Re: IIS 6.0 SSL Certificate Difficulties

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 11/07/04


Date: Sun, 7 Nov 2004 09:24:00 +0800

I haven't actually looked at the MachineKeys folder when generating a CSR.
That is just a plain text file with encrypted details of your server.

Have you actually repeated the export and import steps?
From the log it looks like many details are missing; I would remove
the cert and redo it again.

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
news:D0CB2E2F-3979-4702-9E75-EDC9EFB73A79@microsoft.com...
>
>
> "Bernard" wrote:
>
> > This is very clear that :
> > #WARNING: You DON'T have a private key that corresponds to this certificate
> >
> > when you export it, do you export the private key as well ?
> >
> > remove this cert, re-export with private key and import again.
>
> We did export with the private key.  (We have done this before too :)  The
> diagnostic tool says that we DON'T have a private key but when we view the
> certificate from the IIS Snap-in it says that "You have a private key that
> corresponds to this certificate."  Same if we view the certificate using the
> Certificates Snap-in.
>
> Another symptom is that when we create the request on the 2003 server, the
> certreq.txt file has a long string of A's in the middle.  When we create the
> request on another machine, it only has a short string of A's (maybe five or
> six).
>
> When we create the request a file is created in C:\Documents and
> Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.  I
> thought that this was the private key?
>
> My guess - and it is just a guess - is that somehow the private key is being
> created but that it is corrupt.
>
> Bill Bean
>
> >
> >
> > -- 
> > Regards,
> > Bernard Cheah
> > http://www.tryiis.com/
> > http://support.microsoft.com/
> > http://www.msmvps.com/bernard/
> >
> >
> >
> > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > news:08A07406-D8F0-4BDF-8D72-72A47948E147@microsoft.com...
> > >
> > >
> > > "Jacqueline Jaynes [MSFT]" wrote:
> > >
> > > > The results from the SSLDiag basically say that the certificate is invalid.
> > > >   Run thru the following article:
> > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;228984
> > > >
> > > > It explains how to generate a certificate using Certificate Authority.
> > >
> > > We know how to generate certificate requests and issue the certificates.
> > > We have done this many times.  The problem is specific to the one Windows
> > > 2003 server (we have other Windows 2003 servers that work perfectly).  We
> > > have configured this server as a very secure bastion host.  A similar
> > > configuration on Windows 2000 worked without problems.  But we are unable
> > > to install a certificate successfully on the secure 2003 machine.
> > >
> > > We assume that this is a problem with ACLs or some other security setting.
> > > We have tried to give the Everyone account administrator privileges prior
> > > to requesting/installing the certificate, to no avail.
> > >
> > > We have also run filemon to examine file access requests while we are
> > > requesting/installing the certificate.  We do not see any failed requests.
> > >
> > > We have also set auditing on all files to report failures, and don't find
> > > any problems in the event logs.
> > >
> > > Any suggestions would be greatly appreciated.
> > >
> > > Bill Bean
> > >
> > >
> > > >
> > > > Hope this helps
> > > >
> > > > Thank you,
> > > >
> > > > Jackie Jaynes [MSFT]
> > > > Microsoft IIS
> > > > JackieJa@online.microsoft.com
> > > >
> > > > Please do not send email directly to this alias. This
> > > > is our online account name for newsgroup participation only.
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >  You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> > > > reserved.
> > > >
> > > >
> >
> >
> >
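
Added example (not part of the original thread or written by any of its participants): a PowerShell check for the mismatch discussed above, where the snap-ins report a private key but a diagnostic tool cannot use it. It assumes PowerShell 3 or later is available on the server; the function name Test-CertPrivateKey is hypothetical, and the default folder is the MachineKeys path quoted in the thread.

```powershell
param(
    # MachineKeys path as quoted in the thread (Windows Server 2003 layout).
    # Assumption: pass -MachineKeys for other Windows versions.
    [string]$MachineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

function Test-CertPrivateKey {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$KeyDir
    )
    $result = [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # the store says a key is associated
        KeyOpens      = $false                # the key container could actually be opened
        KeyFile       = $null
        KeyFileAcl    = $null
        Error         = $null
    }
    if (-not $Cert.HasPrivateKey) { return $result }
    try {
        # Opening the key touches the container itself; this is where a
        # missing, unreadable or damaged key file shows up as an exception.
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $result.KeyOpens = $true
            $file = Join-Path $KeyDir $key.CspKeyContainerInfo.UniqueKeyContainerName
            if (Test-Path -LiteralPath $file) {
                $result.KeyFile    = $file
                $result.KeyFileAcl = (Get-Acl -LiteralPath $file).Access |
                    ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
            }
        } else {
            $result.Error = 'Key is not a CAPI RSA key; container file not resolved.'
        }
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

# Report on every certificate in the local machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertPrivateKey -Cert $_ -KeyDir $MachineKeys } |
    Format-List
```

A row with HasPrivateKey true but KeyOpens false, or with no KeyFile found, is the case to investigate; the KeyFileAcl column shows which accounts can read the key file.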

