How can I generate a private key for my SSL certificate?

Hi,

I've manually created an SSL certificate using OpenSSL on Linux.  No certificate request file was used. I'm trying to import this certificate into IIS6 on Windows 2003 to secure one of my websites.

The certificate has been imported into Certificates(Computer) > Personal > Certificates using the Certificates snap-in, and it shows up in IIS when I try to assign the certificate to the website. IIS accepts the certificate and all seems well.

However, when I try to browse to the secure site, the connection fails immediately. Packet sniffing reveals that the SSL "Client Hello" packet is being sent and it disconnects immediately afterwards. Opening the certificate reveals no errors, however no private key has been created for the certificate.


I'm pretty sure it fails because it hasn't created the private key, but I can't find any information on how to manually create it.

Any ideas?

Thanks for your time,
-Brendan
blowfly Asked:
blowfly (Author) Commented:
Incidentally - the CA which authorized this certificate also authorized its own trusted root certificate (i.e. self-signed).

The CA's certificate has been imported in to the webserver and neither certificate shows any errors.
0
debuggerau Commented:
Here's some info on the steps you've already done to check against...
http://www.flatmtn.com/article/setting-openssl-create-certificates

And another for importing to IIS 6...
http://www.windowsitpro.com/Windows/Articles/ArticleID/16183/pg/2/2.html

Hope port 443 is active...


0
blowfly (Author) Commented:
Thanks for the info. The certificate is intact, ports are good (as the last certificate worked), and I've imported it into IIS as per instructions, except that I didn't use a request to generate the certificate in the first place (I've simply introduced the certificate from scratch).

I get the impression that IIS will only generate private keys for certificates it originally generated the request for. If you try to introduce a new certificate (without the request file) it won't handle it.

Any ideas?
0
blowfly (Author) Commented:
I've just discovered that a .PEM file was created next to the .CRT file. This appears to be the private key, as it starts with:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED...etc


Presumably this is the private key for this certificate. Can I associate this key with this certificate manually somehow?
0
debuggerau Commented:
You will want to keep the private key hidden in a safe place...

In your browser, when the ssl error is generated, I am wondering what error the browser is giving. Double click on the error icon and it should display a detailed error description. The problem may be the ssl version..
0
blowfly (Author) Commented:
Understand the private key must be kept securely, problem is atm I don't even have one!

Firefox returns the following error:
"The connection to <myserveraddress> was interrupted while the page was loading."

Packet sniffer shows:
* TCP connection
* ClientHello
* Server kills connection immediately

Event Viewer doesn't show anything interesting.

Pretty sure I just need to convince it to generate a private key for the cert and all will be well. Alternatively - perhaps I misunderstand SSL architecture, is it the Certificate Authority that needs to generate the private key, rather than the server that uses the certificate?

Thanks again for your time,
-Brendan
0
debuggerau Commented:
Did you run something like this to generate a priv key?
openssl genrsa -des3 -out keys/ca.key 1024

Ok, what happens when you browse the site on the server itself through IE?

Could be a communications issue you need to resolve first.
0
blowfly (Author) Commented:
Originally created using the CA.pl script.

I'm thinking if we feed IIS6 a .PFX file (instead of CER file) it would have the private key. Can I ask OpenSSL for a PFX file?
0
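
Added example (not part of the original thread or any participant's post): one way to pair an OpenSSL-issued .crt with its .pem private key is to confirm both carry the same public key, then export them together as PKCS#12 (.pfx), a format that carries the certificate and its private key in one file. All file names and pass phrases below are constructed.

```shell
#!/bin/sh
# Added example: pair an OpenSSL-issued certificate with its private key and
# export both as PKCS#12 (.pfx). File names and pass phrases are constructed.
# "pass:" arguments are visible in the process list; prefer "file:" or "env:"
# sources for real keys.

# Succeeds only when CERT and KEY carry the same public key.
key_matches_cert() {  # usage: key_matches_cert CERT KEY KEY_PASSPHRASE
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Writes OUT_PFX containing CERT and its private key, refusing a mismatched pair.
make_pfx() {  # usage: make_pfx CERT KEY KEY_PASSPHRASE OUT_PFX PFX_PASSWORD
  key_matches_cert "$1" "$2" "$3" || {
    echo "private key could not be matched to $1" >&2
    return 1
  }
  openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
    -out "$4" -passout "pass:$5"
}

# Confirms the .pfx opens with its password and holds a private key.
pfx_has_key() {  # usage: pfx_has_key PFX PFX_PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q "PRIVATE KEY"
}

# Constructed throwaway material standing in for the .CRT/.PEM pair in the thread.
make_sample() {  # usage: make_sample DIR
  openssl genrsa -aes256 -passout pass:keypass -out "$1/site.pem" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$1/site.pem" -passin pass:keypass -days 1 \
    -subj "/CN=www.example.test" -out "$1/site.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

work=$(mktemp -d)
make_sample "$work" &&
  make_pfx "$work/site.crt" "$work/site.pem" keypass "$work/site.pfx" pfxpass &&
  pfx_has_key "$work/site.pfx" pfxpass && echo "site.pfx contains cert + key"
make_pfx "$work/site.crt" "$work/other.pem" "" "$work/bad.pfx" pfxpass ||
  echo "mismatched key rejected"
rm -rf "$work"
```

OpenSSL 3.x encrypts PKCS#12 output with newer default algorithms that older Windows releases may fail to import; its `-legacy` option on `openssl pkcs12 -export` selects the older ones.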
blowfly (Author) Commented:
Found a resolution - it seems IIS will only really accept certificates which were generated by a request originating from IIS.

When we made a request from IIS, fed it into OpenSSL, then imported it into IIS, it accepted the certificate, had a private key, and all was well.
0