Published: 04 Dec 2006
By: Tomas McGuinness

This article is part one in a series of articles designed to get you up and running with Microsoft's CardSpace technology. This part deals with the setup of a high assurance certificate to give you an environment where a CardSpace application can be hosted. It assumes a basic knowledge of IIS and HTML.


With the introduction of .Net Framework 3.0 (WinFX) comes a technology called CardSpace (code-named InfoCard). Microsoft publicized the other three components, WPF, WCF and WF, very well, but CardSpace seems to have slipped under the radar. Plenty of literature has been written about the other three, but CardSpace hasn't gotten nearly as much attention, so I decided to investigate it myself. In a series of articles I hope to cover what’s involved in getting CardSpace set up and to create a sample application so you can get an idea of what CardSpace is all about and what it can do. But first, a little background info.

Windows CardSpace is a technology designed to help eliminate the need for usernames and passwords. Instead, it provides Windows users with digital identities in the form of Cards that users can select and present in a secure and familiar manner. For more background information and a better-than-two-line example, check this. Once I had read through all the spiel it was time to get down and dirty by setting up an example. Microsoft, as usual, provides a lot of samples, walkthroughs and other documentation to help the budding developer get started.

Working samples? Anyone?

My first run at this resulted in two dead ends when the samples I downloaded failed to install properly. Not a good start. I’m putting this down to the fact that these samples were not targeted at the RTM version; rather they were targeted at "RC1 and Beyond". Obviously not as “beyond” as RC1.

Since the samples wouldn’t install correctly, I figured it might not be a bad idea to do it manually (and, since this was my only option…). When things are done automatically by an installer script it’s almost impossible to know what they are doing in the background. I find that by doing things manually you often get a greater insight into what’s happening under the covers, and this usually gives you a better understanding of the whole picture. This comes in handy when something breaks!

High Assurance Certificates

With the release of IE7, Microsoft has introduced support for a new form of SSL certificate called a High Assurance or Extended Validation certificate. Currently, Certificate Authorities (CAs) issue SSL certificates to individuals and companies, but there is no single standard for determining whether a certificate customer is who they claim to be. Different CAs apply varying degrees of checks to determine the identity of the customer, and some have lax standards. What this means to the everyday Joe is that while the padlock they see may ensure that nobody reads the information they send in transit, it doesn’t guarantee that the party at the other end is who it claims to be, or that their information won’t be abused once it arrives. Phishing sites can make great use of this simply by obtaining an SSL certificate. How many people actually open the certificate and check the details of the company they are about to send their details to? I’d wager not too many.

With this in mind, Extended Validation certificates have been created along with a new vetting process, so that every CA applies the same level of scrutiny before such a certificate is issued.

Installing your first High Assurance certificate

So now that you know what a High Assurance certificate is, it’s time to set one up in your IIS. Grab this sample from the website and unpack it into a directory called C:\cardspaces. This should create a sub-directory called certificates which contains four .pfx files. I decided just to install the Fabrikam certificate because I liked the name. Open a management console (type MMC in the Run window) and add the Certificates snap-in (File->Add/Remove Snap-In, click the Add button and choose Certificates; click Add, choose Computer Account, click Next and then Finish). Once you have the Certificates management console open, expand Certificates and right click on Personal. Under All Tasks click Import. The Certificate Import Wizard will launch. Click Next and then browse to the location of the certificate file (you’ll have to change the file type filter in the browse dialog to .pfx/.p12, otherwise the file won’t be listed). Once you’ve selected your certificate click Next, Next, Next and Finish. You should see a message saying the import was successful. You’ve now installed your first (or maybe 100th) certificate.

Here is a screenshot of the Certificate MMC:

It’s now time to assign this certificate to IIS so it can offer an SSL connection. Open the IIS console and navigate to Default Web Site. I’m assuming you’re running IIS 5.1 on XP. IIS 6.0 should be a similar process, but I’ve no idea yet about IIS 7 (I’ve only just installed Vista!). Right click on the Default Web Site and click Properties. In the properties window open the Directory Security tab. From here, click Server Certificate and on the second page select “Assign an existing certificate” and click Next. In the next window you should see the Fabrikam certificate; it should be the only one if you’ve never installed a certificate before. Select it and click Next, Next and Finish. You’ve now installed an SSL certificate for your default IIS web site.

As an exercise open IE7 and navigate to https://localhost. IE7 should prompt you at this point to say the certificate's validity is somewhat questionable and you should see a message like this:

This is correct behavior. You can see there are two errors associated with the certificate: firstly, it wasn’t issued by a CA that we trust, and secondly, it was issued for a different website address. We’ll address these issues now. The Fabrikam certificate we installed was issued by a company called Adatum (a fictitious CA created by Microsoft). Our PC won’t trust this certificate since it can’t chain it up to a CA it already trusts. To get to the next step it’s necessary to install the Adatum certificate into our list of Trusted Root Certification Authorities. This is a similar process to the installation of the Fabrikam certificate. Go back to the Certificates management console, right click on Trusted Root Certification Authorities and click Import (under All Tasks as before). This time, however, select the adatum.sst file in the certificates directory instead of, as you might expect, This is because an .sst file represents a root certificate (a serialized certificate store) and it’s treated differently from normal certificates.

Once you’ve installed the Adatum root certificate, go back to IE7 and refresh the page. You should see that the first error has disappeared and that the only complaint now is the difference in website name. This occurs because the certificate represents and not localhost! To correct this we need to make an entry in the hosts file so that the name on the certificate resolves to the local machine. Open Explorer and navigate to C:\WINDOWS\system32\drivers\etc (again, I’m assuming XP). Open the hosts file using Notepad and make the following addition:

Save the file and close it. In IE7 enter the URL

The background of the address bar in IE7 has changed to indicate that this certificate is fully trusted.
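The same three fixes, scripted in PowerShell as an added example (this is not code from the original article or from Microsoft's sample): it imports the .pfx into the machine's Personal store, checks how the chain builds before and after importing the Adatum root from adatum.sst, and then writes the hosts entry using the name read from the certificate itself rather than a typed-in address. It assumes the sample is unpacked to C:\cardspaces, that the leaf file is named Fabrikam.pfx (the real file name may differ) and that $PfxPassword holds the password shipped with the sample; run it from an elevated prompt.

```powershell
# Added example, not part of the original article or Microsoft's sample.
# Assumptions: sample unpacked to C:\cardspaces, leaf file named Fabrikam.pfx (the real
# file name may differ), $PfxPassword is the password shipped with the sample. Run elevated.
param(
    [string]$CertDir     = 'C:\cardspaces\certificates',
    [string]$PfxPassword = 'CHANGEME'   # placeholder, not the sample's real password
)
$ns = 'System.Security.Cryptography.X509Certificates'

function Get-ChainProblems($cert) {
    # Build the chain the same way the browser does and return the status flags (empty = trusted).
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the fictitious Adatum CA publishes no CRL
    [void]$chain.Build($cert)
    return @($chain.ChainStatus | ForEach-Object { $_.Status })
}

# 1. Fabrikam certificate plus private key -> LocalMachine\Personal (what the MMC import did).
$leafPath = Join-Path $CertDir 'Fabrikam.pfx'
$leaf = New-Object "$ns.X509Certificate2" -ArgumentList $leafPath, $PfxPassword, 'MachineKeySet,PersistKeySet'
$my = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadWrite'); $my.Add($leaf); $my.Close()
"Before trusting Adatum: " + ((Get-ChainProblems $leaf) -join ', ')   # expect UntrustedRoot

# 2. Adatum root -> Trusted Root Certification Authorities. The .sst is a serialized store,
#    so it is loaded through a collection rather than as a single certificate.
$roots = New-Object "$ns.X509Certificate2Collection"
$roots.Import((Join-Path $CertDir 'adatum.sst'))
$rootStore = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite'); $rootStore.AddRange($roots); $rootStore.Close()
"After trusting Adatum:  " + ((Get-ChainProblems $leaf) -join ', ')   # expect an empty list

# 3. IE7 compares the URL's host against the name in the certificate, so map that name
#    (read from the certificate's subject alternative name, falling back to the CN) to 127.0.0.1.
$certHost  = $leaf.GetNameInfo('DnsName', $false)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($certHost)) -Quiet)) {
    Add-Content -Path $hostsFile -Value "127.0.0.1`t$certHost"
}
"Now browse to https://$certHost/ (the IIS binding is still assigned in the IIS console as above)."
```

The first chain check is the programmatic equivalent of IE7's "not issued by a trusted CA" warning, and the hosts entry addresses the name-mismatch warning; the SSL binding itself is still done through the IIS console as described earlier.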


With a high assurance certificate in place, the next step is to set up a small application that allows a user to select and submit an information card to a website. I'll cover the creation of this application in part two of this series.


Microsoft's CardSpace: Part 2 - Creating and using your first identity card
Microsoft’s CardSpace: Part 3 – Using a Card
.Net Framework homepage


About Tomas McGuinness

Tomas McGuinness is currently working as an application developer for Resilient Networks in London and does part-time freelance work on small projects. He has worked primarily in web application development for a variety of companies.

This author has published 4 articles on DotNetSlackers.
