Re: makecert

Hmm, that's pretty weird. Are you logged in as admin? I think if I were
you, I'd start over by asking at the security.crypto newsgroup to see if
anyone knows what these obscure errors are. I've never done them and I'm
not enough of a PKI nerd to just know. :) The badly broken theory may be
true, but it is often more the case that something is just slightly hosed.

You do need to have IIS installed in order to use this tool. All it really
does is generate a self-signed certificate and private key with the correct
flags and OIDs for SSL, install them in the right place in the crypto
containers for IIS to use them (personal store for the machine account) and
then configure the IIS metabase to use that certificate on the primary
website (the only one if you are using XP, since XP can only have one). For
you, the configuration of IIS isn't important. You just want the
cert set up correctly. Makecert can do that too, but it is just a little
more complex to get the right arguments and stuff.

I wouldn't worry about anything in IIS getting hosed unless you had SSL
configured on the primary web site. If that was true, you'd need to undo
that in the IIS MMC by putting the previous cert back.

To export the cert, the easiest way to do it is with the GUI using the
certificates MMC snap-in. You can get this going by doing Start->Run,
"mmc.exe", and then using the Add Snap-in menu to add the Certificates
snap-in (choose the machine account store on the local machine). You would
find the cert that was created in the personal store and can then export it
by right clicking to get to the context menu. Follow the options to get a
p12 or pfx file (same thing) by exporting the cert with the private key.
You can then import it into the personal store for the ADAM service account
and do whatever else you want with the file.

I hope this provides some additional details that will help.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
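The procedure Joe describes across his two replies (a self-signed cert with the SSL OIDs, the private key placed in the machine's Personal store, a CN that matches the DNS name clients will use, and an export with the private key to a PFX/P12 file for the ADAM service account) can be done in one script on current Windows versions. The script below is an added example for this thread, not something from the original posts or from the IIS resource kit; it uses the built-in PowerShell PKI cmdlets (Windows 10 / Server 2016 or later) instead of makecert or selfssl. The host name, output path and one-year validity are assumed placeholders, and it must run from an elevated prompt because it writes to the LocalMachine store.

```powershell
# Added example (not from the thread): create a self-signed SSL certificate for
# an ADAM/LDAPS host, store it in Cert:\LocalMachine\My, verify the name and key,
# and export cert + private key to a PFX (.p12 and .pfx are the same format).
# Run elevated. $dnsName and $pfxPath are assumed placeholder values.

$dnsName     = 'adam01.corp.example'       # must equal the name clients will connect to
$pfxPath     = 'C:\temp\adam01-ldaps.pfx'  # assumed output path
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what makes the cert
# usable for SSL; an exportable key is required to carry it into the PFX.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -Subject "CN=$dnsName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Checks matching the advice in the thread: the subject CN (or a SAN entry)
# must match the DNS name, and a private key must be attached.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($cert.Subject -ne "CN=$dnsName" -and $san -notmatch [regex]::Escape($dnsName)) {
    throw "Certificate name does not match $dnsName; LDAPS clients will reject it."
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the certificate.'
}

# Export certificate and private key to PFX, the equivalent of the MMC
# "export with private key" step.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# On the ADAM host, import the PFX while running as the ADAM service account so
# it lands in that account's Personal store (Cert:\CurrentUser\My), which is
# where ADAM looks first:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

"Created $($cert.Subject) thumbprint $($cert.Thumbprint); exported to $pfxPath"
```

The name check is the part worth keeping even if you generate the certificate some other way: a CN or SAN that differs from the host name clients type is the most common reason an LDAPS connection to ADAM fails after the certificate is otherwise installed correctly.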
"LM" <merrittf@xxxxxxxx> wrote in message
news:1163721215.871560.205840@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for the response, Joe. I downloaded the IIS toolkit and
installed SELFSSL (only). As you can see from the following, when I
ran it, it failed to generate the cryptographic key, an error message
suspiciously similar to the 'Can't create the key of the subject
('424cc447-a7dd-4f3a-b215-bf703499b5d4')' error I get from MAKECERT.
Perhaps something is badly broken(?) Wish I knew more about how it all
works.

'C:\a\IISResourceKitTools\SelfSSL>selfssl/T /P:636
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?y
Failed to generate the cryptographic key: 0x5'


Couple quick questions: Do I need to have IIS up and running to use
SELFSSL? Hope not, that's a lot more than I care to get into.

Also, being new to this, I'm not sure exactly what the implication of
the question 'Do you want to replace the SSL settings for site 1
(Y/N)?' is, but it sure sounds as though you might hose yourself
somehow.

Last, assuming I can get the thing made, I'm not sure how to export the
key to a .P12 file, either.

Thanks again,

lm


Joe Kaplan wrote:
I think it is much easier to use selfssl.exe from the IIS 6 resource kit for
generating one-off SSL certs and I've used that for ADAM before too. The
cert will get installed on the local machine and configured in IIS, but you
can always reuse it for ADAM. Exporting the cert with private key into a
p12 file will allow you to reinstall it wherever you need to using the certs
MMC.

Technically, it is better to install the cert with private key in the ADAM
service account's store than in the machine store. That's where ADAM will
look for it first.

Also, make sure the CN on the cert matches the DNS name you'll be using to
connect to ADAM, or your clients will generally fail to connect via SSL
since the name on the cert won't match the name they requested in their
connection.

I think Lee Flight posted a good article on ADAM SSL in this newsgroup that
Google will be able to uncover for you.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"LM" <merrittf@xxxxxxxx> wrote in message
news:1163701392.770655.108410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Folks,

I found steps to enable SSL for ADAM by generating certificates with
MAKECERT here:

http://blogs.msdn.com/cjacks/archive/2005/11/15/493122.aspx

Alas, my understanding of the details of certificates and how they work
with ADAM is limited (referrals to good ref material always very
welcome).

Didn't work the first time, no surprise, but now when I try again, I
get the following error from makecert:

'C:\Program Files\Microsoft.NET\SDK\v2.0\Bin>makecert -pe -n "CN=Test and Dev Root Authority2" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test and Dev Root Authority2.cer"
Error: Can't create the key of the subject ('424cc447-a7dd-4f3a-b215-bf703499b5d4')
Failed'

This same command line succeeded the first time, but now fails whether
I try to use the same names or new ones. I deleted the first certs
using MMC and also the files in 'C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'. No joy.

Anyone else had this trouble and know how to fix it? If these are just
self-signed certificates, I suppose I could use keytool instead(?)

Of course, any other tips or advice related to enabling SSL for ADAM
also very welcome.

Many thanks,

Lincoln
