Managing certificates is usually opaque. Where and how should the keys (private and public) be managed? What should the permissions be? Which password, and stored where? The list of questions gets long as soon as you want to set up a trust relationship between two parties.

Using the AttributeQuery feature in a circle of trust requires deploying certificates between the IdP and the SP. The configuration allows different certificates for signing and/or encrypting messages in general, and for signing/encrypting specific messages such as the AttributeQuery request and response. The X.509 certificate is specified in the "RoleDescriptor" section of the service provider descriptor (sp.xml) and in the "AttributeAuthorityDescriptor" section of the identity provider descriptor (idp.xml) that together form the circle of trust. And this is where the difficulties appear: different operating systems and platforms have to exchange signed/encrypted messages with each other.

What you currently find in the OpenSSO documentation is long descriptions detailing how to set up this configuration. They usually mix user-interface steps with command-line operations specific to the platform. There are a lot of manual operations, and the whole process is error-prone.

In the following script, I replaced all the UI operations with their command-line equivalents to generate, transform, find and deploy a certificate in a Windows environment. I tested it and use it on Windows 7; some executable paths or options may differ between Windows versions (7, Vista, XP, Server, etc.), but now that you know the "key words" for each operation you should be able to adapt it to your environment (script below).


Coming back to the AttributeQuery feature: once this script has run successfully, the user only has to copy/paste the Base64-encoded certificate into the sp.xml file, then import it into the IdP before starting the example (the sampleApp ASP.NET application provided in the OpenSSO package).

The batch file, named generate_certi.bat, follows:

@echo off
echo.
echo Clean:
rem =====
rem Remove the artefacts of a previous run (.pvk, .cer, .pfx, .inf).
del /F MyFedlet.*

rem Windows SDK locations (adjust to your drive and SDK version).
set msdk=s:\Program Files\Microsoft SDKs\Windows\v7.0A
set msdk71=s:\Program Files\Microsoft SDKs\Windows\v7.1
rem Do not quote the whole value: the quotes would become part of PATH.
set path=%path%;S:\Windows\Microsoft.NET\Framework\v4.0.30319

echo.
echo Generate the self-signed certificate:
rem ======================================
rem -r self-signed, -pe exportable private key, -sky exchange so the key can be
rem used for encryption as well as signing, -sv writes the password-protected
rem private key to the .pvk file. Newer SDK versions of makecert accept
rem -a sha256; prefer it over sha1 where available.
echo - Enter password in pop up window.
"%msdk%\bin\makecert.exe" -r -a sha1 -pe -n "CN=Fedlet" -sky exchange -sv MyFedlet.pvk MyFedlet.cer

echo.
echo Transform the certificate in a Windows readable format:
rem ========================================================
rem Bundle the private key (.pvk) and the certificate (.cer) into one PKCS#12
rem (.pfx) file. Without -po the .pfx inherits the .pvk password.
echo - Enter password in pop up window.
if EXIST MyFedlet.cer ("%msdk%\bin\pvk2pfx.exe" -pvk MyFedlet.pvk -spc MyFedlet.cer -pfx MyFedlet.pfx
) else (
echo MyFedlet.cer file not generated
goto end)

echo.
echo Add the certificate to the Personal Store:
rem ===========================================
rem -f overwrites an existing entry; -p "" passes an empty .pfx password.
rem If the .pfx is password protected, omit -p so certutil prompts for it.
echo - Enter password in pop up window.
if EXIST MyFedlet.pfx ( "%WinDir%\system32\certutil.exe" -importpfx -f -p "" MyFedlet.pfx
) else (
echo MyFedlet.pfx file not generated
goto end)

echo.
echo Change the Certificate Friendly name:
rem ======================================
rem Property 11 is CERT_FRIENDLY_NAME_PROP_ID; certutil -repairstore can apply
rem this .inf to the imported store entry.
echo [Version] > MyFedlet.inf
echo Signature = "$Windows NT$">> MyFedlet.inf
echo [Properties]>> MyFedlet.inf
echo 11 = {text}fedlet>> MyFedlet.inf
rem get the certificate serial number (used to address the entry in the store)
"%WinDir%\system32\certutil.exe" -dump MyFedlet.cer | "%WinDir%\system32\find.exe" "Serial Number" >s.tmp
rem read the first line of s.tmp into %serial% (note the input redirection)
set /p serial=<s.tmp
type s.tmp | "%WinDir%\system32\find.exe" "%SystemDrive%" >s1.tmp
type s.tmp | "%WinDir%\system32\find.exe" "-" >s2.tmp
set /p certDir=
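The same pipeline with the PKI cmdlets, as an added example that is not part of the original post or of the OpenSSO package: it generates the self-signed key pair straight into the LocalMachine Personal store with the friendly name set at creation (so the .inf/serial-number dance is not needed), exports the .pfx and the .cer, and prints the serial number, the thumbprint and the Base64 DER for the <ds:X509Certificate> element of sp.xml. It assumes Windows 10 / Server 2016 or later (where New-SelfSignedCertificate accepts -Subject, -KeySpec and -FriendlyName), an elevated PowerShell session, and the current directory as output location; the subject CN=Fedlet and the friendly name fedlet are taken from the batch file, and the KeyDescriptor wrapper is the standard SAML 2.0 metadata form, not something specific to the Fedlet.

```powershell
# Added example (not from the original post): generate_certi.bat rewritten with
# the PKI cmdlets of Windows 10 / Server 2016 and later.
# Assumptions: PKI module present, elevated session (LocalMachine store),
# output written to the current directory.
$ErrorActionPreference = 'Stop'

$subject      = 'CN=Fedlet'          # same subject as the makecert call
$friendlyName = 'fedlet'             # same value the .inf sets for property 11
$outDir       = (Get-Location).Path
$pfxPath      = Join-Path $outDir 'MyFedlet.pfx'
$cerPath      = Join-Path $outDir 'MyFedlet.cer'

# PFX password is asked interactively; never hard-code it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Self-signed certificate created directly in the Personal store.
#    Replaces makecert (-r -pe -sky exchange) + pvk2pfx + certutil -importpfx.
#    SHA-256 / 2048-bit RSA instead of makecert's SHA-1 default.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -FriendlyName $friendlyName `
    -NotAfter (Get-Date).AddYears(2)

# 2. Export the .pfx (certificate + private key) and the DER .cer (public part
#    only, the file handed to the IdP).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT            | Out-Null

# 3. Values needed for the Fedlet configuration: the serial number (what the
#    batch file scrapes out of certutil -dump), the thumbprint (handy to find
#    the entry again with certutil -store my) and the Base64 DER body that goes
#    into <ds:X509Certificate> in sp.xml.
$base64Cert = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')

"Serial number : $($cert.SerialNumber)"
"Thumbprint    : $($cert.Thumbprint)"
"Friendly name : $($cert.FriendlyName)"
"PFX           : $pfxPath"
"CER           : $cerPath"
@"
<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
$base64Cert
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
"@
```

Run it once, paste the printed KeyDescriptor into the RoleDescriptor of sp.xml and give MyFedlet.cer to the IdP. The .pfx carries the private key: it only needs to leave the machine if the Fedlet runs on another host, and it should be deleted from the output directory once imported there.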