Walkthrough: Creating a Certificate and User Roles for Service Provider Foundation


Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 R2 Orchestrator

This walkthrough shows how to administer important tasks for managing both certificates and user roles in Service Provider Foundation. To start, we show how to generate a self-signed certificate if you are not already working with an issuer's signed certificate. Next, we show how to obtain the certificate's public key, and how to use that key to create the tenant in Service Provider Foundation and user roles in System Center 2012 – Virtual Machine Manager (VMM).

This walkthrough is organized into the following sections and procedures. The procedures are designed to be performed sequentially, although they contain the information that you need to run them individually as needed. These procedures are tasks for the hoster administrator to perform.

Section                               Procedures
Create a certificate                  To create a self-signed certificate for a tenant
Obtain and export keys                To export the public key
                                      To export the private key
                                      To obtain the public key in Windows PowerShell
Create the tenant and its user roles  To create a tenant with the certificate's public key
                                      To create a tenant administrator role in VMM
                                      To create a tenant self-service user role

Create a certificate

The following procedure describes how to create a certificate for a tenant by using makecert.exe (Certificate Creation Tool).

To create a self-signed certificate for a tenant

  1. Open a command prompt as administrator.

  2. Generate the certificate by running the following command:

    makecert -r -pe -n "cn=contoso.com" -b 07/12/2012 -e 09/23/2014 -ss My -sr CurrentUser -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sky exchange  
    

    This command puts the certificate in the Current User Certificate Store.

To access the certificate that you created

  1. On the Start screen, type certmgr.msc and then in the Apps results click certmgr.msc.

  2. In the certmgr window, click Certificates - Current User, open the Personal folder, and then open the Certificates folder to view the certificate that you just generated.

Obtain and export keys

The procedures in this section show how to export public and private keys from certificate files. You associate a public key with a tenant in Service Provider Foundation so that claims made by, or on behalf of, that tenant can later be validated. This section also includes a procedure that shows how to obtain the public key directly in your PowerShell session.

To export the public key

  1. Open your certificates folder to view the certificate as described in the To access the certificate that you created procedure.

  2. Right-click the certificate, click All Tasks, and then click Export.

  3. After the Welcome page, on the Export Private Key page, choose No, do not export the private key and then click Next.

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER) and then click Next.

  5. On the File to Export page, specify a path and filename for the certificate and then click Next.

  6. On the Completing the Certificate Export Wizard page, click Finish.

To export the private key

  1. Open your certificates folder to view the certificate as described in the To access the certificate that you created procedure.

  2. Right-click the certificate, click All Tasks, and then click Export.

  3. After the Welcome page, on the Export Private Key page choose Yes, export the private key and then click Next.

    If the Yes option is disabled, that is because the makecert command to create the certificate did not include the -pe option.

  4. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option, check the Include all certificates in the certification path if possible check box and then click Next.

  5. On the Security page, select the Password: option, provide and confirm a password, and then click Next.

  6. On the File to Export page, specify a path and filename for the certificate and then click Next.

  7. On the Completing the Certificate Export Wizard page, click Finish.

To obtain the public key in Windows PowerShell

  1. You can obtain the public key directly from an exported public key certificate file (.CER) by using the .NET Framework cryptography classes. Run the following commands to obtain the key from the certificate's public key file that you exported in the To export the public key procedure.

    PS C:\> $path = "C:\Temp\tenant4D.cer"  
    
    PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)  
    
    PS C:\> $key = [Convert]::ToBase64String($cert.RawData)  
    

    The next procedure uses the $key variable that you just created.
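    The following script is an added example, not part of the original walkthrough. It performs the same three steps as the commands above, but first checks that the exported .CER file is currently valid, contains no private key, and matches (by thumbprint) the certificate that makecert placed in the Current User store, so the key you hand to Service Provider Foundation is the one you intend. The path C:\Temp\tenant4D.cer is the walkthrough's placeholder and is assumed here.

```powershell
# Added example (not from the original walkthrough): validate the exported
# public certificate before turning it into the tenant key.
# Assumption: the .CER was exported to C:\Temp\tenant4D.cer as in the
# "To export the public key" procedure.
$path = "C:\Temp\tenant4D.cer"

# A .CER exported with "No, do not export the private key" holds the public
# certificate only, so HasPrivateKey is expected to be $false.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

# Refuse a certificate that is not yet valid or has already expired; SPF would
# otherwise be trusting an issuer whose claims cannot be validated for long.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw ("Certificate {0} is outside its validity period ({1:d} - {2:d})." -f `
        $cert.Subject, $cert.NotBefore, $cert.NotAfter)
}

if ($cert.HasPrivateKey) {
    Write-Warning "The file contains a private key; use the public-only .CER export for the tenant key."
}

# Confirm this file is the certificate makecert created, matching on thumbprint
# rather than on the subject name (several certificates can share a subject).
$inStore = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    throw "No certificate with thumbprint $($cert.Thumbprint) was found in Cert:\CurrentUser\My."
}

# Show what the tenant will trust. For a self-signed certificate the issuer
# equals the subject.
"Subject   : {0}" -f $cert.Subject
"Issuer    : {0}" -f $cert.Issuer
"NotAfter  : {0:u}" -f $cert.NotAfter
"Thumbprint: {0}" -f $cert.Thumbprint

# Same value the walkthrough stores in $key: the Base64 encoding of the
# DER-encoded certificate, which is what the next procedure passes to -Key.
$key = [Convert]::ToBase64String($cert.RawData)
$key
```

    Run it in the same session in which you will create the tenant, so that $key is available to the New-SCSPFTenant command in the next procedure.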

Create the tenant and its user roles

Service Provider Foundation does not create user roles or define their scope (such as clouds), resources, or actions. Instead, the New-SCSPFTenantUserRole cmdlet creates an association between a tenant and a user role name. Creating that association also generates an ID, which you then supply as the ID of the corresponding role when you create it in System Center 2012 – Virtual Machine Manager.

You can also create user roles by using the Admin OData protocol service, as described in the Service Provider Foundation Developer's Guide.

To create a tenant with the certificate's public key

  1. Run the System Center 2012 Service Provider Foundation Command Shell as Administrator.

  2. Enter the following command to create the tenant. This command assumes that the $key variable contains the public key as obtained from the To obtain the public key in Windows PowerShell procedure.

    PS C:\> $tenant = New-SCSPFTenant -Name "contoso.cloudspace.com" -IssuerName "contoso.cloudspace.com" -Key $key  
    
  3. Verify that the public key for the tenant was imported successfully by running the following command and viewing the results:

    PS C:\> Get-SCSPFTrustedIssuer  
    

    The next procedure uses the $tenant variable that you just created.

To create a tenant administrator role in VMM

  1. Enter the following command, and confirm the prompt to change the execution policy of the Windows PowerShell command shell:

    PS C:\> Set-ExecutionPolicy RemoteSigned  
    
  2. Enter the following command to import the Virtual Machine Manager module:

    PS C:\> Import-Module virtualmachinemanager  
    
  3. Use the Windows PowerShell New-SCUserRole cmdlet to create the user role. This command assumes the $tenant variable was created as described in the To create a tenant with the certificate's public key procedure.

    PS C:\> $TARole = New-SCUserRole -Name contoso.cloudspace.com -ID $tenant.Id -UserRoleProfile TenantAdmin  
    

    Warning

    If the user role was previously created by using the VMM Administration Console, its permissions are overwritten by those specified by the New-SCUserRole cmdlet.

  4. Verify that the user role was created by checking that it is listed under User Roles in the Settings workspace of the VMM Administration Console.

  5. Define the following for the role by selecting the role and clicking Properties on the toolbar:

    • On the Scope tab, select one or more clouds.

    • On the Resources tab, add any resources such as templates.

    • On the Actions tab, select one or more actions.

    Repeat this procedure for every server assigned to the tenant.

    The next procedure uses the $TARole variable that you just created.

To create a tenant self-service user role

  1. Enter the following command to create a self-service user in Service Provider Foundation for the tenant you created in the To create a tenant with the certificate's public key procedure.

    PS C:\> $TenantSSU = New-SCSPFTenantUserRole -Name ContosoCloudSpaceSSU -Tenant $tenant   
    
  2. Create the corresponding tenant user role in VMM by entering the following command:

    PS C:\> $vmmSSU = New-SCUserRole -Name ContosoCloudSpaceVMMSSU -UserRoleProfile SelfServiceUser -ParentUserRole $TARole -ID $TenantSSU.ID  
    
  3. Verify that the user role was created by checking that it is listed under User Roles in the Settings workspace of the VMM Administration Console. Notice that the parent of the role is the tenant administrator.

Repeat this procedure as needed for the tenant.
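The following script is an added example, not part of the original walkthrough, that runs the three procedures above (tenant, tenant administrator role, self-service role) as one sequence and checks after each step that the ID generated on the Service Provider Foundation side is the ID the VMM role actually received, which is the link the Service Provider Foundation relies on. It assumes $key from the public-key procedure, a Service Provider Foundation Command Shell running as Administrator with the VMM module available, and the walkthrough's placeholder names. The Name property on Get-SCSPFTrustedIssuer output and the ParentUserRole property on VMM user role objects are assumed here.

```powershell
# Added example (not from the original walkthrough): create the tenant and its
# VMM roles, verifying the SPF-to-VMM ID mapping at each step.
# Assumptions: $key already holds the Base64 public certificate; the names
# below are the walkthrough's placeholders.
$ErrorActionPreference = 'Stop'
Import-Module virtualmachinemanager

$tenantName = "contoso.cloudspace.com"

# 1. Tenant in SPF, keyed on the certificate's public key.
$tenant = New-SCSPFTenant -Name $tenantName -IssuerName $tenantName -Key $key

# Confirm the trusted issuer was registered, by name rather than by reading
# the whole list (assumes the issuer object exposes a Name property).
$issuer = Get-SCSPFTrustedIssuer | Where-Object { $_.Name -eq $tenantName }
if (-not $issuer) { throw "Trusted issuer '$tenantName' was not registered." }

# 2. Tenant administrator role in VMM, created with the SPF tenant's ID so the
#    two systems refer to the same principal.
$TARole = New-SCUserRole -Name $tenantName -ID $tenant.Id -UserRoleProfile TenantAdmin
if ($TARole.ID -ne $tenant.Id) {
    throw "VMM TenantAdmin role ID $($TARole.ID) does not match SPF tenant ID $($tenant.Id)."
}

# 3. Self-service user: the SPF association comes first (it generates the ID),
#    then the VMM role with that ID and the tenant administrator as its parent.
$TenantSSU = New-SCSPFTenantUserRole -Name ContosoCloudSpaceSSU -Tenant $tenant
$vmmSSU = New-SCUserRole -Name ContosoCloudSpaceVMMSSU -UserRoleProfile SelfServiceUser `
              -ParentUserRole $TARole -ID $TenantSSU.ID

if ($vmmSSU.ID -ne $TenantSSU.ID) {
    throw "VMM self-service role ID $($vmmSSU.ID) does not match SPF tenant user role ID $($TenantSSU.ID)."
}
# Assumes the VMM user role object exposes its parent as ParentUserRole.
if ($vmmSSU.ParentUserRole.ID -ne $TARole.ID) {
    throw "The self-service role is not parented to the tenant administrator role."
}

# Summary of what was created. Scope, resources and actions are still defined
# in the VMM Administration Console as described in the procedure.
[pscustomobject]@{
    Tenant        = $tenant.Name
    TenantId      = $tenant.Id
    TrustedIssuer = $issuer.Name
    TenantAdmin   = $TARole.Name
    SelfService   = $vmmSSU.Name
    SelfServiceId = $vmmSSU.ID
}
```

Because $ErrorActionPreference is set to Stop, a failed cmdlet halts the script before a later role is created against an ID that does not exist in Service Provider Foundation; rerun the script only after removing any partially created objects.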

See Also

Manage Certificates and User Roles in Service Provider Foundation
Administering Service Provider Foundation
Recommended Administrator Capabilities in Service Provider Foundation
Configuring Portals for Service Provider Foundation