How can I create a test signing certificate?

Published 2019-04-10 18:28

Question:

I'm trying to follow these instructions to create a SAML2 token using WIF.

The instructions say

To supply signing credentials to the SecurityTokenDescriptor, you must first get a reference to the signing certificate as an X509Certificate2 instance. From this you can create a SecurityKeyIdentifier and produce a SigningCredentials instance

The following code is supplied:

X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com ");
SecurityKeyIdentifier ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() });
X509SigningCredentials signingCreds = new X509SigningCredentials(signingCert, ski);
descriptor.SigningCredentials = signingCreds;

I've tried making a test certificate using makecert that includes a subject key identifier, but when I run any certificate that I make through the above code I get the following System.NotSupportedException:

'X509SecurityToken' does not support 'X509SubjectKeyIdentifierClause' creation.

This occurs when calling this line:

new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>()

Now I know the instructions say...

Note: Certificates created with makecert.exe do not include a subject key identifier and thus cannot be used in this manner. You should produce certificates with Windows Server or purchase a certificate from Verisign or an equivalent provider.

...however I've used the argument -eku 2.5.29.14, which I hoped would resolve the issue, and I think this image shows that I've done it right?

Can anyone give me instructions on how I can create a test certificate that I can use to get this code working, or point me in the right direction? I'm also not sure what they mean by "You should produce certificates with Windows Server." Does it mean creating a CSR?

Thanks in advance :)

Answer 1:

IMHO it would be best to simulate a real-world scenario, so make a CA that will issue the certificate used for SAML token generation. You will learn more about PKI and certificates, and solve problems at development time, not production time. But technically it is not required to do it this way.

So what needs to be done:

  1. Download XCA
  2. In XCA make a CA certificate (it already has a CA template, so just use it). A guide can be found here
  3. Issue an end-entity certificate under the CA. A guide can be found here
  4. Export the CA certificate (without the private key) to a file
  5. Import the CA certificate into the Trusted Root store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
  6. Export the issued end-entity certificate with its private key (PKCS#12 format).
  7. Import the end-entity certificate into the Personal store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
  8. Generate a CRL. A guide can be found here
  9. Place the CRL at the location you specified when issuing the end-entity certificate, or place it in the Trusted Root store in LocalMachine
  10. Then X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com "); will work ... probably. If not, you will have to modify the private key permissions (mmc again) so that your account can use the private key from the local machine Personal store.
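As an added example (not part of the question or the answer above), the same CA-then-end-entity procedure done with the built-in New-SelfSignedCertificate cmdlet instead of XCA, from an elevated PowerShell on Windows 10 / Server 2016 or later. The subject name is the one from the question; the CA name, file paths and PFX password are made-up placeholders, and the check at the end confirms that the issued certificate actually carries the Subject Key Identifier extension (OID 2.5.29.14) that the CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() call depends on.

```powershell
# Added example: throwaway CA + end-entity signing certificate with an SKI check.
# Run elevated; it writes to the LocalMachine certificate stores.
$ErrorActionPreference = 'Stop'

# 1. Test root CA in LocalMachine\Personal (CA name is a made-up placeholder).
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=Test SAML Root CA' `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Trust the CA: export the public part only and import it into Trusted Root
#    (answer steps 4 and 5, without the mmc snap-in).
$caFile = Join-Path $env:TEMP 'test-saml-ca.cer'
Export-Certificate -Cert $ca -FilePath $caFile | Out-Null
Import-Certificate -FilePath $caFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. End-entity signing certificate issued by the CA, placed directly in
#    LocalMachine\Personal where CertificateUtil.GetCertificate looks (step 7).
$leaf = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=busta-rpsts.com' `
    -Signer $ca `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 4. The check that matters for the NotSupportedException in the question:
#    the certificate must carry a Subject Key Identifier extension.
$ski = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if (-not $ski) { throw 'Issued certificate has no Subject Key Identifier; WIF cannot build an X509SubjectKeyIdentifierClause from it.' }
"Thumbprint: $($leaf.Thumbprint)"
"SKI:        $(($ski | Select-Object -First 1).Format($false))"

# 5. Optional PKCS#12 export with the private key (answer step 6), e.g. to move
#    the certificate to another machine. Password is a placeholder.
$pfxPassword = ConvertTo-SecureString -String 'CHANGE-ME' -AsPlainText -Force
Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $env:TEMP 'busta-rpsts.pfx') -Password $pfxPassword | Out-Null
```

Steps 8 and 9 of the answer (generating and publishing a CRL) are not covered by this script; the private key permission fix in step 10 still applies if the application runs under an account other than the one that created the certificate.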