
Creating A Private Key-Public Key Pair

Introduction

We require that you generate your own private key because the one we gave you was
generated by us and sent to you over e-mail, so it was never under your sole control. We want
you to have total control over who has access to this key. To achieve that control, generate a
new private key for your application in Production that is different from the private key it uses
in the Partner Dev/Test environment.

Planning for the New Key

The key that you are about to create is your application’s private key.

• Store it somewhere safe.
• Do not include it in any e-mail messages.
• Limit access to the key to only those people who must have access.

Minimizing the number of servers that hold your key reduces the chance of that key being
compromised. When preparing to go live, you must generate a public certificate that matches
your private key, and then send that certificate to the Microsoft HealthVault team so that it can
be registered on our server. Only the public certificate leaves your organization; the private key
never does.

Deleting the Old Key

If a certificate with this name (from the PFX we sent you) is already installed on the server,
you must uninstall it first; otherwise the old and new certificates, which share the same subject
name, are hard to tell apart.

To uninstall the old PFX:

• Use the MMC script (LM_Personal_Certs.msc) provided in the Downloads section of the
HealthVault MSDN site, right-click the old certificate, and select Delete.

Note: Old certificates are not cleanly deleted if a process currently has them open. You may need
to stop any web server instances that are running before deleting.

Creating the Key Pair

Makecert.exe creates a self-signed certificate with a new private key and installs it on the
machine on which you run makecert, in LocalMachine\My (the Personal store of the local
computer). Makecert also writes the corresponding public certificate, which matches the installed
private key, to the file specified on the command line. The public certificate is DER encoded.

If you lose the file that MakeCert generated, or if you generated your private key in a different
way, you can export a DER-encoded public certificate using the Microsoft Management
Console: the certificate installed in your LocalMachine\My store carries the public certificate, and
the private key is associated with it in that store.

To create the private/public key pair:

1. Find makecert.exe in C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin.
   It is also available in the Downloads section of the HealthVault MSDN site.
2. Using the MakeCert command, generate a certificate with the same name as the one that
   we sent you when your AppId was created:

   makecert.exe "<OutputPath>\<CertFileName>.cer" -a sha1 -n "CN=WildcatApp-<AppId>" -sr LocalMachine -ss My -sky signature -pe -len 2048

   The switches: -n sets the subject name; -sr LocalMachine -ss My installs the certificate and
   its private key in the local computer's Personal store; -sky signature marks the key for
   signing; -pe makes the private key exportable (required for the PFX export below);
   -len 2048 sets the RSA key length; -a sha1 selects the algorithm used to self-sign the
   certificate.

   For example:

   makecert.exe "c:\temp\MyCert.cer" -a sha1 -n "CN=WildcatApp-6296418d-a6c7-418d-84ea-f4c04b9dd1b6" -sr LocalMachine -ss My -sky signature -pe -len 2048

3. Send the resulting CER file to Microsoft. This file contains the DER-encoded public
   certificate, and therefore your public key; it contains no private key material.
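The procedure above, as an added example that is not part of the HealthVault documentation: it runs makecert.exe with the documented switches and then checks what actually landed in the .cer file and in LocalMachine\My before the .cer is sent off. It assumes Windows PowerShell 5.1 in an elevated session, makecert.exe on the PATH, and a placeholder AppId (substitute the one HealthVault issued); the path C:\temp is also an assumption.

```powershell
# Added example, not part of the HealthVault documentation: run makecert.exe with
# the documented switches, then verify the .cer file and the store copy.
# Assumptions: Windows PowerShell 5.1 in an elevated (Administrator) session,
# makecert.exe on PATH, placeholder AppId and output path.
$AppId   = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real AppId
$Subject = "CN=WildcatApp-$AppId"
$CerPath = "C:\temp\WildcatApp-$AppId.cer"

# 1. List anything already in the store with this subject. A leftover Dev/Test
#    certificate has the same CN, so record its thumbprint now: the only safe
#    way to delete or export one of two same-named certificates is by thumbprint.
$existing = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
foreach ($old in $existing) {
    Write-Host ("Existing certificate {0}  NotBefore={1}  HasPrivateKey={2}" -f $old.Thumbprint, $old.NotBefore, $old.HasPrivateKey)
}

# 2. Generate: a self-signed certificate whose private key stays in
#    LocalMachine\My (exportable because of -pe); the public certificate is
#    written DER-encoded to $CerPath.
& makecert.exe $CerPath -a sha1 -n $Subject -sr LocalMachine -ss My -sky signature -pe -len 2048
if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed with exit code $LASTEXITCODE" }

# 3. Check the .cer file: DER begins with the ASN.1 SEQUENCE tag 0x30 (a PEM
#    file would begin with "-----BEGIN"), and it must parse to the expected
#    subject and a 2048-bit public key with no private key attached.
$bytes = [System.IO.File]::ReadAllBytes($CerPath)
if ($bytes[0] -ne 0x30) { throw ("{0} is not DER encoded (first byte 0x{1:X2})" -f $CerPath, $bytes[0]) }
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($pub.Subject -ne $Subject)           { throw "Unexpected subject: $($pub.Subject)" }
if ($pub.PublicKey.Key.KeySize -ne 2048) { throw "Unexpected key size: $($pub.PublicKey.Key.KeySize)" }
if ($pub.HasPrivateKey)                  { throw "The .cer file must not carry a private key" }

# 4. Check the store copy: same thumbprint as the file (so the .cer really is
#    the public half of this key), private key present, and exportable so the
#    PFX export in the next section will work.
$inStore = Get-Item "Cert:\LocalMachine\My\$($pub.Thumbprint)" -ErrorAction Stop
if (-not $inStore.HasPrivateKey) { throw "Store copy has no private key" }
if (-not $inStore.PrivateKey.CspKeyContainerInfo.Exportable) { throw "Private key is not exportable (was -pe given?)" }

Write-Host "New certificate thumbprint $($inStore.Thumbprint); send $CerPath to the HealthVault team."
Write-Host "Keep this thumbprint: use it, not the subject name, to pick the certificate for export."
```

If step 1 shows an old certificate, it can be removed from the same session with Remove-Item on its Cert:\LocalMachine\My\<thumbprint> path instead of through MMC; the note above about stopping web server processes that hold the certificate open still applies.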

Exporting Your Private Key and Installing It on Your Application Server

When Microsoft tells you that the CER has been registered on the server for your AppId, install
the PFX on your application server(s).

To install the PFX:

1. Export instructions (on the machine where you generated the certificate):
   a. Use the MMC script (LM_Personal_Certs.msc) to open Microsoft Management
      Console to the proper place.
   b. Right-click your new certificate.

   Note: If you still have the certificate that we gave you loaded on this box, it will
   be hard to tell the two apart, because both have the same subject name. If you have not
   already done so, run the delete procedure described above, or compare thumbprints before
   exporting.

   c. From the context menu, select All Tasks > Export.
   d. Click Next.
   e. Select Yes, export the private key.
   f. Follow the remaining steps: enter an output filename and choose a strong password to
      protect the exported PFX file, which now contains your private key. Treat the PFX file
      like the key itself: move it to the application server over a secure channel, never by
      e-mail, and delete it once the import has succeeded.
2. Import instructions (on the application server):
   a. Use the same MMC script to open the Management Console.
   b. Under Certificates (Local Computer)\Personal, right-click Certificates.
   c. Select All Tasks > Import.
   d. Use the file that you exported in step 1.
   e. Choose to place the certificate in the Personal store.
3. Use WinHttpCertCfg to grant the NetworkService account the permission it needs to
   use this private key:

   WinHttpCertCfg.exe -g -a NetworkService -c Local_Machine\My -s "WildcatApp-<AppId>"

   Grant this right only to the account the application actually runs as. Because -s selects the
   certificate by subject name, make sure the old certificate with the same name has been
   removed before you run this command.
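The export, import and permission steps above, as an added example that is not part of the HealthVault documentation. It selects the certificate by thumbprint rather than by subject (so a leftover Dev/Test certificate with the same CN cannot be exported by mistake), imports the PFX on the application server without the exportable flag, runs the documented WinHttpCertCfg grant, and then checks the grant independently on the key container's file ACL. Assumptions: Windows PowerShell 5.1 in an elevated session on both machines, the PKI module's Export-PfxCertificate and Import-PfxCertificate cmdlets available, WinHttpCertCfg.exe on the PATH, a placeholder AppId and thumbprint, and a CSP (not CNG) key, which is what makecert produces.

```powershell
# Added example, not part of the HealthVault documentation: export the private
# key to a password-protected PFX, import it on the application server, grant
# NetworkService access with WinHttpCertCfg.exe, and verify the resulting ACL.
# Assumptions: Windows PowerShell 5.1 (elevated), PKI module cmdlets present,
# WinHttpCertCfg.exe on PATH, placeholder AppId/thumbprint/paths, CSP key.
$AppId      = "00000000-0000-0000-0000-000000000000"         # placeholder
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"     # placeholder: from the generating machine
$PfxPath    = "C:\temp\WildcatApp-$AppId.pfx"                # placeholder path
$PfxPwd     = Read-Host -AsSecureString "Password to protect the PFX"

# --- On the machine where the key was generated -------------------------------
# Select by thumbprint, never by subject: an old Dev/Test certificate carries the
# same CN, and exporting the wrong one ships the wrong key to production.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPwd | Out-Null
# Copy $PfxPath to the application server over a secure channel (not e-mail).

# --- On the application server ------------------------------------------------
# Import into LocalMachine\My. -Exportable is deliberately omitted so nobody who
# can open the store on this server can pull the key back out as a PFX.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPwd
if ($imported.Thumbprint -ne $Thumbprint) { throw "Imported thumbprint $($imported.Thumbprint) does not match $Thumbprint" }

# Documented step: grant the worker identity read access to the private key,
# then list the accounts WinHttpCertCfg now sees on it (-l).
& WinHttpCertCfg.exe -g -a NetworkService -c LOCAL_MACHINE\My -s "WildcatApp-$AppId"
if ($LASTEXITCODE -ne 0) { throw "WinHttpCertCfg.exe -g failed with exit code $LASTEXITCODE" }
& WinHttpCertCfg.exe -l -c LOCAL_MACHINE\My -s "WildcatApp-$AppId"

# Independent check: a CSP machine key lives as a file under MachineKeys, and
# the grant must show up there as an Allow ACE for NETWORK SERVICE.
$container = $imported.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$ace = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq "NT AUTHORITY\NETWORK SERVICE" -and $_.AccessControlType -eq "Allow"
}
if (-not $ace) { throw "NETWORK SERVICE has no Allow ACE on $keyFile" }
Write-Host ("NETWORK SERVICE rights on key container: {0}" -f ($ace.FileSystemRights -join ", "))

# Housekeeping: the PFX on disk is a second copy of the private key. Remove it
# now that the import succeeded.
Remove-Item $PfxPath -Force
```

Run the first half on the generating machine and the second half on the application server. The ACL check is the one to keep in a go-live checklist: the private key being present in the store is not enough, the process identity must be able to open it, and that is what WinHttpCertCfg -g adds.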
