Re: SSL on Web server

From: John Spaith [MS] (jspaith_at_ONLINE.microsoft.com)
Date: 06/15/04


Date: Tue, 15 Jun 2004 15:17:55 -0700

Hmm... it's very odd that your certs are not importing correctly. This
should just work. A few ideas:

(1) Can you import the .cer file on your desktop machine? To do this, go to
iexplore, Tools-> Internet Options, select the Content tab, then
certificates button, then import. If this fails then the cert was bogus.

(2) If (1) succeeded, if you have a full debug build could you turn on
debugzones for rsaenh.dll and crypt32.dll and see if anything interesting
spits out of them.

(3) Make sure the clock on your CE device is accurate. Maybe (though I
doubt this) a cert may be getting rejected if your clock is way off.

With regards to making enroll.exe work with server certs, you're correct
that there's not a way to do this. It actually may be possible in theory to
change the enroll.cfg and fill out a few of the custom fields and make this
just work, but unfortunately CE team doesn't have the resources at the
present moment to get this going. I do apologize that CE doesn't have a
better story on enroll.exe and that you've been wasting time messing around
with this.

As far as programmatically installing certificates without enroll (you'd need
to get the cert on your own), the source code to the cert control panel applet
is in \public\wceshellfe\oak\ctlpnl\cplmain\certcpl.cpp. In particular, see
ImportPrivateKey() and ImportCertOrKeyFromFile().

-- 
John Spaith
Software Design Engineer, Windows CE
Microsoft Corporation
Have an opinion on the effectiveness of Microsoft Embedded newsgroups?  Let
us know!
https://www.windowsembeddedeval.com/community/newsgroups
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2003 Microsoft Corporation. All rights
reserved.
"Hadim" <madjidhadim@hotmail.com> wrote in message
news:94a75331.0406110904.24ebe26b@posting.google.com...
> Hi,
>
> Thank you for your help, but I tried this and it did not work at all.
> I was able to generate my two files .cer & .pvk; but when I do the import
> with the Certificates control panel utility, nothing happens, I did it
> many times!
> I am using Windows 2000 server, I tried with both a stand alone CA,
> and enterprise CA...
>
> Is there any application I can write to let enroll send a request for
> ServerAuth! It seems that enroll supports only User and ClientAuth
> templates!
>
> Hadim
>
> "John Spaith [MS]" <jspaith@ONLINE.microsoft.com> wrote in message
> news:<eJQlYRxTEHA.1048@tk2msftngp13.phx.gbl>...
> > Here are instructions that will work if your device has a UI and control
> > panel.  We're looking right now at how to get SSL certs on headless devices
> > in a relatively easy fashion (i.e. with enroll.exe).  This can be a very
> > hard problem because you want the certificate subject name to be the same as
> > the machine itself.  If a user changes the machine name then you'd have to
> > get a new cert, for example.
> >
> > HOW TO SETUP SERVER CERTIFICATE FOR WINCE WEB SERVER/SSL ON A DISPLAY BASED
> > DEVICE
> > Stage I - Getting the certificate
> > (1) Open http://<Server>/certsrv/ (This is a cert server running
> > Windows 2000 or Windows 2003 that will create the certificate for you.
> > You're on your own to figure out how to install this.  Non Windows Cert
> > Servers will also work I'm sure, but the setup will obviously be different.)
> > (2) Select "Request a Certificate"
> > (3) Select "advanced certificate request."
> > (4) Select "Create and submit a request to this CA. "
> > (5) Fill in identifying information.  "Name" should be the name of the
> > machine you're requesting cert for
> > (6) In "Type of Certificate Needed", select "Server Authentication
> > Certificate"
> > (7) Under "Key Options", select "Mark keys as exportable" and also "Export
> > keys to file".  Enter a file on your hard drive when this appears
> > (8) Select "Submit"
> > (9) Acknowledge all the security warnings that appear.  Enter a password for
> > the private key once it comes up.
> > (10) On new page, select "Download the certificate" and save it to your hard
> > drive.
> >
> > You now have on your hard drive 2 files.  One is the certificate (.cer) and
> > the other the private key (.pvk)
> >
> > Stage II - Install the certificate on the WinCE device (Display based
> > devices)
> > (1) Copy the 2 files from stage (I) to your device
> > (2) In the Control Panel, select "Certificates".
> > (3) Select the "My Certificate" store
> > (4) Select Import.  When dialog box comes up, select "From a file".  Select
> > the .cer file and import it.
> > After completing this, you will see the certificate subject name in the list
> > of certs in "My Certificate" store.
> > (5) Select Import and again "from a file".  Change the file type from
> > Certificates to "Private Keys".  Select the .pvk that you created in Stage
> > I.  Enter the password you created for it when prompted.
> >
> > Now the certificate is registered
> >
> > III - Get Web Server to know it should use this certificate
> > (1) Add the following registry (it's OK to have this burned into the image)
> > [HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL]
> > "IsEnabled"=dword:1
> > "CertificateSubject"="<certificate subject name from previous Stages>"
> >
> > (2) You must refresh the web server to have it re-read the certificate
> > information.  Even if the proper settings were burned into ROM, you must
> > still do the refresh after installing the certificate.  You can do this via
> > 'services refresh HTP0:'
> >
> > -- 
> > John Spaith
> > Software Design Engineer, Windows CE
> > Microsoft Corporation
> >
> > "Hadim" <madjidhadim@hotmail.com> wrote in message
> > news:94a75331.0406070557.8f68a4@posting.google.com...
> > > Hi,
> > >
> > > Please, I need help to resolve this problem!! is there any thing I can
> > > do on the Windows 2000 server (certificate template), or any thing to
> > > do on my CE device to bypass this problem. (I am using CE.NET 4.2.)
> > >
> > > Thanks
> > > Hadim
> > >
> > >
> > > madjidhadim@hotmail.com (Hadim) wrote in message
> > > news:<94a75331.0406021030.d09aa96@posting.google.com>...
> > > > I am testing SSL on Windows CE.Net 4.1 (x86 devices) with our CE web
> > > > server.
> > > >
> > > > Our Windows 2000 server is set up with an enterprise CA. With the enroll
> > > > utility I am able to request and install a certificate. With the
> > > > Certificate Control Panel utility I am able to see that my certificate
> > > > is well installed under 'My Certificate' store.
> > > >
> > > > However when I restart my web server I am having always the following
> > > > error message:
> > > > The web server cannot initialize SSL, no SSL actions will be
> > > > performed.  Error code = 0x8009030d
> > > >
> > > > Error 0x8009030d means: The credentials supplied to the package were
> > > > not recognized (SEC_E_UNKNOWN_CREDENTIALS). But it is not the case! I
> > > > suspect that there is some info missed in my certificate but I can not
> > > > figure out what it could be? And document and web searching hasn't
> > > > helped me so far.
> > > >
> > > > I tried to configure some option in enroll.cfg (flagged
> > > > CRYPT_EXPORTABLE, CERT_TEMPLATE=ClientAuth (also tested with
> > > > UserSignature)...) but it did not help! Can you tell me how to configure
> > > > enroll.cfg?
> > > >
> > > >
> > > >
> > > > Has anyone had success in testing SSL on the CE web server?
> > > >
> > > > Please, help me.
> > > >
> > > > Thanks.
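The thread above boils down to a short checklist: the HTTPD\SSL registry values must be present, the subject named there must match a certificate in the "My" store, that certificate must have had its .pvk imported, and the device clock must fall inside the certificate's validity period. The script below is an added example, not Microsoft's code and not code from either poster: it parses the Stage III .reg fragment, walks a constructed inventory of what the certificate store would hold, and decodes the 0x8009030d HRESULT from the first post into its SSPI facility and SEC_E_ name. The device name `cedevice01`, the certificate dates, and the `InstalledCert` model are assumptions made for the example; the registry key and value names are the ones from the page.

```python
"""Preflight check for the Windows CE HTTPD SSL settings in this thread.
Added example: not Microsoft's code and not code from either poster.
The certificate inventory and device name 'cedevice01' are constructed."""
from dataclasses import dataclass
from datetime import datetime
import re

# HRESULT facility 9 is FACILITY_SSPI.  A few Schannel/SSPI failure codes a
# web server may log when it cannot load its server certificate.
SSPI_ERRORS = {
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090328: "SEC_E_CERT_EXPIRED",
}

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code, name)."""
    failed = bool(hr & 0x80000000)
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    return failed, facility, code, SSPI_ERRORS.get(hr, "unknown")

@dataclass
class InstalledCert:
    """What the 'My Certificate' store would tell us about one entry (constructed model)."""
    subject: str
    has_private_key: bool      # True only after the .pvk import in Stage II step (5)
    not_before: datetime
    not_after: datetime

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]+)|"(.*)")$')

def parse_reg(text):
    """Parse the .reg subset used on the page: [key], "name"=dword:hex, "name"="str"."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = result.setdefault(m.group(1).upper(), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return result

SSL_KEY = r"HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL"

def diagnose(reg_text, installed, machine_name, now):
    """Return findings explaining why HTTPD could fail to initialize SSL."""
    findings = []
    ssl = parse_reg(reg_text).get(SSL_KEY, {})
    if ssl.get("IsEnabled") != 1:
        findings.append("IsEnabled is not dword:1; SSL stays off")
    subject = ssl.get("CertificateSubject")
    if not subject:
        findings.append("CertificateSubject is missing; HTTPD has no cert to look up")
        return findings
    match = [c for c in installed if c.subject.lower() == subject.lower()]
    if not match:
        findings.append(f"no cert with subject {subject!r} in My store "
                        f"(expect 0x8009030D SEC_E_UNKNOWN_CREDENTIALS)")
        return findings
    cert = match[0]
    if not cert.has_private_key:
        findings.append("cert is present but its .pvk was never imported")
    if not cert.not_before <= now <= cert.not_after:
        findings.append("device clock is outside the cert validity period")
    if subject.lower() != machine_name.lower():
        findings.append(f"subject {subject!r} differs from machine name "
                        f"{machine_name!r}; browsers will warn on the name")
    return findings

# The Stage III fragment from the page, with a constructed subject filled in.
PAGE_REG = r'''
[HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL]
"IsEnabled"=dword:1
"CertificateSubject"="cedevice01"
'''
DISABLED_REG = r'''
[HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL]
"IsEnabled"=dword:0
'''
# Constructed store entries: one fully imported, one whose .pvk step was skipped.
GOOD_CERT = InstalledCert("cedevice01", True, datetime(2004, 6, 1), datetime(2005, 6, 1))
NO_KEY_CERT = InstalledCert("cedevice01", False, datetime(2004, 6, 1), datetime(2005, 6, 1))

def demo():
    """Run the failure modes the thread touches on; returns {scenario: findings}."""
    june_2004 = datetime(2004, 6, 15)
    return {
        "healthy": diagnose(PAGE_REG, [GOOD_CERT], "cedevice01", june_2004),
        "cert_not_imported": diagnose(PAGE_REG, [], "cedevice01", june_2004),
        "pvk_not_imported": diagnose(PAGE_REG, [NO_KEY_CERT], "cedevice01", june_2004),
        "clock_wrong": diagnose(PAGE_REG, [GOOD_CERT], "cedevice01", datetime(1999, 1, 1)),
        "name_changed": diagnose(PAGE_REG, [GOOD_CERT], "cedevice02", june_2004),
    }

if __name__ == "__main__":
    print(decode_hresult(0x8009030D))
    for name, findings in demo().items():
        print(name, "->", findings or ["OK"])
```

The "name_changed" scenario is the headless-device problem John mentions: the registry still names the old subject, so the server starts, but the certificate no longer matches the host clients connect to. On a real device the store inventory would be read through the certcpl.cpp import routines or the CryptoAPI store functions rather than constructed in code.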
