Re: makecert
- From: "LM" <merrittf@xxxxxxxx>
- Date: 16 Nov 2006 15:53:35 -0800
Thanks for the response, Joe. I downloaded the IIS toolkit and
installed SELFSSL (only). As you can see from the following, when I
ran it, it failed to generate the cryptographic key, an error message
suspiciously similar to the 'Can't create the key of the subject
('424cc447-a7dd-4f3a-b215-bf703499b5d4')' error I get from MAKECERT.
Perhaps something is badly broken(?) Wish I knew more about how it all
works.
'C:\a\IISResourceKitTools\SelfSSL>selfssl/T /P:636
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 1 (Y/N)?y
Failed to generate the cryptographic key: 0x5'
Couple quick questions: Do I need to have IIS up and running to use
SELFSSL? Hope not, that's a lot more than I care to get into.
Also, being new to this, I'm not sure exactly what the implication of
the question 'Do you want to replace the SSL settings for site 1
(Y/N)?' is, but it sure sounds as though you might hose yourself
somehow.
Last, assuming I can get the thing made, I'm not sure how to export the
key to a .P12 file, either.
Thanks again,
lm
Joe Kaplan wrote:
I think it is much easier to use selfssl.exe from the IIS 6 resource kit for
generating one-off SSL certs and I've used that for ADAM before too. The
cert will get installed on the local machine and configured in IIS, but you
can always reuse it for ADAM. Exporting the cert with private key into a
p12 file will allow you to reinstall it wherever you need to using the certs
MMC.
Technically, it is better to install the cert with private key in the ADAM
service account's store than in the machine store. That's where ADAM will
look for it first.
Also, make sure the CN on the cert matches the DNS name you'll be using to
connect to ADAM, or your clients will generally fail to connect via SSL
since the name on the cert won't match the name they requested in their
connection.
I think Lee Flight posted a good article on ADAM SSL in this newsgroup that
Google will be able to uncover for you.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"LM" <merrittf@xxxxxxxx> wrote in message
news:1163701392.770655.108410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Folks,
I found steps to enable SSL for ADAM by generating certificates with
MAKECERT here:
http://blogs.msdn.com/cjacks/archive/2005/11/15/493122.aspx
Alas, my understanding of the details of certificates and how they work
with ADAM is limited (referrals to good ref material always very
welcome).
Didn't work the first time, no surprise, but now when I try again, I
get the following error from makecert:
'C:\Program Files\Microsoft.NET\SDK\v2.0\Bin>makecert -pe -n "CN=Test and Dev Root Authority2" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority2.cer"
Error: Can't create the key of the subject ('424cc447-a7dd-4f3a-b215-bf703499b5d4')
Failed'
This same command line succeeded the first time, but now fails whether
I try to use the same names or new ones. I deleted the first certs
using MMC and also the files in 'C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'. No joy.
Anyone else had this trouble and know how to fix it? If these are just
self-signed certificates, I suppose I could use keytool instead(?)
Of course, any other tips or advice related to enabling SSL for ADAM
also very welcome.
Many thanks,
Lincoln
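The steps Joe describes (a cert in the local machine store whose CN matches the DNS name clients will use, with a private key that can be exported to a .p12 file for the ADAM service account's store) as an added example using the modern PowerShell PKI cmdlets instead of makecert/selfssl; this is not code from the thread. The host name 'adam01.corp.example' and the output path are assumed placeholders.

```powershell
# Added example, not from the thread: PowerShell PKI-module equivalent of the
# makecert/selfssl steps discussed above (run from an elevated prompt).
# Assumed placeholder values:
$DnsName = 'adam01.corp.example'   # the name clients will put in the LDAPS connection
$PfxPath = 'C:\temp\adam-ssl.p12'  # PKCS#12 file to import via the certificates MMC

# 1. Create a self-signed cert whose subject/SAN is exactly the DNS name used to
#    connect. Writing to LocalMachine\My needs admin rights; an "Access denied"
#    style failure here is a permissions problem, not a certificate problem.
$cert = New-SelfSignedCertificate -DnsName $DnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable

# 2. Verify the two things the reply warns about before trusting the cert.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; a .p12 export would be useless."
}
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $cert.GetNameInfo($nameType, $false)
if ($certName -ne $DnsName) {
    throw "Certificate name '$certName' does not match '$DnsName'; SSL clients will reject it."
}

# 3. Export certificate plus private key to a PKCS#12 (.p12/.pfx) file so it can be
#    imported into the ADAM service account's personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .p12 file'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

Write-Host "Created '$($cert.Subject)' (thumbprint $($cert.Thumbprint)); exported to $PfxPath"
```

Import the resulting file while logged on as (or using the certificates MMC targeted at) the ADAM service account, since that is the store ADAM checks first.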