Re: IIS 6.0 SSL Certificate Difficulties
From: Bill Bean (Bean_at_discussions.microsoft.com)
Date: 11/07/04
Date: Sat, 6 Nov 2004 19:15:02 -0800
"Bernard" wrote:
> I haven't actually looked at the MachineKeys folder when generating a CSR.
> That is just a plain text file with encrypted details of your server.
>
> Have you actually repeated the export and import steps?
> From the log it looks like many details are missing; I would remove
> the cert and redo it again.
No, we really do know how to create, import and apply certificates. It
turns out that the problem was that some account needs 'Bypass traverse
checking' rights for this to work. (I haven't figured out exactly which one
yet, at the moment I have it down to one of the following: SYSTEM, SERVICE,
LOCAL SERVICE, NETWORK SERVICE, IUSR..., IWAM...)
It seems that changes between Windows 2000 Server and Windows 2003 Server
have greatly increased the number of accounts that must be allowed to bypass
traverse checking.
Bill Bean
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
>
> "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> news:D0CB2E2F-3979-4702-9E75-EDC9EFB73A79@microsoft.com...
> >
> >
> > "Bernard" wrote:
> >
> > > This is very clear that :
> > > #WARNING: You DON'T have a private key that corresponds to this certificate
> > >
> > > when you export it, do you export the private key as well ?
> > >
> > > remove this cert, re-export with private key and import again.
> >
> > We did export with the private key. (We have done this before too :) The
> > diagnostic tool says that we DON'T have a private key but when we view the
> > certificate from the IIS Snap-in it says that "You have a private key that
> > corresponds to this certificate." Same if we view the certificate using the
> > Certificates Snap-in.
> >
> > Another symptom is that when we create the request on the 2003 server, the
> > certreq.txt file has a long string of A's in the middle. When we create the
> > request on another machine, it only has a short string of A's (maybe five or
> > six).
> >
> > When we create the request a file is created in C:\Documents and
> > Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. I
> > thought that this was the private key?
> >
> > My guess - and it is just a guess - is that somehow the private key is being
> > created but that it is corrupt.
> >
> > Bill Bean
> >
> > >
> > >
> > > --
> > > Regards,
> > > Bernard Cheah
> > > http://www.tryiis.com/
> > > http://support.microsoft.com/
> > > http://www.msmvps.com/bernard/
> > >
> > >
> > >
> > > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > > news:08A07406-D8F0-4BDF-8D72-72A47948E147@microsoft.com...
> > > >
> > > >
> > > > "Jacqueline Jaynes [MSFT]" wrote:
> > > >
> > > > > The results from the SSLDiag basically say that the certificate is invalid.
> > > > > Run thru the following article:
> > > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;228984
> > > > >
> > > > > It explains how to generate a certificate using Certificate Authority.
> > > >
> > > > We know how to generate certificate requests and issue the certificates. We
> > > > have done this many times. The problem is specific to the one Windows 2003
> > > > server (we have other Windows 2003 servers that work perfectly). We have
> > > > configured this server as a very secure bastion host. A similar
> > > > configuration on Windows 2000 worked without problems. But we are unable to
> > > > install a certificate successfully on the secure 2003 machine.
> > > >
> > > > We assume that this is a problem with ACLs or some other security setting.
> > > > We have tried to give the Everyone account administrator privileges prior to
> > > > requesting/installing the certificate, to no avail.
> > > >
> > > > We have also run filemon to examine file access requests while we are
> > > > requesting/installing the certificate. We do not see any failed requests.
> > > >
> > > > We have also set auditing on all files to report failures, and don't find
> > > > any problems in the event logs.
> > > >
> > > > Any suggestions would be greatly appreciated.
> > > >
> > > > Bill Bean
> > > >
> > > >
> > > > >
> > > > > Hope this helps
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Jackie Jaynes [MSFT]
> > > > > Microsoft IIS
> > > > > JackieJa@online.microsoft.com
> > > > >
> > > > > Please do not send email directly to this alias. This
> > > > > is our online account name for newsgroup participation only.
> > > > >
> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> > > > > reserved.
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
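
Added example, not part of the thread or of any poster's message: one way to see which principals hold the 'Bypass traverse checking' right (`SeChangeNotifyPrivilege`) on a hardened host, by parsing the `[Privilege Rights]` section of a `secedit` user-rights export and checking it against the built-in accounts the reply lists. The function name `Get-UserRightHolders` and the sample export lines are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example; Get-UserRightHolders is a hypothetical helper, not a built-in cmdlet.
function Get-UserRightHolders {
    param(
        [Parameter(Mandatory = $true)] [string[]] $InfLines,
        [string] $Right = 'SeChangeNotifyPrivilege'   # "Bypass traverse checking"
    )
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
    $line = $InfLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return @() }                    # right is granted to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $e = $entry.Trim()
        if (-not $e) { continue }
        if ($e.StartsWith('*')) {                     # secedit writes SIDs as *S-1-...
            $sid = $e.Substring(1)
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {                                      # some accounts are exported by name
            [pscustomobject]@{ Sid = $null; Name = $e }
        }
    }
}

# Well-known SIDs of the built-in accounts named in the reply.
$expected = [ordered]@{
    'S-1-5-18' = 'SYSTEM'
    'S-1-5-6'  = 'SERVICE'
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
}

# Constructed sample of a locked-down export. On a live host, replace with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf"
$inf = @(
    '[Privilege Rights]',
    'SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-18',
    'SeNetworkLogonRight = *S-1-5-32-544'
)

$holders = @(Get-UserRightHolders -InfLines $inf)
foreach ($sid in $expected.Keys) {
    $status = if ($holders.Sid -contains $sid) { 'granted' } else { 'MISSING' }
    '{0,-16} {1,-10} {2}' -f $expected[$sid], $sid, $status
}
# IUSR_... and IWAM_... are local accounts with per-machine SIDs, so match them by name.
$holders | Where-Object { $_.Name -match '(^|\\)(IUSR|IWAM)_' } |
    ForEach-Object { "$($_.Name) granted" }
```

The check reports direct grants only; an account can also receive the right through a group that holds it, so read a MISSING result together with the full holder list in `$holders`.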