Installing the Security Administration Certificates
The actual certificate files reside in a Certs folder
beside the scripts. Install these files on your application servers. They must all be
installed in the Computer Account’s Personal certificate store and the private key for
the imported PFX certificates must be readable by the NETWORK SERVICE user. In addition,
the Root certificate must be imported into the Trusted Root Certificate Authorities
store so that cert chains can be validated appropriately.
Install the following certificates (location specified for each certificate):
- WKFS.STSv3.Administration: Personal\Certificates
- WKFS.STSv3.Key.Protection: Personal\Certificates
- WKFS.STSv3.OIDC.SigningCertificate: Personal\Certificates and Trusted People\Certificates
- WKFS.STSv3.RootCA: Personal\Certificates and Trusted Root Certificate Authorities\Certificates
- WKFS.STSv3.ServiceAccount.Certificate: Personal\Certificates
- WKFS.STSv3.Tests: Personal\Certificates
The generated certificates consist of the following:

| Certificate Name | Location | Description | Exportable? |
|---|---|---|---|
| wkfs-sts-root-ca.pfx (WKFS.STSv3.RootCA) | Personal\Certificates and Trusted Root Certificate Authorities\Certificates | The root certificate authority used to sign all other certificates; it must also be placed in the Trusted Root Certificate Authorities store. Private (PFX) Cert. | Yes* |
| wkfs-sts-oidc-signing.pfx (WKFS.STSv3.OIDC.SigningCertificate) | Personal\Certificates and Trusted People\Certificates | The certificate used to sign all JWT tokens. Private (PFX) Cert. | Yes* |
| wkfs-sts-oidc-signing.crt (NOT USED) | NA | NA | NA |
| wkfs-sts-key-protection.pfx (WKFS.STSv3.Key.Protection) | Personal\Certificates | Used to encrypt token keys in the database. Private (PFX) Cert. | Yes* |
| wkfs-sts-admin.client.crt (WKFS.STSv3.Administration) | Personal\Certificates | Used to authenticate the Security Administration application's client. Security Cert. | No |
| wkfs-sts-test-client.crt (WKFS.STSv3.Tests) | Personal\Certificates | Used to authenticate tests for the HealthCheck page (https://server/STSAdministration/HealthCheck). Security Cert. | No |
| wkfs-sts-service-account-client.crt (WKFS.STSv3.ServiceAccount.Certificate) | Personal\Certificates | Used to authenticate a generic resource owner client. Authenticating with this client (Client Id: wk.serviceaccount_resourceowner) allows passing the credentials of a user other than the logged-in user. This is useful when a particular user workflow needs elevated permissions or, more likely, when a process runs without a user context. Security Cert. | No |
| OspreyApplicationIdentity | Personal\Certificates | Used to run core services; should already be created. Private (PFX) Cert. | No |
Note: *To make a certificate exportable, select the Mark this key as exportable option in the
Certificate Import Wizard dialog for that certificate. This allows you to back up or transport
the key later.
The following certs should have access to the private keys (through Manage Private Keys):
- WKFS.STSv3.Key.Protection
- WKFS.STSv3.OIDC.SigningCertificate
- WKFS.STSv3.RootCA
- OspreyApplicationIdentity
Verify you have the certificates imported in the following locations:
- WKFS.STSv3.RootCA in the Trusted Root Certificate Authorities store
- WKFS.STSv3.OIDC.SigningCertificate in the Trusted People store
Note: It is not necessary to purchase these certificates; use the scripts to generate them. The
only certificate you are required to purchase is your SSL certificate.
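The import, private-key permission and verification steps above, as an added PowerShell example (not part of the original guide or its scripts). It assumes the Certs folder sits beside the script with the file names from the table, one shared PFX password, and that the names in parentheses appear in each certificate's Subject; the key-file folders under %ProgramData%\Microsoft\Crypto are the standard locations and are an assumption for your build.

```powershell
# Added example, not part of the original guide: imports the generated certificates,
# grants NETWORK SERVICE read access to the private keys, and checks the trust stores.
# Assumes: run elevated; Certs folder beside this script; one shared PFX password; the
# names in parentheses appear in each Subject; keys live under %ProgramData%\Microsoft\Crypto.
$certsDir    = Join-Path $PSScriptRoot 'Certs'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$svcAccount  = 'NT AUTHORITY\NETWORK SERVICE'

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    # Same effect as "Manage Private Keys" in the MMC: add a Read ACE on the key container file.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No private key found for $($Cert.Subject)" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {   # CNG key store
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {                                                 # legacy CAPI key store
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
}

function Copy-PublicPart {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$StoreName)
    # Place only the public certificate (no key) in a trust store such as Root or TrustedPeople.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cert.Export('Cert'))))
    $store.Close()
}

# PFX files go to Computer Account > Personal, marked exportable as the table requires.
$imported = 'wkfs-sts-root-ca.pfx', 'wkfs-sts-oidc-signing.pfx', 'wkfs-sts-key-protection.pfx' | ForEach-Object {
    Import-PfxCertificate -FilePath (Join-Path $certsDir $_) -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword -Exportable
}
$imported | ForEach-Object { Grant-PrivateKeyRead -Cert $_ -Account $svcAccount }
Copy-PublicPart -Cert ($imported | Where-Object Subject -like '*WKFS.STSv3.RootCA*') -StoreName 'Root'
Copy-PublicPart -Cert ($imported | Where-Object Subject -like '*WKFS.STSv3.OIDC.SigningCertificate*') -StoreName 'TrustedPeople'

# Client (.crt) certificates: Personal only; they carry no private key to grant.
'wkfs-sts-admin.client.crt', 'wkfs-sts-test-client.crt', 'wkfs-sts-service-account-client.crt' | ForEach-Object {
    Import-Certificate -FilePath (Join-Path $certsDir $_) -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
}
# OspreyApplicationIdentity already exists; it only needs the key permission.
$osprey = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Subject -like '*OspreyApplicationIdentity*' | Select-Object -First 1
if ($osprey) { Grant-PrivateKeyRead -Cert $osprey -Account $svcAccount }
# Verification the guide asks for: both commands must list an entry.
Get-ChildItem 'Cert:\LocalMachine\Root'          | Where-Object Subject -like '*WKFS.STSv3.RootCA*'
Get-ChildItem 'Cert:\LocalMachine\TrustedPeople' | Where-Object Subject -like '*WKFS.STSv3.OIDC.SigningCertificate*'
```

If either verification command prints nothing, the corresponding import did not land in the trust store and the chain validation described above will fail.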