Re: Problems enabling SSL on AD
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 20 Jan 2007 23:27:03 -0600
Something got hosed between the request for the certificate and the actual
receipt of it. You probably have the private key on your machine somewhere
(since you requested the certificate based on a key pair you generated), but
somehow when the cert from the CA came back, it didn't get properly
associated with the original request, so Windows doesn't know that the cert
you have belongs to the private key.
If you don't have the private key, you can't do SSL, so the cert is
basically useless.
I'd suggest asking what to do over on ms.public.platformsdk.security to see
if there is a way to recover from this situation. Ideally, there is some
way you can get the issued certificate associated with the private key you
already have and then you are fine. That would be better than starting
over. However, starting over and trying again might be easier.
Having a p12 or pfx file for the cert is always the most flexible option, as
you can then install it anywhere you like. The private key and cert travel
together. However, they are also the most dangerous thing from a security
perspective for exactly the same reason that they are the most convenient.
Security is always like that. :)
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"ohaya" <ohaya@xxxxxxx> wrote in message
news:e3q89AQPHHA.4260@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
We've been trying to enable SSL on our AD system. We followed procedure
at:
http://support.microsoft.com/kb/321051
Prior to doing anything, we imported the CA and SubCA certs on the AD
machine using the MMC Certificates snap-in.
Then, we created the cert request using certreq, submitted the request to
the SubCA, and saved the server cert that the SubCA issued.
We got an error (don't remember what) when we tried to do the "certreq -accept", so then we used the MMC Certificate snap-in to import the server
cert into Local Computer/Personal.
We restarted the AD machine, but even after that, when we test SSL using
ldp.exe, we cannot connect.
When we double-click on the server cert in MMC Certificate snap-in on the
AD machine, the server cert looks ok, so I'm puzzled by why the SSL is
still not working.
I did note that when we double-click on the cert, the text "You have a
private key that corresponds to this certificate" is *NOT* displayed, and
I also note that in the article above, one of the requirements is:
"A private key that matches the certificate is present in the Local
Computer's store and is correctly associated with the certificate.
The private key must not have strong private key protection
enabled."
So, I'm thinking that the problem is that we don't have the private key
associated with the server cert, but I don't know why not?
I thought that when we created the cert request using certreq.exe, that
would cause a private key to be created and stored, but we must
be doing something wrong.
Can anyone here tell me what step we missed and how we create/store the
private key that that article is talking about?
Thanks in advance,
Jim
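An added example to go with the exchange above (it is not part of the thread, and not Joe's, Jim's or Microsoft's code): a PowerShell check for the exact condition Joe describes, a certificate in Local Computer/Personal that Windows cannot pair with a private key. The `HasPrivateKey` property is what the MMC's "You have a private key that corresponds to this certificate" line reflects, and ldp.exe SSL cannot work for such a certificate. For each orphaned certificate the script asks `certutil -repairstore` to look for the key left behind by the original `certreq -new` and re-link it, which is the "get the issued certificate associated with the private key you already have" outcome Joe hopes for. It assumes an elevated PowerShell prompt on the domain controller and that the key from the request is still in the machine key store; the store path and the subject filter are assumptions you may change.

```powershell
# Added example, not from the thread. Run elevated on the AD machine.
# Lists certificates in Local Computer/Personal that have no associated private key
# and tries to re-link each one with a key still present in the machine key store.

function Get-CertsWithoutPrivateKey {
    param(
        # Assumed store: Local Computer/Personal, where Jim imported the server cert.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, SerialNumber, NotAfter
}

function Repair-CertPrivateKeyLink {
    param([Parameter(Mandatory)][string]$SerialNumber)
    # certutil -repairstore searches the machine key store for the key pair
    # that matches the certificate's public key and re-associates it.
    # It succeeds only if the key generated by the original request still exists;
    # if it fails, the key is gone and the request has to be redone from scratch.
    & certutil.exe -repairstore my $SerialNumber
    return ($LASTEXITCODE -eq 0)
}

$orphans = @(Get-CertsWithoutPrivateKey)
if ($orphans.Count -eq 0) {
    Write-Host 'Every certificate in LocalMachine\My has an associated private key.'
} else {
    Write-Host "Certificates without a private key ($($orphans.Count)):"
    $orphans | Format-Table -AutoSize

    foreach ($c in $orphans) {
        Write-Host "Attempting repair for '$($c.Subject)' (serial $($c.SerialNumber))"
        if (Repair-CertPrivateKeyLink -SerialNumber $c.SerialNumber) {
            Write-Host '  repair reported success; re-check below'
        } else {
            Write-Host '  repair failed: the original key is not in the machine store, redo the request'
        }
    }

    # Re-check: anything still listed here cannot be used for LDAP over SSL.
    Write-Host 'Still without a private key after repair:'
    Get-CertsWithoutPrivateKey | Format-Table -AutoSize
}
```

If the re-check comes back empty, reopen the certificate in the MMC snap-in and confirm the "You have a private key" line now appears, then restart the AD machine and retest with ldp.exe as in the KB article. If the repair fails, a fresh `certreq -new` / submit / `certreq -accept` cycle on the same machine is the only way forward, since the key the SubCA certified no longer exists there.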