Kentico CMS 7.0 Developer's Guide

Using X.509 authentication


In order to use X.509 authentication, install your own certificates or use our sample ones.

 

Using the sample certificates

 

Kentico CMS is delivered with sample client and server private certificates. In order to install them, do the following on the source server and on the target server:

 

Server certificate

 

Install the server certificate:

 

1. Choose Start -> Run, type mmc and press Enter.

 

2. In the console window, choose File -> Add/Remove Snap-in.

 

3. Choose Certificates and click Add.

 

4. Choose Computer account and click Next.

 


 

5. Choose Local computer (the computer this console is running on) and press Finish.

 

6. Close the Add or Remove Snap-ins window by clicking OK.

 

7. Unfold Certificates (Local Computer) under the console root, right-click Personal and choose All Tasks -> Import... The Certificate Import Wizard starts.

 

8. Import the Server private.pfx file located in C:\Program Files\Kentico CMS\<version>\SampleCertificates.

 

9. Enter the following password for the sample certificate: wse2qs.

 

10. Don't change any other settings and finish the Certificate Import Wizard.

 

11. Now, grant Read permission to the certificate file for the ASP.NET account. Do that by right-clicking the imported WSE2QuickStartServer certificate and choosing All Tasks -> Manage private keys.

 


 

12. Click on Add..., fill in the name of the account and click OK.

 


 

13. Make sure the account's permission is set to Read - Allow and click OK.

 


 

Client certificate

 

Install the client certificate:

 

1. Choose Start -> Run, type mmc and press Enter.

 

2. In the console window, choose File -> Add/Remove Snap-in.

 

3. Choose Certificates and click Add.

 

4. Choose My user account and click Finish.

 


 

5. Close the Add or Remove Snap-ins window by clicking OK.

 

6. Unfold Certificates - Current User under the console root, right-click Personal and choose All Tasks -> Import... The Certificate Import Wizard starts.

 

7. Import the Client private.pfx file located in C:\Program Files\Kentico CMS\<version>\SampleCertificates.

8. Enter the following password for the sample certificate: wse2qs.

9. Don't change any other settings and finish the Certificate Import Wizard.

10. Now you need to grant the Read permission for the certificate file to the ASP.NET account. For the Client certificate, do that using the WseCertificate3.exe tool, which can also be found in the C:\Program Files\Kentico CMS\<version>\Sample Certificates folder.

11. Run the WseCertificate3.exe tool.

12. Choose Current User in the Certificate Location field.

13. Choose Personal in the Store Name field.

14. Click Open Certificate.

15. Choose the WSE2QuickStartClient certificate and click OK.

16. Click View Private Key File Properties... and grant the Read permission for this file to the ASP.NET account.

17. Click on Add..., fill in the name of the account and click OK.

18. Make sure the account's permission is set to Read - Allow and click OK.

 

 


 

Important: Sample certificates

 

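Using the sample certificates is not secure, because the same certificate files and the password shown above are delivered with every Kentico CMS installation, and it's also very slow. It's highly recommended that you use your own certificate issued by a certification authority.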

 

 

Using your own certificates

 

If you're using your own certificates (highly recommended), you will need to update the following values in Site Manager -> Settings -> Versioning & Synchronization -> Staging:

 

Client key ID

Server key ID

 

To get these IDs, you can use the WseCertificate3.exe tool located in C:\Program files\KenticoCMS\<version>\SampleCertificates.

 

1. Run the WseCertificate3.exe tool.

 

2. Choose Local Computer in the Certificate Location field.

 

3. Choose Personal in the Store Name field.

 

4. Click Open Certificate and select either the client or the server certificate. The Key identifiers group now shows the certificate's key identifiers. Use the Windows key identifier (Base64) value in the Kentico CMS settings.

 

 


 

Tip

 

If you encounter problems with content staging when using SSL (X.509), you may try adding the following key to your web.config file:

 

<add key="CMSStagingAcceptAllCertificates" value="true" />

 

This key ensures that all certificates will be accepted, including ones that were not issued by a certification authority. If set to false, only certificates issued by a certification authority will be accepted.
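
The following PowerShell check is an added example, not part of the original guide or of Kentico's own code. It reports whether the sample certificates named on this page are still installed and whether web.config sets CMSStagingAcceptAllCertificates to true; the default web.config path is an assumed placeholder.

```powershell
# Added audit example (not Kentico code). Run it on the source and the target server.
param(
    # Assumption: location of the site's web.config; pass your real path.
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\KenticoCMS\web.config'
)

$findings = @()

# 1. Look for the sample certificates in the two stores this page imports them into.
#    Cert:\CurrentUser\My is the store of the account running this script.
$sampleNames = 'WSE2QuickStartServer', 'WSE2QuickStartClient'
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        foreach ($name in $sampleNames) {
            if ($cert.Subject -like "*$name*") {
                $findings += "Sample certificate '$name' is installed in $store (thumbprint $($cert.Thumbprint))."
            }
        }
    }
}

# 2. Look for the accept-all key from the Tip above in appSettings.
if (Test-Path -LiteralPath $WebConfigPath) {
    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    $acceptAll = $config.configuration.appSettings.add | Where-Object {
        $_.key -ieq 'CMSStagingAcceptAllCertificates' -and
        $_.GetAttribute('value') -ieq 'true'
    }
    if ($acceptAll) {
        $findings += "CMSStagingAcceptAllCertificates is true in $WebConfigPath."
    }
} else {
    Write-Warning "web.config not found at $WebConfigPath; the setting was not checked."
}

# 3. Report the result.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No sample certificates and no accept-all setting found.'
}
```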

 

 

Configuring staging for the use of certificates

 

Now that you have installed and configured the certificates, configure staging inside Kentico CMS to use the certificates for authentication.

 

Target server

 

On the target server, change the staging service authentication as follows:

 

1. Navigate to Site manager -> Settings -> Versioning & Synchronization.

 

2. Under the Staging service (target only) settings group, change the authentication form to X.509.

 

3. Save the settings.

 

4. Note that you need to copy the Client and Server key ID to your source server's settings.

 


 

Source server

 

On the source server, change the settings as follows:

 

1. Navigate to CMS Desk -> Tools -> Staging.

 

2. Choose the Servers tab and Edit the server you want to configure.

 

3. Change Server authentication to X509 and copy the Client and Server key IDs from the target server.

 

4. Save the configuration.

 


 

You have now successfully configured staging in Kentico CMS for the use of certificates in authentication.