT & GCC LOGIN DETAILS
————————————————–
Organisation: WoningNet N.V.
Organisation ID: PAR28819

Login to your GlobalSign Certificate Center (GCC) Account to manage the lifecycle of your certificate. Your Account gives you easy access to renew certificates, buy additional certificates and to revoke or cancel existing certificates if necessary.

Your GCC User Name:
Your GCC Password: As you provided during application
GCC Login URL: https://www.globalsign.com/ssl-login.htm

Thank you for choosing GlobalSign, if you have any questions or issues please do not hesitate to contact us.

Now we come to the part of Stadgenoot. Go to the BizTalk Server, open Internet Explorer and paste the following link (as mentioned in the mail) is the address bar:
https://system.globalsign.com/pc/public/certificate/install.do?p=9b4ea7698cc6eb7010464540d3569d2861726c01 copiëren.
For downloading, you will need the temporary password, that must be provided by the trading partner that ordered the certificate. The pfx certificate, that is the certificate with the private key is downloaded.

Next we need to import the certificate in our certificate store.
– Start/Run MMC
– Open Certificate Store computer account. Use computer account instead of current user, because the certificate will be used by BizTalk. BizTalk will not run under the current user account.
– Right-click personal store and import the downloaded certificate.
– On importing the certificate, you need to enter a password. Note: this is not the same password as the temporary password.
– After import you will see two certificates in your personal store:
…@stadgenoot.nl is the actual client certificate. The lock symbol indicates the private key of the certificate is secured by a password.
GlobalSign PersonalSign 1 CA – SHA256 – G3 is an intermediate certificaat. This certificate can actually be moved to store Intermediate Certification Authorities.

After importing the client certificate, you can double click the certificate to find the serial number. You trading partner can use the serial number to validate the client certificate in case of mutual SSL. This approach can be used in a Apache/Tomcat scenario. Alternatively you can also export the public key certificate. This approach can be used in a .Net scenario.

Leave a Reply

Your email address will not be published. Required fields are marked *