WCF Certificates with IIS on Windows 7 Beta

I’ve blogged earlier about the problems with Cassini and WCF on Windows 7 Beta (build 7000), and your best bet is to install IIS locally and test your services in there. Now, there might be some problems getting IIS to read your service certificate and my colleague Tomas helped me get things running. I thought I might as well blog it here so that I got it documented…

Open a VS2008 Command Prompt (I ran it as administrator) and create a certificate, then add it to your local store:

makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=localhost -sky exchange -pe

certmgr.exe -add -r LocalMachine -s My -c -n localhost -r CurrentUser -s TrustedPeople

Then you have to give IIS access to the certificate's private key, and Tomas found some sample code that lets you do that. The FindPrivateKey.exe source code is available on MSDN. Keep working in the command prompt:

FindPrivateKey.exe My LocalMachine -n "CN=localhost"

Note the output for private key directory and filename, for example:

Private key directory: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Private key file name: 288538e27a2aebe9f77d2506bf6c836a_adf55683-4eae-4544-bbd1-d6844a44e538

Then pass them to the final call, which gives the default IIS user group read access to the private key file, for example:

CACLS.exe C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\288538e27a2aebe9f77d2506bf6c836a_adf55683-4eae-4544-bbd1-d6844a44e538 /E /G "IIS_IUSRS":R

That should be it, and it worked on our machines.
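The FindPrivateKey and CACLS steps can also be done in one pass from an elevated PowerShell prompt. This is an added example, not part of the original post or the MSDN sample; it assumes the certificate came from the makecert call above (a CSP key stored under MachineKeys) and uses icacls, whose /grant adds an entry to the existing ACL.

```powershell
# Added example: locate the private key file of the CN=localhost certificate
# and grant IIS_IUSRS read access to it. Run elevated.
$subject = 'CN=localhost'   # subject used in the makecert call
$account = 'IIS_IUSRS'      # group granted access in the post
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Running makecert more than once leaves several certificates with the same
# subject, so collect every match instead of taking the first one blindly.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey })

if ($certs.Count -eq 0) {
    throw "No certificate with a private key found for $subject"
}
if ($certs.Count -gt 1) {
    $certs | Format-Table Thumbprint, NotBefore, NotAfter -AutoSize |
        Out-String | Write-Host
    throw "More than one match for $subject; remove the stale ones first"
}
$cert = $certs[0]

# makecert creates a CSP key; only those live as files under RSA\MachineKeys.
$rsa = $cert.PrivateKey
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'Private key is not a CSP key; it is not stored under RSA\MachineKeys'
}

# Same file name that FindPrivateKey.exe reports.
$keyFile = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) {
    throw "Key file not found: $keyFile"
}

# /grant adds a read entry and leaves the existing entries in place.
& icacls.exe $keyFile /grant "${account}:R"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Print the resulting ACL so the new entry can be checked.
& icacls.exe $keyFile
```

The final listing should still show the entries that were on the key file before the grant, plus the new read entry for IIS_IUSRS.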
