How can I generate a private key for my SSL certificate?

Hi,

I've manually created an SSL certificate using OpenSSL on Linux.  No certificate request file was used. I'm trying to import this certificate into IIS6 on Windows 2003 to secure one of my websites.

The certificate has been imported into Certificates(Computer) > Personal > Certificates using the Certificates snap-in, and it shows up in IIS when I try to assign the certificate to the website. IIS accepts the certificate and all seems well.

However, when I try to browse to the secure site, the connection fails immediately. Packet sniffing reveals that the SSL "Client Hello" packet is being sent and it disconnects immediately afterwards. Opening the certificate reveals no errors; however, no private key has been created for the certificate.


I'm pretty sure it fails because it hasn't created the private key, but I can't find any information on how to manually create it.

Any ideas?

Thanks for your time,
-Brendan
blowfly asked:
blowfly (Author) commented:
Found a resolution - it seems IIS will only really accept certificates which were generated by a request originating from IIS.

When we made a request from IIS, fed it into OpenSSL, then imported it into IIS, it accepted the certificate, had a private key, and all was well.
0
 
blowfly (Author) commented:
Incidentally, the CA which authorized this certificate also authorized its own trusted root certificate (i.e. self-signed).

The CA's certificate has been imported in to the webserver and neither certificate shows any errors.
0
 
debuggerau commented:
Here's some info on the steps you've already done to check against...
http://www.flatmtn.com/article/setting-openssl-create-certificates

And another for importing to IIS 6...
http://www.windowsitpro.com/Windows/Articles/ArticleID/16183/pg/2/2.html

Hope port 443 is active...


0
blowfly (Author) commented:
Thanks for the info. The certificate is intact, ports are good (as the last certificate worked), and I've imported it into IIS as per instructions, except that I didn't use a request to generate the certificate in the first place (I've simply introduced the certificate from scratch).

I get the impression that IIS will only generate private keys for certificates it originally generated the request for. If you try to introduce a new certificate (without the request file) it won't handle it.

Any ideas?
0
 
blowfly (Author) commented:
I've just discovered that a .PEM file was created next to the .CRT file. This appears to be the private key, as it starts with:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED...etc


Presumably this is the private key for this certificate. Can I associate this key with this certificate manually somehow?
0
 
debuggerau commented:
You will want to keep the private key hidden in a safe place...

In your browser, when the SSL error is generated, I am wondering what error the browser is giving. Double click on the error icon and it should display a detailed error description. The problem may be the SSL version..
0
 
blowfly (Author) commented:
Understand the private key must be kept securely, problem is atm I don't even have one!

Firefox returns the following error:
"The connection to <myserveraddress> was interrupted while the page was loading."

Packet sniffer shows:
* TCP connection
* ClientHello
* Server kills connection immediately

Event Viewer doesn't show anything interesting.

Pretty sure I just need to convince it to generate a private key for the cert and all will be well. Alternatively - perhaps I misunderstand SSL architecture, is it the Certificate Authority that needs to generate the private key, rather than the server that uses the certificate?

Thanks again for your time,
-Brendan
0
 
debuggerau commented:
Did you run something like this to generate a priv key?
openssl genrsa -des3 -out keys/ca.key 1024

Ok, what happens when you browse the site on the server itself through IE?

Could be a communications issue you need to resolve first.
0
 
blowfly (Author) commented:
Originally created using the CA.pl script.

I'm thinking if we feed IIS6 a .PFX file (instead of a CER file) it would have the private key. Can I ask OpenSSL for a PFX file?
0
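Yes, `openssl pkcs12 -export` does exactly that. The thread's root cause is that a .CRT/.CER file carries only the certificate and public key; the private key lives in the separate .PEM file that CA.pl wrote, and the Certificates snap-in has no way to pair the two unless the key was generated on the Windows box (the IIS-originated CSR in the accepted answer) or unless key and certificate arrive together in a PKCS#12 (.pfx) bundle. The script below is an added example, not code from the thread or from CA.pl: it builds a self-signed CA, issues a server certificate from a CSR, bundles key, certificate and CA chain into a .pfx, and runs the two checks worth doing before importing anything into IIS: that the private key really matches the certificate, and that the .pfx actually contains a key. The hostname `www.example.test`, the file names under the work directory and the export password `changeit` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or CA.pl): issue a server cert
# from a CSR with an OpenSSL CA, bundle key + cert + chain into a PKCS#12 (.pfx)
# for IIS, and verify that the key matches the certificate before importing.
# HOST, file names, WORK dir and the export password are illustrative assumptions.
set -eu
umask 077                                  # private keys are created 0600

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.test}"
PFX_PASS="${PFX_PASS:-changeit}"           # assumed export password

# 1. CA: private key plus a self-signed root (as in the thread, the CA signs its own root)
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
    -subj "/CN=Example Test CA" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server: key and CSR (the role IIS played in the accepted answer), signed by the CA
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# 3. Bundle into PKCS#12 so the private key travels with the certificate and chain
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -name "$HOST" -passout "pass:$PFX_PASS" \
    -out "$WORK/server.pfx"
}

# Check 1: the cert's public key and the key file's public key must hash identically.
# Usage: key_matches_cert CERT KEY ; exit status 0 on match.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the server cert chains to the CA we intend to trust on the web server.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Check 3: the .pfx really carries a private key (a bare .crt never does).
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

main() {
  make_ca
  make_server_cert
  make_pfx
  if key_matches_cert "$WORK/server.crt" "$WORK/server.key"; then
    echo "private key matches certificate"
  else
    echo "MISMATCH: do not import this pair" >&2; exit 1
  fi
  chain_ok "$WORK/server.crt" && echo "certificate chains to $WORK/ca.crt"
  pfx_has_key "$WORK/server.pfx" && echo "ready to import: $WORK/server.pfx"
}
main
```

Import the resulting .pfx through the Certificates snap-in (Computer account, Personal store) rather than the .crt; the key is then shown as present and IIS can complete the handshake instead of dropping the connection after ClientHello, which is the symptom of a certificate with no key behind it. The `key_matches_cert` check is the one to run whenever a certificate was produced somewhere other than where its key lives; a mismatch there is exactly the "accepted by IIS, fails at handshake" situation the thread describes. One caveat: OpenSSL 3 encrypts PKCS#12 files with AES and PBKDF2 by default, which very old Windows releases cannot read; if the import fails on such a system, re-export with the `-legacy` option of `openssl pkcs12`.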