"Software + Services" is Microsoft's representation of what a large part of the future of computing is going to be. Microsoft, however, has not done a great job of explaining what "Software + Services" is.

Based on what I have read and heard, let me try to explain it as I see it.

The fundamental question that one has to ask is "Where does computation happen?"

The obvious answer to everyone today is: "Everywhere".

 We compute on mobile devices, appliances, desktops and laptops, and remote computers. We communicate with text and voice.

Everybody understand this. The key question is: "Why?"

I think the answer is because "Hardware is cheap, and data is expensive to move."

The late Jim Gray did an analysis¹ of the economics of distributed computing. His analysis came to two conclusions:

1. Put the computation near the data. Unless you have something that is very compute intensive, it is much cheaper to not move the data.
2. If you need data from multiple sites, push the processing closer to the data source by filtering the data early.

The assumption here is that telecommunication prices drop slower than Moore's Law.  So far this has always been the case.

The natural conclusion is to do the computation where the data naturally resides. In other words: Do what makes sense. Some things will be in the cloud, some things will still be on the desktop. As long as Internet connectivity is not ubiquitous, and not always connected, you may have to cache data somewhere. Depending on the mission criticality of your application, a few seconds could be a long time.

As Ray Ozzie put it in his MIX Keynote, we live in a "World of small pieces loosely joined."

Software + Services means some things will be services in the cloud, others will be software as we know it today.  That includes mobile devices and appliances that we are learning to love and hate, just as we have always done with traditional software.

1. MSR-TR-2003-24 "Distributed Computing Economics"

To further simplify the example, let us assume that the we want to use the certificate to encrypt a message from the client to the service. It is easy to apply what we discuss here to other scenarios.

 

As we discussed in the previous post, we need to generate two certificates, the root certificate that represents the Certificate Authority, and the certificate that represents the identity of the client or service. We will also create a Certificate Revocation List (CRL).

 

We will use a tool called makeCert to generate our certificates. Makecert, which ships with the .NET platform,  allows you to build an X509 certificate that can be used for development and testing. It does three things:

1. Generates a public and private key

2. It associates the key pair with a name

3. It binds the name with the public key.

 

Many of the published examples use makecert to both create and install the certificate. We will do the installation in a separate step because this approach is closer to the use of real certificates.  Separating the certificates also allows the certificates to be installed on many machines instead of just one. This makes distributing certificates to developer machines much easier.

 

First we will create the Root Certificate with the following command:

 

makecert -sv RootCATest.pvk -r -n "CN=RootCATest" RootCATest.cer

 

-n specifies the name for the root certificate authority. The convention is to prefix the name with "CN=" where CN stands for "Common Name"

-r indicates that the certificate will be a root certificate because it is self-signed.

-sv specifies the file that contains the private key. The private key will be used for signing certificates issued by this certificate authority. Makecert will ask you for a password to protect the private key in the file.

 

The file RootCATest.cer will just have the public key. It is in the  Canonical Encoding Rules (CER) format. This is the file that will be installed on machines as the root of the trust chain.

 

Next we will create a certificate revocation list.

 

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl

 

-crl indicates we are creating a revocation list

-n is the name of the root certificate authority

-r indicates that this is the CRL for the root certificate, it is self-signed

-sv indicates the file that contains the private key

 

RootCATest.crl is the name of the CRL file.

 

At this point we could install the root certificate, but we will wait until we finish with the certificate we will use in our scenario.  Here we need two files. We will need a CER file for the client machine so that we can install the public key associated with the service. Then we will create a PKCS12  format file that will be used to install the public and private key in the service.

 

The initial step is :

 

makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=TempCert" -sv  TempCert.pvk -pe -sky exchange TempCert.cer

 

-n specifies the name for the certificate

-sv specifies the file for the certificate. This must be unique for each certificate created. If you try to reuse a name, you will get an error message .

-iv specifies the name of the container file for the private key of the root certificate created in the first step.

-ic specifies the name of the root certificate file created in the first step

-sky specifies what kind of key we are creating. Using the exchange option enables the certificate to be used for signing and encrypting the message.

-pe specifies that the private key is exportable and is included with the certificate. For message security is this required because you need the corresponding private key. 

 

The name of the CER file for the certificate is specified at the end of the command.

 

Now we need to create the PKCS12 file. We will use a the Software Publisher Certificate Test Tool to create a Software Publisher's Certificate. You use this format to create the PKCS12 file using the pvkimprt tool.

 

cert2spc TempCert.cer TempCert.spc

pvkimprt -pfx TempCert.spc TempCert.pvk

 

We now have four files:

 

RootCATest.cer

RootCATest.crl

TempCert.cer

TempCert.pvk

 

The next step is to install these on the appropriate machines. I could not get certmgr to work properly to do an automated install.  The Winhttpcertcfg tool works for PKCS12 format files, but not CER format files. We will use the MMC snap-in for this.

 

 

Run the mmc snapin tool (type mmc in the Run menu). First we will open the Certificates snap-in.  Choose: Add/Remove Snap-In.

 

 

Then Add the Certficate Snap-In.

 

 

 

When you add the snap-in, choose local computer account for the computer you want to install the certificate (usually the local one).




We want to install the root certificate on both the client and service machines  in the Trusted Root Certificate Store. 

 

 

 

Select that store, right mouse click and install both the RootCATest.cer and RootCATest.crl files.  On the client side you want to install only the public key in the TempCert.cer file.  On the service side only you want to install the PKCS12 format file (TempCert.pvk) which has the private key for the certificate. Install that in the Personal store. For private key installation you will have to provide the password for the PKCS12 file.

 

On the service side, we need to give the identity of the running process (NETWORK SERVICE) the rights to read the private key. We use two tools FindPrivateKey and cacls to do this. Run the following command:

 

for /F "delims=" %%i in ('FindPrivateKey.exe My LocalMachine -n "CN=TempITNCert" -a') do (cacls.exe "%%i" /E /G "NT AUTHORITY\NETWORK SERVICE":R)

 

Remember to delete these certificates when you are finished with them.